All Products
Search
Document Center

Express Connect:Connect an on-premises data center to a VPC by using an Express Connect circuit

最終更新日:Feb 01, 2024

You can connect an on-premises data center to a virtual private cloud (VPC) on Alibaba Cloud by using an Express Connect circuit. This way, the data center and the VPC can exchange data by using private connections.

Scenario

As shown in the following figure, an enterprise has a data center in Hangzhou, China, and deploys a VPC in the China (Hangzhou) region. In this case, the enterprise needs to apply for an Express Connect circuit to connect the data center to the VPC.

通过高速通道实现本地IDC与云上VPC互通

Configuration item

IP address/CIDR block

CIDR block of the VPC

192.168.0.0/16

CIDR block of the data center

172.30.0.0/24

Peer IP addresses that are configured on the virtual border router (VBR)

  • IP address (Alibaba Cloud gateway): 10.0.0.1/30

  • IP address (data center gateway): 10.0.0.2/30

  • Subnet mask: 255.255.255.252

Health check configurations

  • Source IP address: 172.16.0.2

  • Destination IP address: 10.0.0.2

Prerequisites

  • A VPC is created in the China (Hangzhou) region. For more information, see Create a VPC with an IPv4 CIDR block.

    Note

    Before you connect a VPC to an Enterprise Edition transit router, make sure that the VPC has at least one vSwitch in a zone that supports Enterprise Edition transit routers. The vSwitch must have at least one idle IP address. In this example, the transit router is deployed in the China (Hangzhou) region, and the supported zones are Zone H and Zone I.

  • An access point of an Express Connect circuit is chosen, and a pre-installation site survey is completed by your connectivity provider. For more information, see Preparations.

  • You have read and understand the billing rules of dedicated Express Connect circuits. For more information, see Billing overview.

  • A Cloud Enterprise Network (CEN) instance is created. For more information, see Create a CEN instance.

  • An Enterprise Edition transit router is created in the region where the VPC resides. For more information, see Create a transit router.

Configuration process

配置流程

Step 1: Apply for an Express Connect circuit and install it

  1. Log on to the Express Connect console

  2. In the top navigation bar, select a region.

  3. Apply for an Express Connect circuit.

    1. On the Physical Connection page, click Create Physical Connection.

    2. You can create a physical connection only after you enable billing for outbound data transfer. You can perform the following steps to enable billing for outbound data transfer. If billing for outbound data transfer has already been enabled, skip the steps.

      1. In the Sign Agreement dialog box, read and select the agreement on billing for outbound data transfer, and then click Continue.

      2. On the page that appears, read and select Terms of Service, and then click Enable Now.

      3. Go back to the homepage of the Express Connect console. On the Physical Connection page, click Create Physical Connection.

    3. Configure the following parameters and click OK.

      Note

      The Connection Status column displays the actual status of a Express Connect circuit only after the Express Connect circuit is installed and paid. Otherwise, the Connection Status column displays Down.

      Parameter

      Description

      Region

      Select the region where you want to create a connection over the Express Connect circuit. In this example, China (Hangzhou) is selected.

      Leased Line Provider

      Select a connectivity provider. The access points that you can choose vary based on the connectivity provider. In this example, China Mobile is selected.

      Important
      • If you choose China Unicom, China Telecom, or China Mobile as the connectivity provider, you can lease lines only from the selected connectivity provider. You are not allowed to lease lines from other connectivity providers.

      • If you choose China Unicom, China Telecom, or China Mobile as the connectivity provider, bare optical fibers are not supported.

      Access Point

      Select the access point that is nearest to your data center. In this example, Hangzhou-Xiaoshan-D is selected.

      Access points are Alibaba Cloud data centers that are located in different regions. The access points allow you to connect your data center to Alibaba Cloud from different geographical locations and support different connection types. Each region contains one or more access points. For more information, see Locations of access points.

      Port Type

      Select a port type. Valid values:

      • 100 GE Single-mode Optical Port

      • 40 GE Single-mode Optical Port

      • 1 GE Single-Mode Optical Port

      • 10 GE Single-Mode Optical Port

      The resource occupation fees vary based on the port type. Choose the port type that best meets your business requirements. In this example, 1 GE Single-Mode Optical Port is selected.

      Resource Group

      Select the resource group to which the Express Connect circuit belongs from the drop-down list.

      You can click Manage Resource Group to create or modify a resource group in the Resource Management console. For more information, see Create a resource group.

      Tags

      Tag Key

      Enter a complete tag key.

