how to use Express Connect circuits and IPsec-VPN gateways to establish active/standby connections to access cloud computers over private networks - Elastic Desktop Service

This topic describes how to use an Express Connect circuit and an IPsec-VPN gateway to connect a data center and Alibaba Cloud networks. This way, end users can establish active/standby connections to access cloud computers over private networks.

Background information

Before you begin, read Access a cloud computer over a private network and familiarize yourself with private networks.

After you complete network settings described in this topic, the following effects are achieved:

If an Express Connect circuit and virtual private network (VPN) connections are normal, traffic generated between the data center and cloud computers is forwarded by using the Express Connect circuit.
If the Express Connect circuit is abnormal, traffic generated between the data center and cloud computers is forwarded by using VPN connections.

Related services:

Express Connect circuits
Express Connect provides a secure and convenient method to connect a data center and Alibaba Cloud. You can lease an Express Connect circuit from a third-party Express Connect partner and use the circuit to connect the data center to an Alibaba Cloud access point. Connections over the Express Connect circuit are not exposed to the Internet. Compared with Internet-based connections, connections over the Express Connect circuit feature higher security and reliability, faster network connection, and lower network latency. For more information, see What is a connection over an Express Connect circuit?
IPsec-VPN gateways
VPN Gateway is an Internet-based service for network connections. You can use the service to establish secure and reliable connections between a data center and an Alibaba Cloud virtual private cloud (VPC) over encrypted channels. For more information, see VPN gateways.

Preparations

Before you begin, read the Access a cloud computer over a private network topic and complete the following preparations:

Create a Cloud Enterprise Network (CEN) instance. For more information, see Create a CEN instance.
Create a VPC and attach it to the CEN instance. For more information, see Create a VPC and a vSwitch or Attach a network instance to a CEN instance.
Create an office network and attach its VPC to the CEN instance. For more information, see Create and manage convenience office networks and Create and manage an enterprise AD office network.
Important
- Before you create an office network, you must plan the IPv4 CIDR block of the office network to prevent CIDR block conflicts between the office network and the CEN instance or between the office network and your data center. For more information, see Plan a CIDR block.
- If you create a convenience office network, attach the convenience office network to the CEN instance.
- If you deploy your AD system on an Elastic Compute Service (ECS) instance, you must attach the VPC of the AD server to the CEN instance. If you deploy your AD system on a local server, you must connect the local network to the cloud network. You can create an enterprise AD office network and implement connectivity between the local server and the cloud, and then configure the AD domain.
Create a cloud computer and an account. Then, assign the cloud computer to the account.
- For more information about how to create an account, see Create a convenience account or Create and manage an enterprise AD office network.
- For more information about how to create and assign cloud computers, see Create cloud computers and Assign cloud computers to users.
Obtain an Alibaba Cloud Workspace terminal to connect to and use cloud computers.
Note
The Express Connect and IPsec-VPN solution supports the Windows client and macOS client of Alibaba Cloud Workspace.

CIDR block planning

Complete the following network planning and gateway configurations:

Configure routing protocols for a data center and network instances. In this topic, the following routing protocols are used:
- Use static routing between a data center gateway and VPN gateway.
- Use Border Gateway Protocol (BGP) between the data center gateway and a Virtual Border Router (VBR).
  Note
  In scenarios in which a VPN gateway works as a standby connection and an Express Connect circuit works as an active connection, take note of the following items:
  - If the VPN gateway is associated with an independent VPC, such as a user VPC, the VBR must use the BGP protocol. The VPN gateway can use static routing or the BGP protocol.
  - If the VPN gateway is associated with a business VPC, such as an office network VPC, the VBR and VPN gateway must use the BGP protocol.

When you plan networks for the data center and network instances, make sure that the CIDR blocks of the data center do not overlap with the CIDR blocks of the network instances. The following table describes sample CIDR blocks. The actual CIDR blocks that you use shall prevail.

