Help Center/ Enterprise Router/ Best Practices/ Setting Up a Hybrid Cloud Network Using Enterprise Router and a Pair of Active/Standby Direct Connect Connections (Global DC Gateway)/ Network and Resource Planning
Updated on 2024-07-23 GMT+08:00
View PDF

Network and Resource Planning

To set up a hybrid cloud network using an enterprise router and a pair of active/standby Direct Connect connections, you need:
  • Network Planning: Plan the CIDR blocks of the VPC and their subnets, global DC gateway and virtual interface of each Direct Connect connection, VPC route tables, and enterprise router route tables.
  • Resource Planning: Plan the quantity, names, and other parameters of cloud resources, such as VPC, Direct Connect connection, ECS, and enterprise router.

Network Planning

Figure 1 shows the hybrid cloud network that you set up using two Direct Connect connections that work in an active/standby pair.

Figure 1 Hybrid cloud network that you set up using an enterprise router, two Direct Connect connections, and two global DC gateways

Two Direct Connect connections work in an active/standby pair. Connection DC-A is the active connection, and connection DC-B is the standby one. The on-premises data center communicates with the VPC over connection DC-A. If connection DC-A becomes faulty, connection DC-B automatically takes over. Table 1 describes the network paths in detail.

Only the preferred route is displayed in the enterprise router route table. Because connection DC-A associated with global DC gateway DGW-A is the active connection, the route with the next hop set to the global DC gateway DGW-A attachment is displayed in the enterprise router route table.

Table 1 Network traffic flows

Path

Description

Request traffic: from VPC-A to the on-premises data center
  1. In the route table of VPC-A, there are routes with the next hop set to the enterprise router to forward traffic from VPC-A to the enterprise router.
  2. In the route table of the enterprise router, there are routes with the next hop set to the global DC gateway DGW-A attachment to forward traffic from the enterprise router to the global DC gateway.
    • There are two routes with the next hop set to DGW-A. The destination of one route is 172.16.1.0/24, which is the on-premises network CIDR block. The destination of the other route is 10.0.0.0/30, which is the gateway address of virtual interface VIF-A.
    • There is a route whose destination is 172.16.1.0/24 and the next hop set to the global DC gateway DGW-A attachment. This is the preferred route.
  3. Virtual interface VIF-A is connected to global DC gateway DGW-A to forward traffic from global DC gateway DGW-A to DC-A through the remote gateway of virtual interface VIF-A.
  1. Traffic is forwarded to the on-premises data center over connection DC-A.

Response traffic: from the on-premises data center to VPC-A
  1. Traffic is forwarded to virtual interface VIF-A over connection DC-A.

    On the on-premises network, the routes pointing to the cloud are also configured to work in an active/standby pair, so that traffic is preferentially forwarded to DC-A.

  2. Virtual interface VIF-A is associated with global DC gateway DGW-A to forward traffic from virtual interface VIF-A to the global DC gateway DGW-A through the local gateway of virtual interface VIF-A.
  3. Traffic is forwarded from the global DC gateway DGW-A attachment to the enterprise router.
  4. In the route table of the enterprise router, there is a route with the next hop set to the VPC-A attachment to forward traffic from the enterprise router to VPC-A.
Table 2 Network planning details

Cloud Service/Resource

Description

VPC

A VPC is used to run your workloads and needs to be attached to the enterprise router.

  • The CIDR block of the VPC cannot overlap with that of any existing VPC.

    In this example, the CIDR block of the VPC is propagated to the enterprise router route table as the destination in routes and cannot be modified. Overlapping CIDR blocks may cause route conflicts.

    If your existing VPCs have overlapping CIDR blocks, do not use propagated routes. Instead, you need to manually add static routes to the route table of the enterprise router. The destination can be VPC subnet CIDR blocks or smaller ones.

  • The CIDR blocks of the VPC and of the on-premises data center cannot overlap.
  • The VPC has a default route table.
  • Table 3 lists the routes in the default VPC route table.
    • Three routes to fixed CIDR blocks: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. If Auto Add Routes is enabled when the VPC is attached to the enterprise router, static routes will be automatically configured in the VPC route table. If more than one VPC is attached to an enterprise router, traffic from one VPC to the other VPCs can be forwarded to the enterprise router over these routes, and is then to the next-hop network instance through the enterprise router.
    • A route to the on-premises network: In addition to the automatically-added routes to the three VPC CIDR blocks, you need to add a route whose destination is the on-premises network CIDR block (172.16.1.0/24 in this example) and next hop is the enterprise router in the VPC route table. Traffic from the VPC is forwarded to the enterprise router and then to the next-hop network instance through the enterprise router.
NOTE:

If an existing route in the VPC route table has a destination to 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16, the route that points to each CIDR block will fail to be added. In this case, do not enable Auto Add Routes. After the attachment is created, manually add the routes.

