Cloud Enterprise Network:Use CEN to enable intra-region network communication

Scenario

The following scenario is used in this topic. A company has a data center in Hangzhou. The data center is connected to Alibaba Cloud through Express Connect circuits and VBRs. The company has a branch office in Hangzhou, whose network is connected to Alibaba Cloud through Smart Access Gateway (SAG) and CCN. The company has a VPC in the China (Hangzhou) region. Elastic Compute Service (ECS) instances are deployed in the VPC.

Due to business growth, the company wants to use CEN to enable network communication between the data center and the VPC, and between the branch office and the VPC.

Procedure

The following figure shows the procedure for enabling intra-region network communication.

• If the CEN instance and the network instances that you want to attach to the CEN instance belong to the same Alibaba Cloud account, you can attach the network instances to the CEN instance.

• If the CEN instance and the network instances that you want to attach to the CEN instance belong to different Alibaba Cloud accounts, you must grant permissions to the accounts before you can attach the network instances. After the required permissions are granted to the accounts, you can attach the network instances to the same CEN instance to enable private network communication.

Prerequisites

• The data center is connected to Alibaba Cloud through Express Connect circuits and VBRs. For more information, see Connect a data center to ECS by using an Express Connect circuit.

• The network of the branch office is connected to Alibaba Cloud through SAG and CCN. For more information, see SAG Tutorials.

• A VPC is deployed in the China (Hangzhou) region. ECS instances are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.

• You are aware of the security group rules of the ECS instance that is deployed in the VPC, and the access control rules of the data center and the branch office. Make sure that the security rules and access control rules allow the VPC to communicate with the data center and branch office network. For more information, see View security group rules and Add a security group rule.

• Make sure that the network instances are not attached to another CEN instance.

Step 1: Create a CEN instance

When you create a CEN instance, you can select a network instance that belongs to the same account as the CEN instance and attach the network instance to the CEN instance.

1. Log on to the CEN console.

2. On the Instances page, click Create CEN Instance.

3. In the Create CEN Instance panel, set the following parameters and click OK.

   • Name: Enter a name for the CEN instance.

     The name must be 2 to 128 characters in length and can contain digits, hyphens (-), and underscores (_). It must start with a letter.

   • Description: Enter a description for the CEN instance.

     The description must be 2 to 256 characters in length, and cannot start with http:// or https://. You can leave this parameter empty.

   • Attach Network: Attach network instances that belong to the same Alibaba Cloud account to the CEN instance.

     • Network Type: Select the type of network instance. VPC is selected in this example.

     • Region: Select the region where the network instance is created. In this example, China (Hangzhou) is selected.

     • Networks: Select the network instance that you want to attach.

Step 2: Attach network instances to the CEN instance

Attach the network instances that need to communicate with each other to the same CEN instance. After you attach network instances to a CEN instance, the CEN instance automatically learns routes of the attached network instances. Then, the network instances can communicate with each other.

Attach a network instance that is created by the same account

1. Log on to the CEN console.

2. On the Instances page, click the ID of the CEN instance that you want to manage.

3. Click the Networks tab and then click Attach Network.

4. In the Attach Network panel, click the Your Account tab.

5. Set the following parameters to attach the network instance to the CEN instance and click OK:

   • Network Type: Select the type of network instance that you want to attach. In this example, Virtual Border Router (VBR) is selected.

   • Region: Select the region where the network instance is created. In this example, China (Hangzhou) is selected.

   • Networks: Select the VBR that you want to attach.

6. Repeat this step to attach the CCN instance to the CEN instance.

Attach a network instance that is created by a different account

You must acquire the required permissions from the account of the network instance that you want to attach. After you acquire the permissions, you must obtain the account ID and the ID of the network instance that you want to attach.

• You must acquire the required permissions from the Alibaba Cloud account to which the VPC belongs before you attach the VPC. For more information, see Manage network instances.

• You must acquire the required permissions from the Alibaba Cloud account to which the VBR belongs before you attach the VBR. For more information, see Manage network instances.

• You must acquire the required permissions from the Alibaba Cloud account to which the CCN instance belongs before you attach the CCN instance. For more information, see Attach a network instance.

1. Log on to the CEN console.

2. On the Instances page, click the ID of the CEN instance that you want to manage.

3. Click the Networks tab and then click Attach Network.

4. In the Attach Network panel, click the Different Account tab.

5. Set the following parameters to attach the network instance to the CEN instance and click OK:

   • Owner Account: Enter the ID of the account to which the network instance belongs.

   • Network Type: Select the type of network instance to attach. In this example, Virtual Border Router (VBR) is selected.

   • Region: Select the region where the network instance is created. In this example, China (Hangzhou) is selected.

   • Networks: Select the VBR that you want to attach.

6. Repeat this step to attach the CCN instance to the CEN instance.

Step 3: Test network connectivity

After you attach the network instances to the CEN instance, you can run the ping command to test the network connectivity.

1. Log on to the ECS instance. For more information, see Connection methods.

2. Run the ping command to test whether the ECS instance is connected to the data center.

   ping 172.16.0.89

   If you receive an echo reply packet, it indicates that the ECS instance and the data center are connected.

3. Run the ping command to test whether the ECS instance is connected to the branch office.

   ping 10.0.0.33

   If you receive an echo reply packet, it indicates that the ECS instance and the branch office are connected.

What to do next

• You can create alert rules in CloudMonitor to monitor the VBRs, bandwidth plans, and bandwidth usage for inter-region connections. Resource exhaustion may disrupt services.

  • For more information about how to set alerts rules for VBRs, see Monitor Express Connect circuits.

  • For more information about how to set alerts rules for bandwidth plans, see Monitor bandwidth plans.

  • For more information about how to set alerts rules for bandwidth usage of inter-region connections, see Monitor region connections.

    Alert rules for bandwidth usage of inter-region connections apply only to scenarios in which network instances communicate with each other across regions. For more information, see Purchase a bandwidth plan and Manage bandwidth for cross-region connections.

• Network instances that are attached to a CEN instance can access cloud services through the CEN instance. For more information, see Access cloud services and PrivateZone overview.

• You can configure route policies to filter and modify routes. This allows you to manage network communication in the cloud. For more information, see Routing policy overview.