Specify an on-premises server as a backend server of ALB - Server Load Balancer

Application Load Balancer (ALB) allows you to specify an on-premises server or a server in a different region as a backend server. This topic describes how to use services such as Cloud Enterprise Network (CEN) transit routers to specify an on-premises server as a backend server for an ALB instance, and then enable the ALB instance to distribute network traffic to the on-premises server.

Scenarios

ALB supports on-premises servers and servers in a different region as backend servers. This topic describes how to specify an on-premises server as a backend server for ALB. A company created a VPC named VPC1 in the China (Chengdu) region and deployed an ALB instance in the VPC. The company wants to use the ALB instance in VPC1 to forward requests to an on-premises server in the same region.

To achieve this goal, the company attaches VPC1 and a virtual border router (VBR) to a CEN instance. This enables the ALB instance in VPC1 to forward user traffic to the VBR and then to the on-premises server. This allows the on-premises server to function as a backend server of ALB.

Specify an on-premises server as a backend server of an ALB instance

The following table describes how networks are planned. You can plan the CIDR blocks based on your business requirements. Make sure that the CIDR blocks do not overlap with each other.


China (Chengdu)	vSwitch	Zone	CIDR block
VPC1 Primary CIDR block: 172.16.0.0/12	VSW1	Zone A	172.16.0.0/24
VPC1 Primary CIDR block: 172.16.0.0/12	VSW2	Zone B	172.16.6.0/24
VBR	N/A	N/A	IPv4 address on the user side: 10.0.0.2/30 IPv4 address on the Alibaba Cloud side: 10.0.0.1/30
Data center	VSW3	N/A	192.168.20.0/24

Precautions

To specify an on-premises server as a backend server of an ALB instance, you must add the IP address of the on-premises server to a server group of the IP type.
You can specify an on-premises server as a backend server of an Internet-facing ALB or internal-facing ALB instance.

The following table describes the regions that allow you to specify on-premises servers and servers in another region as backend servers of ALB.


Area	Region
China	China (Chengdu), China (Qingdao), China (Beijing), China (Guangzhou), China (Hangzhou), China (Ulanqab), China (Shanghai), China (Shenzhen), China (Zhangjiakou), and China (Hong Kong)
Asia Pacific	Indonesia (Jakarta), Japan (Tokyo), Malaysia (Kuala Lumpur), Australia (Sydney), Singapore, and India (Mumbai)
Europe and Americas	Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley)

When you associate Enterprise Edition transit routers with the VPCs, elastic network interfaces (ENIs) are automatically created. Then, the ENIs are attached to the vSwitch in each zone. The ENIs are used to forward network traffic from the VPCs to the Enterprise Edition transit routers. When you create the VPCs, you must specify at least one vSwitch in each zone of the Enterprise Edition transit routers. This way, network traffic can be routed from the VPCs to the transit routers. For more information, see Regions and zones that support Enterprise Edition transit routers.
You can add only internal-facing servers and cannot add Internet-facing servers.
You cannot add ALB or CLB instances that reside in the same VPC.
You can use Enterprise Edition transit routers and Express Connect for cross-region forwarding. Basic Edition transit routers are not supported.
In each region of a CEN instance, only one VPC can exist that contains one or more ALB instances for which on-premises servers are specified as backend servers.
- ALB instances in different VPCs in the same region cannot use the same transit router to access on-premises servers.
- ALB instances in different VPCs in the same region cannot use different transit routers to access the same on-premises server.
Network traffic between an ALB instance and its backend servers can be routed based only on the system route table. VPC custom route tables are not supported.

Preparations

VPC1 is created in the China (Chengdu) region. Two vSwitches (VSW1 and VSW2) are deployed in VPC1. VSW1 is deployed in Zone A. VSW2 is deployed in Zone B. For more information, see Create and manage a VPC.
An ALB instance is created in VPC1. For more information, see Create an ALB instance.
An Elastic Compute Service (ECS) instance is deployed in VPC1. Application services are hosted on the ECS instance. In this example, the ECS instance is referred to as ECS1. For more information, see Create an instance by using the wizard.
A CEN instance is created, and a transit router is deployed in the China (Chengdu) region. For more information, see Create a CEN instance and Create a transit router.
A connection over an Express Connect circuit is established. A VBR is created. For more information, see Create and manage a dedicated connection over an Express Connect circuit and Create and manage a VBR.

Procedure

Step 1: Create a server group for the ALB instance

Create a server group of the IP type and add the IP address of the on-premises server to the server group.