Item	CIDR block	Description
Office network VPC	172.16.0.0/12	The IP address of a cloud computer and private gateway.
User VPC	192.168.0.0/24	The CIDR block that is used for the VPC that you created to establish VPN connections.
VBR	10.0.0.1/30	Virtual local area network (VLAN) ID: 0 IPv4 Address (Alibaba Cloud Gateway): 10.0.0.1/30 IPv4 Address (Data Center Gateway): 10.0.0.2/30 BGP Autonomous System Number (ASN): 45104
Data center	192.168.1.1/24	The Alibaba Cloud Workspace client uses this CIDR block to establish connections.
Data center gateway	10.0.0.2/30	Public IP address: 115.XX.XX.154 IP address of the port that is used to connect to an Express Connect circuit: 10.0.0.2/30 BGP ASN: 65001

Check whether the data center gateway supports standard IKEv1 and IKEv2 protocols to connect the data center gateway to the Alibaba Cloud VPN gateway. To check whether the gateway supports the IKEv1 and IKEv2 protocols, contact your gateway manufacturer.
Assign a static public IP address to the data center gateway.

Step 1: Deploy an Express Connect circuit

Create a connection over an Express Connect circuit.
You must apply for an Express Connect circuit in a region. For more information, see Create and manage a dedicated connection over an Express Connect circuit or Overview of hosted connections.

Create a VBR. For more information, see Create and manage a VBR.

Parameters

Parameter	Description
Account	Specify the Alibaba Cloud account for which a VBR is created. By default, Current Account is selected. If you use the default setting, the VBR that you create belongs to the account that you use to log on to the console.
Name	Enter a name for the VBR.
Resource Group	Select the resource group to which the VBR belongs. Alternatively, you can add the VBR to a resource group in the following way: After the VBR is created, find the VBR and click Add to Resource Group in the Resource Group column.
Tags	Tag Key: You can select or enter a key. The tag key can be up to 64 characters in length. The tag key cannot start with `aliyun` or `acs:` and cannot contain `http://` or `https://`. Tag Value: You can select or enter a value. The tag value can be up to 128 characters in length. The tag value cannot start with `aliyun` or `acs:` and cannot contain `http://` or `https://`. You can also add tags to the VBR in the Tags column after the VBR is created. After you add tags, you can modify, view, and delete the tags.
Express Connect Circuit	Select the type of Express Connect circuit that you want to associate with the VBR. Then, select an Express Connect circuit that is enabled and functions as expected from the drop-down list. Valid values: Dedicated Physical Connection: a dedicated Express Connect circuit. Shared Physical Connection: a hosted Express Connect circuit.
VLAN ID	Enter the VLAN ID of the VBR. Valid values: 0 to 2999. Take note of the following items when you enter the VLAN ID: If VLAN ID is set to 0, the switch port of the VBR is a Layer 3 router interface instead of a VLAN subinterface. When a Layer 3 router interface is used, each Express Connect circuit is associated with a VBR. If VLAN ID is set to a value from 1 to 2999, the switch port of the VBR is a Layer 3 VLAN subinterface. When a Layer 3 VLAN subinterface is used, each VLAN ID is associated with a VBR. In this case, the Express Connect circuit with which the VBR is associated can be used to connect to VPCs that belong to different Alibaba Cloud accounts. VBRs in different VLANs are isolated from each other at Layer 2. Before you configure this parameter, take note of the following rules: To configure the VLAN ID parameter for a dedicated connection over an Express Connect circuit, make sure that the trunking feature is enabled for the Layer 2 or Layer 3 devices that are used to connect the Express Connect circuit, VBR, and gateway device in the data center. This way, data can be transmitted from and to the VLAN based on the specified ID. The VLAN ID that you specify is preserved in the packets sent to the destination VLAN and not modified during data transmission. If the trunking feature is disabled, the connection may fail. We recommend that you set the VLAN ID parameter to `0` unless your Internet service provider has specific rules or limits on the VLAN ID configuration. If you set the VLAN ID parameter to `0` when you create a VBR for a dedicated connection, you cannot create other VLAN subinterfaces on the VBR. You do not need to configure the VLAN ID parameter when you create a VBR for a hosted connection. The VLAN ID parameter is already configured. Therefore, ignore the VLAN ID parameter.
Set VBR Bandwidth Value	Set the bandwidth of the VBR. You do not need to configure this parameter when you create a VBR for a hosted connection. The bandwidth is already set when the hosted connection is created.
IPv4 Address (Alibaba Cloud Gateway)	Specify an IPv4 address for the VBR to route traffic between the VPC and your data center. The IPv4 addresses that are specified by the IPv4 Address (Alibaba Cloud Gateway) and IPv4 Address (Data Center Gateway) parameters must belong to the same CIDR block.
IPv4 Address (Data Center Gateway)	Specify an IPv4 address for the gateway device in the data center. Note To allow services in the VPC to access a specific gateway IP address, you must add a route to the route table of the VBR. Set the destination CIDR block to the CIDR block to which the specified gateway IP address belongs and set the next hop to the Express Connect circuit. For information about how to add routes to a route table, see the Add a custom route section of the "Add and manage routes" topic.
Subnet Mask (IPv4)	Enter the subnet mask of the IPv4 addresses that you specify for the VBR and the gateway device in the data center. You can enter a longer subnet mask because only two IP addresses are required.
Support IPv6	Select whether to enable IPv6 for the VBR. Disable (default): disables IPv6. Enable: enables IPv6. If you select this option, you cannot disable IPv6 after the VBR is created. Configure the following parameters of the VBR: IPv6 Address (Alibaba Cloud Gateway): Enter an IPv6 address for the VBR to route network traffic between the VPC and the data center. The values of the IPv6 Address (Alibaba Cloud Gateway) and IPv6 Address (Data Center Gateway) parameters must belong to the same CIDR block. IPv6 Address (Data Center Gateway): Enter an IPv6 address for the gateway device in the data center to route network traffic between the VPC and the data center. Subnet Mask (IPv6): Enter the subnet mask of the IPv6 addresses that you specified for the VBR and the gateway device in your data center.

