Express Connect:Create active/standby connections and configure BGP routing

Scenario

The following example shows how to use Express Connect circuits to create active/standby connections between a data center and a VPC and configure BGP routing for the connections. An enterprise has a data center in Shanghai and deploys business-critical systems such as database clusters in the data center. In addition, the enterprise creates a VPC in the China (Shanghai) region and deploys applications on Elastic Compute Service (ECS) instances in the VPC. To ensure the stability of data transfer, the enterprise needs to lease two Express Connect circuits to connect the customer-premises equipment (CPE) and virtual border routers (VBRs). Each Express Connect circuit connects to a separate piece of CPE in the data center. Then, attach the VBRs and the VPC to a CEN instance. This way, the data center and the VPC can communicate with each other. The data center is connected to the VPC by using a primary Express Connect circuit and a secondary Express Connect circuit. The enterprise configures BGP routing and Bidirectional Forwarding Detection (BFD) to accelerate route convergence between the data center and the VPC and improve service availability.

Preparations

Before you start, make sure that the following preparations are completed:

• An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create one. For more information, see Sign up to Alibaba Cloud.

• A VPC is created in the China (Shanghai) region, and cloud resources such as Elastic Compute Service (ECS) instances that host your business systems are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.

  Note

  Before you connect an Enterprise Edition transit router to a VPC, make sure that the VPC has at least one vSwitch in a zone that supports Enterprise Edition transit routers. The vSwitch must have at least one idle IP address. In this example, the transit router is created in the China (Shanghai) region. Shanghai Zone F and Shanghai Zone G support Enterprise Edition transit routers.

• You understand the security group rules of the Elastic Compute Service (ECS) instances in the virtual private cloud (VPC). Make sure that the rules allow the ECS instances to communicate with the data center. For more information, see View security group rules and Add a security group rule.

• A CEN instance is created. For more information, see the "Create a CEN instance" section of the CEN instances topic.

• The VPC in a zone supported by the Enterprise Edition transit router has sufficient vSwitches. Each vSwitch has at least one idle IP address. For more information about how to create a vSwitch, see Create a vSwitch.

  • If the Enterprise Edition transit router is deployed in a region that supports only one zone, for example, China (Nanjing - Local Region), the VPC must have at least one vSwitch in the zone.

  • If the Enterprise Edition transit router is deployed in a region that supports multiple zones, for example, China (Shanghai), the VPC must have at least two vSwitches in the zones. The vSwitches must be in different zones.

• The following table describes how CIDR blocks are allocated in this example. You can allocate CIDR blocks based on your business requirements. Make sure that the CIDR blocks do not overlap with each other.

  Entity	CIDR block	Server or client IP address
  Data center	10.1.1.0/24	Client IP address: 10.1.1.1
  VPC	192.168.20.0/24	Server IP address: 192.168.20.161
  VBR1	Virtual local area network (VLAN) ID: 110 IPv4 CIDR block for the VBR: 172.16.1.2/30 IPv4 CIDR block for the gateway device in the data center: 172.16.1.1/30	N/A
  VBR2	VLAN ID: 120 IPv4 CIDR block for the VBR: 172.16.2.2/30 IPv4 CIDR block for the gateway device in the data center: 172.16.2.1/30	N/A

Procedure

Step 1: Create two connections over Express Connect circuits

In this example, two dedicated connections are created. For more information, see Create and manage a dedicated connection over an Express Connect circuit.

Step 2: Create VBRs

Create a VBR for each Express Connect circuit. The VBRs serve as bridges for data exchange between the data center and the VPC.

1. Log on to the Express Connect console.

2. In the top navigation bar, select a region and click Virtual Border Routers (VBRs) in the left-side navigation pane.

3. On the Virtual Border Routers (VBRs) page, click Create VBR. In the Create VBR panel, configure the parameters that are described in the following table and click OK.

   Parameter	Description
   Account	The Alibaba Cloud account to which the VBR belongs. In this example, Current Account is selected.
   Name	The name of the VBR. In this example, VBR1 is entered.
   Express Connect Circuit	The type of the connection over the Express Connect circuit. In this example, Dedicated Physical Connection and Express Connect Circuit 1 are selected.
   VLAN ID	The VLAN ID of the VBR. In this example, 110 is entered.
   Set VBR Bandwidth Value	The bandwidth of the VBR. In this example, 200Mb is selected.
   Alibaba Cloud Side IPv4 Address	The IPv4 address for the VBR to route network traffic between the VPC and data center. In this example, 172.16.1.2 is entered.
   Data Center Side IPv4 Address	The IPv4 address for the gateway device in the data center to route network traffic between the data center and VPC. In this example, 172.16.1.1 is entered.
   IPv4 Subnet Mask	The subnet mask of the specified IPv4 addresses. In this example, 255.255.255.252 is used.