      You can specify up to 20 tag keys. A tag key can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://.

      Tag Value

      Enter a complete tag value.

      You can specify up to 20 tag values. A tag value can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://.

      Redundant Physical Connection ID

      Specify a redundant Express Connect circuit in the same region to configure an equal-cost multi-path (ECMP) routing. In this example, None is selected.

  4. Apply for a Letter of Authorization (LOA).

    Note
    • To obtain information such as the location of the data center and device ports, submit a ticket .

    • After the port of an Express Connect circuit is created, the system automatically allocates resources. You can apply for an LOA only after resources are allocated.

    1. On the Physical Connection page, find the Express Connect circuit and click Apply for LOA in the Actions column.

    2. In the Apply for LOA panel, enter the information about the construction and the field engineers. Then, click OK.

    3. In the Notes dialog box, read the notes and click OK.

      After you apply for an LOA, the Status of the Express Connect circuit changes to In Application. Alibaba Cloud reviews your application within two business days. After your application is approved, the Status of the Express Connect circuit changes to Approved LOA. You can download the LOA file from the console.

      Note

      If the access point is deployed outside the Chinese mainland, Alibaba Cloud reviews your application within three business days.

  5. Install the Express Connect circuit.

    1. On the Physical Connection page, find the Express Connect circuit and click View LOA in the View LOA column.

    2. In the View LOA panel, click Download to download the LOA file.

    3. Contact the connectivity provider to connect the Express Connect circuit to the access device in the Alibaba Cloud data center based on the LOA.

      Note
      • You must submit the LOA issued by Alibaba Cloud and send an on-site installation form to the field engineers of Alibaba Cloud one day before the connectivity provider enters the Alibaba Cloud data center. You can obtain the on-site installation form by submitting a ticket or contacting your account manager.

      • After the connectivity provider completes the installation, you can request a survey report from the connectivity provider to ensure that the Express Connect circuit functions as expected.

      • If the access point is deployed in the Chinese mainland, Alibaba Cloud engineers will assist the connectivity provider in installing the Express Connect circuit. After you click Confirm Delivery in the console, Alibaba Cloud engineers will install the fiber pigtail and connect it to the corresponding physical port.

      • If the access point is deployed outside the Chinese mainland, the connectivity provider independently completes the installation. The access device that is connected to the Express Connect circuit can be an optical distribution frame (ODF) or a patch panel. After you click Confirm Delivery in the console, Alibaba Cloud engineers will install the fiber pigtail and connect it to the corresponding physical port.

      • If the connectivity provider needs to enter the Alibaba Cloud data center after the installation is completed, contact your account manager to apply for the required permissions.

    4. After the connectivity provider installs the Express Connect circuit, contact the connectivity provider to obtain the Express Connect circuit ID, cable ID, or optical distribution frame (ODF) port specifications. Then, click Confirm Delivery on the Physical Connection page.

    5. On the Confirm Delivery page, enter the information about the Express Connect circuit and click OK.

      Then, the Status of the dedicated connection changes to Waiting for Pigtail Installation. Field engineers from Alibaba Cloud will install the fiber pigtail within two business days. After the fiber pigtail is installed, the Status of the dedicated connection changes to Pending for Pay.

      Note

      If the access point is deployed outside the Chinese mainland, field engineers from Alibaba Cloud will install the fiber pigtail within three business days.

  6. Pay the resource occupation fees.

    1. On the Physical Connection page, find the Express Connect circuit and click Pay Resource Occupation Fees in the Pay Resource Occupation Fees column.

    2. Select a subscription duration and a renewal method, click Buy Now, and then complete the payment.

    After you complete the payment, the Status of the Express Connect circuit changes to Enabled.

Step 2: Create a VBR and add a route to the VBR

After the Express Connect circuit is installed, you must create a VBR to exchange data between the VPC and the data center.

  1. Log on to the Express Connect console

  2. In the top navigation bar, select the region and then click Virtual Border Routers (VBRs) in the left-side navigation pane.

  3. Create a VBR.

    1. On the Virtual Border Routers (VBRs) page, click Create VBR.

    2. In the Create VBR panel, configure the following parameters and click OK.

      Parameter

      Description

      Account

      By default, Current account is selected.

      Name

      Enter a name for the VBR.

      Physical Connection Information

      In this example, Dedicated Physical Connection is selected. Then, select the Express Connect circuit created in Step 1: Apply for an Express Connect circuit and install it from the drop-down list.

