Help Center/ Direct Connect/ Best Practices/ Accessing a VPC over Two Connections Through BGP Routes

Updated on 2023-08-08 GMT+08:00

View PDF

Accessing a VPC over Two Connections Through BGP Routes

Overview

Scenarios

Connect your on-premises network to the cloud over two connections that are terminated at two locations in the same region and use BGP routes to route traffic between your on-premises network and the VPC. You can set priorities for the virtual interfaces to determine the active and standby connections.

Typical Topology

Your on-premises network is connected to a VPC over two connections, with one is terminated at A and the other one terminated at B.

For details on how to create a VPC, see the Creating a VPC.

The following table lists the CIDR blocks used in this example.

**Table 1** CIDR blocks
Item	CIDR Block
Your on-premises network	10.1.123.0/24
Local and remote gateways (addresses for interconnection)	10.0.0.0/30 and 10.0.0.4/30
VPC	192.168.0.0/16

Figure 1 Accessing a VPC over two connections that use BGP routing

Advantages

Multi-cloud architecture: You can access Huawei Cloud from any location that is closer to your on-premises data center or the third-party cloud and use Direct Connect to connect different clouds for backup.
Secure and reliable: Computing is performed on the clouds with minimum data transmitted over the dedicated network connection, and your core data is still stored in your on-premises data center.

Constraints

Your on-premises network must use a single-mode fiber with a 1GE, 10GE, 40GE, or 100GE optical module to connect to the access devices in the cloud.
Auto-negotiation for the ports must be disabled. Port speed and full-duplex mode must be manually configured.
802.1Q VLAN encapsulation is supported on your on-premises network.
Your device supports BGP and does not use ASN 64512, which is used by Huawei Cloud.

Resource Planning

The following table describes the resource planning in the best practice.

**Table 2** Resource planning for accessing a VPC over two connections
Region	Resource	Description	Quantity	Price
EU-Dublin	VPC	VPC subnet: 192.168.0.0/16	1	Free
	Connection	Connection dc-connect1 is terminated at and associated with virtual gateway vgw-test and virtual interface vif-test1. Local subnet of virtual gateway vgw-test: 192.168.0.0/16 Local gateway of virtual interface vif-test1: 10.0.0.1/30 Remote gateway of virtual interface vif-test1: 10.0.0.2/30 Remote subnet of virtual interface vif-test1: 10.1.123.0/24	2	For details, see Direct Connect Pricing Details.
	Connection	Connection dc-connect2 is terminated at and associated with virtual gateway vgw-test and virtual interface vif-test2. Local subnet of virtual gateway vgw-test: 192.168.0.0/16 Local gateway of virtual interface vif-test2: 10.0.0.5/30 Remote gateway of virtual interface vif-test2: 10.0.0.6/30 Remote subnet of virtual interface vif-test2: 10.1.123.0/24	2	For details, see Direct Connect Pricing Details.

Operation Process

In this scenario, your on-premises network connects to the cloud over two connections that are terminated at two locations in the same region, and BGP routes are used to route traffic between your on-premises network and the VPC.

Procedure

Create two connections: dc-connect1 and dc-connect2.

Log in to the management console.
On the console homepage, click in the upper left corner and select the desired region and project.
Hover on to display Service List and choose Networking > Direct Connect.
In the navigation pane on the left, choose Direct Connect > Connections.
Click Create Connection.

On the Create Connection page, enter the equipment room details and select the Direct Connect location and port based on Table 3.