Direct Connect

Two connections work in an active/standby pair.

  • Both connections link your on-premises data center to the cloud.
  • Each connection has a global DC gateway associated, and both global DC gateways are attached to the enterprise router.
  • One virtual interface is required for each connection to connect the global DC gateway and connection.

Enterprise Router

After Default Route Table Association and Default Route Table Propagation are enabled and global DC gateway and VPC attachments are created, Enterprise Router will automatically:

  • Direct Connect
    • Associate the two global DC gateway attachments with the default route table of the enterprise router.
    • Propagate the global DC gateway attachment to the default route table of the enterprise router. The route table automatically learns the local and remote gateways, and the on-premises network CIDR block as the destinations of routes. For details, see Table 4.
  • VPC
    • Associate the VPC attachment with the default route table of the enterprise router.
    • Propagate the service VPC attachment to the default route table of the enterprise router. The route table automatically learns the VPC CIDR block as the destination of the route. For details, see Table 4.

Route policy
  • If the BGP routes on the on-premises network learned by the enterprise router through two global DC gateway attachments are equal-cost routes, load balancing is automatically implemented. In this case, you need to create a route policy to make the two connections work in an active/standby pair.

    In this example, the routes with 172.16.1.0/24 as the destination and DGW-A and DGW-B as the next hops are equal-cost routes.

  • A route policy is required for the propagation of the global DC gateway DGW-B attachment. Add a policy value to the AS_Path of the routes from the enterprise router to the on-premises data center through the global DC gateway DGW-B attachment to lower its priority.

    For this to work, you need to add two nodes to the route policy:

    • Node 1 has a higher priority and matches BGP routes. If a route is matched, 65535 is added to the AS_Path value of the route. 65535 is an example AS_Path, which cannot be the same as the ASNs used by the on-premises network, enterprise router, or global DC gateways.
    • Node 2 has a lower priority and matches all routes, ensuring normal communication through non-BGP routes.

    For details, see Route Policies.

Adding a policy value to the AS_Path of the route may cause network loops. Before configuring a route policy, check your network plan.

ECS

An ECS is deployed in the VPC to verify communications between the cloud and the on-premises data center.

If you have multiple ECSs associated with different security groups, you need to add rules to the security groups to allow network access.

On-premises data center

Configure the routes from the on-premises data center to the Direct Connect connections to work in an active/standby pair.
Table 3 VPC route table

Destination

Next Hop

Route Type

Fixed CIDR block: 10.0.0.0/8

Enterprise router

Static route (custom)

Fixed CIDR block: 172.16.0.0/12

Enterprise router

Static route (custom)

Fixed CIDR block: 192.168.0.0/16

Enterprise router

Static route (custom)

On-premises network CIDR block: 172.16.1.0/24

Enterprise router

Static route (custom)
  • If you enable Auto Add Routes when creating a VPC attachment, you do not need to manually add static routes to the VPC route table. Instead, the system automatically adds routes (with this enterprise router as the next hop and 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 as the destinations) to all route tables of the VPC.
  • If an existing route in the VPC route table has a destination to 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16, the route that points to each CIDR block will fail to be added. In this case, do not enable Auto Add Routes. After the attachment is created, manually add the routes.
  • You need to add a route to the VPC route table with the destination set to the on-premises network CIDR block and next hop set to enterprise router.
Table 4 Enterprise router route table

Destination

Next Hop

Route Type

VPC-A CIDR block: 192.168.0.0/16

VPC-A attachment: er-attach-vpc-A

Propagated

VIF-A gateway: 10.0.0.0/30

DGW-A attachment: er-attach-dgw-A

Propagated

VIF-B gateway: 10.1.0.0/30

DGW-B attachment: er-attach-dgw-B

Propagated

On-premises network CIDR block: 172.16.1.0/24

Only the next hop of the preferred route is displayed:

DGW-A attachment: er-attach-dgw-A

Propagated

Resource Planning

One enterprise router, two Direct Connect connections, one VPC, and one ECS are in the same region but can be in different AZs.

The following resource details are only examples. You can modify them if needed.

Table 5 Details of required resources

Resource

Quantity

Description

VPC

1

A VPC is required to run your workloads and needs to be attached to the enterprise router.

  • VPC name: Set it based on site requirements. In this example, VPC-A is used.
  • VPC IPv4 CIDR block: The CIDR block must be different from that of the on-premises data center. Set it based on site requirements. In this example, 192.168.0.0/16 is used.
  • Subnet name: Set it based on site requirements. In this example, Subnet-A01 is used.
  • Subnet IPv4 CIDR block: The CIDR block must be different from the on-premises network CIDR block. Set it based on site requirements. In this example, 192.168.0.0/24 is used.

