Help Center/ Enterprise Router/ Best Practices/ Using an Enterprise Router and a Transit VPC to Enable an On-Premises Data Center to Access Service VPCs/ Planning Networks and Resources
Updated on 2024-01-16 GMT+08:00
View PDF

Planning Networks and Resources

To use Enterprise Router and a transit VPC to build a central network and allow an on-premises data center to access the VPCs over Direct Connect, you need:
  • Network Planning: Plan CIDR blocks of VPCs and their subnets, Direct Connect connection, and enterprise router, as well as the routes of these resources.
  • Resource Planning: Plan the quantity, names, and settings of cloud resources, including VPCs, VPC peering connections, Direct Connect resources, and enterprise router.

Network Planning

Figure 1 shows the networking of allowing an on-premises data center to access the cloud by using an enterprise router, a transit VPC, and a Direct Connect connection. The VPCs communicate with each other over VPC peering connections. (Table 2 describes the resources for the networking.)

Figure 1 Networking with an enterprise router and a transit VPC
In this networking scheme, the service VPCs are connected over VPC Peering, and the on-premises data center accesses the services VPCs over Direct Connect and Enterprise Router.
  • A VPC peering connection connects each service VPC to the transit VPC, so that the service VPCs can communicate with each other. For details, see Path 1 in Table 1.
  • The on-premises data center accesses the service VPCs over a Direct Connect connection and an enterprise router. For details, see Path 2 in Table 1.
Table 1 Network traffic flows

No.

Path

Description

Path 1

Request traffic: from VPC-A to the on-premises data center
  1. In the route table of VPC-A, there is a route with the next hop set to Peer-A-T to forward the traffic to VPC-Transit.
  2. In the route table of VPC-Transit, there is a route with the next hop set to the enterprise router to forward traffic from VPC-Transit to the enterprise router.
  3. In the route table of the enterprise router, there is a route with the next hop set to the virtual gateway attachment to forward traffic from the enterprise router to the virtual gateway.
  4. The virtual gateway is associated with the virtual interface. Traffic from the virtual gateway is forwarded to the Direct Connect connection through the remote gateway of the virtual interface.
  5. Traffic is sent to the on-premises data center over the Direct Connect connection.

Response traffic: from the on-premises data center to VPC-A
  1. Traffic is forwarded to the virtual interface over the Direct Connect connection.
  2. The virtual interface is connected to the virtual gateway. Traffic from the virtual interface is forwarded to the virtual gateway through the local gateway of the virtual interface.
  3. Traffic is forwarded from the virtual gateway attachment to the enterprise router.
  4. In the route table of the enterprise router, there is a route with the next hop set to peering connection attachment VPC-T to forward the traffic to VPC-Transit.
  5. In the route table of VPC-Transit, there is a route with the next hop set to Peer-A-T to forward the traffic to VPC-A.

Path 2

Request traffic: from VPC-B to VPC-A
  1. In the route table of VPC-B, there is a route with the next hop set to Peer-B-T to forward the traffic to VPC-Transit.
  2. In the route table of VPC-Transit, there is a route with the next hop set to Peer-A-T to forward the traffic to VPC-A.

Response traffic: from VPC-A to VPC-B
  1. In the route table of VPC-A, there is a route with the next hop set to Peer-A-T to forward the traffic to VPC-Transit.
  2. In the route table of VPC-Transit, there is a route with the next hop set to Peer-B-T to forward the traffic to VPC-B.
Table 2 Networking with an enterprise router and a transit VPC