Log on to the ALB console.
In the top navigation bar, select the region where the ALB instance is deployed. In this example, China (Chengdu) is selected.
In the left-side navigation pane, choose ALB > Server Groups.

On the Server Groups page, click Create Server Group, set the following parameters, and then click Create.


Parameter	Description
Server Group Type	Select the type of server group that you want to create. In this example, IP is selected.
Server Group Name	Enter a name for the server group. The name must be 2 to 128 characters in length, and can contain letters, digits, periods (.), underscores (_), and hyphens (-). The name must start with a letter.
VPC	Select a VPC from the drop-down list. In this example, VPC1 is selected.
Backend Server Protocol	Select a backend protocol. In this example, HTTP is selected. Note HTTPS listeners of a basic ALB instance can be associated only with server groups that use HTTP.
Scheduling Algorithm	Select a scheduling algorithm. In this example, the default value Weighted Round-robin is used.
Resource Group	Select the resource group to which the server group belongs.
Session Persistence	Specify whether to enable session persistence.
Configure Health Check	Specify whether to enable the health check feature. In this example, the health check feature is enabled, which is the default setting.
Advanced Settings	In this example, the default advanced settings are used. For more information, see Create and manage a server group.

On the Server Groups page, find the server group that you want to manage and click Modify Backend Server in the Actions column.
On the Backend Servers tab, click Add IP Address.
In the Add Backend Server panel, enter the IP address of the on-premises server, turn on Remote IP Address, and then click Next.
Specify the port and weight of the IP address and click OK. In this example, the port is set to 80 and the default weight is used.

Step 2: Configure a listener for the ALB instance

Log on to the ALB console.
In the top navigation bar, select the region where the ALB instance is deployed. In this example, China (Chengdu) is selected.
On the Instances page, find the ALB instance deployed in VPC1 and click Create Listener in the Actions column.

In the Configure Listener step, set the following parameters and click Next.


Parameter	Description
Listener Protocol	Select a listening protocol. In this example, HTTP is selected.
Listener Port	Specify the port on which the ALB instance listens. The ALB instance listens for requests on the specified port and then forwards the requests to backend servers. Valid values: 1 to 65535. In this example, `80` is specified.
Listener Name	Specify a name for the listener.
Advanced Settings	In this example, the default advanced settings are used.

On the Select Server Group wizard page, select IP from the Server Group drop-down list, select the server group that is created in Step 1, and then click Next.
On the Confirm wizard page, confirm the configurations and click Submit.

Step 3: Attach the VPC to the CEN instance

Log on to the CEN console.
On the Instances page of the CEN console, click the ID of the CEN instance that you want to manage.
On the Basic Settings > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, set the following parameters and click OK.


Parameter	Description
Network Type	In this example, VPC is selected.
Region	Select the region where the network instance is created. In this example, China (Chengdu) is selected.
Transit Router	The transit router deployed in the selected region is selected by default.
Resource Owner ID	Specify whether the network instance belongs to the current or another Alibaba Cloud account. In this example, Your Account is selected.
Billing Method	In this example, Pay-As-You-Go is selected.
Attachment Name	Enter a name for the connection.
Network Instance	Select the ID of the VPC that you want to connect. In this example, VPC1 is selected.
VSwitch	Select a vSwitch that is deployed in a zone supported by Enterprise Edition transit routers. In this example, VSW1 and VSW2 are selected.
Advanced Settings	By default, advanced settings are enabled. In this example, the default advanced settings are used.

Step 4: Attach the VBR to the CEN instance

After you attach VPC1 to the CEN instance, click Create More Connections.

On the Connection with Peer Network Instance page, set the following parameters and click OK.


Parameter	Description
Network Type	In this example, Virtual Border Router (VBR) is selected.
Region	Select the region where the network instance is created. In this example, China (Chengdu) is selected.
Transit Router	The system automatically selects the transit router in the current region.
Resource Owner ID	Specify whether the network instance belongs to the current or another Alibaba Cloud account. In this example, Your Account is selected.
Attachment Name	Enter a name for the connection.
Network Instance	Select the ID of the VBR that you want to connect. In this example, the VBR deployed in the China (Chengdu) region is selected.
Advanced Settings	By default, advanced settings are enabled. In this example, the default advanced settings are used. For more information, see Create a VBR connection.

Step 5: Add routes to the system route table of VPC1

Check whether the system route table of VPC1 contains a route whose destination is the VPC1 connection. If no such route exists, perform the following operations to add a route:

Note Network traffic between an ALB instance and its backend servers can be routed based only on the system route table. VPC custom route tables are not supported.