Create a BGP group. For more information, see Create a BGP group.

Parameters

Parameter	Description
Protocol Type	Select a protocol. Valid values: IPv4 IPv6 Note This parameter is available only if you enable IPv6 for the VBR that you created.
Name	Enter a name for the BGP group.
Peer ASN	Specify the ASN of the data center.
BGP Key	Specify the key of the BGP group.
BGP Route Quota	Specify the maximum number of routes supported by a BGP peer. Maximum value: 110. You can go to the Quota Management page to apply for a quota increase. For more information, see Manage resource quotas.
Description	Specify the description of the BGP group.
Local ASN	Specify the local ASN. Valid values: 45104, 64512 to 65534, and 4200000000 to 4294967294. 65025 is a reserved by Alibaba Cloud. Note The local AS number of the BGP group must be the same as the ASN of the Express Connect router (ECR) that is associated with the BGP group.

Create a BGP peer. For more information, see Create a BGP peer.

Parameters

Parameter	Description
BGP Group	Select the BGP group to which you want to add the BGP peer.
BGP Peer IP	Specify the IP address of the BGP peer. By default, enter the IPv4 address of the BGP peer. If you enabled IPv6 for the BGP group, enter the IPv6 address of the BGP peer.
Enable BFD	Specify whether to enable BFD. BFD is used to detect network connectivity. You can enable BFD for BGP to accelerate route convergence. This ensures that your business can run as expected.
BFD Hop Count	The maximum number of network devices that a packet can traverse from the source to the destination. This parameter is required only if you enable BFD for the BGP peer. The parameter specifies the maximum number of network devices that a packet can traverse from the source to the destination. Specify an appropriate value based on your network topology. Valid values: 1 to 255. Important If you use BFD in a multi-cloud environment or a fiber-optic direct connection network without any bridge device, you need to change the default BFD hop count from 255 to 1.

Step 2: Deploy a VPN gateway

Add a destination-based route. You must use the VPN gateway to advertise the route of the data center to the user VPC. For more information, see Create a destination-based route.Create a destination-based route

Parameters

Parameter	Description
Destination CIDR Block	The private CIDR block of the data center that you want to access.
Next Hop Type	The type of the next hop. Select IPsec-VPN connection.
Next Hop	The IPsec-VPN connection that you created.
Advertise to VPC	Specifies whether to advertise the route to the VPC route table. Valid values: Yes (recommended) No If you select No, you must manually advertise the route to the VPC route table. For more information, see the Advertise a destination-based route section of this topic. Important If you create a route with the same destination CIDR block in both the policy-based route table and the destination-based route table, and advertise both routes to the same VPC route table, when you withdraw the route in the destination-based route table, the route in the policy-based route table is also withdrawn.
Weight	The weight of the destination-based route. If you use the same VPN gateway to establish active and standby IPsec-VPN connections, you can configure route weights to specify which destination-based route is active. A value of 100 specifies the active destination-based route, whereas a value of 0 specifies the standby destination-based route. You can configure health checks to automatically check the connectivity of IPsec-VPN connections. If the IPsec-VPN connection associated with the active destination-based route is down, the system automatically switches to the IPsec-VPN connection associated with the standby destination-based route. For more information about health checks, see the "Health checks" section of the Create and manage IPsec-VPN connections in single-tunnel mode topic. 100(Active): The destination-based route is active. This is the default value. 0(Standby): The destination-based route is standby. Note The active and standby destination-based routes must point to the same destination CIDR block but are associated with different IPsec-VPN connections. In addition, the active and standby destination-based routes must have different weights. If you want to modify the weight of the active destination-based route, you must delete the standby destination-based route. After the weight of the active destination-based route is modified, reconfigure the standby destination-based route. If you want to modify the weight of the standby destination-based route, you must delete the active destination-based route. After the weight of the standby destination-based route is modified, reconfigure the active destination-based route.

