Configure health checks

Virtual border routers (VBRs) can connect data centers to Alibaba Cloud through Express Connect circuits. After you attach a VBR to a Cloud Enterprise Network (CEN) instance, you can use the health check feature of CEN to test the connectivity between a data center and Alibaba Cloud.

Background information

How it works

健康检查原理

After you enable health checks for a VBR, a ping packet is transmitted from the source IP address of health checks to the destination IP address in the data center every 2 seconds. If the ping packets are returned from the Express Connect circuit, the Express Connect circuit is declared healthy. If an Express Connect circuit does not respond to eight consecutive ping packets, or the ping packets are returned from other routes, the Express Connect circuit is declared unhealthy.

Health checks do not notify you of unhealthy Express Connect circuits. We recommend that you create alert rules for Express Connect circuits. Notifications are sent to you when the alert rules are triggered, so that you can manage anomalies at the earliest opportunity.

Warning

Make sure that the destination IP address of health checks is reachable and the data center does not throttle or block ping packets.
If a throttling mechanism, such as Control Plane Policing (CoPP) or local attack defense, is enabled for the gateway devices in the data center, ping packets may be dropped. As a result, the system may frequently switch between Express Connect circuits. We recommend that you disable throttling for the gateway devices in the data center.

Usage notes on standby Express Connect circuits

健康检查-路由切换

If a data center is connected to Alibaba Cloud through multiple Express Connect circuits, we recommend that you configure health checks for each Express Connect circuit. If one of the Express Connect circuits is declared unhealthy by health checks, the system automatically switches network traffic to a healthy Express Connect circuit.

When you configure health checks, you can specify whether to enable automatic route switchover.

Log on to the CEN console.
In the left-side navigation pane, click Health Checks.
On the Health Check page, select the region where the VBR that you want to manage is created and click Set Health Check.

In the Set Health Check panel, set the following parameters and click OK.

Parameter	Description
Instances	Select the CEN instance to which the VBR is attached.
Virtual Border Router (VBR)	Select the VBR that you want to monitor.
Source IP	You can use one of the following methods to configure a source IP address: Automatic IP Address: The system automatically assigns an IP address from the 100.96.0.0/16 CIDR block. We recommend that you select this option. Custom IP Address: You can specify an available IP address that falls within the 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 CIDR block. The specified IP address must not conflict with the destination IP address, the IP address of the VBR on the Alibaba Cloud side, or the IP address of the VBR on the customer side. Note Take note of the following rules if you select Automatic IP Address: In each of the following regions, at most 16 VBRs can be automatically assigned a source IP address: Click to view the regions US (Silicon Valley), China (Hong Kong), US (Virginia), China (Beijing), China (Shanghai), China (Shenzhen), Singapore, China (Hangzhou), China (Heyuan), China (Chengdu), China (Zhangjiakou), Germany (Frankfurt), Malaysia (Kuala Lumpur), and UK (London), China (Qingdao), Indonesia (Jakarta), China (Hohhot), China (Guangzhou), China (Ulanqab), China (Nanjing-Local Region), Japan (Tokyo), and Australia (Sydney) Closing Down In the Philippines (Manila), South Korea (Seoul), China (Fuzhou-Local Region), or Thailand (Bangkok) region, at most eight VBRs can be automatically assigned a source IP address. No matter which method you select, the CEN instance advertises a route whose destination CIDR block is the source IP address of the health check and the subnet mask is 32 bits in length to the VBR after the health check is configured. If the VBR and data center use the BGP dynamic routing protocol, the route is advertised to the data center over BGP.
Destination IP	Set the destination IP address to the IP address of the VBR on the customer side.
Probe Interval (Seconds)	Enter a time interval at which probe packets are sent during the health check. Unit: seconds. Valid values: 2 to 3. Default value: 2.
Probe Packets	Enter the number of consecutive probe packets that are sent during the health check. Unit: packets. Valid values: 3 to 8. Default value: 8.
Change Route	Specifies whether to allow the health check feature to switch to the standby route. This feature is enabled by default. If a redundant route is configured on the CEN instance, the health check feature immediately switches to the redundant route if an error is detected on the Express Connect circuit. If you disable this feature, health checks perform only probing. The health check feature does not switch to the standby route even if an error is detected on the Express Connect circuit. Warning Before you turn off Change Route, make sure that network traffic can be switched to a standby route by using other mechanisms. Otherwise, network connections are interrupted if the Express Connect circuit fails.
Description	Enter a description for the health check.

What to do next

If your VBR uses static routes, you must add a static route to the on-premises device to which the Express Connect circuit is connected. Add the static route based on the following information:
Set the destination CIDR block to the source IP address of health checks, set the mask length to 32, and set the next hop to the IP address of the VBR on the Alibaba Cloud side.
Note
If your VBR uses Border Gateway Protocol (BGP) routes, you do not need to add a route to the data center.
Check whether the on-premises device to which the Express Connect circuit is connected can receive probe packets. Make sure that the on-premises device can return response packets as expected.
We recommend that you set threshold-based alert rules for the Express Connect circuit. This allows you to receive alert notifications at the earliest opportunity when the health check feature detects connection interruptions. For more information, see Create a threshold-based alert rule for an Express Connect circuit.

More operations

Modify a health check

After you configure a health check, you can modify the source IP address, destination IP address, probe interval, and number of probe packets.

Log on to the CEN console.
In the left-side navigation pane, click Health Checks.
On the Health Check page, select the region where the VBR is created.
Find the health check that you want to modify and click Edit in the Actions column.
In the Edit Health Check panel, you can modify the source IP address, destination IP address, probe interval, and number of probe packets. After you modify the health check, click OK.

Delete a health check

If you no longer need to monitor the connectivity between the data center and Alibaba Cloud, you can delete the health check.

Log on to the CEN console.
In the left-side navigation pane, click Health Checks.
On the Health Check page, select the region where the VBR is created.
Find the health check and click Delete in the Actions column.
In the Delete Healthcheck message, click OK.

References

EnableCenVbrHealthCheck: enables health checks for a VBR or modifies the health check configuration of a VBR.
DescribeCenVbrHealthCheck: queries the health check configuration of a VBR in a specified region.
DisableCenVbrHealthCheck: deletes the health check configuration of a VBR.