Connect an NLB instance to a same-region data center - Server Load Balancer

Use Network Load Balancer (NLB) with Cloud Enterprise Network (CEN) to forward traffic from your virtual private cloud (VPC) to on-premises servers in a data center. This lets you include data center servers as NLB backend servers without migrating workloads to the cloud.

How it works

NLB identifies backend servers by private IP address. To reach on-premises servers, NLB routes traffic through a CEN transit router and a virtual border router (VBR), which connects your VPC to the data center over an Express Connect circuit.

The following diagram shows the architecture used in this guide. VPC1 is deployed in the China (Hangzhou) region and hosts an NLB instance. The on-premises data center connects to Alibaba Cloud through a VBR attached to the transit router. With this setup, the NLB instance forwards requests to data center servers as backend servers.

Network planning

Plan your CIDR blocks based on your requirements. Make sure that no CIDR blocks overlap.

Resource	Zone	CIDR block
VPC1 (primary CIDR block: 192.168.0.0/16)	—	192.168.0.0/16
VSW1	Zone G	192.168.81.238
VSW2	Zone J	192.168.27.21
Data center (VSW3)	N/A	172.16.6.0/24

VBR gateway addresses:

Alibaba Cloud side: 10.0.0.1
Customer side: 10.0.0.2
Subnet mask: 255.255.255.252

Limitations

On-premises servers must use private IP addresses. Public IP addresses are not supported.
Traffic between an NLB instance and its backend servers uses the system route table only. VPC custom route tables are not supported.
On-premises servers can be added to both internal-facing and Internet-facing NLB instances.
If you use an Enterprise Edition transit router, specify at least one vSwitch in each zone of the transit router so that traffic can be routed from the VPC to the transit router. For supported regions and zones, see Regions and zones that support Enterprise Edition transit routers.

Prerequisites

Before you begin, ensure that you have:

A VPC (VPC1) created in the China (Hangzhou) region, with two vSwitches: VSW1 in Zone G and VSW2 in Zone J. See Create and manage a VPC.
An NLB instance created in VPC1. See Create and manage an NLB instance.
An Elastic Compute Service (ECS) instance (ECS01) running in VPC1 with an application deployed, used to test access to the data center. See Create an instance by using the wizard.
A CEN instance with an Enterprise Edition transit router created in the China (Hangzhou) region. See Create a CEN instance and Create a transit router.
An Express Connect circuit established and a VBR created. See Create and manage a dedicated connection over an Express Connect circuit and Create and manage a VBR.

Step 1: Create a server group

Create an IP-type server group and add the on-premises server's private IP address as a backend server.

Important

Enter a private IP address for the on-premises server. Public IP addresses are not supported.

Log on to the NLB console.
In the top navigation bar, select the region where the NLB instance is deployed. In this example, China (Hangzhou) is selected.
In the left-side navigation pane, choose NLB > Server Groups.
On the Server Groups page, click Create Server Group.
In the Create Server Group dialog box, configure the parameters and click Create. The following table describes the key parameters. Use default values for all other parameters. For the full parameter reference, see Create a server group.
Parameter Description
Server Group Type Select IP.
Server Group Name Enter a name for the server group.
VPC Select VPC1.
Backend Server Protocol Select TCP.
Scheduling Algorithm Select Weighted Round-robin.
In the Server group created. dialog box, click Add Backend Server.
On the Backend Servers tab, click Add IP Address.
In the Add Backend Server panel, enter the private IP address of the on-premises server and click Next. In this example, 172.16.6.5 is used.
In the Ports/Weights step, set the port and weight for the IP address, click OK, and then click Close. In this example, port 80 is used with the default weight.

Parameter	Description
Server Group Type	Select IP.
Server Group Name	Enter a name for the server group.
VPC	Select VPC1.
Backend Server Protocol	Select TCP.
Scheduling Algorithm	Select Weighted Round-robin.

Step 2: Create a listener

Log on to the NLB console.
In the top navigation bar, select the region where the NLB instance is deployed. In this example, China (Hangzhou) is selected.
In the left-side navigation pane, choose NLB > Instances.
On the Instances page, click the ID of the NLB instance in VPC1.
Click the Listener tab, then click Quick Create Listener.
In the Quick Create Listener dialog box, configure the parameters and click OK.
Parameter Description
Listener Protocol Select TCP.
Listener Port Enter 80.
Server Group Select IP and the server group created in Step 1.