Load the VPN configurations in the data center gateway.
1. Log on to the VPC console.
2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
3. In the top navigation bar, select the region of the IPsec-VPN connection.
4. On the IPsec Connections page, find the IPsec-VPN connection and click Generate Peer Configuration in the Actions column.
5. Load the IPsec-VPN connection configurations that you downloaded to the data center gateway.
  For more information, see Configure an H3C firewall.

Step 3: Configure a CEN instance

After you configure the VBR and VPN gateway, attach the VBR to the CEN instance to which the office network VPC and user VPC are attached. This way, the data center and the office network VPC are connected.

Log on to the CEN console.

Attach the VBR to a CEN instance.

Make sure that a CEN instance is created and the office network VPC and user VPC are attached to the CEN instance.

On the Instances page, click the ID of the CEN instance that you want to manage.
On the Basic Settings > Transfer Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, configure parameters and click OK.

Parameter	Description
Network Type	Select Virtual Border Router (VBR).
Region	Select the region where the network instance is deployed.
Transit Router	The transit router in the selected region is displayed. If no transit router is available in the selected region, the system automatically creates a transit router.
Resource Owner ID	Select the Alibaba Cloud account that owns the network instance. If the network instance and the transit router that you want to connect belong to the same Alibaba Cloud account, select Current Account. If the network instance and the transit router that you want to connect belong to different Alibaba Cloud accounts, select Different Account, and enter the ID of the Alibaba Cloud account to which the network instance belongs.
Network Instance	Select the ID of the network instance that you want to connect.

Configure health checks for the Express Connect circuit in the CEN console. For more information, see Configure health checks.

Probe packets are sent during health checks based on the probe interval that you specify. If the specified number of probe packets are consecutively lost within a period of time, the CEN instance routes traffic over VPN connections.

Parameters

Parameter	Description
Instances	Select the CEN instance to which the VBR is attached.
Virtual Border Router (VBR)	Select the VBR that you want to monitor.
Source IP	You can use one of the following methods to configure a source IP address: Automatic IP Address: The system automatically assigns an IP address from the 100.96.0.0/16 CIDR block. We recommend that you select this option. Custom IP Address: You can specify an available IP address that falls within the 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 CIDR block. The specified IP address must not conflict with the destination IP address, the IP address of the VBR on the Alibaba Cloud side, or the IP address of the VBR on the customer side. Note Take note of the following rules if you select Automatic IP Address: In each of the following regions, at most 16 VBRs can be automatically assigned a source IP address: Click to view the regions US (Silicon Valley), China (Hong Kong), US (Virginia), China (Beijing), China (Shanghai), China (Shenzhen), Singapore, China (Hangzhou), China (Heyuan), China (Chengdu), China (Zhangjiakou), Germany (Frankfurt), Malaysia (Kuala Lumpur), and UK (London), China (Qingdao), Indonesia (Jakarta), China (Hohhot), China (Guangzhou), China (Ulanqab), China (Nanjing-Local Region), and Japan (Tokyo) In the Philippines (Manila), South Korea (Seoul), China (Fuzhou-Local Region), or Thailand (Bangkok) region, at most eight VBRs can be automatically assigned a source IP address. No matter which method you select, the CEN instance advertises a route whose destination CIDR block is the source IP address of the health check and the subnet mask is 32 bits in length to the VBR after the health check is configured. If the VBR and data center use the BGP dynamic routing protocol, the route is advertised to the data center over BGP.
Destination IP	Set the destination IP address to the IP address of the VBR on the customer side.
Probe Interval (Seconds)	Enter a time interval at which probe packets are sent during the health check. Unit: seconds. Valid values: 2 to 3. Default value: 2.
Probe Packets	Enter the number of consecutive probe packets that are sent during the health check. Unit: packets. Valid values: 3 to 8. Default value: 8.
Change Route	Specifies whether to allow the health check feature to switch to the standby route. This feature is enabled by default. If a redundant route is configured on the CEN instance, the health check feature immediately switches to the redundant route if an error is detected on the Express Connect circuit. If you disable this feature, health checks perform only probing. The health check feature does not switch to the standby route even if an error is detected on the Express Connect circuit. Warning Before you turn off Change Route, make sure that network traffic can be switched to a standby route by using other mechanisms. Otherwise, network connections are interrupted if the Express Connect circuit fails.
Description	Enter a description for the health check.