      VLAN ID

      Enter the virtual local area network (VLAN) ID of the VBR. In this example, 0 is used.

      Set VBR Bandwidth Value

      Set the maximum bandwidth of the VBR.

      IPv4 Address (Alibaba Cloud Gateway)

      Enter an IPv4 address for the VBR to route network traffic between the VPC and the on-premises data center. In this example, 10.0.0.1/30 is used.

      IPv4 Address (Data Center Gateway)

      Enter an IPv4 address for the gateway device in the on-premises data center to route network traffic between the on-premises data center and the VPC. In this example, 10.0.0.2/30 is used.

      Subnet Mask (IPv4)

      Enter the subnet mask of the IPv4 addresses that you specified for the VBR and the gateway device in the on-premises data center. In this example, 255.255.255.252 is used.

  4. Add a route to the VBR. The route must point to the data center.

    1. On the Virtual Border Routers (VBRs) page, click the ID of the VBR to which you want to add a route.

    2. On the details page of the VBR, click the Routes tab and click Add Route.

    3. In the Add Route panel, set the following parameters and click OK.

      Parameter

      Description

      Next Hop Type

      In this example, Physical Connection Interface is selected.

      Destination CIDR Block

      Enter the CIDR block of the data center. In this example, 172.30.0.0/24 is used.

      Next Hop

      Select an Express Connect circuit. In this example, the Express Connect circuit created in Step 1: Apply for an Express Connect circuit and install it is selected.

Step 3: Attach the VBR and the VPC to a CEN instance

After you connect the VBR and the VPC to a CEN transit router, the CEN instance automatically advertises and learns routes to enable network communication between the VPC and the data center.

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Settings > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.

  4. On the Connection with Peer Network Instance page, configure the following parameters and click OK.

    Note

    If this is the first time that you attach a VPC to a transit router, the system automatically creates a service-linked role named AliyunServiceRoleForCEN. This role allows the transit router to create an elastic network interface (ENI) in a vSwitch of the VPC. For more information, see AliyunServiceRoleForCEN.

    Parameter

    Description

    Network Type

    Select the type of network instance that you want to attach to the CEN instance.

    In this example, VPC is selected.

    Region

    Select the region where the network instance is deployed.

    In this example, China (Hangzhou) is selected.

    Transit Router

    The system automatically displays the transit router in the selected region.

    Resource Owner ID

    Select the Alibaba Cloud account to which the network instance belongs.

    In this example, Current Account is selected.

    Billing Method

    By default, transit routers use the pay-as-you-go billing method.

    For more information, see Billing rules.

    Attachment Name

    Enter a name for the VPC connection.

    In this example, VPC-test is used.

    Network Instance

    Select the ID of the VPC that you want to connect.

    In this example, the VPC that you created is selected.

    vSwitch

    Select a vSwitch in a zone that supports transit routers.

    In this example, vSwitches in the zones that support transit routers are selected.

    Advanced Settings

    By default, the following three advanced features are selected: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Automatically Creates Route That Points to Transit Router and Adds to All Route Tables of Current VPC.

    In this example, the default settings are used.

  5. On the Connection with Peer Network Instance page, click Create More Connections.

  6. On the Connection with Peer Network Instance page, configure the following parameters and click OK to create a VBR connection.

    Parameter

    Description

    Network Type

    In this example, Virtual Border Router (VBR) is selected.

    Region

    Select the region where the network instance is deployed.

    In this example, China (Hangzhou) is selected.

    Transit Router

    The system automatically displays the transit router in the selected region.

    Resource Owner ID

    Select the Alibaba Cloud account to which the network instance belongs.

    In this example, Current Account is selected.

    Attachment Name

    Enter a name for the VBR connection.

    In this example, VBR-test is used.

    Network Instance

    The ID of the VBR that you want to connect.

    In this example, the VBR that you created is selected.

    Advanced Settings

    By default, the following three advanced features are selected: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Propagate Routes to VBR.

    In this example, the default settings are used.

    After the VPC connection and the VBR connection are created, you can view the details about the connections on the Intra-region Connections tab. For more information, see View network instance connections.

Step 4: Configure health checks on Alibaba Cloud

If you use the default health check settings, Alibaba Cloud sends a probe packet every 2 seconds over the Express Connect circuit from the source IP address to the destination IP address in the data center. If no responses are returned for eight consecutive probe packets, the Express Connect circuit is down.