Enterprise Router

1
  • Name: Set it based on site requirements. In this example, ER-X is used.
  • ASN: Set an ASN that is different from that used by the on-premises data center. In this example, the ASN is 64513.
  • Default Route Table Association: Enable it.
  • Default Route Table Propagation: Enable it.
  • Auto Accept Shared Attachments: Set it based on site requirements. In this example, this option is enabled.
  • Three attachments on the enterprise router:
    • VPC-A attachment: er-attach-vpc-A
    • DGW-A attachment: er-attach-dgw-A
    • DGW-B attachment: er-attach-dgw-B

Route policy

1

If the on-premises BGP routes learned by the enterprise router through two global DC gateway attachments are equal-cost routes, you need to configure a route policy and bind it to the propagation of the global DC gateway DGW-B attachment and add a policy value for the AS_Path of the roue learned through the global DC gateway DGW-B attachment.

For this to work, you need to add two nodes to the route policy:

  • Node 1 has a higher priority. You need to add a policy value to the AS_Path of the BGP routes to reduce the priority of the routes learned by the enterprise router through the global DC gateway DGW-B attachment.
    • Node Number: A node with a smaller node number is executed first. The node number of node 1 must be smaller than that of node 2. Set it to 10.
    • Action: Set it to Allow.
    • Match Condition: Select Route type and then BGP.
    • Policy Value 1: Select AS_Path.
    • Action: Set it to Add. The policy value must be different from the ASNs used by the global DC gateways, enterprise router, and on-premises network. Set the policy value based on site requirements. In this example, set it to 64535.
  • Node 2 has a lower priority and matches all routes, ensuring normal communication through non-BGP routes.
    • Node Number: Set a value greater than that of node 1. In this example, set it to 20.
    • Action: Set it to Allow.
  • Leave other parameters blank, indicating that other routes that do not match node 1 can match node 2. This ensures that the route policy allows all routes.

Direct Connect

2

Two connections are required.

In this example, the two connections are DC-A and DC-B.

A global DC gateway is required for each connection.

  • Name: Set it based on site requirements. In this example, DGW-A and DGW-B are used.
  • Associate With: Select Enterprise Router.
  • Enterprise Router: Select your enterprise router. In this example, ER-X is used.
  • BGP ASN: The ASNs of the two global DC gateways can be customized and can be the same as or different from that of the enterprise router. In this example, the ASNs of both global DC gateways are 64512.

One virtual interface is required for each connection.

  • Name: In this example, the two virtual interfaces are VIF-A and VIF-B.
  • Virtual Interface Priority: Select Preferred for both virtual interfaces, indicating that load balancing is implemented. The route policy on the enterprise router makes the two connections work in an active/standby pair.
  • Connection: In this example, virtual interface VIF-A is associated with connection DC-A, and virtual interface VIF-B is associated with connection DC-B.
  • Global DC Gateway: In this example, global DC gateway DGW-A is associated with virtual interface VIF-A, and DGW-B associated with VIF-B.
  • Local Gateway: In this example, the local gateway IP address range for virtual interface VIF-A is 10.0.0.1/30, and that for VIF-B is 10.1.0.1/30.
  • Remote Gateway: In this example, the remote gateway IP address range for virtual interface VIF-A is 10.0.0.2/30, and that for VIF-B is 10.1.0.2/30.
  • Remote Subnet: In this example, the on-premises network CIDR block is 172.16.1.0/24.
  • Routing Mode: Select BGP.
  • BGP ASN: ASN used by the on-premises network, which must be different from the ASNs of the global DC gateways on the cloud. In this example, 64555 is used.

Set up a peer link between the global DC gateway and the enterprise router.

  • Resource Type: Select Peer link.
  • Peer Link Name: Set it based on site requirements. In this example, er-attach-dgw is used.
  • Peer Link Type: Select Enterprise Router.
  • Link To: Select ER-X.

ECS

1

An ECS is required to verify connectivity.

  • ECS Name: Set it based on site requirements. In this example, ECS-A is used.
  • Image: Select an image based on site requirements. In this example, a public image (CentOS 8.2 64bit) is used.
  • Network
    • VPC: Select the service VPC. In this example, select VPC-A.
    • Subnet: Select the subnet that communicates with the on-premises data center. In this example, the subnet is Subnet-A01.
  • Security Group: Select a security group based on site requirements. In this example, the security group sg-demo uses a general-purpose web server template.
  • Private IP address: 192.168.0.137