Step 4: Configure the data center gateway

The following sample code is provided only for reference. The configuration commands in the code are subject to device manufacturers.

# Configure BGP dynamic routing, establish a BGP peering connection to the VBR, and then advertise the route of the data center to Alibaba Cloud. 
interface GigabitEthernet 0/12                     # The port is used to connect the data center gateway to the Express Connect circuit.
no switchport ip address 10.0.0.2 255.255.255.252  # The IP address of the port. The IP address must be the same as the IPv4 address of the data center gateway specified when you configure the VBR.

router bgp 65001 bgp
router-id 10.0.0.2
network 192.168.1.1 mask 255.255.0.0    # The private CIDR block of the data center advertised to Alibaba Cloud.
neighbor 10.0.0.1 remote-as 45104      # The peer relationship with the VBR.

# Configure the priority of the static route pointing to the office network VPC over the VPN gateway. The priority must be lower than that of the BGP route.
ip route 192.168.0.0 255.240.0.0 <Public IP address of the VPN gateway> preference 255

# Configure a backhaul route for probe packets.
ip route <Source IP address for health checks> 255.255.255.255 10.0.0.1

Step 5: Test the network connectivity

Open Command Prompt on a local computer in the data center.
Run the ping command to connect to the IP address of a cloud computer in the CIDR block used by the office network VPC. If response packets are returned, the data center is connected to the office network VPC.
If no cloud computer is available in the office network, create a cloud computer. For more information, see Create cloud computers.
Note
After the cloud computer is created, you can view the IP address of the cloud computer in the IP Address column on the Cloud Computers page.
On the data center gateway, disable the port of the Express Connect circuit and close the Express Connect circuit connection. Run the ping command on the Alibaba Cloud Workspace client again to test the network connectivity between the data center and the office network VPC. If response packets are returned, the standby IPsec-VPN connection can work as expected.

Step 6: Configure routing and DNS for cloud services

Configure routing for cloud services.
The CIDR block of the cloud services in Alibaba Cloud that can be accessed over a VPC is 100.64.0.0/10. This CIDR block is a reserved CIDR block defined in RFC 6598. To ensure that you can call the EDS API from the Alibaba Cloud Workspace client as expected, configure a route for the CIDR block 100.64.0.0/10 in the data center network to forward requests destined for the CIDR block to the user VPC in the cloud
(Optional) Before you configure Domain Name System (DNS), run the following command to test whether the domain name can be resolved:
```
nslookup ecd-vpc.cn-hangzhou.aliyuncs.com
```
If an IP address is returned, the domain name can be resolved. In this case, you can skip the next step. If no IP address is returned, perform the following step to configure DNS.
(Optional) Configure DNS.
To access cloud computers over a private network, DNS is required to resolve the domain names involved in the EDS API and streaming gateways that reside in the private network. In this example, use the following IP addresses for your DNS server:
- 100.100.2.136
- 100.100.2.138
You can use one of the following methods to configure DNS addresses:
- Add the preceding DNS addresses to the Dynamic Host Configuration Protocol (DHCP) service of the data center.
- Configure transit routers on the DNS server of the data center to route domain name resolution requests that end with aliyuncs.com to 100.100.2.136 or 100.100.2.138.

Step 7: Check whether the cloud computer can be connected over a private network

Note

In this section, the Windows client of Alibaba Cloud Workspace V7.2.2 is used as an example to check whether the cloud computer can be connected over the private network. The actual type of the Alibaba Cloud Workspace client that you use shall prevail.

Launch the Windows client.
In the lower part of the logon page, choose More > Connection Type and select Alibaba Cloud VPC.
Enter the logon credentials, including an office network ID or organization ID, username, and password, sent to your email address. Then, click the Next icon to proceed.
Find the cloud computer from the resource list. Then, start and connect to it.
Note
If errors such as network request timeout occur, network connectivity is not established. Check whether the preceding network settings are correctly configured. Then, re-log on to the client and connect to the cloud computer.