Cloud Service

Description

VPC
Two service VPCs are required to run your workloads. In this example, the two VPCs are VPC-A and VPC-B.
  • The CIDR block of each service VPC cannot be the same as the CIDR block of the on-premises network.
  • The CIDR blocks of VPC subnets connected over a VPC peering connection cannot overlap. In this example, the subnet CIDR blocks of VPC-A, VPC-B, and VPC-Transit must be different.
  • Each VPC has a default route table.
  • The routes in the default route tables are described as follows:
    • VPC-A: The traffic is forwarded from VPC-A to VPC-Transit over the VPC peering connection Peer-A-T. Two routes are required, and the destination of one route is the CIDR block of VPC-B and that of the other route is the CIDR block of the on-premises network. For details, see Table 3.
    • VPC-B: The traffic is forwarded from VPC-B to VPC-Transit over the VPC peering connection Peer-B-T. Two routes are required, and the destination of one route is the CIDR block of VPC-A and that of the other route is the CIDR block of the on-premises network. For details, see Table 3.
One transit VPC, which will be attached to the enterprise router. In this example, the transit VPC is VPC-Transit.
  • A transit VPC is used to forward traffic between service VPCs and between each service VPC and the on-premises data center. No workloads are running in this VPC.
  • The CIDR block of the transit VPC cannot be the same as the CIDR block of the on-premises network.
  • The CIDR blocks of VPC subnets connected over a VPC peering connection cannot overlap. In this example, the subnet CIDR blocks of VPC-A, VPC-B, and VPC-Transit must be different.
  • The VPC has a default route table.
  • The routes in the default route table of the VPC are described as follows:
    • Two routes are required with the next hop set to each VPC peering connection (Peer-A-T and Peer-B-T) and destination set to the CIDR block of each service VPC to forward the traffic between VPC-A and VPC-B.
    • One route is required with the next hop set to the enterprise router and destination set to the CIDR block of the on-premises network to forward the traffic from VPC-A and VPC-B to the virtual gateway and then to the on-premises data center.

Direct Connect
  • One connection links your on-premises data center to the cloud.
  • One virtual gateway is attached to the enterprise router.
  • One virtual interface connects the virtual gateway with the connection.

Enterprise Router
Add attachments to the enterprise router and configure the required routes.
  • VPC
    • Associate the transit VPC with the default route table of the enterprise router. You need to manually add routes to the default route table of the enterprise router because Auto Add Routes is not enabled.
    • Manually add static routes to the default route table of the enterprise router because Default Route Table Propagation is not enabled. For details about the route, see Table 4.
  • Direct Connect
    • Associate the virtual gateway attachment with the default route table of the enterprise router.
    • Propagate the virtual gateway attachment to the default route table of the enterprise router. The route table automatically learns the route information of the virtual gateway attachment. For details, see Table 4.

ECS

There is an ECS in each service VPC. In this example, the two ECSs are used to verify network connectivity between service VPCs and between service VPCs and the on-premises data center.

If you have multiple ECSs associated with different security groups, you need to add rules to the security groups to allow network access.
Table 3 VPC route table

VPC

Destination

Next Hop

Route Type

VPC-A

172.17.0.0/16

VPC peering connection: Peer-A-T

Static route (custom)

10.10.0.0/16

VPC peering connection: Peer-A-T

Static route (custom)

VPC-B

172.16.0.0/16

VPC peering connection: Peer-B-T

Static route (custom)

10.10.0.0/16

VPC peering connection: Peer-B-T

Static route (custom)

VPC-Transit

172.17.0.0/16

VPC peering connection: Peer-B-T

Static route (custom)

172.16.0.0/16

VPC peering connection: Peer-A-T

Static route (custom)

10.10.0.0/16

Enterprise router

Static route (custom)

When attaching a VPC to an enterprise router, do not enable Auto Add Routes. You need to manually add routes in the route table of VPC-Transit.

Table 4 Enterprise router route table

Destination

Next Hop

Route Type

VPC-A CIDR block: 172.16.0.0/16

VPC-Transit attachment: er-attach-VPCtransit

Static route

VPC-B CIDR block: 172.17.0.0/16

VPC-Transit attachment: er-attach-VPCtransit

Static route

Local and remote gateways: 10.0.0.0/30

Virtual gateway attachment: vgw-demo

Propagated route

CIDR block of the on-premises network: 10.10.0.0/16

Virtual gateway attachment: vgw-demo

Propagated route

Resource Planning

An enterprise router, a Direct Connect connection, VPCs, and ECSs are in the same region but can be in different AZs.

The following resource details are only examples. You can modify them as required.

Table 5 Resource details

Resource

Description

VPC

Three VPCs are required. Table 6 describes the three VPCs and their settings.

