Express Connect: Establish active/active connections between a data center and Alibaba Cloud over Express Connect circuits (static routing)

Last Updated: Aug 15, 2023

This topic describes how to establish active/active connections between a data center and Alibaba Cloud over Express Connect circuits and static routing.

Scenario

In this topic, the following scenario is used as an example to describe how to establish connections. If your data center is connected to Alibaba Cloud through two Express Connect circuits, network traffic is distributed across both connections by default. If one of the Express Connect circuits is down, the other Express Connect circuit takes over to serve your workloads. This ensures service availability.

In this scenario, a company has an on-premises data center in Shanghai and creates a virtual private cloud (VPC) in the China (Shanghai) region. The private CIDR block of the on-premises data center is 172.16.0.0/12, and the CIDR block of the VPC is 192.168.0.0/16. To prevent single points of failure (SPOFs), the company needs to lease two Express Connect circuits from different connectivity providers to configure active/active failover.

Architecture

The following table describes the configurations of the virtual border routers (VBRs) connected to the Express Connect circuits.

Configuration item | VBR1 (connected to Express Connect circuit 1) | VBR2 (connected to Express Connect circuit 2)
VLAN ID | 0 | 0
IPv4 address of gateway at Alibaba Cloud side | 10.100.0.1 | 10.100.0.5
IPv4 address of gateway in data center | 10.100.0.10 | 10.100.0.6
Subnet mask (IPv4) | 255.255.255.0 | 255.255.255.0

Prerequisites

  • A VPC is created in the China (Shanghai) region, and cloud resources such as Elastic Compute Service (ECS) instances that host your business systems are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
  • You understand the security group rules of the Elastic Compute Service (ECS) instances in the virtual private cloud (VPC). Make sure that the rules allow the ECS instances to communicate with the data center. For more information, see View security group rules and Add a security group rule.

Procedure

Step 1: Create two connections over Express Connect circuits

In this example, two dedicated connections are created. For more information, see Create and manage a dedicated connection over an Express Connect circuit.

When you apply for the second Express Connect circuit, you may need to specify a redundant Express Connect circuit based on the access point.
  • If you want to connect the Express Connect circuits to the same access point, you must specify the redundant Express Connect circuit. Set the Redundant Physical Connection ID parameter to the ID of the first Express Connect circuit. This way, the Express Connect circuits will be connected to different access devices of an access point.
  • If you want to connect the Express Connect circuits to different access points, you do not need to specify the redundant Express Connect circuit. In this case, you do not need to configure the Redundant Physical Connection ID parameter.

    In this example, the Express Connect circuits are connected to different access points.

Step 2: Create VBRs for both Express Connect circuits

After you create two connections over Express Connect circuits, you need to create a VBR for each Express Connect circuit. The VBRs serve as bridges for data exchange between the data center and the VPC.

  1. Log on to the Express Connect console.
  2. In the top navigation bar, select a region.
  3. On the Physical Connection page, find Express Connect circuit 1 that you enabled and click the corresponding instance ID.
  4. On the VBR tab, click Create VBR.
  5. In the Create VBR panel, configure the parameters described in the following table and click OK.
    Parameter | Description
    Basic Information
    Account | Specify whether to use the current Alibaba Cloud account to create the VBR. By default, Current account is selected, which indicates that the VBR will be created under the current Alibaba Cloud account.
    Name | Enter the name of the VBR.

    Physical Connection Information
    Physical Connection Interface | Select the port type of an Express Connect circuit that you want to associate with the VBR. Then, select an Express Connect circuit that is enabled and functions as expected from the drop-down list.

    Valid values:

    • Dedicated Physical Connection: a dedicated Express Connect circuit.
    • Shared Physical Connection: a shared Express Connect circuit.

    In this example, Dedicated Physical Connection is selected. Then, select an Express Connect circuit from the drop-down list.

    VLAN ID | Enter the virtual LAN (VLAN) ID of the VBR. Valid values: 0 to 2999.

    In this example, 0 is entered.

    Set VBR Bandwidth Value | Select the bandwidth of the VBR.

    In this example, 200Mb is selected.

    IPv4 Address (Alibaba Cloud Gateway) | Enter an IPv4 address for the VBR to route network traffic between the VPC and the data center. The values of the IPv4 Address (Alibaba Cloud Gateway) and IPv4 Address (Data Center Gateway) parameters must belong to the same CIDR block.

    In this example, 10.100.0.1 is entered.

    IPv4 Address (Data Center Gateway) | Enter an IPv4 address for the gateway device in the data center to route network traffic between the VPC and the data center.

    Note: To allow services in the VPC to access a specific gateway IP address, you must add a route to the route table of the VBR. Set the destination CIDR block to the CIDR block to which the specified gateway IP address belongs and the next hop to the Express Connect circuit. For more information about how to add a route, see Add a custom route.

    In this example, 10.100.0.10 is entered.

    Subnet Mask (IPv4) | Enter the subnet mask of the IPv4 addresses that you specify for the VBR and the gateway device in the data center. You can enter a long subnet mask because only two IP addresses are required.

    In this example, 255.255.255.0 is entered.

    Support IPv6 | Specify whether to enable IPv6 for the VBR. In this example, Disable is selected.

    • Disable (default): disables IPv6.

    • Enable: enables IPv6. If you select this option, you cannot disable IPv6 after the VBR is created. Set the following parameters of the VBR:

      • IPv6 Address (Alibaba Cloud Gateway): Enter an IPv6 address for the VBR to route traffic between the VPC and your data center. The values of the IPv6 Address (Alibaba Cloud Gateway) and IPv6 Address (Data Center Gateway) parameters must belong to the same CIDR block.

      • IPv6 Address (Data Center Gateway): Enter an IPv6 address for the gateway device in the data center to route traffic between the VPC and your data center.

      • Subnet Mask (IPv6): Enter the subnet mask of the IPv6 addresses that you specified for the VBR and the gateway device in your data center.

  6. Repeat the preceding steps to create VBR2 for Express Connect circuit 2.
    The following table describes only some of the parameters related to VBR2. For more information, see Create and manage a VBR.
    Parameter | Description
    VLAN ID | Enter the VLAN ID of the VBR. Valid values: 0 to 2999.

    In this example, 0 is entered.

    Set VBR Bandwidth Value | Select the bandwidth of the VBR.

    In this example, 200Mb is selected.

    IPv4 Address (Alibaba Cloud Gateway) | Enter an IPv4 address for the VBR to route network traffic between the VPC and the data center.

    In this example, 10.100.0.5 is entered.

    IPv4 Address (Data Center Gateway) | Enter an IPv4 address for the gateway device in the data center to route network traffic between the VPC and the data center.

    In this example, 10.100.0.6 is entered.

    Subnet Mask (IPv4) | Enter the subnet mask of the IPv4 addresses that you specify for the VBR and the gateway device in the data center.

    In this example, 255.255.255.0 is entered.

Step 3: Create VBR-to-VPC connections and configure health checks

After you create VBRs for both Express Connect circuits, you need to create a VBR-to-VPC connection for each Express Connect circuit. Then, you need to configure health checks. After the health checks are configured, probe packets are sent at a specific time interval to monitor the connectivity between the VBRs and the data center.

  1. Log on to the Express Connect console.
  2. In the top navigation bar, select a region in which you want to create a VBR-to-VPC connection.
  3. In the left-side navigation pane, choose VPC Peering Connections > VBR-to-VPC.
  4. On the VBR-to-VPC page, click Create Peering Connection.
  5. On the Establish VBR-VPC Interconnection page, configure the parameters described in the following table.
    Parameter | Description
    Initiator Region | Select the region in which the VBR is deployed. The connection is initiated from the VBR.
    Initiator VBR | Select a VBR as the initiator from the drop-down list. In this example, the VBR created in Step 2: Create VBRs for both Express Connect circuits is selected.
    Acceptor Region Type | Specify whether the initiator VBR and the acceptor VPC belong to the same region. In this example, Intra-Region is selected.
    Acceptor Account Type | Specify the Alibaba Cloud account to which the acceptor VPC belongs. In this example, Current Account is selected.
    Acceptor VPC | Select a VPC as the acceptor from the drop-down list.
    Fee Details | The bandwidth fee is automatically displayed next to Bandwidth Fee.
  6. Read and select the Terms of Service and click OK.

    Note

    If one of the initiator and the acceptor is deployed outside the Chinese mainland and the other is deployed in the Chinese mainland, the VBR-to-VPC connection is a cross-border connection. In this case, you must select the agreement for cross-border connections before you can create the VBR-to-VPC connection.

    After the VBR-to-VPC connection is established, the status of the initiator and the acceptor changes to Activated.

  7. Repeat the preceding steps to create a connection between VBR2 and the VPC.
  8. After you create connections between the VBRs and the VPC, you need to configure a health check on the connectivity of the Express Connect circuits. For more information, see Add a static route to the VBR.

Step 4: Configure routes to route network traffic from the VPC to the data center

Configure routes that point to the data center for the VPC and each VBR. In addition, you need to manage the traffic among the VPC, VBRs, and data center to implement secure network communication.

Configure routes for the VBRs

Configure routes on the VBRs so that network traffic destined for the data center (172.16.0.0/12) is forwarded from the VBRs to the Express Connect circuits.

  1. Log on to the Express Connect console.
  2. In the top navigation bar, select a region and then click Virtual Border Routers (VBRs) in the left-side navigation pane.
  3. On the Virtual Border Routers (VBRs) page, find the VBR that you want to manage and click its ID.
  4. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
  5. Click the Routes tab, and then click Add Route on the Custom Route tab.
  6. In the Add Route panel, configure the parameters described in the following table and click OK.
    Parameter | Description
    Next Hop Type | Select the type of the next hop. Valid values:
    • VPC: The VBR routes network traffic destined for the destination CIDR block to a VPC.
    • Physical Connection Interface: The VBR routes network traffic destined for the destination CIDR block to an Express Connect circuit.

    In this example, Physical Connection Interface is selected.

    Destination CIDR Block | Enter the CIDR block of the data center.

    In this example, 172.16.0.0/12 is entered.

    Next Hop | Select the instance ID of the next hop based on the specified type.

    Select Express Connect circuit 1 that is created in Step 1: Create two connections over Express Connect circuits.

    Description | Enter a description for the route.
  7. Repeat the preceding steps to configure a route that points to Express Connect circuit 2 for VBR2.

Configure routes for the VPC

Configure routes in the VPC so that network traffic destined for the data center (172.16.0.0/12) is forwarded from the VPC to the VBRs.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Route Tables.
  3. In the top navigation bar, select the region to which the route table belongs.
  4. On the Route Tables page, find the custom route table of the VPC and click the route table ID.
  5. On the details page of the route table, click the Route Entry List tab and then the Custom Route subtab.
  6. Click Add Route Entry. In the Add Route Entry panel, configure the parameters described in the following table and click OK.
    Parameter | Description
    Name | Enter a name for the route.
    Destination CIDR Block | Enter the destination CIDR block to which you want to route traffic.

    In this example, IPv4 CIDR Block is selected, and 172.16.0.0/12 is entered. 172.16.0.0/12 is the CIDR block of the data center.

    Next Hop Type | Select the type of the next hop.

    In this example, Router Interface (To VBR) is selected. Then, click the General Routing tab, and select the router interface of the VBR-to-VPC connection from the drop-down list.

  7. Repeat the preceding steps to configure a route that points to VBR2 for the VPC.

Step 5: Configure routes to route network traffic from the data center to the VPC

Configure routes that point to the VPC for the VBRs and routes that point to the VBRs for the gateway device in the data center. This ensures that network traffic can be securely routed from the data center to the VPC.

Configure routes for the VBRs

Configure routes on the VBRs so that network traffic destined for the VPC (192.168.0.0/16) is forwarded from the VBRs to the VPC.

  1. Log on to the Express Connect console.
  2. In the top navigation bar, select a region and then click Virtual Border Routers (VBRs) in the left-side navigation pane.
  3. On the Virtual Border Routers (VBRs) page, click the ID of VBR1.
  4. Click the Routes tab, and then click Add Route on the Custom Route tab.
  5. In the Add Route panel, configure the parameters described in the following table and click OK.
    Parameter | Description
    Next Hop Type | Select the type of the next hop.

    In this example, VPC is selected.

    Destination CIDR Block | Enter the CIDR block of the VPC.

    In this example, 192.168.0.0/16 is entered.

    Next Hop | Select the VPC that you created.
    Description | Enter a description for the route.
  6. Repeat the preceding steps to configure a route that points to the VPC for VBR2.

Configure routes and health checks for the data center

Configure routes for the data center to route network traffic from the data center to the VBRs. After you configure the routes, you need to configure health checks so that probe packets are sent at a specific time interval. This helps ensure the connectivity between the data center and the VPC over Express Connect circuits.

  1. Configure routes in the data center.

    The configuration may vary based on the gateway device. For more information about the configuration commands, consult the vendor of your gateway device.

    # Configure routes in the data center to route network traffic to the VPC.
    # One route per circuit: the next hops are the Alibaba Cloud side gateways of VBR1 and VBR2.
    ip route 192.168.0.0 255.255.0.0 10.100.0.1
    ip route 192.168.0.0 255.255.0.0 10.100.0.5
  2. Configure health checks for the data center. For more information, see Configure and manage health checks.
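
The following check is an added example, not part of the original Alibaba Cloud topic. It parses the data center static routes shown above and verifies them against this topic's addressing plan: both gateways of each VBR in the same CIDR block, one route to 192.168.0.0/16 per VBR, and the same prefix on both circuits. The names parse_routes and check_plan are hypothetical, and the ip route syntax is assumed to match the sample above.

```python
import ipaddress

# Addressing plan copied from this topic's tables.
VPC_CIDR = ipaddress.ip_network("192.168.0.0/16")
DC_CIDR = ipaddress.ip_network("172.16.0.0/12")
LINKS = {  # VBR name -> (Alibaba Cloud gateway, data center gateway, subnet mask)
    "VBR1": ("10.100.0.1", "10.100.0.10", "255.255.255.0"),
    "VBR2": ("10.100.0.5", "10.100.0.6", "255.255.255.0"),
}

def parse_routes(config):
    """Parse 'ip route <dest> <mask> <next-hop>' lines; skip comments and blanks."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["ip", "route"]:
            dest = ipaddress.ip_network(f"{parts[2]}/{parts[3]}")
            routes.append((dest, ipaddress.ip_address(parts[4])))
    return routes

def check_plan(config, links=LINKS, vpc=VPC_CIDR, dc=DC_CIDR):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    routes = parse_routes(config)
    for name, (cloud_gw, dc_gw, mask) in links.items():
        link_net = ipaddress.ip_interface(f"{cloud_gw}/{mask}").network
        if ipaddress.ip_address(dc_gw) not in link_net:
            problems.append(f"{name}: gateways are not in the same CIDR block")
        if link_net.overlaps(vpc) or link_net.overlaps(dc):
            problems.append(f"{name}: link subnet overlaps the VPC or data center CIDR")
        via = [dest for dest, hop in routes if hop == ipaddress.ip_address(cloud_gw)]
        if not any(vpc.subnet_of(dest) for dest in via):
            problems.append(f"{name}: no route to {vpc} via {cloud_gw}")
    # Active/active needs the same prefix on every path: a longer prefix on one
    # circuit wins longest-prefix match and turns the other circuit into a standby.
    covering = {dest for dest, _ in routes if dest.overlaps(vpc)}
    if len(covering) > 1:
        problems.append("routes to the VPC use different prefixes per circuit")
    return problems

# Constructed sample: the static routes from this topic.
SAMPLE = """\
#Configure routes in the data center to route network traffic to the VPC.
ip route 192.168.0.0 255.255.0.0 10.100.0.1
ip route 192.168.0.0 255.255.0.0 10.100.0.5
"""

if __name__ == "__main__":
    print(check_plan(SAMPLE) or "plan is consistent")
```

Run it against the gateway configuration before the connectivity test: a missing route to one VBR would still pass the ping test while leaving no failover path.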

Step 6: Test the connectivity

After you complete the preceding steps, you must test the connectivity of the Express Connect circuits.

  1. Open the CLI on a computer in the data center.
  2. Run the ping command to test the connectivity between the data center and an ECS instance in the VPC. The CIDR block of the VPC is 192.168.0.0/16.
    If echo reply packets are returned, the ECS instance is reachable from the data center.
  3. To check whether active/active connections are established between the data center and Alibaba Cloud, run the tracert command to query the routes through which packets are sent.