Scenario

Layer 2 connection gateways (L2CGs) allow communication between HUAWEI CLOUD and on-premises data centers at a Layer 2 network, while Direct Connect allows communication at Layer 3. L2CGs and switches perform VXLAN tunnel encapsulation.

If your on-premises data center can communicate with HUAWEI CLOUD at Layer 3 through Direct Connect and want to migrate services to the cloud at a Layer network, you can use a L2CG.

Requirements:

• Servers migrated to the cloud can communicate with on-premises servers at Layer 2.
• The Layer 2 network extended to the cloud can communicate with the on-premises data center at Layer 3.
• The Layer 2 network reconstructed at the on-premises data center can communicate with the cloud at Layer 3.

L2CGs are currently available for open beta test in CN East-Shanghai1 and CN South-Guangzhou. You can use this function after obtaining the open beta test permissions.

Typical Topology

In Figure 1, the subnet A in the on-premises data center connects to subnet B on the cloud through Direct Connect.

Figure 1 Network topology

If you want to migrate subnet A to the cloud at a Layer 2 network, add a subnet D to the on-premises data center, which will be used as the tunnel network configured on the switch. Add a subnet B on the cloud as the tunnel network on the cloud, and create a L2CG using subnet B. The L2CG will work together with Direct Connect to enable the communication between the cloud and on-premises tunnel networks.

Figure 2 shows the network topology after the reconstruction using L2CG.

Figure 2 Network topology

The subnet planning details are as follows:

Notes and Constraints

• A maximum of six Layer 2 connections can use the same L2CG to connect cloud and on-premises networks.
• Forwarding unknown unicast, broadcast, and multicast (except VRRP) IP packets from your data center to the cloud is not allowed.
• On-premises servers cannot use VPC peering connections, load balancers, route tables, and NAT gateways on the cloud.
• A VPC can be attached to multiple L2CGs. However, each L2CG can only be attached to one VPC.
• The remote tunnel VNI and tunnel IP address of each Layer 2 connection using the same L2CG must be unique.
• A subnet that has been associated with a Layer 2 connection cannot be used by any other Layer 2 connection or L2CG.
• Each Layer 2 connection of a L2CG requires two IP addresses (interface IP address and tunnel IP address) in the Layer 2 subnet. The two IP addresses must be different from the used IP addresses of your data center.
• Each L2CG gateway requires three IP addresses in the tunnel subnet.

Prerequisites

The switch of your on-premises data center should support VXLAN and have licenses.

The recommended switch models are as follows:

• Huawei CE58, CE68, CE78, and CE88 series switches support VXLAN. By default, VXLAN is disabled on these switches. To use the VXLAN function, apply for and purchase the license from the switch supplier.
• Huawei CE128 series
  

  The switch needs to be configured with jumbo frames to allow packets with more than 1500 bytes to pass through.

Procedure

The overall operation process is as follows:

Figure 3 Operation process

1. Determine subnets.
   Determine subnets based on your service requirements. Table 1 is used as an example.

   

   • The subnets shown in the examples are for demonstration purposes. Adjust them according to actual subnets.
   • It is not recommended that the tunnel network be too large. The tunnel IP address is assigned from this tunnel network to establish a VXALN tunnel with the L2CG on HUAWEI CLOUD. Figure 2 shows the example.
2. Configure the on-premises switch.

   Configure the VXLAN tunnel on the on-premises switch. In this example, subnet D is the tunnel network configured on the switch.

   • Source address: Tunnel IP address (192.168.0.98) on the cloud
   • Destination address: On-premises tunnel IP address (200.51.51.100)
   • Tunnel VNI: 5530

   For details about how to configure on-premises switches, see Configuring a Tunnel Gateway in Your Data Center.

3. Modify the Direct Connect connection.

   Modify the virtual interface of the Direct Connect connection and add the CIDR block of tunnel subnet D (200.51.51.0/24) to enable the communication between the on-premises and cloud networks.

4. Create a L2CG.

   Buy a L2CG and set the following parameters:

   • Tunnel Connection: Select Direct Connect.
   • Connection Gateway: Select an existing Direct Connect gateway.
   • Tunnel Subnet: Select subnet B (192.168.0.0/24).
   • Tunnel IP Address: Specify this parameter value to the local tunnel IP address (192.168.0.98) of the L2CG.
   Figure 4 Buying a L2CG
   

   Click Next and then Submit. This operation takes 3 to 6 minutes to complete.

5. Create a subnet and a Layer 2 connection.
   

   After a subnet is created, communication at Layer 3 will be interrupted due to the conflict between the cloud and on-premises routes. Communication at Layer 3 will be restored only after Layer 2 connections are created.

   1. Create a Layer 2 connection.

      Create a subnet (192.168.3.0/24), which corresponds to subnet A (192.168.3.0/24) on the cloud in Figure 2.

      

      • Subnets A, B, and D cannot overlap.
      • If possible, make the range /28 for subnet D.
      • The CIDR block of the VPC on the cloud depends on the number of required L2CGs. Each L2CG needs three IP addresses from the tunnel subnet.
   2. Create a Layer 2 connection.
      • Layer 2 Connection Subnet: Select subnet A (192.168.3.0/24) created in 4.a.
      • Remote Access Information: Enter the tunnel VNI (5530) and tunnel IP address (200.51.51.100).
      Figure 5 Creating a Layer 2 connection
      
   3. Click Create. If the connection status changes to Connected, the layer 2 connection is created successfully.
      Figure 6 Layer 2 connection details
      
6. Communicate at a Layer 2 network.

   Buy an ECS using the Layer 2 connection subnet A on the cloud, log in to the ECS, and ping the IP address of an on-premises server.

   Figure 7 Accessing the on-premises server
   
7. Communicate at a Layer 3 network.

   Two Layer 2 connections need to be created using the L2CG to implement Layer 3 communication between the cloud and on-premises networks. Figure 8 shows the network topology.

   In addition to the Layer 2 connection created in 4.b, you need to create another Layer 2 connection.

   Figure 8 Communication at a Layer 3 network
   
   1. Add a Layer 2 subnet on the switch and divert the traffic of the Layer 2 subnet to the new tunnel. (A new tunnel can have the same IP address as an existing tunnel but their tunnel numbers must be different.) For details about how to configure a switch, see 2.
   2. Create subnet C (192.168.5.0/24).
   3. Create a Layer 2 connection. A maximum of six Layer 2 connections can be created. After the creation is successful, the page shown in Figure 9 is displayed.
      Figure 9 Layer 2 connection details
      

      After the creation is successful, the cloud and on-premises networks can communicate at Layer 3.

      Figure 10 Communication at Layer 3
      
8. Migrate services.

   You can use Server Migration Service (SMS) to migrate services.

Common Questions

• If the subnets to be connected at Layer 2 are not on the same network, the VPC of the L2CG must support the multiple CIDR block. In this case, you need to use a tool to create subnets across CIDR blocks. If you need help, submit a service ticket.
• If the system IP addresses 192.168.1.253 and 192.168.0.254 on the cloud have been used, but servers with these IP addresses need to be migrated to the cloud, you need to use a tool to change the system IP addresses on the cloud. If you need help, submit a service ticket.