**Table 3** Parameters required for creating a connection
Parameter	Description
Billing Mode	Specifies how you are charged for the connection. Currently, only Yearly/Monthly is supported.
Region	Specifies the region where the connection resides. You can also change the region in the upper left corner of the console.
Connection Name	Specifies the name of your connection.
Location	Specifies the Direct Connect location where your leased line can be connected to.
Carrier	Specifies the carrier that provides the leased line.
Port Type	Specifies the type of the port that the leased line is connected to. There are four types of ports: 1GE, 10GE, 40GE, and 100GE.
Leased Line Bandwidth	Specifies the bandwidth of the leased line in the unit of Mbit/s.
Your Equipment Room Address	Specifies the address of your equipment room. The address must be specific to the floor your equipment room is on, for example, XX Equipment Room, XX Building, No. XX, Huajing Road, Pudong District, Shanghai.
Tag	Identifies the connection. A tag consists of a key and a value. You can add 10 tags to a connection. Tag keys and values must meet the requirements listed in Table 4. NOTE: If a predefined tag has been created on TMS, you can directly select the corresponding tag key and value. For details about predefined tags, see Predefined Tag Overview.
Description	Provides supplementary information about the connection.
Contact Person/Phone Number/Email	Specifies who is responsible for your connection. If you do not provide any contact information, we will contact the person in your account information.
Required Duration	Specifies how long the connection will be used for.
Auto-renew	Specifies whether to automatically renew the subscription to ensure service continuity. For example, if you select this option and the required duration is three months, the system automatically renews the subscription for another three months.
Enterprise Project	Provides a cloud resource management mode where cloud resources and members are centrally managed by project.

**Table 4** Tag key and value requirements
Parameter	Requirements
Key	Cannot be left blank. Must be unique for each resource. Can contain a maximum of 36 characters. Can contain only letters, digits, hyphens, underscores, and Unicode characters from \u4e00 to \u9fff.
Value	Can be left blank. Can contain a maximum of 43 characters. Can contain only letters, digits, period, hyphens, underscores, and Unicode characters from \u4e00 to \u9fff.

Click Next.
Confirm the connection information and click Pay Now.
Confirm the order, select a payment method, and click Confirm.
Repeat steps 1.d to 1.i to create connection dc-connect2 and select Langfang-Huawei as its location.

Create a virtual gateway named vgw-test.

In the navigation pane on the left, choose Direct Connect > Virtual Gateways.
Click Create Virtual Gateway.

Configure the parameters based on Table 5.

**Table 5** Parameters required for creating a virtual gateway
Parameter	Description
Name	Specifies the virtual gateway name. The name can contain 1 to 64 characters.
Enterprise Project	Provides a cloud resource management mode where cloud resources and members are centrally managed by project.
VPC	Specifies the VPC to be associated with the virtual gateway.
Local Subnet	Specifies the CIDR blocks of the subnets in the VPC to be accessed using Direct Connect. You can add one or more CIDR blocks. If there are multiple CIDR blocks, separate every entry with a comma (,).
Description	Provides supplementary information about the virtual gateway.

Click OK.

Create two virtual interfaces: vif-test1 and vif-test2.

Associate virtual interface vif-test1 with virtual gateway vgw-test and connection dc-connect1 and virtual interface vif-test2 with virtual gateway vgw-test and connection dc-connect2.

In the navigation pane on the left, choose Direct Connect > Virtual Interfaces.
Click Create Virtual Interface.

Configure the parameters based on Table 6.

**Table 6** Parameters required for creating a virtual interface
Parameter	Description
Region	Specifies the region where the connection resides. You can also change the region in the upper left corner of the console.
Name	Specifies the virtual interface name. The name can contain 1 to 64 characters.
Virtual Interface Priority	Specifies whether the virtual interface will be used prior to other virtual interfaces. There are two options: Preferred and Standard. If multiple virtual interfaces are associated with one Direct Connect device, load is balanced among virtual interfaces with the same priority, while virtual interfaces with different priorities are working in active/standby pairs. For details, see Active/Standby Connections.
Connection	Specifies the connection you can use to connect your on-premises network to Huawei Cloud.
Virtual Gateway	Specifies the virtual gateway that the virtual interface connects to.
VLAN	Specifies the ID of the VLAN for the virtual interface. Standard connections: You need to configure the VLAN. Hosted connections: The VLAN will be allocated by the carrier or partner. You do not need to configure the VLAN.
Bandwidth	Specifies the bandwidth that can be used by the virtual interface, in Mbit/s. The bandwidth cannot exceed that of the connection.
Enterprise Project	Provides a cloud resource management mode where cloud resources and members are centrally managed by project.
Local Gateway	Specifies the gateway on the Huawei Cloud network.
Remote Gateway	Specifies the gateway on your on-premises network. The remote gateway must be in the same IP address range as the local gateway. Generally, a subnet with a 30-bit mask is recommended.
Remote Subnet	Specifies the subnets and masks of your on-premises network. If there are multiple subnets, use commas (,) to separate them.
Routing Mode	Specifies whether static routing or dynamic routing is used to route traffic between your on-premises network and the cloud network. If there are or will be two or more connections, select BGP routing to achieve higher availability.
BGP ASN	Specifies the ASN of the BGP peer. This parameter is required when BGP routing is selected.
BGP MD5 Authentication Key	Specifies the password used to authenticate the BGP peer using MD5. This parameter is mandatory when BGP routing is selected, and the parameter values on both gateways must be the same. The key contains 8 to 255 characters and must contain at least two types of the following characters: Uppercase letters Lowercase letters Digits Special characters ~!, .:;-_"(){}[]/@#$ %^&*+\\|=
Description	Provides supplementary information about the virtual interface.

