You can use an Express Connect circuit that connects to an Alibaba Cloud access point to connect a data center to a virtual private cloud (VPC) that belongs to a different account and region.
Scenario
An enterprise creates an Alibaba Cloud account (Account A), and then creates a VPC named VPC1 in the China (Hangzhou) region with Account A. The enterprise has a data center deployed in the same region. The private CIDR block of the data center is 172.16.0.0/12 and the private CIDR block of VPC1 is 192.168.0.0/16. The enterprise uses Account A to apply for an Express Connect circuit, which is used to connect the data center and VPC1. The subsidiary of the enterprise creates a RAM user (Account B), and then creates a VPC named VPC2 in the China (Beijing) region with Account B. The private CIDR block of VPC2 is 10.0.0.0/8. The subsidiary wants to connect the data center to VPC2.
In this scenario, the subsidiary can reuse the Express Connect circuit purchased by Account A to connect the data center to VPC2 that belongs to Account B.
Parameter | Account A | Account B
---|---|---
VPCs | VPC1 | VPC2
Virtual border routers (VBRs) | VBR | -
VBR-to-VPC connections | VBR-to-VPC Connection 2 (initiator) | VBR-to-VPC Connection 2 (acceptor)
Prerequisites
- Establish VBR-to-VPC Connection 1 to connect the data center to VPC1 within Account A.
- Due to security requirements, you cannot connect VBRs to VPCs that belong to a different account by default. To use this feature, contact your account manager. For more information, see Attach a VBR to a VPC that belongs to a different account.
- VPC2 is created in the China (Beijing) region and cloud resources such as Elastic Compute Service (ECS) instances are deployed in VPC2. For more information, see Create a VPC with an IPv4 CIDR block.
- You understand the security group rules of the Elastic Compute Service (ECS) instances in the virtual private cloud (VPC). Make sure that the rules allow the ECS instances to communicate with the data center. For more information, see View security group rules and Add a security group rule.
Procedure
Step 1: Apply for an Express Connect circuit and install the Express Connect circuit
Log on to the Express Connect console with Account A and apply for a dedicated Express Connect circuit or a shared Express Connect circuit pre-installed by the Express Connect partner. In this example, a dedicated Express Connect circuit is used. For more information, see Create and manage a dedicated connection over an Express Connect circuit.
Step 2: Create a VBR for the Express Connect circuit
- Log on to the Express Connect console by using Account A.
- In the top navigation bar, select the region where you want to apply for an Express Connect circuit. In this example, China (Hangzhou) is selected.
- On the Physical Connection page, find the Express Connect circuit and click its ID.
- On the Express Connect circuit details page, click the VBR tab and click Create VBR.
- In the Create VBR panel, set the following parameters and click OK.
Basic Information
- Account: Specify the Alibaba Cloud account to which the VBR belongs. The default setting is Current Account. If you select this option, the VBR is created for Account A.
- Name: Enter a name for the VBR. In this example, VBR-test is entered.
Physical Connection Information
- Physical Connection Interface: Select the type of Express Connect circuit that you want to associate with the VBR. Then, select an Express Connect circuit that is enabled and functions as expected from the drop-down list. Valid values:
  - Dedicated Physical Connection: a dedicated Express Connect circuit
  - Shared Physical Connection: a shared Express Connect circuit
  In this example, Dedicated Physical Connection is selected. Then, select the corresponding Express Connect circuit from the drop-down list.
- VLAN ID: Enter the VLAN ID of the VBR. Valid values: 0 to 2999. In this example, 0 is entered.
- Set VBR Bandwidth Value: Specify the maximum bandwidth of the VBR. In this example, 200Mb is selected.
- IPv4 Address (Alibaba Cloud Gateway): Enter an IPv4 address for the VBR to route network traffic between the VPC and the data center. IPv4 Address (Alibaba Cloud Gateway) and IPv4 Address (Data Center Gateway) must belong to the same CIDR block. In this example, 10.100.0.1 is entered.
- IPv4 Address (Data Center Gateway): Specify an IPv4 address for the gateway device in the data center to route network traffic between the VPC and the data center. In this example, 10.100.0.10 is entered.
  Note: To allow services in the VPC to access a specified gateway IP address, you must add a route to the route table of the VBR. Set the destination CIDR block of the route to the CIDR block to which the specified gateway IP address belongs and set the next hop to the Express Connect circuit. For more information about how to add a route, see Add a custom route.
- Subnet Mask (IPv4 Address): Enter the subnet mask of the IPv4 addresses that you specify for the VBR and the gateway device in the data center. You can enter a long subnet mask because only two IP addresses are required. In this example, 255.255.255.0 is entered.
- Support IPv6: Specify whether to enable IPv6 for the VBR. In this example, Disable is selected. Valid values:
  - Disable: disables IPv6. This is the default setting.
  - Enable: enables IPv6. If you select this option, you cannot disable IPv6 after the VBR is created. Set the following parameters of the VBR:
    - IPv6 Address (Alibaba Cloud Gateway): Enter an IPv6 address for the VBR to route network traffic between the VPC and the data center. The values of the IPv6 Address (Alibaba Cloud Gateway) and IPv6 Address (Data Center Gateway) parameters must belong to the same CIDR block.
    - IPv6 Address (Data Center Gateway): Enter an IPv6 address for the gateway device in the data center to route network traffic between the VPC and the data center.
    - Subnet Mask (IPv6): Enter the subnet mask of the IPv6 addresses that you specify for the VBR and the gateway device in the data center.
Step 3: Create VBR-to-VPC Connection 2 and configure health checks
- Configure cross-account VPC authorization.
- Create VBR-to-VPC Connection 2 (cross-region and cross-account).
Step 4: Add routes to the VBR
You need to add routes to the VBR to route traffic destined for the data center and VPC2. This way, the VBR can exchange data between the data center and VPC2.
Add a route to the VBR to route traffic destined for the data center
Add a route to the VBR to route traffic destined for the data center (172.16.0.0/12) to the Express Connect circuit.
- Log on to the Express Connect console by using Account A.
- In the top navigation bar, select the region where the VBR is deployed. In this example, China (Hangzhou) is selected.
- In the left-side navigation pane, click Virtual Border Routers (VBRs). On the Virtual Border Routers (VBRs) page, click the ID of the VBR.
- On the VBR details page, click Add Route.
- In the Add Route panel, set the following parameters and click OK.
  - Next Hop Type: Select the type of next hop. Valid values:
    - VPC: The VBR routes network traffic destined for the destination CIDR block to a VPC.
    - Physical Connection Interface: The VBR routes network traffic destined for the destination CIDR block to an Express Connect circuit.
    In this example, Physical Connection Interface is selected.
  - Destination CIDR Block: Enter the CIDR block of the data center. In this example, 172.16.0.0/12 is entered.
  - Next Hop: Select the ID of the next hop based on the specified next hop type. In this example, the ID of the Express Connect circuit created in Step 1 is selected.
  - Description: Enter a description for the route.
Add a route to the VBR to route traffic destined for the VPC
Add a route to the VBR to route traffic destined for VPC2 (10.0.0.0/8) to VPC2.
- Log on to the Express Connect console by using Account A.
- In the top navigation bar, select the region where the VBR is deployed. In this example, China (Hangzhou) is selected.
- In the left-side navigation pane, click Virtual Border Routers (VBRs). On the Virtual Border Routers (VBRs) page, click the ID of the VBR.
- On the VBR details page, click Add Route.
- In the Add Route dialog box, set the following parameters and click OK.
  - Next Hop Type: Select the type of next hop. Valid values:
    - VPC: The VBR routes network traffic destined for the destination CIDR block to a VPC.
    - Physical Connection Interface: The VBR routes network traffic destined for the destination CIDR block to an Express Connect circuit.
    In this example, VPC is selected.
  - Destination CIDR Block: Enter the CIDR block of VPC2. In this example, 10.0.0.0/8 is entered.
  - Next Hop: Select the ID of the next hop based on the specified next hop type. In this example, the ID of VPC2 is selected.
  - Description: Enter a description for the route.
Step 5: Add routes to VPC2
You need to add routes to VPC2 to route traffic destined for the data center (172.16.0.0/12) to the VBR.
- Log on to the Express Connect console by using Account B.
- In the top navigation bar, select the region where VPC2 is deployed. In this example, China (Beijing) is selected.
- In the left-side navigation pane, choose .
- On the VBR-to-VPC page, find the acceptor VBR that you want to manage in the Acceptor column and click Route Settings.
- In the Basic Information panel, click Add Route.
- In the Add Route dialog box, set Destination CIDR Block to 172.16.0.0/12 and click OK.
Step 6: Configure routes and health checks on the data center side
You need to add routes that point to VPC2 to the gateway device in the data center. This way, the gateway device can exchange data between the data center and VPC2. You also need to add routes to route health check probe packets to Alibaba Cloud, configure health checks, and associate the routes with health checks so that traffic can be routed over two redundant connections.
- Add routes to the gateway device in the data center.
The configuration commands may vary based on the gateway device. The following example is for reference only. For more information about the configuration commands, consult the vendor of your gateway device.
```
# Add a route that sends traffic destined for VPC2 (10.0.0.0/8, mask 255.0.0.0)
# to the VBR gateway address configured in Step 2 (IPv4 Address (Alibaba Cloud Gateway): 10.100.0.1).
ip route 10.0.0.0 255.0.0.0 10.100.0.1
```
- Configure health checks on the data center side. For more information, see Configure and manage health checks.
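Steps 4 to 6 each add one route on a different device, and a ping failure in Step 7 rarely says which of the three tables is missing its entry. The following Python script is an added example (not Alibaba Cloud code, and not part of the original page) that models the three route tables from this scenario with the page's own CIDR blocks and gateway addresses, applies the Step 2 rule that both interconnect gateway addresses must share one CIDR block, and traces a packet hop by hop with longest-prefix matching in both directions before you test on real hardware. The hop labels ("VBR", "VPC2", "data_center_gateway", "physical_connection") and the sample destination addresses are constructed for the example; the trace also shows why the /24 interconnect subnet, which lies inside VPC2's 10.0.0.0/8, is still matched before the /8 route.

```python
import ipaddress

# Values taken from this page's scenario (constructed inputs for the check):
# data center 172.16.0.0/12, VPC2 10.0.0.0/8, VBR interconnect 10.100.0.1 (Alibaba Cloud
# gateway) and 10.100.0.10 (data center gateway) with subnet mask 255.255.255.0.
DATA_CENTER_CIDR = "172.16.0.0/12"
VPC2_CIDR = "10.0.0.0/8"
INTERCONNECT_CIDR = "10.100.0.0/24"
VBR_GATEWAY = "10.100.0.1"
DC_GATEWAY = "10.100.0.10"
INTERCONNECT_MASK = "255.255.255.0"


def vbr_gateways_share_subnet(cloud_gw, dc_gw, mask):
    """Step 2 rule: the two gateway addresses must be distinct and lie in the same CIDR block."""
    cloud_gw, dc_gw = ipaddress.ip_address(cloud_gw), ipaddress.ip_address(dc_gw)
    subnet = ipaddress.ip_network(f"{cloud_gw}/{mask}", strict=False)
    return cloud_gw != dc_gw and dc_gw in subnet


def vlan_id_valid(vlan_id):
    """Step 2 rule: the VBR VLAN ID must be in the range 0 to 2999."""
    return 0 <= vlan_id <= 2999


# Route tables modelled as (destination CIDR, next hop label). A label that names another
# table ("VBR", "VPC2", "data_center_gateway") lets trace() follow the packet to that table.
ROUTE_TABLES = {
    "data_center_gateway": [
        (INTERCONNECT_CIDR, "connected"),          # directly connected link to the VBR
        (DATA_CENTER_CIDR, "local"),               # the data center's own prefix
        (VPC2_CIDR, "VBR"),                        # Step 6: ip route 10.0.0.0 255.0.0.0 10.100.0.1
    ],
    "VBR": [
        (INTERCONNECT_CIDR, "connected"),          # the VBR's own interconnect subnet
        (DATA_CENTER_CIDR, "physical_connection"), # Step 4: next hop is the Express Connect circuit
        (VPC2_CIDR, "VPC2"),                       # Step 4: next hop is VPC2
    ],
    "VPC2": [
        (VPC2_CIDR, "local"),                      # VPC2's system route for its own CIDR block
        (DATA_CENTER_CIDR, "VBR"),                 # Step 5: route in VPC2 that points to the VBR
    ],
}


def lookup(table_name, dst):
    """Longest-prefix match over one route table; returns the next hop label or None."""
    dst = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in ROUTE_TABLES[table_name]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def trace(start_table, dst):
    """Follow next hops from a starting table until the packet is delivered locally or dropped."""
    path = [start_table]
    table = start_table
    for _ in range(8):                             # bound the walk in case of a routing loop
        hop = lookup(table, dst)
        if hop is None:
            path.append("unroutable")
            return path
        if hop in ("local", "connected"):
            path.append(hop)
            return path
        if hop == "physical_connection":           # the circuit terminates on the data center gateway
            hop = "data_center_gateway"
        path.append(hop)
        table = hop
    path.append("loop")
    return path


if __name__ == "__main__":
    print("gateways share subnet:", vbr_gateways_share_subnet(VBR_GATEWAY, DC_GATEWAY, INTERCONNECT_MASK))
    print("data center -> VPC2:", trace("data_center_gateway", "10.1.2.3"))
    print("VPC2 -> data center:", trace("VPC2", "172.16.1.10"))
    print("VBR next hop for the data center gateway:", lookup("VBR", DC_GATEWAY))
```

Removing any one of the three Step 4 to Step 6 routes from ROUTE_TABLES makes the corresponding trace end in "unroutable" at the table that lost the entry, which is the same information a failed ping in Step 7 hides. The lookup for 10.100.0.10 from the VBR returns "connected" rather than "VPC2" because the /24 interconnect prefix is longer than the /8 VPC2 prefix, so the gateway pair keeps working even though it sits inside VPC2's address space.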
Step 7: Test network connectivity
After you perform the preceding steps, you must test the connectivity of the Express Connect circuit.
- Open the command-line interface (CLI) on a computer in the data center.
- Run the ping command to verify the connectivity between the data center and an ECS instance in VPC2 (10.0.0.0/8). If echo reply packets are returned, the data center is connected to VPC2.