This topic describes how to establish active/active connections between a data center and Alibaba Cloud over Express Connect circuits by using static routing.
Scenario
In this example, the following scenario is used. If your data center is connected to Alibaba Cloud over two Express Connect circuits, network traffic is distributed across both connections by default. If one of the Express Connect circuits is down, the other Express Connect circuit takes over to serve your workloads. This ensures service availability.
In this scenario, a company has a data center in Shanghai and creates a virtual private cloud (VPC) in the China (Shanghai) region. The private CIDR block of the data center is 172.16.0.0/12, and the CIDR block of the VPC is 192.168.0.0/16. To prevent single points of failure (SPOFs), the company needs to apply for two Express Connect circuits from different Internet service providers (ISPs) to configure active/active failover.
The following table describes the configurations of the virtual border routers (VBRs) connected to the Express Connect circuits.
Parameter | VBR 1 (connected to Express Connect Circuit 1) | VBR 2 (connected to Express Connect Circuit 2) |
VLAN ID | 0 | 0 |
Alibaba Cloud Side IPv4 Address | 10.100.0.1 | 10.100.0.5 |
Data Center Side IPv4 Address | 10.100.0.10 | 10.100.0.6 |
IPv4 Subnet Mask | 255.255.255.0 | 255.255.255.0 |
Prerequisites
A VPC is created in the China (Shanghai) region, and cloud resources such as Elastic Compute Service (ECS) instances that host your business systems are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
You understand the security group rules of the Elastic Compute Service (ECS) instances in the virtual private cloud (VPC). Make sure that the rules allow the ECS instances to communicate with the data center. For more information, see View security group rules and Add a security group rule.
Procedure
Step 1: Create two connections over Express Connect circuits
In this example, two dedicated connections are created. For more information, see Create and manage a dedicated connection over an Express Connect circuit.
When you create a connection over Express Connect Circuit 2, you may need to specify a redundant Express Connect circuit based on the access point.
If you want to connect the Express Connect circuits to the same access point, you must specify the redundant Express Connect circuit. Set the Redundant Express Connect Circuit ID parameter to the ID of Express Connect Circuit 1. This way, the Express Connect circuits are connected to different access devices of an access point.
If you want to connect the Express Connect circuits to different access points, you do not need to specify the redundant Express Connect circuit. In this case, you do not need to configure the Redundant Express Connect Circuit ID parameter.
In this example, the Express Connect circuits are connected to different access points.
Step 2: Create VBRs for both Express Connect circuits
After two connections over Express Connect circuits are enabled, create a VBR for each Express Connect circuit. The VBRs serve as bridges for data exchange between the data center and the VPC.
Log on to the Express Connect console.
In the top navigation bar, select a region.
On the Physical Connection page, click the ID of the connection over Express Connect Circuit 1.
On the VBR tab, click Create VBR.
In the Create VBR panel, configure the parameters that are described in the following table and click OK.
Parameter | Description |
Basic Information | |
Account | The type of the account that is used to create VBR 1. By default, Current Account is selected, which specifies that VBR 1 is created within the current Alibaba Cloud account. |
Name | The name of VBR 1. |
Physical Connection Information | |
Express Connect Circuit | The type of the connection over the Express Connect circuit that you want to associate with VBR 1. Then, select a connection over an Express Connect circuit that is enabled and functions as expected from the drop-down list. Valid values: Dedicated Physical Connection (a dedicated connection over an Express Connect circuit) and Shared Physical Connection (a hosted connection over an Express Connect circuit). In this example, Dedicated Physical Connection is selected, and the connection over Express Connect Circuit 1 is selected from the drop-down list. |
VLAN ID | The virtual LAN (VLAN) ID of VBR 1. Valid values: 0 to 2999. In this example, 0 is entered. |
Set VBR Bandwidth Value | The bandwidth of VBR 1. In this example, 200Mb is selected. |
Alibaba Cloud Side IPv4 Address | The IPv4 address for the VBR to route network traffic from the VPC to the data center. The IPv4 addresses that are specified by the Alibaba Cloud Side IPv4 Address and Data Center Side IPv4 Address parameters must belong to the same CIDR block. In this example, 10.100.0.1 is entered. |
Data Center Side IPv4 Address | The IPv4 address for the gateway device in the data center to route network traffic from the data center to the VPC. Note: To allow services in the VPC to access a specific gateway IP address, you must add a route to the route table of the VBR. Set the destination CIDR block to the CIDR block to which the specified gateway IP address belongs and set the next hop to the Express Connect circuit. For more information, see Add a custom route. In this example, 10.100.0.10 is entered. |
IPv4 Subnet Mask | The subnet mask of the IPv4 addresses that are specified for the VBR and the gateway device in the data center. You can enter a long subnet mask because only two IP addresses are required. In this example, 255.255.255.0 is entered. |
Support IPv6 | Specifies whether to enable IPv6 for VBR 1. In this example, Disable is selected. Valid values: Disable (default), which disables IPv6, and Enable, which enables IPv6. If you select Enable, you cannot disable IPv6 after the VBR is created, and you must configure the following parameters of the VBR. |
IPv6 Address (Alibaba Cloud Gateway) | Enter an IPv6 address for the VBR to route network traffic between the VPC and the data center. The values of the IPv6 Address (Alibaba Cloud Gateway) and IPv6 Address (Data Center Gateway) parameters must belong to the same CIDR block. |
IPv6 Address (Data Center Gateway) | Enter an IPv6 address for the gateway device in the data center to route network traffic between the VPC and the data center. |
Subnet Mask (IPv6) | Enter the subnet mask of the IPv6 addresses that you specified for the VBR and the gateway device in your data center. |
Repeat the preceding steps to create VBR 2 for Express Connect Circuit 2.
The following table describes only some of the parameters related to VBR 2. For more information about how to create a VBR, see Create and manage a VBR.
Parameter | Description |
VLAN ID | The VLAN ID of VBR 2. Valid values: 0 to 2999. In this example, 0 is entered. |
Set VBR Bandwidth Value | The bandwidth of VBR 2. In this example, 200Mb is selected. |
Alibaba Cloud Side IPv4 Address | The IPv4 address for the VBR to route network traffic from the VPC to the data center. In this example, 10.100.0.5 is entered. |
Data Center Side IPv4 Address | The IPv4 address for the gateway device in the data center to route network traffic from the data center to the VPC. In this example, 10.100.0.6 is entered. |
IPv4 Subnet Mask | The subnet mask of the IPv4 addresses that are specified for the VBR and the gateway device in the data center. In this example, 255.255.255.0 is entered. |
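The parameter rules in Step 2 (VLAN ID from 0 to 2999, both IPv4 addresses in the same CIDR block, and a long subnet mask being enough for two addresses) can be checked before the values are typed into the console. The following Python sketch is an added example, not part of the original documentation; the function names are hypothetical, and the addresses are the ones from the tables in this topic.

```python
import ipaddress

VLAN_IDS = range(0, 3000)  # the page gives the valid VLAN ID range as 0 to 2999

# Addressing taken from the page's example tables.
VBR_PLAN = {
    "VBR 1": {"vlan": 0, "cloud": "10.100.0.1", "dc": "10.100.0.10",
              "mask": "255.255.255.0"},
    "VBR 2": {"vlan": 0, "cloud": "10.100.0.5", "dc": "10.100.0.6",
              "mask": "255.255.255.0"},
}


def check_vbr(cfg):
    """Return a list of problems with one VBR's parameters (empty means OK)."""
    problems = []
    if cfg["vlan"] not in VLAN_IDS:
        problems.append(f"VLAN ID {cfg['vlan']} is outside 0-2999")
    cloud = ipaddress.ip_interface(f"{cfg['cloud']}/{cfg['mask']}")
    dc = ipaddress.ip_interface(f"{cfg['dc']}/{cfg['mask']}")
    if cloud.network != dc.network:
        problems.append(f"{cloud.ip} and {dc.ip} are not in the same CIDR block")
    elif cloud.ip == dc.ip:
        problems.append(f"both sides use {cloud.ip}")
    return problems


def longest_prefix(cfg):
    """Longest prefix length that keeps both addresses as usable hosts."""
    a = ipaddress.ip_address(cfg["cloud"])
    b = ipaddress.ip_address(cfg["dc"])
    for prefix in range(30, -1, -1):
        net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
        reserved = {net.network_address, net.broadcast_address}
        if b in net and a != b and reserved.isdisjoint({a, b}):
            return prefix
    return None


if __name__ == "__main__":
    for name, cfg in VBR_PLAN.items():
        print(name, check_vbr(cfg) or "OK", f"/{longest_prefix(cfg)} would suffice")
```
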
Step 3: Create VBR-to-VPC connections and configure health checks
After VBRs are created for both Express Connect circuits, create a VBR-to-VPC connection for each Express Connect circuit. Then, configure health checks. After health checks are configured, probe packets are sent at a specific time interval to monitor the connectivity between the VBRs and the data center.
Log on to the Express Connect console.
In the top navigation bar, select a region in which you want to create a VBR-to-VPC connection between VBR 1 and the VPC.
In the left-side navigation pane, choose .
On the VBR-to-VPC page, click Create Peering Connection.
On the Establish VBR-VPC Interconnection page, configure the parameters that are described in the following table.
The following table describes only the parameters related to this topic. For more information about how to configure other parameters, see Create and manage a VBR-to-VPC connection.
Parameter | Description |
Initiator Region | The region in which the initiator VBR resides. |
Initiator VBR | The VBR that serves as the initiator instance. In this example, VBR 1 created in Step 2: Create VBRs for both Express Connect circuits is selected. |
Acceptor Region Type | Specifies whether the acceptor VPC resides in the same region as the initiator VBR. In this example, Intra-Region is selected. |
Acceptor Account Type | The type of the account to which the acceptor VPC belongs. In this example, Current Account is selected. |
Acceptor VPC | The VPC that serves as the acceptor instance. |
Read and select the Terms of Service and click OK.
Note: If the initiator or acceptor is deployed outside the Chinese mainland and the acceptor is deployed in the Chinese mainland or vice versa, the VBR-to-VPC connection is a cross-border connection. In this case, you must select the agreement for cross-border connections before you can create the VBR-to-VPC connection.
After the VBR-to-VPC connection is established, the status of the initiator and the acceptor changes to Activated.
Repeat the preceding steps to create a VBR-to-VPC connection between VBR 2 and the VPC.
After VBR-to-VPC connections are created, configure health checks on the connectivity of the Express Connect circuits for static routing. For more information, see Configure health checks if you connect a data center to Alibaba Cloud by creating a VBR-to-VPC connection.
Step 4: Configure routes to route network traffic from the VPC to the data center
Configure a route that points to the data center for the VPC and each VBR. This ensures that network traffic can be securely routed from the VPC and VBRs to the data center.
Configure routes for the VBRs
Configure routes on the VBRs so that network traffic destined for the data center (172.16.0.0/12) is forwarded to the Express Connect circuits.
Log on to the Express Connect console.
In the top navigation bar, select a region. In the left-side navigation pane, click Virtual Border Routers (VBRs).
On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
In this example, VBR 1 is used.
On the details page of the VBR, click the Routes tab and then the Custom Route Entry tab. Then, click Add Route.
In the Add Route panel, configure the parameters that are described in the following table and click OK.
Parameter | Description |
Next Hop Type | The type of the next hop. Valid values: VPC (routes network traffic destined for the destination CIDR block to a VPC) and Physical Connection Interface (routes network traffic destined for the destination CIDR block to an Express Connect circuit). In this example, Physical Connection Interface is selected. |
Destination CIDR Block | The CIDR block of the data center. In this example, 172.16.0.0/12 is entered. |
Next Hop | The instance ID of the next hop based on the specified type. In this example, the connection over Express Connect Circuit 1 created in Step 1: Create two connections over Express Connect circuits is selected. |
Description | The description of the route. |
Repeat the preceding steps to configure a route that points to Express Connect Circuit 2 for VBR 2.
Configure routes for the VPC
Configure routes on the VPC so that network traffic destined for the data center (172.16.0.0/12) is forwarded to the VBRs.
Log on to the VPC console.
In the left-side navigation pane, click Route Tables.
In the top navigation bar, select the region to which the route table belongs.
On the Route Tables page, find the custom route table of the VPC and click the route table ID.
On the details page of the route table, click the tab and then the Custom Route tab.
Click Add Route Entry. In the Add Route Entry dialog box, configure the parameters that are described in the following table and click OK.
Parameter | Description |
Name | The name of the route. |
Destination CIDR Block | The destination CIDR block to which you want to route network traffic. In this example, IPv4 CIDR Block is selected, and 172.16.0.0/12 is entered. 172.16.0.0/12 is the CIDR block of the data center. |
Next Hop Type | The type of the next hop. In this example, Router Interface (to VBR) is selected. Then, click the General Routing tab, and select the router interface of the VBR-to-VPC connection between VBR 1 and the VPC from the drop-down list. |
Repeat the preceding steps to configure a route that points to VBR 2 for the VPC.
Step 5: Configure routes to route network traffic from the data center to the VPC
Configure routes that point to the VPC for the VBRs and routes that point to the VBRs for the gateway device in the data center. This ensures that network traffic can be securely routed from the data center to the VPC.
Configure routes for the VBRs
Configure routes on the VBRs so that network traffic destined for the VPC (192.168.0.0/16) is forwarded to the VPC.
Log on to the Express Connect console.
In the top navigation bar, select a region. In the left-side navigation pane, click Virtual Border Routers (VBRs).
On the Virtual Border Routers (VBRs) page, click the ID of VBR 1.
On the details page of the VBR, click the Routes tab and then the Custom Route Entry tab. Then, click Add Route.
In the Add Route panel, configure the parameters that are described in the following table and click OK.
Parameter | Description |
Next Hop Type | The type of the next hop. In this example, VPC is selected. |
Destination CIDR Block | The CIDR block of the VPC. In this example, 192.168.0.0/16 is entered. |
Next Hop | The VPC. |
Description | The description of the route. |
Repeat the preceding steps to configure a route that points to the VPC for VBR 2.
Configure routes and health checks for the data center
Configure routes for the data center to route network traffic from the data center to the VBRs. Then, configure the return route of probe packets and health checks in the data center. Finally, configure the gateway device to route network traffic based on health check results to achieve network redundancy.
Configure the return route of probe packets in the data center.
The configuration commands may vary based on gateway devices. The following example is for reference only. For more information about the configuration commands, consult the vendor of your gateway device.
# Configure the return route of probe packets from the data center to the VPC.
ip route 192.168.0.0 255.255.0.0 10.100.0.1
ip route 192.168.0.0 255.255.0.0 10.100.0.5
Configure health checks in the data center. For more information, see Configure health checks if you connect a data center to Alibaba Cloud by creating a VBR-to-VPC connection.
Step 6: Test the connectivity
After you complete the preceding steps, you must test the connectivity of the Express Connect circuits.
Open the CLI on a computer in the data center.
Run the ping command to test the connectivity between the data center and an ECS instance in the VPC. The CIDR block of the VPC is 192.168.0.0/16. If echo reply packets are returned, the ECS instance is reachable from the data center.
To check whether active/active connections are established between the data center and Alibaba Cloud over Express Connect circuits, run a command to query the routes of packets.
Note: Before you run a command, make sure that relevant commands are installed. The command varies based on the operating system. For more information, see the manual of your operating system.
Windows: Run the tracert command.
Linux: Run the traceroute command.
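To turn the route query in Step 6 into a repeatable check, the following Python sketch reads saved Linux `traceroute -n` output and reports which Express Connect circuit each trace crossed. It is an added example, not part of the original documentation. It assumes that the Alibaba Cloud side address of each VBR (10.100.0.1 and 10.100.0.5 in this topic) shows up as a hop, and the sample traces, including the hosts 172.16.0.1 and 192.168.0.10, are constructed.

```python
import re

# Alibaba Cloud side addresses of the two VBRs, from the table in this topic.
VBR_HOPS = {
    "10.100.0.1": "Express Connect Circuit 1",
    "10.100.0.5": "Express Connect Circuit 2",
}
HOP_LINE = re.compile(r"^\s*\d+\s+(.*)$")           # "<hop number>  <rest of line>"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample output; 172.16.0.1 and 192.168.0.10 are made-up hosts.
HEADER = "traceroute to 192.168.0.10 (192.168.0.10), 30 hops max, 60 byte packets\n"
TRACE_A = HEADER + (" 1  172.16.0.1  0.41 ms  0.38 ms  0.36 ms\n"
                    " 2  10.100.0.1  1.92 ms  1.88 ms  1.90 ms\n"
                    " 3  192.168.0.10  2.31 ms  2.27 ms  2.30 ms\n")
TRACE_B = TRACE_A.replace("10.100.0.1 ", "10.100.0.5 ")
TRACE_SILENT = HEADER + (" 1  172.16.0.1  0.41 ms  0.38 ms  0.36 ms\n"
                         " 2  * * *\n"
                         " 3  192.168.0.10  2.31 ms  2.27 ms  2.30 ms\n")


def circuits_in_trace(text):
    """Return the set of circuits whose VBR address appears as a hop."""
    seen = set()
    for line in text.splitlines():
        match = HOP_LINE.match(line)
        if not match:
            continue  # header line or blank line
        for ip in IPV4.findall(match.group(1)):
            if ip in VBR_HOPS:
                seen.add(VBR_HOPS[ip])
    return seen


def assess(traces):
    """Summarize several traces: both circuits seen, one seen, or none."""
    seen = set()
    for text in traces:
        seen |= circuits_in_trace(text)
    if len(seen) == 2:
        return "active/active: both circuits carry traffic"
    if len(seen) == 1:
        return f"single path: only {next(iter(seen))} observed"
    return "inconclusive: no VBR hop observed"


if __name__ == "__main__":
    print(assess([TRACE_A, TRACE_B]))
```

How a gateway device spreads traffic across equal static routes depends on the device, so collect traces from several source and destination addresses before you conclude that only one circuit is in use.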