4. Repeat the preceding steps to create VBR2 for the other Express Connect circuit.

   The following table describes the parameters related to VBR2.

   Parameter	Description
   Account	The Alibaba Cloud account to which the VBR belongs. In this example, Current Account is selected.
   Name	The name of the VBR. In this example, VBR2 is entered.
   Express Connect Circuit	The type of the connection over the Express Connect circuit. In this example, Dedicated Physical Connection and Express Connect Circuit 2 are selected.
   VLAN ID	The VLAN ID of the VBR. In this example, 120 is entered.
   Set VBR Bandwidth Value	The bandwidth of the VBR. In this example, 200Mb is selected.
   Alibaba Cloud Side IPv4 Address	The IPv4 address for the VBR to route network traffic between the VPC and data center. In this example, 172.16.2.2 is entered.
   Data Center Side IPv4 Address	The IPv4 address for the gateway device in the data center to route network traffic between the data center and VPC. In this example, 172.16.2.1 is entered.
   IPv4 Subnet Mask	The subnet mask of the specified IPv4 addresses. In this example, 255.255.255.252 is used.

Step 3: Connect the transit router to the VPC and the VBRs

After the Express Connect circuits are installed, you need to connect the transit router in the China (Shanghai) region to the VPC that you want to connect to the data center. Then, connect the transit router to the VBRs that are associated with the Express Connect circuits. This way, the VPC and the data center can communicate with each other.

1. Log on to the CEN console.

2. On the Instances page, click the ID of the CEN instance that you want to manage.

3. On the Basic Settings > Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.

4. On the Connection with Peer Network Instance page, configure the following parameters and click OK.

   Note

   When you perform this operation for the first time, the system automatically creates a service-linked role named AliyunServiceRoleForCEN. This role allows the transit router to create an elastic network interface (ENI) in a vSwitch of the VPC. For more information, see AliyunServiceRoleForCEN.

   Parameter	Description
   Instance Type	The type of network instance. In this example, VPC is selected.
   Region	The region in which the VPC is deployed. In this example, China (Shanghai) is selected.
   Transit Router	The system automatically displays the transit router in the selected region.
   Resource Owner ID	The Alibaba Cloud account to which the VPC belongs. In this example, Current Account is selected.
   Billing Method	By default, transit routers use the pay-as-you-go billing method. For more information, see Billing rules.
   Attachment Name	The name of the VPC connection. In this example, VPC-test is used.
   Tag	Tag Key: the key of the tag. You can select or enter a key. The tag key can be up to 64 characters in length. The tag key cannot start with aliyun or acs: and cannot contain http:// or https://. Tag Value: the value of the tag. You can select or enter a value. The tag value can be up to 128 characters in length. The tag value cannot start with aliyun or acs: and cannot contain http:// or https://.
   Network Instance	The ID of the VPC. In this example, the VPC that you created is selected.
   VSwitch	The vSwitch in a zone that supports transit routers. In this example, the vSwitch in the corresponding zone is selected.
   Advanced Settings	By default, the following advanced features are enabled: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Automatically Create Route That Points to Transit Router and Add to All Route Tables of Current VPC. In this example, the default settings are used.

5. On the Connection with Peer Network Instance page, click Create More Connections.

6. On the Connection with Peer Network Instance page, configure the following parameters and click OK to create a connection for VBR1.

   Parameter	Description
   Instance Type	The type of the network instance. In this example, Virtual Border Router (VBR) is selected.
   Region	The region in which the VBR is deployed. In this example, China (Shanghai) is selected.
   Transit Router	The system automatically displays the transit router in the selected region.
   Resource Owner ID	The Alibaba Cloud account to which the VBR belongs. In this example, Current Account is selected.
   Attachment Name	The name of the VBR connection. In this example, VBR-test is used.
   Network Instance	The ID of the VBR. In this example, VBR1 is selected.
   Advanced Settings	By default, the following advanced features are enabled: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Propagate Routes to VBR. In this example, the default settings are used.

7. Repeat Step 5 and Step 6 to create a connection for VBR2.

   After the network connections are created, you can view the details about the connections on the Intra-region Connections tab. For more information, see View network instance connections.

Step 4: Configure routes

You need to configure BGP routing between the data center and the VBRs. You can use the Autonomous System (AS) path attribute to configure route priorities in the data center.

1. Configure the data center and VBRs as BGP peers and advertise routes. For more information, see Configure and manage BGP.

   The Autonomous System Number (ASN) of Alibaba Cloud is 45104. The data center can use 2-byte or 4-byte ASNs.

2. When you configure BGP routing in the data center, you must specify the destination CIDR block of the BGP routes that you want to advertise to Alibaba Cloud. In this example, the destination CIDR block is 10.1.1.0/24. To establish active/standby connections from Alibaba Cloud to the data center, specify the AS path length to determine route priorities.

