Connecting an On-Premises Data Center to a VPC over Two Connections in an Active/Standby Pair (Virtual Gateway)

Solution Overview

Scenario

You need two connections that are terminated at different Direct Connect locations in the same region to access the same VPC. The two connections work in an active/standby pair.

In this case, it is recommended that you use BGP routing. For the connections from the cloud, you can make them to work in an active/standby pair by setting the virtual interface priority. For the active/standby connections to the cloud, you can set their Local_Pref on your on-premises device.

Solution Architecture

Your on-premises network is connected to the VPC over two connections, with one is terminated at A and the other one terminated at B.

For details on how to create a VPC, see the Creating a VPC.

The following table lists the CIDR blocks used in this example.

Figure 1 Accessing a VPC using two connections that are terminated at two locations and work in an active/standby pair

Advantages

Multi-cloud architecture: You can access the cloud from any location that is closer to your on-premises data center or the third-party cloud and use Direct Connect to connect different clouds for backup.

Secure and reliable: Computing is performed on the clouds with minimum data transmitted over the dedicated network connection, and your core data is still stored in your on-premises data center.

Constraints

• Your on-premises network must use a single-mode fiber with a 1GE, 10GE, 40GE, or 100GE optical module to connect to the access device in the cloud.
• Auto-negotiation for the port must be disabled. Port speed and full duplex mode have been manually configured.
• 802.1Q VLAN encapsulation must be supported on your on-premises network.
• On-premises devices must support BGP and cannot use ASN 64512, which is used by Huawei Cloud.

Resource Planning

The following table describes the resources required for connecting an on-premises data center to a VPC using two connections that are terminated at different locations and working in active/standby pair.

Process Flowchart

In this scenario, your on-premises network connects to the cloud over two connections that are terminated at two locations in the same region, and BGP routes are used to route traffic between your on-premises network and the VPC.

Procedure

1. Create two connections: dc-connect1 and dc-connect2.
   1. Go to the Connections page.
   2. In the upper left corner of the page, click and select a region and project.
   3. In the upper right corner, click Create Connection.
   4. On the Create Connection page, enter the equipment room details and select the Direct Connect location and port based on Table 3.
      Figure 2 Creating a connection
      

      Table 3 Parameters for creating a connection

      Parameter	Example Value	Description
      Billing Mode	Yearly/Monthly	Specifies how you will be billed for the connection. Currently, only Yearly/Monthly is supported.
      Region	EU-Dublin	Specifies the region where the connection resides. You can also change the region in the upper left corner of the console.
      Connection Name	dc-123	Specifies the name of your connection.
      Location	Dublin	Specifies the Direct Connect location where your leased line can be connected to.
      Carrier	China Telecom	Specifies the carrier that provides the leased line.
      Port Type	1GE	Specifies the type of the port that the leased line is connected to: 1GE, 10GE
      Leased Line Bandwidth (Mbit/s)	100	Specifies the bandwidth of the line you need to lease from the carrier.
      Equipment Room Address	Room xx, xx building, xx road, xx district, xx city	Specifies the address of your equipment room. The address must be specific to the floor your equipment room is on.
      Tag	example_key1 example_value1	Adds tags to help you identify your connection. You can change them after the connection is created.
      Description	-	Provides supplementary information about the connection.
      Required Duration	5	Specifies how long the connection will be used for.
      Auto-renew	5	Specifies whether to automatically renew the subscription to ensure service continuity. For example, if you select this option and the required duration is three months, the system automatically renews the subscription for another three months.
      Enterprise Project	default	Specifies the enterprise project by which connections are centrally managed. Select an existing enterprise project.

   5. Click Confirm Configuration.
   6. Confirm the configuration and click Pay Now.
   7. Confirm the order, select a payment method, and click Confirm.
   8. After you have paid for the order, a connection ID is allocated to you automatically, and the connection information is displayed on the management console. You will be contacted to confirm the construction plan and relevant information (including your company name, constructor, expected construction time, and construction workers).
   9. After having confirmed the construction plan, you can arrange the carrier to deploy the dedicated line and connect it to your equipment room based on your construction plan.
   10. In normal cases, Huawei onsite engineers will connect the dedicated line to the Huawei Cloud gateway port within two working days.
   11. Verify that the connection is in the Normal state, which means that the connection is ready, and the billing starts.
   12. Repeat the preceding steps to create connection dc-connect2.

2. Create a virtual gateway.
   1. In the navigation pane on the left, choose Direct Connect > Virtual Gateways.
   2. Click Create Virtual Gateway.
   3. Configure the parameters based on Table 4.
      Figure 3 Creating a virtual gateway
      

      Table 4 Parameters required for creating a virtual gateway

      Parameter	Example Value	Description
      Name	vgw-123	Specifies the virtual gateway name. The name can contain 1 to 64 characters.
      Enterprise Project	default	Specifies the enterprise project by which virtual gateways are centrally managed. Select an existing enterprise project.
      VPC	VPC-001	Specifies the VPC to be associated with the virtual gateway.
      Local Subnet	192.168.0.0/16	Specifies the CIDR blocks of the subnets in the VPC to be accessed using Direct Connect. You can add one or more CIDR blocks. If there are multiple CIDR blocks, separate every entry with a comma (,).
      BGP ASN	64512	Specifies the BGP ASN of the virtual gateway.
      Tag	-	Adds tags to help you identify your virtual gateway. You can change them after the virtual gateway is created.
      Description	-	Provides supplementary information about the virtual gateway.

   4. Click OK.

3. Create two virtual interfaces: vif-test1 and vif-test2.

   Use virtual interface vif-test1 to connect virtual gateway vgw-test and connection dc-connect1 and virtual interface vif-test2 to connect virtual gateway vgw-test and connection dc-connect2. Set different priorities for the two virtual interfaces so the two connections can work in an active/standby pair.

