This topic describes how to establish active/standby connections between a data center and Alibaba Cloud by using two Express Connect circuits. While the primary Express Connect circuit is up, data is transmitted only over the primary Express Connect circuit. To ensure service availability, you can configure health checks to monitor the status of your Express Connect circuits. Probe packets are sent at the specified health check intervals to monitor Express Connect circuits. If the primary Express Connect circuit goes down, the secondary Express Connect circuit takes over.
Scenario
The following example shows how to establish active/standby connections between a data center and Alibaba Cloud by using two Express Connect circuits.
A company has a data center in Shanghai and a virtual private cloud (VPC) in the China (Shanghai) region. The private CIDR block of the data center is 172.16.0.0/12, and the CIDR block of the VPC is 192.168.0.0/16. To eliminate single points of failure (SPOFs), the company plans to lease two Express Connect circuits from different connectivity providers to establish active/standby connections between the data center and Alibaba Cloud.
The following table describes the configurations of the virtual border routers (VBRs) connected to the Express Connect circuits.
Configuration item | VBR1 (connected to Express Connect Circuit 1) | VBR2 (connected to Express Connect Circuit 2) |
VLAN ID | 1 | 1 |
Alibaba Cloud Side IPv4 Address | 10.0.0.1 | 10.0.0.5 |
Data Center Side IPv4 Address | 10.0.0.2 | 10.0.0.6 |
IPv4 Subnet Mask | 255.255.255.252 | 255.255.255.252 |
Procedure
Step 1: Create two connections over Express Connect circuits
In this example, two dedicated connections are created. For more information, see Create and manage a dedicated connection over an Express Connect circuit.
When you apply for Express Connect Circuit 2, you may need to specify a redundant Express Connect circuit based on the access point.
If you want to connect the two Express Connect circuits to the same access point, set the Redundant Express Connect Circuit ID parameter to the ID of Express Connect Circuit 1. This way, the two Express Connect circuits are connected to different access devices.
If the two Express Connect circuits are connected to different access points, you do not need to specify a redundant Express Connect circuit. In this case, you do not need to configure the Redundant Express Connect Circuit ID parameter.
In this example, the Express Connect circuits are connected to different access points.
Step 2: Create VBRs and configure routes
You need to create a VBR for each Express Connect circuit and add a route to each VBR. Set the destination of both routes to the data center.
Log on to the Express Connect console.
Create a VBR for Express Connect Circuit 1.
In the top navigation bar, select a region and then click Virtual Border Routers (VBRs) in the left-side navigation pane.
On the Virtual Border Routers (VBRs) page, click Create VBR.
In the Create VBR panel, configure the following parameters and click OK.
Parameter
Description
Account
Specify the Alibaba Cloud account to which the VBR belongs.
In this example, Current Account is selected.
Name
Enter a name for the VBR.
In this example, VBR1 is entered.
Resource Group
Select the resource group to which the VBR belongs.
You can also add the VBR to the resource group after you create the VBR by clicking Add to Resource Group in the Resource Group column of the VBR.
Tags
Tag Key: the key of the tag. You can select or enter a key. The tag key can be up to 64 characters in length. The tag key cannot start with aliyun or acs: and cannot contain http:// or https://.
Tag Value: the value of the tag. You can select or enter a value. The tag value can be up to 128 characters in length. The tag value cannot start with aliyun or acs: and cannot contain http:// or https://.
You can also add tags to the VBR in the Tags column after you create the VBR. After you add tags, you can modify, view, and delete the tags.
Express Connect Circuit
In this example, Dedicated Physical Connection is selected and Express Connect Circuit 1 is selected.
VLAN ID
Enter the virtual LAN (VLAN) ID of the VBR.
In this example, 1 is entered.
Set VBR Bandwidth Value
Select the bandwidth of the VBR.
In this example, 200Mb is selected.
Alibaba Cloud Side IPv4 Address
Enter an IPv4 address for the VBR to route network traffic between the VPC and the data center.
In this example, 10.0.0.1 is entered.
Data Center Side IPv4 Address
Enter an IPv4 address for the gateway device in the data center to route network traffic between the data center and the VPC.
In this example, 10.0.0.2 is entered.
IPv4 Subnet Mask
Enter the subnet mask of the specified IPv4 addresses.
In this example, 255.255.255.252 is entered.
Add a route that points to the data center to VBR1.
In the top navigation bar, select a region and then click Virtual Border Routers (VBRs) in the left-side navigation pane.
On the Virtual Border Routers (VBRs) page, click the ID of VBR1.
On the details page of VBR1, click the Routes tab and click Add Route.
In the Add Route panel, configure the following parameters and click OK.
Parameter
Description
Next Hop Type
In this example, Physical Connection Interface is selected.
Destination CIDR Block
Enter the CIDR block of the data center.
In this example, 172.16.0.0/12 is entered.
Next Hop
Select the interface of the Express Connect circuit.
In this example, the interface of Express Connect Circuit 1 is selected.
Description
Enter a description for the route.
Repeat the preceding steps to create VBR2 for Express Connect Circuit 2 and add a route to VBR2. Set the destination of the route to the data center.
Step 3: Connect the transit router to the VPC and the VBRs
Connect the transit router in the China (Shanghai) region to the VPC that you want to connect to the data center. Then, connect the transit router to the VBRs that are associated with the Express Connect circuits. This way, the VPC and the data center can communicate with each other.
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the tab, find the transit router that you want to manage and click Create Connection in the Actions column.
On the Connection with Peer Network Instance page, configure the following parameters and click OK.
Note: When you perform this operation for the first time, the system automatically creates a service-linked role named AliyunServiceRoleForCEN. This role allows the transit router to create an elastic network interface (ENI) in a vSwitch of the VPC. For more information, see AliyunServiceRoleForCEN.
Parameter
Description
Instance Type
The type of network instance.
In this example, VPC is selected.
Region
The region in which the VPC is deployed.
In this example, China (Shanghai) is selected.
Transit Router
The system automatically displays the transit router in the selected region.
Resource Owner ID
The Alibaba Cloud account to which the VPC belongs.
In this example, Current Account is selected.
Billing Method
By default, transit routers use the pay-as-you-go billing method.
For more information, see Billing rules.
Attachment Name
The name of the VPC connection.
In this example, VPC-test is used.
Tag
Tag Key: the key of the tag. You can select or enter a key. The tag key can be up to 64 characters in length. The tag key cannot start with aliyun or acs: and cannot contain http:// or https://.
Tag Value: the value of the tag. You can select or enter a value. The tag value can be up to 128 characters in length. The tag value cannot start with aliyun or acs: and cannot contain http:// or https://.
Network Instance
The ID of the VPC.
In this example, the VPC that you created is selected.
VSwitch
The vSwitch in a zone that supports transit routers.
In this example, the vSwitch in the corresponding zone is selected.
Advanced Settings
By default, the following advanced features are enabled: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Automatically Create Route That Points to Transit Router and Add to All Route Tables of Current VPC.
In this example, the default settings are used.
On the Connection with Peer Network Instance page, click Create More Connections.
On the Connection with Peer Network Instance page, configure the following parameters and click OK to create a connection for VBR1.
Parameter
Description
Instance Type
The type of the network instance. In this example, Virtual Border Router (VBR) is selected.
Region
The region in which the VBR is deployed.
In this example, China (Shanghai) is selected.
Transit Router
The system automatically displays the transit router in the selected region.
Resource Owner ID
The Alibaba Cloud account to which the VBR belongs.
In this example, Current Account is selected.
Attachment Name
The name of the VBR connection.
In this example, VBR-test is used.
Network Instance
The ID of the VBR.
In this example, VBR1 is selected.
Advanced Settings
By default, the following advanced features are enabled: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Propagate Routes to VBR.
In this example, the default settings are used.
Repeat Step 5 and Step 6 to create a connection for VBR2.
After the connections are created, you can view information about the connections on the Intra-region Connections tab of the VBR details page. For more information, see View network instance connections.
Step 4: Configure health checks on the Alibaba Cloud side
After you configure health checks, Alibaba Cloud sends a probe packet every 2 seconds over the Express Connect circuits from the source IP address to the destination IP address in the data center. If no responses are returned for eight consecutive probe packets over one of the Express Connect circuits, the other Express Connect circuit automatically takes over.
Log on to the CEN console.
In the left-side navigation pane, click Health Checks.
On the Health Checks page, select the region in which a VBR is deployed. Then, click Set Health Check.
In this example, China (Shanghai) is selected, which is the region of VBR1.
In the Set Health Check dialog box, configure the following parameters and click OK.
Parameter
Description
Instances
The CEN instance to which the VBR is attached.
Virtual Border Router (VBR)
The VBR that you want to monitor.
In this example, VBR1 is selected.
Source IP Address
The source IP address. You can select one of the following methods to specify the source IP address:
Automatic IP Address: The system automatically assigns an IP address from the 100.96.0.0/16 CIDR block. We recommend that you select this option.
Note: If you select this option and an ACL policy is configured on the peer, you must modify the ACL policy to allow this CIDR block. Otherwise, the health check fails.
Custom IP Address: You need to specify an idle IP address within the 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 CIDR block. The specified IP address cannot be the IP address with which you want to communicate, the IP address of the VBR on the Alibaba Cloud side, or the IP address of the VBR on the user side.
Destination IP
The IP address of the VBR on the user side.
Probe Interval (Seconds)
The interval at which probe packets are sent for the health check. Unit: seconds.
Default value: 2. Valid values: 2 to 3.
Probe Packets
The number of probe packets that are sent for health checks. Unit: packet.
Default value: 8. Valid values: 3 to 8.
Change Route
Specifies whether to allow the health check feature to switch to the redundant route.
By default, Change Route is turned on. This indicates that the health check feature can switch to the redundant route. If a redundant route is configured on the CEN instance, the health check feature immediately switches to the redundant route if an error is detected on the Express Connect circuit.
If you turn off Change Route, the health check feature does not switch to the redundant route. Only probing is performed. The health check feature does not switch to the redundant route even if an error is detected on the Express Connect circuit.
Warning: Before you turn off Change Route, make sure that the system can switch to a redundant route by using other mechanisms. Otherwise, network connections are interrupted if the Express Connect circuit is down.
Note: The system sends probe packets at the specified intervals. If the number of consecutively dropped packets reaches the specified value, the health check fails.
Repeat Step 3 to Step 4 to configure health checks for VBR2.
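The following model of the health check parameters in Step 4 is an added example, not Alibaba Cloud code. It applies the Custom IP Address rules for the source address, enforces the valid ranges of Probe Interval and Probe Packets, counts consecutive lost probes the way the Note above describes, and honours the Change Route switch; the assumption that a successful reply clears a previous failure is not stated on the page.

```python
"""Model of the CEN health check from Step 4 (added example, not Alibaba Cloud code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# CIDR blocks a Custom IP Address source may come from, per the Source IP Address parameter.
ALLOWED_SOURCE_BLOCKS = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def validate_custom_source_ip(source, destination, vbr_cloud_ip, vbr_dc_ip):
    """Return None if the source address is usable, otherwise the rule it breaks."""
    src = ip_address(source)
    if not any(src in block for block in ALLOWED_SOURCE_BLOCKS):
        return "source must be in 10.0.0.0/8, 192.168.0.0/16 or 172.16.0.0/12"
    if src in {ip_address(destination), ip_address(vbr_cloud_ip), ip_address(vbr_dc_ip)}:
        return "source must not be the destination or either VBR interconnect address"
    return None

@dataclass
class HealthCheck:
    interval_s: int = 2        # Probe Interval (Seconds): default 2, valid 2 to 3
    probe_packets: int = 8     # Probe Packets: default 8, valid 3 to 8
    change_route: bool = True  # Change Route switch
    consecutive_lost: int = 0
    failed: bool = False
    switched: bool = False

    def __post_init__(self):
        if not 2 <= self.interval_s <= 3:
            raise ValueError("Probe Interval must be 2 to 3 seconds")
        if not 3 <= self.probe_packets <= 8:
            raise ValueError("Probe Packets must be 3 to 8")

    def worst_case_detection_s(self):
        """Longest time a dead circuit can go unnoticed: interval x consecutive losses."""
        return self.interval_s * self.probe_packets

    def observe(self, replied):
        """Feed one probe result; returns True while the check is in the failed state."""
        if replied:
            # Assumption: a reply resets the counter and clears the failure (not on the page).
            self.consecutive_lost = 0
            self.failed = False
            return False
        self.consecutive_lost += 1
        if self.consecutive_lost >= self.probe_packets:
            self.failed = True
            if self.change_route:  # with Change Route off the failure is only observed
                self.switched = True
        return self.failed

def first_failure_index(probe_results, **kwargs):
    """Index of the probe at which the check first fails, or None. kwargs go to HealthCheck."""
    hc = HealthCheck(**kwargs)
    for i, replied in enumerate(probe_results):
        if hc.observe(replied):
            return i
    return None
```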
Step 5: Specify the primary and secondary Express Connect circuits
To specify the primary and secondary Express Connect circuits, you need to configure routing policies in CEN. In this example, the primary Express Connect circuit is connected to VBR1. The secondary Express Connect circuit is connected to VBR2.
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Navigate to the tab and click the ID of the transit router that you want to manage.
On the details page of the transit router, click the Route Table tab.
In the left-side area of the route table details page, click the ID of the default route table.
On the details page of the default route table, click the Routing Policies tab.
On the Routing Policies tab, click Add Route Map.
On the Add Routing Policy page, configure the following parameters and click OK.
Parameter
Description
Policy Priority
Enter a priority for the routing policy. Valid values: 1 to 100. A smaller value specifies a higher priority.
In this example, 20 is used.
Description
Enter a description for the routing policies.
Associated Route Table
Select a route table to associate with the routing policy.
You can associate a routing policy with the system route table or a custom route table. In this example, the default route table is selected.
Policy Direction
Select the direction in which the routing policy applies.
Ingress Regional Gateway: Routes are advertised to the transit router deployed in the current region. For example, routes are advertised from network instances deployed in the current region or transit routers deployed in other regions to the transit router deployed in the current region.
Egress Regional Gateway: Routes are advertised from the transit router deployed in the current region. For example, routes are advertised from the transit router deployed in the current region to network instances deployed in the current region or transit routers deployed in other regions.
In this example, Ingress Regional Gateway is selected.
Match Conditions
Select a match condition for the routing policy.
In this example, Source Instance ID List is selected and the ID of VBR1 is selected. This way, the routing policy applies to all routes of VBR1.
Click Add Match Condition to add multiple match conditions. For more information, see the "Table 2. Match conditions" section of the Routing policy overview topic.
Policy Action
Set the Policy Action parameter to Allow.
Click Add Action Object, select Route Priority, and then set a priority for routes. A smaller value indicates a higher priority. In this example, Route Priority is set to 10.
Note: In this example, you do not need to configure the Associated Policy Priority parameter for VBR1.
Repeat the preceding steps to specify the Express Connect circuit that is associated with VBR2 as the secondary Express Connect circuit.
The following table describes the key parameters. Use the same values as VBR1 for parameters that are not included in the table.
Parameter
Description
Policy Priority
A smaller value indicates a higher priority. The priority value of the routing policy for VBR2 must be greater than that of the routing policy for VBR1.
In this example, 30 is used.
Match Conditions
In this example, Source Instance ID List is selected and the ID of VBR2 is selected. This way, the routing policy applies to all routes of VBR2.
Policy Action
Set the Policy Action parameter to Allow and set a priority for routes.
A smaller value indicates a higher priority. The priority value of routes for VBR2 must be greater than that of routes for VBR1. In this example, Route Priority is set to 20.
In this example, you do not need to configure the Associated Policy Priority parameter for VBR2.
After you create the routing policies, you can view two 172.16.0.0/12 routes on the Network Routes tab, which are destined for the data center. One of the routes is the secondary route.
Step 6: Configure routes and health checks on the data center side
You need to configure routes and health checks on the data center side, and then configure the gateway device to route network traffic based on the health check results to achieve network redundancy.
Before you configure health checks in the data center, you must configure the return route of probe packets in the data center to make sure that the probe packets returned from the data center can be routed as expected.
Do not use the peer IP address of a VBR as the source IP address of health checks in the data center. You must use an idle IP address from the connected VPC as the source IP address of health checks and send probe packets to check whether the source IP address is valid.
Configure routes in the data center.
The configuration commands may vary based on the gateway device. The following example is only for reference.
ip route 192.168.0.0 255.255.0.0 10.0.0.1 preference 10
ip route 192.168.0.0 255.255.0.0 10.0.0.5 preference 20
Configure health checks on the data center side.
You can configure Bidirectional Forwarding Detection (BFD) or Network Quality Analyzer (NQA) on the gateway device in the data center to verify the reachability of routes that are destined for the VBRs. For more information about the configuration commands, consult the vendor of your gateway device. BFD can detect a link failure within milliseconds. Therefore, we recommend that you configure BFD on your gateway device.
Configure the gateway device to route network traffic based on the health check results.
Configurations may vary based on the gateway device. For more information, consult the vendor of your gateway device.
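The following simulation of the data center gateway's route selection is an added example, not vendor code. It expresses the two ip route commands from Step 6 as data, applies the same lowest-value-wins rule that the CEN Route Priority values 10 and 20 use in Step 5, withdraws a next hop when BFD/NQA reports it down, and checks a health check source address against the rules in Step 6 (assumptions: both ends of each VBR /30 count as a VBR peer address, and 192.168.10.20 is a constructed VPC host).

```python
"""Route selection on the data center gateway (added example, not vendor code)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Optional, Tuple

class StaticRoute(NamedTuple):
    prefix: str      # destination network, e.g. "192.168.0.0/16"
    next_hop: str    # Alibaba Cloud side address of the VBR
    preference: int  # lower value wins, like the CEN Route Priority in Step 5

# The page's two "ip route ... preference" commands expressed as data (constructed).
DC_ROUTES = [
    StaticRoute("192.168.0.0/16", "10.0.0.1", 10),  # via Express Connect Circuit 1 (VBR1)
    StaticRoute("192.168.0.0/16", "10.0.0.5", 20),  # via Express Connect Circuit 2 (VBR2)
]
# Interconnect addresses of both VBRs; assumed to be the "peer IP addresses" Step 6 excludes.
VBR_PEER_IPS = ["10.0.0.1", "10.0.0.2", "10.0.0.5", "10.0.0.6"]

def select_next_hop(routes: List[StaticRoute], reachable: Dict[str, bool], dst: str) -> Optional[str]:
    """Longest prefix match first, then lowest preference among next hops BFD/NQA reports up."""
    addr = ip_address(dst)
    candidates = [r for r in routes
                  if addr in ip_network(r.prefix) and reachable.get(r.next_hop, False)]
    if not candidates:
        return None  # no reachable path: traffic to this destination is black-holed
    best = min(candidates, key=lambda r: (-ip_network(r.prefix).prefixlen, r.preference))
    return best.next_hop

def validate_dc_probe_source(source: str, vpc_cidr: str, routes: List[StaticRoute],
                             reachable: Dict[str, bool]) -> Optional[str]:
    """Apply the Step 6 rules for the health check source; None means the address is usable."""
    src = ip_address(source)
    if src in {ip_address(p) for p in VBR_PEER_IPS}:
        return "do not use a VBR peer IP address as the probe source"
    if src not in ip_network(vpc_cidr):
        return "use an idle IP address from the connected VPC"
    if select_next_hop(routes, reachable, source) is None:
        return "no return route for probe replies from the data center"
    return None

def failover_sequence(routes: List[StaticRoute], events: List[Tuple[str, bool]],
                      dst: str = "192.168.10.20") -> List[Optional[str]]:
    """Replay BFD/NQA up/down events for next hops and report the next hop chosen after each."""
    reachable = {r.next_hop: True for r in routes}
    chosen = []
    for hop, up in events:
        reachable[hop] = up
        chosen.append(select_next_hop(routes, reachable, dst))
    return chosen
```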
Step 7: Test the network connectivity
After you complete the preceding steps, you need to verify the connectivity of the Express Connect circuits.
Open the CLI on a computer in the data center.
Run the ping command to verify the connectivity between the data center and an ECS instance in the VPC whose CIDR block is 192.168.0.0/16.
If you can receive echo reply packets, the connection is established.
Disable the primary Express Connect circuit and run the ping command to verify the connectivity between the data center and an ECS instance in the VPC whose CIDR block is 192.168.0.0/16.
If echo reply packets are returned, the secondary Express Connect circuit can serve your workloads when the primary Express Connect circuit is down.
References
For more information about how to troubleshoot connectivity issues between a data center and an ECS instance, see Troubleshooting.
For more information about Express Connect circuit installation, see FAQ about installing an Express Connect circuit.
For more information about how to resolve issues in Express Connect circuit connections, see FAQ about connections over Express Connect circuits.