  • Service VPCs: Two VPCs are used to run workloads. Each service VPC is connected to the transit VPC over a VPC peering connection and is not attached to the enterprise router.
  • Transit VPC: One transit VPC is attached to the enterprise router and used to forward traffic between service VPCs and between each service VPC and the on-premises data center. No workloads are running in this VPC.
NOTICE:
  • The CIDR block of each service VPC and that of the transit VPC cannot be the same as the CIDR block of the on-premises network.
  • The CIDR block of each service VPC and that of the transit VPC cannot overlap.
  • The transit VPC is attached to the enterprise router. There are some constraints on attaching a VPC to an enterprise router.

VPC peering connection

Two VPC peering connections are required to connect VPC-A, VPC-B, and VPC-Transit. Table 7 describes the two VPC peering connections and their settings.

Direct Connect connection

A connection, a virtual gateway, and a virtual interface are required. Table 8 describes the required Direct Connect resources and their settings.

Enterprise router

An enterprise router is required and two network instances will be attached to the enterprise router. Table 9 describes the enterprise router and its settings.

ECS

Two ECSs are required, with each in a service VPC. Table 10 describes the two ECSs and their settings.
Table 6 VPC details

VPC

VPC CIDR Block

Subnet

Subnet CIDR Block

Associated Route Table

VPC Description

VPC-A

172.16.0.0/16

subnet-A01

172.16.1.0/24

Default route table

Service VPC, not connected to the enterprise router

VPC-B

172.17.0.0/16

subnet-B01

172.17.1.0/24

Default route table

Service VPC, not connected to the enterprise router

VPC-Transit

192.168.0.0/24

subnet-Transit

192.168.0.0/24

Default route table

Transit VPC, connected to the enterprise router
Table 7 VPC peering connection details

VPC Peering Connection

Local VPC

Peer VPC

Description

Peer-A-T

VPC-A

VPC-Transit

Connects VPC-A and VPC-Transit.

Peer-B-T

VPC-B

VPC-Transit

Connects VPC-B and VPC-Transit.
Table 8 Direct Connect resource details

Resource

Example Settings

Connection

Create a connection based on site requirements.

Virtual gateway
  • Name: vgw-demo
  • Attach To: enterprise router
  • BGP ASN: The ASN is the same as or different from that of the enterprise router. In this example, retain the default value 64512.

Virtual interface
  • Name: vif-demo
  • Virtual Gateway: vgw-demo
  • Local Gateway: 10.0.0.1/30
  • Remote Gateway: 10.0.0.2/30
  • Remote Subnet: 10.10.0.0/16
  • Routing Mode: BGP
  • BGP ASN: ASN of the on-premises data center, which must be different from the ASN of the virtual gateway on the cloud. In this example, 65525 is used.
Table 9 Enterprise router details

Resource

Example Settings

Enterprise router
  • Name: er-demo
  • ASN: 64512
  • Default Route Table Association: Enable
  • Default Route Table Propagation: Disable

    You need to manually add a route for the VPC attachment in the route table of the enterprise router. There is no need to enable this option.

  • Auto Accept Shared Attachments: Enable

    If you want to connect VPCs of different accounts using an enterprise router, enable this function. For details, see Sharing Overview.

  • Association/Propagation route table: default route table
  • Attachments:
    • er-attach-VPCtransit
    • er-attach-VGW

Attachments
  • Attachment name: er-attach-VPCtransit
    • Attachment type: VPC attachment
    • VPC: VPC-Transit
    • Subnet: subnet-Transit
    • Auto Add Routes: There is no need to enable this option.

      If this option is enabled, Enterprise Router automatically adds routes (with this enterprise router as the next hop and 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 as the destinations) to all route tables of the VPC. In this example, the CIDR block of each service VPC needs to be added as the route destination.

  • Attachment name: er-attach-VGW
    • Attachment type: virtual gateway attachment
    • Virtual gateway: vgw-demo
Table 10 ECS details

ECS

VPC

Subnet

Private IP Address

Image

Security Group

ECS Description

ECS-A

VPC-A

subnet-A01

172.16.1.25

Public image:

CentOS 8.2 64bit

sg-demo

(general-purpose web server)

This ECS is used to run workloads.

ECS-B

VPC-B

subnet-B01

172.17.1.113

This ECS is used to run workloads.