Add on-premises servers to an ALB instance within the same region - Server Load Balancer

This topic describes how to add on-premises servers in a data center to an Application Load Balancer (ALB) instance within the same region. ALB can work with transit routers of Cloud Enterprise Network (CEN) to forward requests to servers in a data center.

Sample scenario

ALB supports backend servers in data centers. This example shows how to add on-premises servers in a data center to an ALB instance within the same region.

A company created a virtual private cloud (VPC) named VPC1 in the China (Chengdu) region. An Internet-facing ALB instance is created in VPC1. The company wants the ALB instance to forward requests to on-premises servers in a data center in the China (Chengdu) region.

To meet this requirement, the company can use CEN to connect VPC1 and a virtual border router (VBR) to the transit router in the China (Chengdu) region. The data center is connected to Alibaba Cloud through the VBR. The ALB instance can forward requests to the data center by using transit routers. In this solution, the on-premises servers in the data center are added to the ALB instance as backend servers.

Limitations

Note

Alibaba Cloud has upgraded ALB at 00:00:00 on February 25, 2025 (UTC+8). ALB instances created at or after 00:00:00 on February 25, 2025 (UTC+8) are automatically upgraded versions. For more information, see ALB instance upgrade.
The ALB instance referred to in this topic is an upgraded ALB instance. If you want to use a non-upgraded ALB instance, refer to this user guide: How do I implement this use case with a non-upgraded ALB instance?

Backend servers

The server group to contain a backend server deployed in a different region must be of the IP address type.
You can add only private IP addresses. Public IP addresses are not supported.
If you want to specify IPv6 addresses as backend servers, IPv6 must be enabled for the server group. Take note of the following items:
- Only when IPv6 is enabled for the VPC where the server group is deployed, IPv6 can be enabled for the serve group.
- You can specify IPv6 addresses in listeners or forwarding rules for only dual-stack upgraded ALB instances. Non-upgraded instances do not support this feature.
- After IPv6 is enabled for the server group, only IPv6 addresses within the CIDR range of the VPC can be specified. Remote IP address are not supported.

Traffic forwarding between ALB and backend servers

If you configure an Enterprise Edition transit router for your ALB service, the transit router will create an elastic network interface (ENI) within a vSwitch in the zone you specify. The ENI works as the ingress of the transit router for receiving traffic from the VPC. Therefore, ensure that there is at least a vSwitch available in the zone you select. For more details, see How transit routers work.
You cannot customize routing tables in the VPC where your ALB service is deployed for traffic forwarding between ALB and backend servers. Only system routing tables are allowed.

Prerequisites

A VPC (VPC1) is created in the China (Chengdu) region, with vSwitches VSW1 and VSW2 created in Zone A and Zone B, respectively.

Click to view the planned network segments in this example. You can plan network segments based on your business requirements. Ensure that they do not overlap with each other.

China (Chengdu)	vSwitch	vSwitch zone	CIDR block
VPC1 Primary CIDR block: 172.16.0.0/12	VSW1	Zone A	172.16.0.0/24
VPC1 Primary CIDR block: 172.16.0.0/12	VSW2	Zone B	172.16.6.0/24
VBR	N/A	N/A	IPv4 address on the customer side: 10.0.0.2/30 IPv4 address on the Alibaba Cloud side: 10.0.0.1/30
Data center	VSW3	N/A	192.168.20.0/24

An Elastic Compute Service (ECS) instance is deployed within VSW1 in VPC1. Applications are hosted on the ECS instance. In this example, the ECS instance is named ECS01.
Click to view the commands to deploy a sample application on ECS01
```
yum install -y nginx
systemctl start nginx.service
cd /usr/share/nginx/html/
echo "Hello World ! This is c****u ECS01." > index.html
```
An ALB instance is created in VPC1. For more information, see Create and manage an ALB instance.
A custom domain name is registered, an Internet content provider (ICP) number is obtained for the domain name, and a CNAME record is created to map the domain name to the domain name of your ALB instance.
A CEN instance is created, and a transit router is deployed in the China (Chengdu) region.
A connection over an Express Connect circuit is established and a VBR is created. For more information, see Classic mode and Create and manage a VBR.
An on-premises server for testing this use case is created in your data center. In this example, the server is named ECS02. Applications are hosted on ECS02.
Click to view the commands to deploy a sample application on ECS02
```
yum install -y nginx
systemctl start nginx.service
cd /usr/share/nginx/html/
echo "Hello World ! This is h****z ECS02." > index.html
```

Procedure

Step 1: Create a server group for the ALB instance

Create a server group of the IP address type and add the IP addresses of ECS01 and ECS02 to the server group as backend servers.

