Specify an ECS instance in a VPC as a backend server of ALB in a different region - Server Load Balancer

This topic describes how to add Elastic Compute Service (ECS) instances in a virtual private cloud (VPC) to an Application Load Balancer (ALB) instance in a different region. To add ECS instances in a VPC to an ALB instance in a different region, you must use transit routers of Cloud Enterprise Network (CEN). Transit routers are used to route network traffic from the ALB instance to the ECS instances.

Sample scenario

The following figure shows an example in this topic. A company created a VPC (VPC1) in the China (Chengdu) region and deployed an ALB instance in VPC1. The company created a VPC (VPC2) in the China (Hangzhou) region and created ECS instances in VPC2. The company wants to add the ECS instances in VPC2 to the ALB instance in VPC1.

To do this, the company uses a CEN instance and attaches both VPCs to the CEN instance. This allows the ECS instances in VPC2 to function as the backend servers of the ALB instance in VPC1.

Precautions

If you want to add ECS instances to an ALB instance in a different region, you must first add the ECS instances to a server group of the IP type.

The following table lists the regions where you can specify ECS instances in another region as backend servers of ALB.

Area	Region
China	China (Chengdu), China (Qingdao), China (Beijing), China (Guangzhou), China (Hangzhou), China (Ulanqab), China (Shanghai), China (Shenzhen), China (Zhangjiakou), and China (Hong Kong)
Asia Pacific	Indonesia (Jakarta), Japan (Tokyo), Malaysia (Kuala Lumpur), and Singapore
Europe & Americas	Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley)

VPC1 and VPC2 must be attached to the same CEN instance.
When you associate Enterprise Edition transit routers with the VPCs, elastic network interfaces (ENIs) are automatically created. Then, the ENIs are attached to the vSwitch in each zone. The ENIs are used to forward network traffic from the VPCs to the Enterprise Edition transit routers. When you create the VPCs, you must specify at least one vSwitch in each zone of the Enterprise Edition transit routers. This way, network traffic can be routed from the VPCs to the transit routers. For more information, see Regions and zones that support Enterprise Edition transit routers.
You can add only internal-facing servers. Internet-facing servers are not supported.
You cannot add a backend server of the IP type to an ALB instance, a Network Load Balancer (NLB) instance, or a Classic Load Balancer (CLB) instance in the same VPC.
Make sure that no loops exist. ALB adds the ALICLOUD-ALB-TRACE HTTP header to each request to detect loops. If a loop is detected, ALB stops forwarding requests to backend servers and returns the 463 status code in case a network storm arises and exhausts all resources.
Enterprise Edition transit routers support inter-region data forwarding. Basic Edition transit routers do not support inter-region data forwarding.
For the same CEN instance, each region can have only one VPC in which one or more ALB instances use backend servers in VPCs in different regions.
- ALB instances in different VPCs within the same region cannot use the same transit router to access backend servers in VPCs in different regions.
- ALB instances in different VPCs within the same region cannot use different transit routers to access the same backend server in a VPC in a different region.
Network traffic between an ALB instance and its backend servers can be routed based only on the system route table. VPC custom route tables are not supported.

Prerequisites

A VPC (VPC1) is created in the China (Chengdu) region. Another VPC (VPC2) is created in the China (Hangzhou) region.
- Two vSwitches (VSW1 and VSW2) are created in VPC1. VSW1 is deployed in Zone A and VSW2 is deployed in Zone B.
- Two vSwitches (VSW3 and VSW4) are created in VPC2. VSW3 is deployed in Zone H and VSW4 is deployed in Zone I.
For more information, see Create and manage a VPC.
ECS instances are created in VPC1 to send connection requests. An ECS instance named ECS1 is created in VPC2 and an application is deployed on ECS1 to receive connection requests. For information about how to create an instance, see Create an instance by using the wizard.
An ALB instance is created in VPC1. For more information, see Create an ALB instance.
A CEN instance is created and a bandwidth plan is associated with the CEN instance. For more information, see Create a CEN instance and Work with a bandwidth plan.
A transit router is deployed in the China (Chengdu) region. Another transit router is deployed in the China (Hangzhou) region. For more information, see Create a transit router.