Parameter	Description
Listener Protocol	Select TCP.
Listener Port	Enter `80`.
Server Group	Select IP and the server group created in Step 1.

Step 3: Attach VPC1 to the CEN instance

Log on to the CEN console.
On the Instances page, click the ID of the CEN instance.
On the Basic Information > Transit Router tab, find the transit router and click Create Connection in the Actions column.

On the Connect with Peer Network Instance page, configure the parameters and click OK.

Parameter	Description
Instance Type	Select VPC.
Region	Select China (Hangzhou).
Transit Router	Automatically selected for the chosen region.
Resource Owner ID	Select Current Account.
Billing Method	Select Pay-As-You-Go.
Network Instance	Select VPC1.
vSwitch	Select the vSwitches in the zones of the Enterprise Edition transit router. In this example, Zone H and Zone J are selected.

Step 4: Attach the VBR to the CEN instance

After connecting VPC1 to the transit router, click Create More Connections.

On the Connect with Peer Network Instance page, configure the parameters and click OK.

Parameter	Description
Instance Type	Select Virtual Border Router (VBR).
Region	Select China (Hangzhou).
Transit Router	Automatically selected for the chosen region.
Resource Owner ID	Select Current Account.
Network Instance	Select the VBR deployed in the China (Hangzhou) region.

Step 5: Add a route to the system route table of VPC1

Add a route in VPC1's system route table so that traffic destined for the data center is forwarded to the transit router.

Note

Traffic between an NLB instance and its backend servers uses the system route table only. VPC custom route tables are not supported.

Log on to the VPC console.
In the top navigation bar, select China (Hangzhou).
On the VPC page, click the ID of VPC1.
On the VPC details page, click the Resources tab, then click the number under Route Table.
On the Route Tables page, find the route table with Route Table Type set to System and click its ID.
On the route table details page, choose Route Entry List > Custom Route and click Add Route Entry.

In the Add Route Entry panel, configure the parameters and click OK.

Parameter	Description
Destination CIDR Block	Enter `172.16.6.0/24` (the CIDR block of the on-premises data center).
Next Hop Type	Select Transit Router.
Transit Router	Select the VPC1 connection created in Step 3.

Step 6: Add a route to the VBR

Add a route in the VBR that points to the data center's CIDR block.

Log on to the Express Connect console.
In the top navigation bar, select a region, then click Virtual Border Routers (VBRs) in the left-side navigation pane.
On the Virtual Border Routers (VBRs) page, click the ID of the VBR.
On the VBR details page, click the Routes tab and click Add Route.
In the Add Route panel, configure the parameters and click OK.
Parameter Description
Next Hop Type Select Physical Connection Interface.
Destination CIDR Block Enter 172.16.6.0/24.
Next Hop Select the Express Connect circuit.

Parameter	Description
Next Hop Type	Select Physical Connection Interface.
Destination CIDR Block	Enter `172.16.6.0/24`.
Next Hop	Select the Express Connect circuit.

Step 7: Add routes on the on-premises gateway device

Add routes on the on-premises gateway device that point to the CIDR blocks of the vSwitches associated with the NLB instance. This lets the data center send return traffic back through the VBR.

Note

After VPC1 is attached to the transit router, the transit router automatically learns all vSwitch routes from VPC1. No additional routes are needed on the transit router side.

Find the vSwitch CIDR blocks:

Log on to the VPC console.
In the top navigation bar, select China (Hangzhou).
On the VPC page, click the ID of VPC1.
On the VPC details page, click the Resource Management tab, then click the number under vSwitch.
On the vSwitch page, find the vSwitches associated with the NLB instance and record their CIDR blocks.

Add routes on the gateway device:

On the on-premises gateway device, add a route for each vSwitch CIDR block. The following are sample configurations — actual commands may vary depending on your gateway device.

ip route 192.168.81.238 255.255.255.0 The address of the VBR at the Alibaba Cloud side
ip route 192.168.27.21 255.255.255.0 The address of the VBR at the Alibaba Cloud side

If the NLB instance is associated with additional vSwitches, add a route for each one.

Step 8: Test network connectivity

Log on to ECS01 in VPC1.
Run the following command to verify that ECS01 can reach the on-premises server through the NLB instance:
```
telnet nlb-ygfajln3bwbfs3****.cn-hangzhou.nlb.aliyuncsslbintl.com 80
```
Replace the domain name with the actual NLB instance domain name. If you receive an echo reply, the connection is working.

Server Load Balancer:Connect an NLB instance to a same-region data center