Log on to the ALB console.
In the top navigation bar, select the region where the ALB instance resides. In this example, China (Chengdu) is selected.
In the left-side navigation pane, choose ALB > Server Groups.

On the Server Groups page, click Create Server Group. In the Create Server Group panel, configure the parameters, and click Create.

The following table describes only the parameters that are relevant to this topic. You can use the default values for the other parameters. For instructions on configuring all parameters, see Create and manage a server group.

Parameter	Description
Server Group Type	Select IP, which allows adding IP addresses of servers that are not deployed in the VPC as backend servers.
VPC	Select VPC1.
Backend Server Protocol	Select HTTP. Note Only server groups whose Backend Server Protocol is HTTP can be specified in HTTPS listeners for basic ALB instances.
Scheduling Algorithm	Keep the default value Weighted Round-robin. For detailed information about the scheduling algorithms, see SLB scheduling algorithms.

In the dialog box that is displayed, click Add Backend Server.
In the Add Backend Server panel, enter the private IP address of ECS01, click Next, set Port and Weight, and click OK.
Specify the port used by the backend server to provide services for Port. In this example, 80 is specified. Keep the default value for Weight.
Click Add IP Address. In the Add Backend Server panel, enter the private IP address of ECS02, enable Remote IP, click Next, set Port and Weight, and click OK. In this example, specify 80 for Port and keep the default value for Weight.
With Remote IP enabled, IP addresses within the following CIDR ranges can be added as backend servers:
- 10.0.0.0/8
- 100.64.0.0/10
- 172.16.0.0/12
- 192.168.0.0/16
When Remote IP is disabled, only IP addresses within the CIDR range of the VPC can be added.

Step 2: Create a listener for the ALB instance

Log on to the ALB console.
In the top navigation bar, select the region where the ALB instance resides. In this example, China (Chengdu) is selected.
On the Instances page, find the ALB instance and click Create Listener in the Actions column.

On the Configure Server Load Balancer page, in the Configure Listener step, configure the parameters and click Next. The following table describes only key parameters. You can use the default values for the other parameters.

Parameter	Description
Listener Protocol	Select HTTP.
Listener Port	Specify the port on which the ALB instance listens. The ALB instance listens for requests on the specified port and then forwards the requests to backend servers. Valid values: 1 to 65535. In this example, `80` is specified.

In the Select Server Group step, select IP from the drop-down list in the Server Group section, select the server group that you created in Step 1, and click Next.
In the Configuration Review step, confirm the configurations and click Submit.

Step 3: Attach the VPC to the CEN instance

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you created.
On the Basic Information > Transit Router tab, find the transit router that you want to use and click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, configure the parameters and click OK. The following table describes only key parameters. You can use the default values for the other parameters. For instructions on configuring all parameters, see Use an Enterprise Edition transit router.

Parameter	Description
Instance Type	In this example, Virtual Private Cloud (VPC) is selected.
Region	Select the region where the network instance is deployed. In this example, China (Chengdu) is selected.
Network Instance	Select the ID of the VPC that you want to attach to the CEN instance. In this example, VPC1 is selected.
VSwitch	Select vSwitches that are deployed in zones supported by Enterprise Edition transit routers. In this example, VSW1 and VSW2 are selected.

Step 4: Attach the VBR to the CEN instance

After you attach VPC1 to the CEN instance, click Create More Connections.