The primary Express Connect circuit connects to CPE 1. The secondary Express Connect circuit connects to CPE 2. You can set the AS path length to configure route priorities. A shorter AS path indicates a higher priority. The following table describes how BGP routing is configured on the two pieces of CPE in the data center. For more information about the commands, contact the service provider of the CPE.

Step 5: Configure health checks

You must configure health checks for the Express Connect circuits. After health checks are configured, probe packets are sent at the specified time interval. If no response is returned from one of the Express Connect circuits after the specified number of probe packets are sent, CEN automatically switches to the other Express Connect circuit.

1. Log on to the CEN console.

2. In the left-side navigation pane, click Health Checks.

3. On the Health Checks page, select the region in which a VBR is deployed. Then, click Set Health Check.

   In this example, China (Shanghai) is selected, which is the region of VBR1.

4. In the Set Health Check dialog box, configure the parameters that are described in the following table and click OK.

   Parameter	Description
   Instances	The CEN instance to which the VBR is attached.
   Virtual Border Router (VBR)	The VBR that you want to monitor. In this example, VBR1 is selected.
   Source IP Address	The source IP address. You can select one of the following methods to specify the source IP address: Automatic IP Address: The system automatically assigns an IP address from the 100.96.0.0/16 CIDR block. We recommend that you select this option. Note If you select this option and an ACL policy is configured on the peer , you must modify the ACL policy to allow this CIDR block. Otherwise, the health check fails.   Custom IP Address: You need to specify an idle IP address within the 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 CIDR block. The specified IP address cannot be the IP address with which you want to communicate, the IP address of the VBR on the Alibaba Cloud side, or the IP address of the VBR on the user side.
   Destination IP	The IP address of the VBR on the user side.
   Probe Interval (Seconds)	The interval at which probe packets are sent for the health check. Unit: seconds. Default value: 2. Valid values: 2 to 3.
   Probe Packets	The number of probe packets that are sent for health checks. Unit: packet. Default value: 8. Valid values: 3 to 8.
   Change Route	Specifies whether to allow the health check feature to switch to the redundant route. By default, Change Route is turned on. This indicates that the health check feature can switch to the redundant route. If a redundant route is configured on the CEN instance, the health check feature immediately switches to the redundant route if an error is detected on the Express Connect circuit. If you turn off Change Route, the health check feature does not switch to the redundant route. Only probing is performed. The health check feature does not switch to the redundant route even if an error is detected on the Express Connect circuit. Warning Before you turn off Change Route, make sure that the system can switch to a redundant route by using other mechanisms. Otherwise, network connections are interrupted if the Express Connect circuit is down.

   Note

   The system sends probe packets at the specified intervals. If the number of consecutively dropped packets reaches the specified value, the health check fails.

5. Repeat Step 3 to Step 4 to configure health checks for VBR2.

Step 6: Enable BFD for the VBRs

Enable BFD for the VBRs to accelerate network convergence.

1. Log on to the Express Connect console.

2. In the top navigation bar, select a region and click Virtual Border Routers (VBRs) in the left-side navigation pane.

3. On the Virtual Border Routers (VBRs) page, find the VBR that you want to manage and click Edit in the Actions column.

4. In the Edit VBR panel, configure the parameters and click OK.

   The following table describes the parameters related to BFD. Use default values for the other parameters.

   Parameter	Description
   Submission Interval	The time interval at which BFD packets are sent. Unit: milliseconds. Default value: 1000. In this example, the default value is used.
   Reception Interval	The time interval at which BFD packets are received. Unit: milliseconds. Default value: 1000. In this example, the default value is used.
   Detection Time Multiplier	The detection time multiplier that is used to determine the maximum number of lost packets. Default value: 3. In this example, the default value is used.

5. On the Virtual Border Routers (VBRs) page, click the ID of the VBR for which you want to configure BGP routing.

6. On the details page of the VBR, click the BGP Peers tab.

7. Find the BGP peer that you want to manage and click Edit in the Actions column.

8. In the Modify BGP Peer panel, select Enable BFD, configure the BFD Hop Count parameter, and then click OK.

   Note

   BFD supports single-hop and multi-hop authentication. You can set hops based on your network configuration.

Step 7: Test the network connectivity

1. Open the Command Prompt window of your computer at the on-premises data center.
2. Run the ping command to connect to an ECS instance that belongs to the 192.168.0.0/24 CIDR block in the VPC. If the ping request is successful, the connection between the on-premises data center and Alibaba Cloud is established.
3. Disconnect a leased line (for example, from VBR1 to CPE1) and run the tracert command. You can see that the CEN instance switches routes and that all traffic from Alibaba Cloud to the on-premises data center is forwarded over VBR2.