Express Connect：Establish active/standby connections between a data center and Alibaba Cloud by using an ECR

Scenario

The following figure shows the scenario in this example. A company has a data center in Shanghai and creates a VPC in the China (Shanghai) region. Business-critical systems such as database clusters are deployed in the data center, and cloud resources such as Elastic Compute Service (ECS) instances that host specific business systems are deployed in the VPC. To ensure stable connections between the cloud and on-premises networks, the company needs to lease two Express Connect circuits to connect the customer-premises equipment (CPE) and virtual border routers (VBRs) and use an ECR to connect the data center and VPC. The data center is connected to the VPC by using an active Express Connect circuit and a standby Express Connect circuit. The Border Gateway Protocol (BGP) dynamic routing and Bidirectional Forwarding Detection (BFD) features are used to accelerate route convergence between the data center and VPC. This improves network availability.

The following table describes how CIDR blocks are allocated in this example. You can allocate CIDR blocks based on your business requirements. Make sure that the CIDR blocks do not overlap with each other.

Prerequisites

Before you start, make sure that the following prerequisites are met:

• A VPC is created in the China (Shanghai) region, and cloud resources such as ECS instances that host your business systems are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.

• You understand the security group rules of the Elastic Compute Service (ECS) instances in the virtual private cloud (VPC). Make sure that the rules allow the ECS instances to communicate with the data center. For more information, see View security group rules and Add a security group rule.

• An ECR is created. For more information, see Create and manage ECRs.

Procedure

Step 1: Create two connections over Express Connect circuits

In this example, two dedicated connections over Express Connect circuits are created to provide powerful disaster recovery capabilities in high-reliability mode. For more information, see Powerful disaster recovery.

Step 2: Create VBRs

Create a VBR for each Express Connect circuit. The VBRs serve as bridges for data exchange between the data center and VPC.

1. Log on to the Express Connect console.

2. In the top navigation bar, select a region. In the left-side navigation pane, click Virtual Border Routers (VBRs).

3. On the Virtual Border Routers (VBRs) page, click Create VBR. In the Create VBR panel, configure the parameters that are described in the following table and click OK.

   Parameter	Description
   Account	The Alibaba Cloud account to which the VBR belongs. In this example, Current Account is selected.
   Name	The name of the VBR. In this example, VBR1 is used.
   Express Connect Circuit	The type of the connection over the Express Connect circuit. In this example, Dedicated Physical Connection and Express Connect Circuit 1 are selected.
   VLAN ID	The VLAN ID of the VBR. In this example, 110 is used.
   Set VBR Bandwidth Value	The bandwidth of the VBR. In this example, 200Mb is selected.
   IPv4 Address (Alibaba Cloud Gateway)	The IPv4 address for the VBR to route network traffic between the VPC and data center. In this example, 172.16.1.2 is used.
   IPv4 Address (Data Center Gateway)	The IPv4 address for the gateway device in the data center to route network traffic between the data center and VPC. In this example, 172.16.1.1 is used.
   Subnet Mask (IPv4)	The subnet mask of the specified IPv4 addresses. In this example, 255.255.255.252 is used.

4. Repeat the preceding steps to create VBR2 for the other Express Connect circuit.

   The following table describes the parameters.

   Parameter	Description
   Account	The Alibaba Cloud account to which the VBR belongs. In this example, Current Account is selected.
   Name	The name of the VBR. In this example, VBR2 is used.
   Express Connect Circuit	The type of the connection over the Express Connect circuit. In this example, Dedicated Physical Connection and Express Connect Circuit 2 are selected.
   VLAN ID	The VLAN ID of the VBR. In this example, 120 is used.
   Set VBR Bandwidth Value	The bandwidth of the VBR. In this example, 200Mb is selected.
   IPv4 Address (Alibaba Cloud Gateway)	The IPv4 address for the VBR to route network traffic between the VPC and data center. In this example, 172.16.2.2 is used.
   IPv4 Address (Data Center Gateway)	The IPv4 address for the gateway device in the data center to route network traffic between the data center and VPC. In this example, 172.16.2.1 is used.
   Subnet Mask (IPv4)	The subnet mask of the specified IPv4 addresses. In this example, 255.255.255.252 is used.

Step 3: Enable BFD for the VBRs

Enable BFD for the VBRs to accelerate route convergence.