Click Create Now.
Repeat steps 3.a to 3.d to create virtual interface vif-test2.
- When you create virtual interface vif-test2, select connection dc-connect2, and set Local Gateway to 10.0.0.5/30 and Remote Gateway to 10.0.0.6/30.
- Set different BGP ASNs and BGP MD5 authentication keys for the two virtual interfaces.
- The default security group rule denies all the inbound traffic. Ensure that security group rules in both directions are correctly configured to ensure normal communications.

Wait for route propagation on the cloud.

Direct Connect automatically propagates the routes after a connection is established between your on-premises network and the cloud network.

Configure a static route on your device.

(Here is a static route on a Huawei device.)

bgp 64510
peer 10.0.0.1 as-number 64512
peer 10.0.0.1 password simple Qaz12345678
peer 10.0.0.5 as-number 64512
peer 10.0.0.5 password simple Qaz12345678
network 10.1.123.0 255.255.255.0

Active/Standby Connections

By default, BGP automatically selects the active and standby connections. To specify the active connection, perform the following operations:

Setting the active connection for connecting to the cloud

To set the connection terminated at as the active one, you can set Local_Pref.

The following is an example configuration:

bgp 64510 
peer 10.0.0.1 as-number 64512 
peer 10.0.0.1 password simple Qaz12345678 
peer 10.0.0.5 as-number 64512 
peer 10.0.0.5 password simple Qaz12345678 
peer 10.0.0.5 route-policy slave_direct_in import 
peer 10.0.0.5 route-policy slave_direct_out export 
network 10.1.123.0 255.255.255.0 
route-policy  slave_direct_in  permit node 10 
apply local-preference 90

Setting the active connection for connecting to the on-premises data center
Assume that the connection terminated at is expected to be the active connection. There are two ways to configure this:
- Method 1: Setting the priority of each virtual interface
  Set the priority of the virtual interface associated with the connection terminated at to Preferred, and that of the virtual interface associated with the connection terminated at to Standard. To switch the active connection, you only need to change the priority of each virtual interface on their basic information page.
  
  For details, see Creating a Virtual Interface.
- Method 2: Setting AS_Path
  The following is an example configuration:
```
bgp 64510 
peer 10.0.0.1 as-number 64512 
peer 10.0.0.1 password simple Qaz12345678 
peer 10.0.0.5 as-number 64512 
peer 10.0.0.5 password simple Qaz12345678 
peer 10.0.0.5 route-policy slave_direct_in import 
peer 10.0.0.5 route-policy slave_direct_out export 
network 10.1.123.0 255.255.255.0 
route-policy  slave_direct_out  permit node 10 
apply as-path 64510 additive
```

For the routes on the cloud, select the nearest Direct Connect gateway based on the location of the AZ.

Connectivity Verification

Ping an on-premises server from an ECS to verify that the ECS can communicate with the on-premises server normally.

Disable any connection port and run the ping command again. If the ECS can still communicate with the on-premises server normally, the on-premises data center can access the cloud privately.

To view the specific path of a route, run the tracert command. The command varies according to the device type. For details, contact the device vendor.

Helpful Links

For details about how to troubleshoot connection faults, see Network and Connectivity and Routing.
For common problems about establishing network connectivity using Direct Connect, see Leased Line Construction.
For common problems about Direct Connect interconnection, see Interconnection with Cloud.

Previous topic: Accessing a VPC over a Single Connection Through BGP Routes

Next topic: Connecting to Multiple VPCs that Do Not Need to Communicate with Each Other