
Express Connect: Connect a data center to a VPC in a different region across accounts over an Express Connect circuit

Last Updated: Oct 18, 2024

This topic describes how to connect a data center to a virtual private cloud (VPC) that resides in a different region and belongs to a different account over an Express Connect circuit. The Express Connect circuit connects to an Alibaba Cloud access point.

Scenario

An enterprise creates an Alibaba Cloud account (Account A), and then creates a VPC named VPC1 in the China (Hangzhou) region with Account A. The enterprise has a data center deployed in the same region. The private CIDR block of the data center is 172.16.0.0/12 and the private CIDR block of the VPC is 192.168.0.0/16. The enterprise uses Account A to apply for an Express Connect circuit, which is used to connect the data center and VPC1. The subsidiary of the enterprise creates Account B, and then creates a VPC named VPC2 in the China (Beijing) region with Account B. The private CIDR block of VPC2 is 10.0.0.0/8. The subsidiary wants to connect the data center to VPC2.

In this scenario, the subsidiary can reuse the Express Connect circuit purchased by Account A to connect the data center to VPC2 that belongs to Account B.

The following figure shows the network topology for connecting the data center to VPC2.

[Figure: network topology for connecting the data center to VPC2]

The following table describes the resource configurations of Account A and Account B. The "-" sign in the following table indicates that the item is not involved.

Item: VPC

  Account A: VPC1

    • Name: VPC1
    • Region: China (Hangzhou)
    • CIDR block: 192.168.0.0/16

  Account B: VPC2

    • Name: VPC2
    • Region: China (Beijing)
    • CIDR block: 10.0.0.0/8

Item: VBR

  Account A: VBR

    • Name: VBR-test
    • VLAN ID: 0
    • IPv4 address on the Alibaba Cloud side: 10.100.1.2
    • IPv4 address on the customer side: 10.100.1.10
    • Subnet mask: 255.255.255.0

  Account B: -

Item: VBR-to-VPC connection

  Account A: VBR-to-VPC Connection 2 (initiator)

    • Region of the initiator: China (Hangzhou)
    • VBR (initiator) name: VBR-test
    • Region of the acceptor: China (Beijing)
    • VPC (acceptor) name: VPC2

  Account B: VBR-to-VPC Connection 2 (acceptor)

    • Region of the initiator: China (Hangzhou)
    • VBR (initiator) name: VBR-test
    • Region of the acceptor: China (Beijing)
    • VPC (acceptor) name: VPC2

Prerequisites

Step 1: Create VBR-to-VPC Connection 2 and configure health checks

  1. Grant the permissions on VPC2 to Account A.

    1. Use Account B to log on to the VPC console.

    2. In the top navigation bar, select the region of VPC2. In this example, China (Beijing) is selected.

    3. On the VPC page, find VPC2 and click its ID.

    4. On the VPC details page, choose Cross-account Authorization > Virtual Border Router > Cross-Account VBR Authorization.

    5. In the Cross-Account VBR Authorization dialog box, set the following parameters and click OK.


      After the configuration is complete, the permissions are granted to the VBR. You can view the authorization information on the Cross-Account VBR Authorization tab.

      Note

      You can record the UID of Account B and the ID of the VPC, which are required when you create VBR-to-VPC connections.

  2. Create VBR-to-VPC Connection 2 (cross-region and cross-account).

    1. Use Account A to log on to the Express Connect console.

    2. In the left-side navigation pane, choose VPC Peering Connections > VBR-to-VPC.

    3. On the VBR-to-VPC page, click Create Peering Connection.

    4. On the Establish VBR-VPC Interconnection page, configure the parameters that are described in the following table.

      The following table describes only the key parameters. For more information, see Create a VBR-to-VPC connection.

      Item: Description

      • Initiator Region: Select the region where the VBR is deployed. In this example, China (Hangzhou) is selected.

      • Initiator VBR: Select a VBR as the initiator from the drop-down list. In this example, the VBR in the China (Beijing) region is selected.

      • Acceptor Region Type: Specify whether the initiator VBR and the acceptor VPC belong to the same region. In this example, Inter-Region is selected.

      • Acceptor Region: Select the region of the acceptor. In this example, China (Beijing) is used.

      • Acceptor Account Type: Specify whether the initiator VBR and the acceptor VPC belong to the same Alibaba Cloud account. In this example, Another Account is selected.

      • Acceptor Account ID: When Acceptor Account Type is set to Another Account, you need to specify the UID of the account to which the acceptor belongs. Select the UID of the account to which the acceptor belongs from the drop-down list. In this example, the UID of Account B is selected.

      • Acceptor VPC: Select the ID of the VPC on which the initiator has permissions. In this example, the ID of VPC2 is selected.

      • Billing Method: In this example, the value is automatically set to Pay-By-Bandwidth.

      • Select Bandwidth: Specify the maximum bandwidth of VBR-to-VPC Connection 2.

      • Subscription Duration: Specify the subscription duration.

    5. Select I have read and agree to Terms of Service for Express Connect - Peering Connections (Pay-As-You-Go) and click OK.

      After the VBR-to-VPC connection is established, the status of the initiator and the acceptor changes to Activated.

  3. Configure health checks.

    Click Health Check in the Actions column of VBR-to-VPC Connection 2, and then click Settings. In the dialog box that appears, configure the parameters and click OK.


Step 2: Configure routes for the VBR to access VPC2

Add a route to the VBR to route traffic destined for VPC2 (10.0.0.0/8) to VPC2.

  1. Use Account A to log on to the Express Connect console.

  2. In the top navigation bar, select the region. In this example, China (Hangzhou) is selected.

  3. In the left-side navigation pane, click Virtual Border Routers (VBRs). On the Virtual Border Routers (VBRs) page, click the ID of the VBR.

  4. On the VBR details page, choose Routes > Custom Route and click Add Route.

  5. In the Add Route panel, configure the parameters that are described in the following table and click OK.


Step 3: Configure routes for VPC2 to access the data center

You need to add routes to VPC2 to route traffic destined for the data center (172.16.0.0/12) to the VBR.

  1. Use Account B to log on to the Express Connect console.

  2. In the top navigation bar, select the region. In this example, China (Beijing) is selected.

  3. In the left-side navigation pane, choose VPC Peering Connections > VBR-to-VPC.

  4. On the VBR-to-VPC page, find the acceptor VBR that you want to manage in the Acceptor column and click Route Settings.

  5. In the Basic Information panel, click Add Route and set Destination CIDR Block to 172.16.0.0/12.


Step 4: Configure routes and health checks on the data center side

You need to add routes that point to VPC2 to the customer-premises equipment (CPE) in the data center. This way, the CPE can exchange data between the data center and VPC2. In addition, you need to configure health checks and a return route for health check probe packets. Then, you need to configure the gateway device to route network traffic based on health check results to achieve network redundancy.

  1. Configure routes in the data center.

    The configuration commands may vary based on the gateway device. The following example is for reference only. For more information about the configuration commands, consult the vendor of your gateway device.

    # Add a route for traffic destined for VPC2 (10.0.0.0/8).
    # The next hop is the IPv4 address of the VBR on the Alibaba Cloud side.
    ip route 10.0.0.0 255.0.0.0 10.100.1.2

  2. Configure health checks for the data center. For more information, see Configure and manage health checks.

    Note

    If you create a VBR-to-VPC connection across accounts, you must configure health checks for the VBR by using the acceptor account.
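
The following added example (not part of the original Alibaba Cloud documentation) validates the addressing plan and a CPE static route before you apply them: it reports overlapping CIDR blocks, a route mask narrower than the VPC CIDR block, and a next hop that is not the VBR's cloud-side address. It assumes the `ip route <dest> <mask> <next-hop>` syntax shown above; the function names and the sample routes are constructed for illustration.

```python
import ipaddress

# Addressing plan from this topic; the /24 is the VBR link (10.100.1.2 <-> 10.100.1.10).
PLAN = {"data-center": "172.16.0.0/12", "VPC1": "192.168.0.0/16", "VPC2": "10.0.0.0/8"}
VBR_LINK = "10.100.1.0/24"
VBR_CLOUD_IP = "10.100.1.2"


def find_overlaps(plan):
    """Return name pairs (sorted) whose CIDR blocks overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def check_route(line, target_cidr, link_cidr=VBR_LINK, next_hop=VBR_CLOUD_IP):
    """Check a CPE route 'ip route <dest> <mask> <next-hop>'; return (errors, warnings)."""
    parts = line.split()
    if len(parts) != 5 or parts[:2] != ["ip", "route"]:
        raise ValueError(f"unsupported route syntax: {line!r}")
    net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}")  # accepts dotted netmasks
    hop = ipaddress.ip_address(parts[4])
    target, link = ipaddress.ip_network(target_cidr), ipaddress.ip_network(link_cidr)
    errors, warnings = [], []
    if net != target and net.subnet_of(target):
        errors.append(f"{net} covers only part of {target}")
    elif net != target:
        errors.append(f"{net} does not match {target}")
    if hop != ipaddress.ip_address(next_hop):
        errors.append(f"next hop {hop} is not the VBR cloud-side address {next_hop}")
    if link.subnet_of(net):
        # The connected route for the link is more specific, so hosts in the
        # routed range that reuse link addresses are never reached via the VBR.
        warnings.append(f"link subnet {link} lies inside {net}")
    return errors, warnings


if __name__ == "__main__":
    print(find_overlaps({**PLAN, "vbr-link": VBR_LINK}))
    for route in ("ip route 10.0.0.0 255.0.0.0 10.100.1.2",   # constructed samples
                  "ip route 10.0.0.0 255.255.0.0 10.100.1.2"):
        print(route, "->", check_route(route, PLAN["VPC2"]))
```

The warning for the /8 route reflects that the VBR link addresses fall inside the VPC2 CIDR block, so vSwitches in VPC2 should not reuse 10.100.1.0/24.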

Step 5: Test the network connectivity

After you complete the preceding steps, you must test the connectivity of the Express Connect circuits.

Note

Before you check the connectivity, make sure that you understand the security group rules of the ECS instances in the VPC. Make sure that the rules allow the ECS instances to communicate with the data center. For more information, see View security group rules and Add a security group rule.

  1. Open the command-line interface (CLI) on a computer of the data center side.

  2. Run the ping command to check the connectivity between the data center and an ECS instance in VPC2 (CIDR block: 10.0.0.0/8).

    If echo reply packets are returned, the data center is connected to VPC2.