The following table describes how networks are planned. You can plan CIDR blocks based on your business requirements. Make sure that the CIDR blocks do not overlap with each other.

Region	VPC	vSwitch	vSwitch zone	CIDR block
China (Chengdu)	VPC1 Primary CIDR block: 172.16.0.0/12	VSW1	Zone A	172.16.0.0/24
China (Chengdu)	VPC1 Primary CIDR block: 172.16.0.0/12	VSW2	Zone B	172.16.6.0/24
China (Hangzhou)	VPC2 Primary CIDR block: 192.168.0.0/16.	VSW3	Zone H	192.168.8.0/24
China (Hangzhou)	VPC2 Primary CIDR block: 192.168.0.0/16.	VSW4	Zone I	192.168.7.0/24

Procedure

Step 1: Create a server group for the ALB instance

Create a server group of the IP type. Then, add the IP addresses of the ECS instances that you want to specify as backend servers to the server group.

Log on to the ALB console.
In the top navigation bar, select the region where the ALB instance resides. In this example, China (Chengdu) is selected.
In the left-side navigation pane, choose ALB > Server Groups.

On the Server Groups page, click Create Server Group, configure the parameters, and then click Create.

Parameter	Description
Server Group Type	Select the type of server group that you want to create. In this example, IP is selected.
Server Group Name	Enter a name for the server group.
VPC	Select a VPC from the drop-down list. In this example, VPC1 is selected.
Backend Server Protocol	Select a backend protocol. In this example, HTTP is selected.
Scheduling Algorithm	Select a scheduling algorithm. Valid values: Round-Robin, Weighted Round Robin, Source IP Hashing, Four-Element Hashing, and QUIC ID Hashing. Default value: Weight Round Robin. In this example, the default scheduling algorithm is used.
Resource Group	Select a resource group for the server group.
Session Persistence	Specify whether to enable or disable session persistence. In this example, session persistence is disabled, which is the default setting.
Health Check Settings	Specifies whether to enable heath checks. In this example, health checks are enabled, which is the default setting.
Advanced Settings	In this example, the default advanced settings are used. For more information, see Create and manage server groups.

On the Server Groups page, find the server group that you want to manage and click Modify Backend Server in the Actions column.
On the Backend Servers tab, click Add IP Address.
In the Add Backend Server panel, enter the private IP address of ECS1, turn on Remote IP, and then click Next.
- If you enable the remote IP address feature, IP addresses that fall into the following CIDR blocks are supported:
  - 10.0.0.0/8
  - 100.64.0.0/10
  - 172.16.0.0/12
  - 192.168.0.0/16
- If you do not enable the remote IP address feature, only IP addresses that fall into the CIDR block of the VPC in which the server group is created are supported.
Specify the port and weight of the IP address and click OK. In this example, the port is set to 80, and the default weight is used.

Step 2: Configure a listener for the ALB instance

Log on to the ALB console.
In the top navigation bar, select the region where the ALB instance resides. In this example, China (Chengdu) is selected.
On the Instances page, find the ALB instance that is created in VPC1 and click Create Listener in the Actions column.

In the Configure Listener step, set the following parameters and click Next.

Parameter	Description
Listener Protocol	Select a listener protocol. In this example, HTTP is selected.
Listener Port	Enter the port on which the ALB instance listens. The ALB instance listens for requests on the specified port and then forwards the requests to backend servers. Valid values: 1 to 65535. In this example, `80` is specified.
Listener Name	Enter a name for the listener.
Advanced Settings	In this example, the default advanced settings are used.