   1. In the navigation pane on the left, choose Direct Connect > Virtual Interfaces.
   2. In the upper right corner, click Create Virtual Interface.
   3. Configure the parameters based on Table 5.
      Figure 4 Creating a virtual interface for your own account
      

      Table 5 Parameters for creating a virtual interface

      Parameter	Example Value	Description
      Virtual Interface Owner	Current account	Specifies the account that this virtual interface will be created for.
      Region	EU-Dublin	Specifies the region where the connection resides. You can also change the region in the upper left corner of the console.
      Name	vif-test1	Specifies the virtual interface name. The name can contain 1 to 64 characters.
      Virtual Interface Priority	-	Specifies whether the virtual interface will be used prior to other virtual interfaces. There are two options: Preferred and Standard. Virtual interfaces with different priorities are working in active/standby pairs. Select Preferred for the virtual interface associated with the active connection. Select Standard for the virtual interface associated with the standby connection.
      Connection	dc-connect1	Specifies the connection you can use to connect your on-premises network to Huawei Cloud.
      Gateway	Virtual gateway	Specifies the gateway that the virtual interface connects to. You can select a virtual gateway or global DC gateway. In this example, select a virtual gateway.
      Virtual Gateway	vgw-123	This parameter is mandatory when Gateway is set to Virtual gateway. Specifies the virtual gateway that the virtual interface connects to.
      Global DC Gateway	dgw-123	This parameter is mandatory when Gateway is set to Global DC gateway. Specifies the global DC gateway that the virtual interface connects to.
      VLAN	30	Specifies the ID of the VLAN for the virtual interface. You need to configure the VLAN if you create a standard connection. The VLAN for a hosted connection will be allocated by the carrier or partner. You do not need to configure the VLAN.
      Bandwidth (Mbit/s)	1000	Specifies the bandwidth that can be used by the virtual interface. The bandwidth cannot exceed that of the connection or LAG.
      Enterprise Project	default	Specifies the enterprise project by which virtual interfaces are centrally managed. Select an existing enterprise project.
      Local Gateway	10.0.0.1/30	Specifies the IP address used by the cloud to connect to your on-premises network. After you configure Local Gateway on the console, the configuration will be automatically delivered to the gateway used by the cloud.
      Remote Gateway	10.0.0.2/30	Specifies the IP address used by the on-premises data center to connect to the cloud. After you configure Remote Gateway on the console, you need to configure the IP address on the interface of the on-premises device. CAUTION: The IP addresses of the local gateway and remote gateway must be in the same IP address range. Generally, an IP address range with a 30-bit mask is used. The IP addresses you plan cannot conflict with IP addresses used on your on-premises network. Plan an IP address range that will be used at both ends of the connection for network communication between your on-premises data center and the cloud.
      Remote Subnet	10.1.123.0/24	Specifies the subnets and masks of your on-premises network. If there are multiple subnets, use commas (,) to separate them.
      Routing Mode	BGP	Specifies whether static routing or dynamic routing is used to route traffic between your on-premises network and the cloud network. If there are or will be two or more connections, select BGP routing for higher availability.
      BGP ASN	64510	Specifies the ASN of the BGP peer. This parameter is required when BGP routing is selected.
      BGP MD5 Authentication Key	Qaz12345678	Specifies the password used to authenticate the BGP peer using MD5. This parameter can be set when BGP routing is selected, and the parameter values on both gateways must be the same. The key contains 8 to 255 characters and must contain at least two types of the following characters: Uppercase letters Lowercase letters Digits Special characters ~!,.:;-_"(){}[]/@#$%^&*+\|=
      Description	-	Provides supplementary information about the virtual interface.

   4. Click Create Now.
   5. Repeat steps 3.a to 3.d to create virtual interface vif-test2.
   

   • When you create virtual interface vif-test2, select connection dc-connect2, and set Local Gateway to 10.0.0.5/30 and Remote Gateway to 10.0.0.6/30.

   • Set different BGP ASNs and BGP MD5 authentication keys for the two virtual interfaces.

   • The default security group rule denies all the inbound traffic. Ensure that security group rules in both directions are correctly configured to ensure normal communications.

4. Wait for route delivery from the cloud.

   Direct Connect automatically delivers the routes, and the active connection from the cloud has been specified through the priority of the associated virtual interface.

5. Configure routes on your on-premises network device.

   Suppose you want the connection terminated at A to serve as the active connection to access the cloud, you can set Local_Pref to lower the priority of the BGP routes for the connection terminated at Langfang-Huawei.

   Example BGP route (A Huawei-developed network device is used as an example.)

   bgp 64510
   peer 10.0.0.1 as-number 64512
   peer 10.0.0.1 password simple Qaz12345678
   peer 10.0.0.5 as-number 64512
   peer 10.0.0.5 password simple Qaz12345678
   peer 10.0.0.5 route-policy slave_direct_in import
   network 10.1.123.0 255.255.255.0
   route-policy  slave_direct_in  permit node 10
   apply local-preference 90

Connectivity Verification

Ping an on-premises server from an ECS to verify that the ECS can communicate with the on-premises server normally.

Disable the port for any connection and run the ping command again. If the ECS can still communicate with the on-premises server normally, the on-premises data center can access the cloud privately.

To view the specific path of a route, run the tracert command. The command varies according to the device type. For details, contact the device vendor.

Helpful Links

• For details about how to troubleshoot connection faults, see Network and Connectivity and Routing.
• For common problems about establishing network connectivity using Direct Connect, see Leased Line.
• For common problems about Direct Connect interconnection, see Interconnection with Cloud.