On the Connection with Peer Network Instance page, configure the parameters and click OK. The following table describes parameters that are relevant to this topic. You can use the default values for the other parameters. For instructions on configuring all parameters, see Connect a VBR to an Enterprise Edition transit router.

Parameter	Description
Instance Type	In this example, Virtual Border Router (VBR) is selected.
Region	Select the region where the network instance is deployed. In this example, China (Chengdu) is selected.
Network Instance	Select the ID of the VBR that you want to attach to the CEN instance. In this example, the VBR deployed in the China (Chengdu) region is selected.

Step 5: Add routes to the system route table of VPC1

Check whether the system route table of VPC1 contains a route that directs traffic whose destination is the CIDR block of the on-premises server to the transit router. If no such route exists, perform the following operations to add a route.

Note

Network traffic between an ALB instance and its backend servers can be forwarded only based on the system route table. Forwarding based on VPC custom route tables is not supported.

Log on to the VPC console.
On the VPCs page, click the ID of VPC1.
On the details page of VPC1, click the Resources tab and click the number below Route Table.
On the Route Tables page, find the route table whose Route Table Type is System and click its ID.
On the details page of the route table, choose Route Entry List > Custom Route and click Add Route Entry.

In the Add Route Entry panel, configure the parameters by referring to the following table and click OK.

Parameter	Description
Destination CIDR Block	Enter the destination CIDR block. In this example, the CIDR block of the on-premises server is entered, which is `192.168.20.0/24`.
Next Hop Type	Select a type of next hop. In this example, Transit Router is selected.
Transit Router	Select a transit router. In this example, the transit router to which VPC1 is attached in Step 3 is selected.

Step 6: Add VBR routes

Add a route that points to the data center to the route table of the VBR.

Log on to the Express Connect console.
In the top navigation bar, select the region where the VBR resides and click Virtual Border Routers (VBRs) in the left-side navigation pane.
On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to use.
On the details page of the VBR, click the Routes tab and click Add Route.

In the Add Route panel, configure the parameters by referring to the following table and click OK.

Parameter	Description
Next Hop Type	Select a type of next hop. In this example, Physical Connection Interface is selected.
Destination CIDR Block	In this example, the CIDR block of the on-premises server is entered, which is `192.168.20.0/24`.
Next Hop	Select an Express Connect circuit.

Step 7: Add routes to the route table of the on-premises server

View the CIDR blocks of the vSwitches to which the ALB instance is connected, and add routes for directing traffic to the vSwitches to the on-premises server.

Note

After a VPC is connected to a transit router, the transit router can learn all routing information on the vSwitches in the VPC. You don't need to add routes for directing traffic to the vSwitches to which ALB is connected, to the route table of the transit router.

View the CIDR blocks of the vSwitches to which the ALB instance is connected.
1. Log on to the VPC console.
2. In the top navigation bar, select the region where VPC1 resides. In this example, China (Chengdu) is selected.
3. On the VPCs page, click the ID of VPC1.
4. On the VPC details page, click the Resource Management tab and click the number below vSwitch.
5. On the vSwitch page, find the vSwitches to which the ALB instance is connected, and copy their CIDR blocks.
Add routes for directing traffic to ALB to the route table of the on-premises server.
On the gateway of the on-premises server, add routes whose destination is the CIDR block of the vSwitches connected to the ALB instance. The following code shows an example. If the ALB instance is connected to multiple vSwitches, repeat the preceding operations to specify all CIDR blocks.
Note
The route configuration is for reference only. The configuration may vary based on the gateway device.
```
ip route 172.16.0.XX/24 255.255.255.0 <The VBR IP address on the Alibaba Cloud side>
ip route 172.16.6.XX/24 255.255.255.0 <The VBR IP address on the Alibaba Cloud side>
```

Step 8: Test the load balancing effect

Test the network connectivity between ALB and the backend servers.
Access the custom domain name of your service in the browser of a local PC, for example, http://<Domain name>. Refresh the page for several times. You can see that the client receives responses as expected. The accessed server alternates between ECS01 and ECS02.
Simulate a backend server failure, and test ALB.
1. Run the systemctl stop nginx.service command to stop the application deployed on ECS01.
2. Access the custom domain name of your service in the browser of the local PC, for example, http://<Domain name>. You can see that the client still receives responses as expected. This indicates that load balancing is implemented between the cloud-based server and on-premises server by using ALB.