1. Log on to the Express Connect console.

2. In the top navigation bar, select a region. In the left-side navigation pane, click Virtual Border Routers (VBRs).

3. On the Virtual Border Routers (VBRs) page, find the VBR that you want to manage and click Edit in the Actions column.

4. In the Edit VBR panel, configure the parameters and click OK.

   The following table describes the parameters related to BFD. Use default values for other parameters.

   Parameter	Description
   Submission Interval	The time interval at which BFD packets are sent. Unit: millisecond. Default value: 1000. In this example, the default value is used.
   Reception Interval	The time interval at which BFD packets are received. Unit: millisecond. Default value: 1000. In this example, the default value is used.
   Detection Time Multiplier	The detection time multiplier that is used to determine the maximum number of lost packets. Default value: 3. In this example, the default value is used.

5. On the Virtual Border Routers (VBRs) page, click the ID of the VBR for which you want to configure BGP routing.

6. On the details page of the VBR, click the BGP Peers tab.

7. Find the BGP peer that you want to manage and click Edit in the Actions column.

8. In the Modify BGP Peer panel, select Enable BFD, configure the BFD Hop Count parameter, and then click OK.

   Note

   BFD supports single-hop and multi-hop authentication. You can specify hops based on your network configurations.

Step 5: Associate the VBRs and VPC with the ECR

After the connections over Express Connect circuits are established, you must associate the VBRs and VPC with the ECR to connect the data center and VPC.

1. Log on to the Express Connect console.

2. In the left-side navigation pane, click Express Connect Router (ECR). On the Express Connect Router (ECR) page, find the ECR that you want to manage and click the name of the ECR. The details page of the ECR appears.

3. Click the VBR tab. On the VBR tab, click Associate VBR.

4. In the Associate VBR dialog box, configure the parameters that are described in the following table and click OK.

   Parameter	Description
   Resource Owner	The type of the account to which the VBR belongs. Valid values: Current Account: The VBR and the ECR belong to the same account. Another Account: If you want to associate a VBR with the ECR across accounts, you must authorize the ECR that belongs to the current Alibaba Cloud account to access the VBR that belongs to another Alibaba Cloud account. For more information, see the Authorize an ECR to access a VBR across accounts section of the "Authorize an ECR to access resources across accounts" topic.
   Region	The region in which the VBR resides.
   Peer Account UID	The ID of the Alibaba Cloud account to which the VBR belongs. Note This parameter is required if you set the Resource Owner parameter to Another Account.
   Network Instance	The name or ID of the VBR.
   Allow Business Access Between Data Centers	Specifies whether to allow data centers to access each other. Note By default, this feature is disabled. If you want to use the feature, contact your Alibaba Cloud account manager to apply for enabling the feature.

5. Click the VPC tab. On the VPC tab, click Associate VPC.

6. In the Associate VPC dialog box, configure the parameters that are described in the following table and click OK.

   Parameter	Description
   Resource Owner	The type of the account to which the VPC belongs. Valid values: Current Account: The VPC and the ECR belong to the same account. Another Account: If you want to associate a VPC with the ECR across accounts, you must authorize the ECR that belongs to the current Alibaba Cloud account to access the VPC that belongs to another Alibaba Cloud account For more information, see the Authorize an ECR to access a VPC across accounts section of the "Authorize an ECR to access resources across accounts" topic.
   Region	The region in which the VPC resides.
   Peer Account UID	The ID of the Alibaba Cloud account to which the VPC belongs. Note This parameter is required if you set the Resource Owner parameter to Another Account.
   VPC ID	The ID of the VPC.
   Allowed Route Prefixes	The route prefixes that you want to advertise to the local network by using the ECR. After you specify a CIDR block, the route of the VPC is not advertised to the local network. Note You can advertise the allowed route prefixes by using Border Gateway Protocol (BGP).

Step 6: Test the network connectivity

1. Open the CLI on a computer of the data center.

2. Run the ping command to test the connectivity between the data center and an ECS instance in the VPC. The CIDR block of the VPC is 192.168.20.0/24. If echo reply packets are returned, the destination is reachable.

3. You can use the failure drill feature of Express Connect to simulate scenarios in which the active route is disconnected. This feature allows you to check whether the network traffic can be automatically switched to the standby route under this circumstance. For more information, see Use the failure drill feature.