  1. Log on to the Cloud Enterprise Network console.

  2. In the left-side navigation pane, click Health Checks.

  3. On the Health Checks page, select the region where the VBR is deployed and click Set Health Check.

    In this example, the VBR is deployed in the China (Hangzhou) region.

  4. In the Set Health Check dialog box, configure the following parameters and click OK.

    Parameter

    Description

    Instances

    Select the CEN instance to which the VBR is attached.

    Virtual Border Router (VBR)

    Select the VBR that you want to monitor.

    Source IP

    You can use one of the following methods to configure a source IP address:

    • Automatic IP Address: The system automatically assigns an IP address from the 100.96.0.0/16 CIDR block. We recommend that you select this option.

    • Custom IP Address: You can specify an available IP address that falls within the 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 CIDR block. The specified IP address must not conflict with the destination IP address, the IP address of the VBR on the Alibaba Cloud side, or the IP address of the VBR on the customer side.

    Note
    • Take note of the following rules if you select Automatic IP Address:

      • In each of the following regions, at most 16 VBRs can be automatically assigned a source IP address:

        Click to view the regions US (Silicon Valley), China (Hong Kong), US (Virginia), China (Beijing), China (Shanghai), China (Shenzhen), Singapore, China (Hangzhou), China (Heyuan), China (Chengdu), China (Zhangjiakou), Germany (Frankfurt), Malaysia (Kuala Lumpur), and UK (London), China (Qingdao), Indonesia (Jakarta), China (Hohhot), India (Mumbai), China (Guangzhou), China (Ulanqab), China (Nanjing-Local Region), Japan (Tokyo), and Australia (Sydney)

      • In the Philippines (Manila), South Korea (Seoul), China (Fuzhou-Local Region), or Thailand (Bangkok) region, at most eight VBRs can be automatically assigned a source IP address.

    • No matter which method you select, the CEN instance advertises a route whose destination CIDR block is the source IP address of the health check and the subnet mask is 32 bits in length to the VBR after the health check is configured.

      If the VBR and data center use the BGP dynamic routing protocol, the route is advertised to the data center over BGP.

    Destination IP

    Set the destination IP address to the IP address of the VBR on the customer side.

    Probe Interval (Seconds)

    Enter a time interval at which probe packets are sent during the health check. Unit: seconds.

    Valid values: 2 to 3. Default value: 2.

    Probe Packets

    Enter the number of consecutive probe packets that are sent during the health check. Unit: packets.

    Valid values: 3 to 8. Default value: 8.

    Change Route

    Specifies whether to allow the health check feature to switch to the standby route.

    This feature is enabled by default. If a redundant route is configured on the CEN instance, the health check feature immediately switches to the redundant route if an error is detected on the Express Connect circuit.

    If you disable this feature, health checks perform only probing. The health check feature does not switch to the standby route even if an error is detected on the Express Connect circuit.

    Warning

    Before you turn off Change Route, make sure that network traffic can be switched to a standby route by using other mechanisms. Otherwise, network connections are interrupted if the Express Connect circuit fails.

    Description

    Enter a description for the health check.

Step 5: Configure routes and health checks in the data center

You must configure routes and health checks in the data center, and then configure the gateway device to route network traffic based on health check results to achieve connection redundancy.

  1. Configure routes in the data center.

    The following example is for reference only. Route configurations may vary based on the gateway device.

    ip route 192.168.0.0 255.255.0.0 10.0.0.1
  2. Configure health checks in the data center.

    You can configure Bidirectional Forwarding Detection (BFD) or Network Quality Analyzer (NQA) on the gateway device in the data center to monitor the reachability of routes destined for the VBR. For more information about the configuration commands, consult the vendor of your gateway device. BFD can detect a link failure within milliseconds. We recommend that you configure BFD on your gateway device.

  3. Configure the gateway device to route network traffic based on health check results.

    Route configurations may vary based on the gateway device. For more information, consult the vendor of your gateway device.

    After you add routes, the following private connection is established: data center > Express Connect circuit > VBR > VPC.

Step 6: Test the network connectivity

You can run the ping command in the data center to verify the connectivity to the VBR and VPC.

  1. Open the command-line interface (CLI) on a server in the data center.

  2. Run the ping 10.0.0.1 command to verify the connectivity between the data center and VBR.

    If the server in the data center receives echo reply packets, the data center and the VBR are connected.

  3. Run the ping 192.168.0.10 command to verify the connectivity between the data center and VPC.

    If the server in the data center receives echo reply packets, the data center and the VPC are connected.

References