Network Load Balancer (NLB) allows you to add servers in data centers (on-premises servers) as backend servers. After you specify an on-premises server as a backend server of an NLB instance, you can use services such as Cloud Enterprise Network (CEN) transit routers to enable the NLB instance to distribute network traffic to the on-premises server.

Scenarios

The following scenario is used as an example in this topic. A company created a virtual private cloud (VPC) named VPC1 in the China (Hangzhou) region and deployed an NLB instance in the VPC. The company wants to use the NLB instance to distribute network traffic to an on-premises server in China (Hangzhou).

To achieve this goal, the company plans to create a virtual border router (VBR) in the China (Hangzhou) region and attach the VBR and VPC1 to a CEN instance. This way, the NLB instance in VPC1 can forward user traffic to the VBR and then to the on-premises server that functions as a backend server of NLB.

Add on-premises servers to NLB
The following table describes how CIDR blocks are planned in this example. You can plan the CIDR blocks based on your business requirements. Make sure that the CIDR blocks do not overlap with each other.
Region: China (Hangzhou)

| Resource | vSwitch | Zone | CIDR block |
|---|---|---|---|
| VPC1 (primary CIDR block: 192.168.0.0/16) | VSW1 | Zone G | 192.168.81.238 |
| VPC1 (primary CIDR block: 192.168.0.0/16) | VSW2 | Zone J | 192.168.27.21 |
| VBR | N/A | N/A | IPv4 address of the gateway at the Alibaba Cloud side: 10.0.0.1; IPv4 address of the gateway at the customer side: 10.0.0.2; IPv4 subnet mask: 255.255.255.252 |
| Data center | VSW3 | N/A | 172.16.6.0/24 |

Limits

  • When you add an on-premises server to NLB as a backend server, you must select IP as the backend server type. You must add the on-premises server by specifying its private IP address. Public IP addresses are not supported.
  • You can specify an on-premises server as a backend server of an Internet-facing NLB or internal-facing NLB instance.
  • Network traffic between an NLB instance and its backend servers can be routed based only on the system route table. VPC custom route tables are not supported.
  • To add on-premises servers to NLB, you can use Enterprise Edition transit routers or Basic Edition transit routers. If you use an Enterprise Edition transit router, you must specify at least one vSwitch in each zone of the Enterprise Edition transit router so that network traffic can be routed from the VPC to the transit router. For more information, see What is CEN?
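Before creating anything in the consoles, it is worth checking the address plan against the two requirements stated above: the planned CIDR blocks must not overlap, and the backend server must be added by a private IP address. The following script is an added example and is not part of the Alibaba Cloud documentation; it copies the values from the planning table and from Step 1 (the /30 link network for the VBR is derived from the gateway addresses and subnet mask in the table), and the function names are my own.

```python
"""Sanity-check the CIDR plan and backend address before touching the consoles.

Added example, not from the Alibaba Cloud documentation. The values are copied from
the planning table and Step 1 of the topic; the function names are my own.
"""
import ipaddress
from itertools import combinations

# Planned address ranges (constructed copy of the planning table).
PLAN = {
    "VPC1 primary CIDR block": "192.168.0.0/16",
    "VBR point-to-point link": "10.0.0.0/30",   # derived from 10.0.0.1/255.255.255.252
    "Data center (VSW3)": "172.16.6.0/24",
}
VBR_CLOUD_SIDE_IP = "10.0.0.1"
VBR_CUSTOMER_SIDE_IP = "10.0.0.2"
VBR_SUBNET_MASK = "255.255.255.252"
BACKEND_IP = "172.16.6.5"        # on-premises server added in Step 1


def overlapping_pairs(plan):
    """Return every pair of plan entries whose CIDR blocks overlap (the topic requires none)."""
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in plan.items()}
    return [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2) if na.overlaps(nb)]


def vbr_link_check(cloud_ip, customer_ip, mask):
    """Derive the VBR link network from the mask and confirm both gateway
    addresses are usable host addresses in it (not network or broadcast)."""
    link = ipaddress.ip_network(f"{cloud_ip}/{mask}", strict=False)
    hosts = set(link.hosts())
    both_hosts = (ipaddress.ip_address(cloud_ip) in hosts
                  and ipaddress.ip_address(customer_ip) in hosts)
    return str(link), both_hosts


def backend_address_check(backend_ip, dc_cidr):
    """Apply the first limit: the backend must be a private address, and it
    should lie inside the data-center block that the routes will point to."""
    addr = ipaddress.ip_address(backend_ip)
    return {
        "is_private": addr.is_private,
        "in_data_center_block": addr in ipaddress.ip_network(dc_cidr),
    }


if __name__ == "__main__":
    print("overlaps:", overlapping_pairs(PLAN))
    print("VBR link:", vbr_link_check(VBR_CLOUD_SIDE_IP, VBR_CUSTOMER_SIDE_IP, VBR_SUBNET_MASK))
    print("backend:", backend_address_check(BACKEND_IP, PLAN["Data center (VSW3)"]))
```

Run it whenever the plan changes; an overlap between the VPC block and the data-center block, or a public backend address, is rejected here instead of surfacing later as a route that never matches or a server group that cannot be created.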

Prerequisites

Procedure

Step 1: Create a server group in the NLB console

Create a server group of the IP type and add the on-premises server as the backend server by specifying its private IP address.

  1. Log on to the NLB console.
  2. In the top navigation bar, select the region where the NLB instance is deployed. In this example, China (Hangzhou) is selected.
  3. In the left-side navigation pane, choose Network Load Balancer (NLB) > Server Groups.
  4. On the Server Groups page, click Create Server Group.
  5. In the Create Server Group dialog box, set the following parameters and click Create.
    • Server Group Type: Specify how backend servers are added to a server group. In this example, IP is selected.
    • Server Group Name: Enter a name for the server group.
    • VPC: Select a VPC from the drop-down list. In this example, VPC1 is selected.
    • Backend Server Protocol: Select a backend protocol. In this example, TCP is selected.
    • Scheduling Algorithm: Select a scheduling algorithm. Valid values: Round-Robin, Weighted Round-Robin, Source IP Hashing, Four-Element Hashing, and QUIC ID Hashing. In this example, Weighted Round-Robin is selected.
    • Enable Connection Draining: In this example, connection draining is disabled, which is the default setting.
    • Client IP Preservation: You do not need to set this parameter.
      Note You cannot enable client IP preservation for a server group of the IP type. If you want the server group to retrieve client IP addresses, enable Proxy Protocol for the associated listener.
    • Enable All-port Forwarding: In this example, all-port forwarding is disabled, which is the default setting.
    • Configure Health Check: Specify whether to enable or disable health checks. In this example, the health check feature is enabled, which is the default setting.
    • Advanced Settings: In this example, the default settings are used.

  6. In the Server group created dialog box, click Add Backend Server.
  7. On the Backend Servers tab, click Add IP Address.
  8. In the Add Backend Server panel, enter the private IP address of the on-premises server and click Next.
    In this example, 172.16.6.5 is entered.
  9. On the Ports/Weights tab, specify the port and weight of the IP address, click OK, and then click Close.
    In this example, the port is set to 80 and the default weight is used.

Step 2: Configure a listener for the NLB instance in the NLB console

  1. Log on to the NLB console.
  2. In the top navigation bar, select the region where the NLB instance is deployed. In this example, China (Hangzhou) is selected.
  3. In the left-side navigation pane, choose Network Load Balancer (NLB) > Instances.
  4. On the Instances page, find the NLB instance that is created in VPC1 and click the instance ID.
  5. Click the Listener tab. On the Listener tab, click Quick Create Listener.
  6. In the Quick Create Listener dialog box, set the following parameters and click OK.
    • Listener Protocol: Select a listening protocol. In this example, TCP is selected.
    • Listener Port: Specify the frontend port that is used to receive and route requests to backend servers. In this example, 80 is used.
    • Server Group: Select a backend server group. In this example, IP and the server group created in Step 1 are selected.

Step 3: Create a VPC connection in the CEN console

  1. Log on to the CEN console.
  2. On the Instances page of the CEN console, click the ID of the CEN instance that you want to manage.
  3. On the Basic Settings > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.
  4. On the Connection with Peer Network Instance page, set the following parameters and click OK.
    • Network Type: In this example, VPC is selected.
    • Region: Select the region where the network instance is deployed. China (Hangzhou) is selected in this example.
    • Transit Router: The transit router in the selected region is selected by default.
    • Resource Owner ID: Specify whether the network instance belongs to the current or another Alibaba Cloud account. In this example, Your Account is selected.
    • Billing Method: In this example, Pay-As-You-Go is selected.
    • Attachment Name: Enter a name for the connection.
    • Networks: Select the ID of the VPC that you want to connect. In this example, VPC1 is selected.
    • vSwitch: Select one or more vSwitches that are deployed in a zone supported by Enterprise Edition transit routers. In this example, Zone H and Zone J are selected.
    • Advanced Settings: The advanced features are selected by default. In this example, the default advanced settings are used.

Step 4: Create a VBR connection in the CEN console

  1. After you attach the VPC to the CEN instance, click Create More Connections.
  2. On the Connection with Peer Network Instance page, set the following parameters and click OK.
    • Network Type: In this example, Virtual Border Router (VBR) is selected.
    • Region: Select the region where the network instance is deployed. China (Hangzhou) is selected in this example.
    • Transit Router: The transit router deployed in the selected region is selected by default.
    • Resource Owner ID: Specify whether the network instance belongs to the current or another Alibaba Cloud account. In this example, Your Account is selected.
    • Attachment Name: Enter a name for the connection.
    • Networks: Select the ID of the VBR that you want to connect. In this example, the VBR that you created is selected.
    • Advanced Settings: The advanced features are selected by default. In this example, the default advanced settings are used. For more information, see Create a VBR connection.

Step 5: Add a route to the system route table of VPC1 in the VPC console

Check whether the system route table of VPC1 contains a route whose destination is the VPC1 connection. If no such route exists, perform the following operations to add a route:

Note Network traffic between an NLB instance and its backend servers can be routed based only on the system route table. VPC custom route tables are not supported.
  1. Log on to the VPC console.
  2. In the top navigation bar, select the region to which VPC1 belongs. China (Hangzhou) is selected in this example.
  3. On the VPCs page, click the ID of VPC1.
  4. On the details page, click the Resources tab and then click the number below Route Table.
  5. On the Route Tables page, find the route table whose Route Table Type is System and click its ID.
  6. On the details page of the route table, choose Route Entry List > Custom Route, and click Add Route Entry.
  7. In the Add Route Entry panel, set the following parameters and click OK.
    • Name: Enter a name for the route.
    • Destination CIDR Block: Enter the CIDR block that you want to access. In this example, the CIDR block of the on-premises server is entered, which is 172.16.6.0/24.
    • Next Hop Type: Select the type of the next hop. Transit Router is selected in this example.
    • Transit Router: Select a transit router. In this example, the VPC1 connection created in Step 3 is selected.

Step 6: Configure a VBR route in the Express Connect console

Configure a route that points to the data center in the VBR.

  1. Log on to the Express Connect console.
  2. In the top navigation bar, select a region and then click Virtual Border Routers (VBRs) in the left-side navigation pane.
  3. On the Virtual Border Routers (VBRs) page, find the VBR that you want to manage and click its ID.
  4. On the details page of the VBR, click the Routes tab and click Add Route.
  5. In the Add Route panel, set the following parameters and click OK.
    • Next Hop Type: Select the type of next hop. In this example, Physical Connection Interface is selected.
    • Destination CIDR Block: In this example, the CIDR block of the on-premises server is entered, which is 172.16.6.0/24.
    • Next Hop: Select Physical Connection Interface.

Step 7: Configure routes in the data center

Look up the CIDR blocks of the vSwitches associated with the NLB instance and add a route for each of them in the data center, so that return traffic from the on-premises server can reach the NLB instance.
Note After you create the VPC connection on the transit router, the transit router learns the routes that point to the CIDR blocks of the vSwitches that belong to the connected VPC. Therefore, you do not need to configure routes that point to the CIDR blocks of the vSwitches where the NLB instance resides for the transit router.
  1. Perform the following steps to obtain the CIDR blocks of the vSwitches associated with the NLB instance.
    1. Log on to the VPC console.
    2. In the top navigation bar, select the region to which VPC1 belongs. China (Hangzhou) is selected in this example.
    3. On the VPCs page, find and click the ID of VPC1.
    4. On the details page, click the Resources tab and then click the number below VSwitch.
    5. On the vSwitch page, find the vSwitches associated with the NLB instance and record the CIDR blocks.
  2. Perform the following steps to add routes that point to the CIDR blocks of the vSwitches associated with the NLB instance for the data center.
    Add routes that point to the CIDR blocks of the vSwitches associated with the NLB instance on the on-premises gateway device. The following routes are configured in this example. If multiple vSwitches are used, repeat the operation until routes that point to the CIDR blocks of all vSwitches associated with the NLB instance are added.
    Note The route configurations in this example are for reference only. The configurations may vary based on the gateway device.
    ip route 192.168.45.0 255.255.255.0 <IP address of the VBR on the Alibaba Cloud side>
    ip route 192.168.32.0 255.255.255.0 <IP address of the VBR on the Alibaba Cloud side>
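Steps 5 to 7 each add one route, and the connection only works when the forward path (NLB to on-premises server) and the return path (on-premises server back to the NLB vSwitch CIDR blocks) are both complete. The following script is an added example, not part of the Alibaba Cloud documentation: it models the route tables the procedure builds as simple longest-prefix-match tables, renders the on-premises gateway routes from Step 7, and traces a packet in each direction. The vSwitch CIDR blocks are the two from the example routes above, the on-premises block and the VBR address come from the planning table, and the next-hop labels and the routes marked as propagated by CEN are my own modelling assumptions.

```python
"""Model the route tables built in Steps 5 to 7 and check both traffic directions.

Added example, not from the Alibaba Cloud documentation. The route tables below are
a constructed model of the procedure; the next-hop labels are my own.
"""
import ipaddress

NLB_VSWITCH_CIDRS = ["192.168.45.0/24", "192.168.32.0/24"]  # Step 7 example routes
ON_PREM_CIDR = "172.16.6.0/24"                                # data center (VSW3)
VBR_CLOUD_SIDE_IP = "10.0.0.1"                                # VBR, Alibaba Cloud side


def longest_prefix_match(table, dst):
    """Return the next hop of the most specific route in table that matches dst, or None.

    table is a list of (cidr, next_hop) tuples, as a router would hold them.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for cidr, next_hop in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def trace(path, dst):
    """Walk dst through the route tables on a path, in order.

    path is a list of (table_name, table). Returns the hops taken and whether
    every table on the path had a matching route.
    """
    hops = []
    for name, table in path:
        hop = longest_prefix_match(table, dst)
        hops.append((name, hop))
        if hop is None:           # a table with no matching route drops the packet here
            return hops, False
    return hops, True


def on_prem_gateway_routes(vswitch_cidrs, vbr_ip):
    """Render the static routes that Step 7 adds on the on-premises gateway."""
    lines = []
    for cidr in vswitch_cidrs:
        net = ipaddress.ip_network(cidr)
        lines.append(f"ip route {net.network_address} {net.netmask} {vbr_ip}")
    return lines


# Forward direction, NLB -> on-premises server.
VPC1_SYSTEM_RT = [
    ("192.168.0.0/16", "local"),            # VPC1 primary CIDR block
    (ON_PREM_CIDR, "transit-router"),       # Step 5: entry added to the system route table
]
TRANSIT_ROUTER_RT = [
    (ON_PREM_CIDR, "vbr-attachment"),       # Step 4: VBR connection
] + [(c, "vpc1-attachment") for c in NLB_VSWITCH_CIDRS]  # learned from the VPC connection (Step 3)
VBR_RT = [
    (ON_PREM_CIDR, "physical-connection"),  # Step 6
] + [(c, "transit-router") for c in NLB_VSWITCH_CIDRS]   # propagated by CEN (modelling assumption)

FORWARD_PATH = [
    ("VPC1 system route table", VPC1_SYSTEM_RT),
    ("transit router", TRANSIT_ROUTER_RT),
    ("VBR", VBR_RT),
]


def return_path(on_prem_vswitch_cidrs):
    """Build the return path for the set of vSwitch routes present on the on-premises gateway."""
    on_prem_rt = [(ON_PREM_CIDR, "local")] + [(c, VBR_CLOUD_SIDE_IP) for c in on_prem_vswitch_cidrs]
    return [
        ("on-premises gateway", on_prem_rt),
        ("VBR", VBR_RT),
        ("transit router", TRANSIT_ROUTER_RT),
    ]


if __name__ == "__main__":
    for line in on_prem_gateway_routes(NLB_VSWITCH_CIDRS, VBR_CLOUD_SIDE_IP):
        print(line)
    print(trace(FORWARD_PATH, "172.16.6.5"))
    print(trace(return_path(NLB_VSWITCH_CIDRS), "192.168.32.10"))
    # Forgetting one vSwitch route on the gateway silently breaks the return path for that zone:
    print(trace(return_path(NLB_VSWITCH_CIDRS[:1]), "192.168.32.10"))
```

The last trace shows the failure mode the note above warns about: with only the first vSwitch route configured, traffic from the on-premises server to an NLB address in the second vSwitch has no route on the gateway, so health checks and client connections through that zone time out even though the forward path is fine.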

Step 8: Test network connectivity

  1. Log on to ECS01 of VPC1. For more information, see Guidelines on instance connection.
  2. Run the telnet <NLB DNS name> <listening port> command to test whether ECS01 in VPC1 can access the on-premises server through the NLB instance.
    The following command is used in this example:
    telnet nlb-ygfajln3bwbfs3****.cn-hangzhou.nlb.aliyuncs.com 80
    If telnet reports that the connection is established, ECS01 can reach the on-premises server through the NLB instance.
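A manual telnet session confirms the path once; a scripted check can be repeated after each change and tells a timeout apart from a refused connection, which point at different causes. The following script is an added example and not part of the Alibaba Cloud documentation: the NLB DNS name is a placeholder, the local listener exists only so that the check can be exercised offline, and the function names are my own.

```python
"""Repeatable TCP connectivity check for Step 8, with a self-test on a local listener.

Added example, not from the Alibaba Cloud documentation. The NLB DNS name is a
placeholder; the local listener exists only so the check can run offline.
"""
import socket
import threading

NLB_DNS_NAME = "<nlb-dns-name>.cn-hangzhou.nlb.aliyuncs.com"   # placeholder, not a real name
LISTENER_PORT = 80                                               # listener port from Step 2


def tcp_check(host, port, timeout=3.0):
    """Attempt one TCP handshake and report 'connected', 'refused', 'timeout' or 'error:<errno>'.

    A timeout usually means the path is incomplete (for example a missing return
    route on the data-center gateway); 'refused' means a host answered but nothing
    is listening on that port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"error:{exc.errno}"


def start_local_listener():
    """Start a throwaway listener on 127.0.0.1 and return its port (self-test only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def unused_local_port():
    """Reserve and release a loopback port so that connecting to it is refused (self-test only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print("local listener:", tcp_check("127.0.0.1", start_local_listener()))
    print("closed port:", tcp_check("127.0.0.1", unused_local_port()))
    # From ECS01, once the procedure is complete:
    # print(tcp_check(NLB_DNS_NAME, LISTENER_PORT))
```

Run the real check from ECS01 with the NLB DNS name and listener port substituted; a result of "timeout" is the signal to go back to Steps 5 to 7 and verify the routes in both directions.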