FAQs

How do I implement this use case with a non-upgraded ALB instance?

The procedure for a non-upgraded ALB instance is basically the same as the procedure described above, except for Step 7.

Limitations
Backend servers
- Remote IP addresses can be added as backend servers in these regions and zones: Regions and zones.
- Only server groups of the IP type support adding backend servers deployed across regions.
- You can add only private IP addresses. Public IP addresses are not supported.
- You cannot add an ALB instance, a Network Load Balancer (NLB) instance, or a Classic Load Balancer (CLB) instance in the same VPC as a backend server.
Traffic forwarding between ALB and backend servers
- You can use Enterprise Edition transit routers and Express Connect circuits for cross-region forwarding. Basic Edition transit routers are not supported.
  If you configure an Enterprise Edition transit router for your ALB service, the transit router will create an ENI within a vSwitch in the zone you specify. The ENI works as the ingress of the transit router for receiving traffic from the VPC. Therefore, ensure that there is at least a vSwitch available in the zone you select. For more details, see How transit routers work.
- Make sure that no loops exist. ALB adds the ALICLOUD-ALB-TRACE HTTP header to each request to detect loops. If a loop is detected, ALB stops forwarding requests to backend servers and returns the 463 status code in case a network storm arises and exhausts all resources.
- For the same CEN instance, each region can have only one VPC in which one or more ALB instances use backend servers deployed in different regions.
  ALB instances in different VPCs within the same region cannot use the same transit router to access backend servers.
  ALB instances in different VPCs within the same region cannot use different transit routers to access the same backend server.
- Network traffic between an ALB instance and its backend servers can be routed based only on the system route table. VPC custom route tables are not supported.

Step 7: Add back-to-origin routes

View the back-to-origin route of the ALB instance, and add the back-to-origin route to the transit router associated with VPC1 and the data center.

View the back-to-origin route.
1. Log on to the ALB console.
2. In the top navigation bar, select the region where the ALB instance resides. In this example, China (Chengdu) is selected.
3. On the Instances page, click the ID of the ALB instance.
4. On the Instance Details page, click View next to Back-to-prigin Route.

Add the back-to-origin routes of the ALB instance to the transit router associated with VPC1.

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you created.
On the Basic Information > Transit Router tab, click the ID of the transfer router that is associated with VPC1.
On the Route Table tab, click the ID of the route table to which you want to add the back-to-origin route, click the Route Entry tab, and click Add Route Entry.

In the Add Route Entry dialog box, configure the parameters by referring to the following table and click OK.

Parameter	Description
Route Table	By default, the current route table is selected.
Transit Router	By default, the current transit router is selected.
Destination CIDR Block	Enter the destination CIDR block of the route. In this example, the destination CIDR block of the back-to-origin route of the ALB instance is entered. If the ALB instance has multiple back-to-origin routes, repeat the preceding operations to add all back-to-origin routes.
Blackhole Route	Select No.
Next Hop	Select a next hop. In this example, the transit router to which VPC1 is connected is selected.

Add the back-to-origin routes of the ALB instance to the data center.
Add the back-to-origin route of the ALB instance to the gateway of the on-premises server. Refer to the following sample code. If the ALB instance has multiple back-to-origin routes, repeat the preceding operations to add all of the back-to-origin routes.
Note
The route configuration in the sample code is for reference only. The configuration may vary based on the gateway device.
```
ip route 100.XX.XX.0/25 255.255.255.128 The VBR IP address on the Alibaba Cloud side
```

Do both Internet-facing and internal-facing ALB instances support adding on-premises servers as backend servers?

Yes, both of them support this feature.

References

To specify backend servers in a VPC in a different region, see Specify a backend server located in a VPC in a different region for ALB.
To use NLB to implement the same use cases, see Add on-premises servers to an NLB instance within the same region and Add backend servers in VPCs to NLB across regions.