In the Select Server Group step, select IP from the Server Group drop-down list, select the server group that you created in Step 1, and then click Next.
In the Configuration Review step, confirm the configurations and click Submit.

Step 3: Attach the VPCs to the CEN instance

Log on to the CEN console.
On the Instances page of the CEN console, click the ID of the CEN instance that you created.
On the Basic Settings > Transfer Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.

On the Connect with Peer Network Instance page, set the following parameters and click OK.

Parameter	Description
Network Type	In this example, VPC is selected.
Region	Select the region where the network instance is created. In this example, China (Chengdu) is selected.
Transit Router	The transit router deployed in the selected region is selected by default.
Resource Owner ID	Specify whether the network instance belongs to the current account Alibaba Cloud account. In this example, Current Account is selected.
Billing Method	In this example, the default value Pay-As-You-Go is selected.
Attachment Name	Enter a name for the connection.
Network Instance	Select the ID of the VPC that you want to attach to the CEN instance. In this example, VPC1 is selected.
vSwitch	Select vSwitches that are deployed in zones supported by Enterprise Edition transit routers. In this example, VSW1 and VSW2 are selected.
Advanced Settings	The advanced features are selected by default. In this example, the default advanced settings are used.

After you attach VPC1 to the CEN instance, click Create More Connections and repeat Substep 4 of Step 3: Attach the VPCs to the CEN instance to attach VPC2 to the CEN instance.
In this example, the following configurations are used. The default settings are used for parameters that are not described in this section.
- Region is set to China (Hangzhou).
- Network Instance is set to VPC2.
- VSwitch is set to VSW3 in Hangzhou Zone H and VSW4 in Hangzhou Zone I.

Step 4: Create an inter-region connection

Log on to the CEN console.
On the Instances page of the CEN console, click the ID of the CEN instance that you created.
On the Basic Settings > Transfer Router tab, find the transit router that you want to manage to and click Create Connection in the Actions column.
You can choose the transit router that is associated with VPC1 or the transit router that is associated with VPC2. In this example, the transit router associated with VPC1 is used.

On the Connect with Peer Network Instance page, configure the inter-region connection and click OK.

Parameter	Description
Network Type	Select Inter-region Connection.
Region	Select the region where the specified transit router is deployed. In this example, China (Chengdu) is selected.
Transit Router	The transit router deployed in the selected region is displayed.
Attachment Name	Specify a name for the inter-region connection.
Peer Region	Select the region where the peer transit router is deployed. In this example, China (Hangzhou) is selected.
Bandwidth Allocation Mode	In this example, Allocate from Bandwidth Plan is selected.
Bandwidth Plan	Select a bandwidth plan that is associated with the CEN instance.
Bandwidth	Specify a valid bandwidth value. Unit: Mbit/s.
Advanced Settings	In this example, the default advanced settings are used.

Step 5: Add routes to the system route table of VPC1

Check whether the system route table of VPC1 contains a route that points to the VPC1 connection. If no routes point to the VPC1 connection, perform the following operations to add a route that points to the VPC1 connection:

Note

Network traffic between an ALB instance and its backend servers can be routed based only on the system route table. VPC custom route tables are not supported.

Log on to the VPC console.
On the VPCs page, click the ID of VPC1.
On the details page of VPC1, click the Resources tab and then click the number below Route Table.
On the Route Tables page, find the route table whose Route Table Type is System and click its ID.
On the details page of the route table, choose Route Entry List > Custom Route and click Add Route Entry.

In the Add Route Entry panel, configure the parameters and click OK. The following table describes the parameters.

Parameter	Description
Name	Enter a name for the route.
Destination CIDR Block	Enter a destination CIDR block. In this example, the CIDR block of ECS1 is entered, which is `192.168.7.0/24`.
Next Hop Type	Select a type of next hop. In this example, Transit Router is selected.
Transit Router	Select a transit router. In this example, the transit router that is associated with VPC1 is selected.