Log on to the VPC console.
On the VPCs page, click the ID of VPC1.
On the details page, click the Resources tab and then click the number below Route Table.
On the Route Tables page, find the route table whose Route Table Type is System and click its ID.
On the details page of the route table, choose Route Entry List > Custom Route, and click Add Route Entry.

In the Add Route Entry panel, set the following parameters and click OK.


Parameter	Description
Name	Enter a name for the route.
Destination CIDR Block	Enter the CIDR block that you want to access. In this example, the CIDR block of the on-premises server is entered, which is `192.168.20.0/24`.
Next Hop Type	Select the type of the next hop. Transit Router is selected in this example.
Transit Router	Select a transit router. In this example, the VPC1 connection is selected.

Step 6: Configure routes in the VBR

Configure a route that points to the data center in the VBR.

Log on to the Express Connect console.
In the top navigation bar, select a region and then click Virtual Border Routers (VBRs) in the left-side navigation pane.
On the Virtual Border Routers (VBRs) page, find the VBR that you want to manage and click its ID.
On the details page of the VBR, click the Routes tab and click Add Route.

In the Add Route panel, set the following parameters and click OK.


Parameter	Description
Next Hop Type	Select the type of next hop. In this example, Physical Connection Interface is selected.
Destination CIDR Block	In this example, the CIDR block of the on-premises server is entered, which is `192.168.20.0/24`.
Next Hop	Select an Express Connect circuit.

Step 7: Configure back-to-origin routes

View the back-to-origin route of the ALB instance. Add the back-to-origin route to the route table of the transit router that is associated with VPC1 and to the route table in the data center.

Perform the following operations to view the back-to-origin route of an ALB instance:
1. Log on to the ALB console.
2. In the top navigation bar, select the region where the ALB instance is deployed. In this example, China (Chengdu) is selected.
3. On the Instances page, click the ID of the ALB instance in VPC1.
4. On the Instance Details tab, click View next to Back-to-origin Route.

To add the back-to-origin route of the ALB instance to the transit router associated with VPC1, perform the following operations:

Log on to the CEN console.
On the Instances page in the CEN console, click the ID of the CEN instance that you want to manage.
Choose Basic Settings > Transit Router, find the transit router associated with VPC1, and then click its ID.
On the Route Table tab, click the ID of the route table to which you want to add the back-to-origin route, click the Route Entry tab, and then click Add Route Entry.

In the Add Route Entry dialog box, set the following parameters and click OK.


Parameter	Description
Route Table	The current route table is selected by default.
Transit Router	The current transit router is selected by default.
Name	Enter a name for the route. The name can be 0 to 128 characters in length, and can contain letters, digits, commas (,), periods (.), semicolons (;), forward slashes (/), at signs (@), underscores (_), and hyphens (-).
Destination CIDR	Enter the destination CIDR block of the route. In this example, the destination CIDR block of the back-to-origin route of the ALB instance is entered. If the ALB instance has multiple back-to-origin routes, repeat the preceding operations to add all of the back-to-origin routes. In this example, the following routes are added to the transit router associated with VPC1: 100.XX.XX.0/25 100.XX.XX.128/25 100.XX.XX.64/26 100.XX.XX.128/26 100.XX.XX.192/26 100.XX.XX.0/26
Blackhole Route	The default value No is selected.
Next Hop	Select a next hop. In this example, the VPC1 connection is selected.
Description	Enter a description for the route. The description must be 2 to 256 characters in length and can contain letters, digits, commas (,), periods (.), semicolons (;), forward slashes (/), at signs (@), underscores (_), and hyphens (-).

Perform the following operations to add the back-to-origin route of the ALB instance to the gateway device in the data center.
The following example shows how to add a back-to-origin route of an ALB instance to a gateway device in a data center. If the ALB instance has multiple back-to-origin routes, repeat the preceding operations to add all of the back-to-origin routes.
Note The route configuration in this example is for reference only. The configuration may vary based on the gateway device.
```
ip route 100.XX.XX.0/25 255.255.255.128 IP address for the VBR
```

Step 8: Test the connectivity

Log on to the ECS instance that is deployed in VPC1. For more information, see Guidelines on ECS instance connection.
Run the wget http://domain name of the ALB instance command to check whether the ECS instance in VPC1 can access the on-premises server.
The command used in this example is:
```
wget http://alb-fo89znps6q********.internal.cn-chengdu.alb.aliyuncs.com
```
If you can receive echo reply packets such as XX.html, the connection is established.