Step 6: Configure back-to-origin routes

View the back-to-origin route of the ALB instance. Add the back-to-origin route to the system route table of VPC2 and the route table of the transit router that is associated with VPC1.

Perform the following operations to view the back-to-origin route of an ALB instance:
1. Log on to the ALB console.
2. In the top navigation bar, select the region where the ALB instance resides. In this example, China (Chengdu) is selected.
3. On the Instances page, click the ID of the ALB instance that is created in VPC1.
4. Click the Instance Details tab, and then click View next to Back-to-origin Route.

Perform the following operations to add the back-to-origin route of ALB to the system route table of VPC2:

Log on to the VPC console.
On the VPCs page, click the ID of VPC2.
On the details page of VPC2, click the Resources tab and then click the number below Route Table.
On the Route Tables page, find the route table whose Route Table Type is System and click its ID.
On the details page of the route table, choose Route Entry List > Custom Route and click Add Route Entry.

In the Add Route Entry panel, configure the parameters and click OK. The following table describes the parameters.

Parameter	Description
Name	Enter a name for the route.
Destination CIDR Block	Enter a destination CIDR block. In this example, the destination CIDR block of the back-to-origin route of the ALB instance is entered, which is obtained from Substep 1 of Step 6. If the ALB instance has multiple back-to-origin routes, repeat the preceding operations to add all back-to-origin routes. In this example, the following routes are configured for VPC2: 100.XX.XX.0/25 100.XX.XX.128/25 100.XX.XX.64/26 100.XX.XX.128/26 100.XX.XX.192/26 100.XX.XX.0/26
Next Hop Type	Select a type of next hop. In this example, Transit Router is selected.
Transit Router	Select a transit router. In this example, the transit router that is associated with VPC2 is selected.

Perform the following operations to add the back-to-origin route of ALB to the transit router associated with VPC1:

Log on to the CEN console.
On the Instances page of the CEN console, click the ID of the CEN instance that you created.
On the Basic Settings > Transfer Router tab, click the ID of the transfer router that is associated with VPC1.
On the Route Table tab, click the ID of the route table to which you want to add the back-to-origin route, click the Route Entry tab, and then click Add Route Entry.

In the Add Route Entry dialog box, configure the parameters and click OK. The following table describes the parameters.

Parameter	Description
Route Table	The current route table is selected by default.
Transit Router	The current transit router is selected by default.
Name	Enter a name for the route.
Destination CIDR Block	Enter the destination CIDR block of the route. In this example, the destination CIDR block of the back-to-origin route of the ALB instance is entered, which is obtained from Substep 1 in Step 6. If the ALB instance has multiple back-to-origin routes, repeat the preceding operations to add all back-to-origin routes. In this example, the following routes are added to the transit router associated with VPC1: 100.XX.XX.0/25 100.XX.XX.128/25 100.XX.XX.64/26 100.XX.XX.128/26 100.XX.XX.192/26 100.XX.XX.0/26
Blackhole Route	The default value No is selected.
Next Hop	Select a next hop. In this example, the transit router that is associated with VPC1 is selected.
Description	Enter a description for the route.

Step 7: Check the security group rules of the ECS instances

Packets are sent from the CIDR block of the back-to-origin route to the ECS instances. Make sure that the security group rules of the ECS instances allow access from the CIDR block. In the example, you must add an inbound rule to the security group of the ECS instance to allow access from the back-to-origin CIDR block (100.64.0.0/10) of ALB. Otherwise, the access to backend services across regions fails. For more information, see Add a security group rule.

Step 8: Test network connectivity

Log on to the ECS instance that is deployed in VPC1. For more information, see Connection method overview.
Run the wget http://domain name of the ALB instance command to check whether the ECS instance in VPC1 can access ECS1 in VPC2 through ALB.
You can view the domain name of the ALB instance on the Instances page of the ALB console.
If you can receive echo reply packets, the connection is established, as shown in the following figure.