Updated on 2024-08-01 GMT+08:00

Connecting an On-Premises Data Center to a VPC over Two Connections in an Active/Standby Pair (Virtual Gateway)

Solution Overview

Scenarios

You need two connections that are terminated at different Direct Connect locations in the same region to access the same VPC. The two connections work in an active/standby pair.

In this case, BGP routing is recommended. For traffic from the cloud, you make the two connections work in an active/standby pair by setting the virtual interface priority. For traffic to the cloud, you set Local_Pref on your on-premises device so that one connection is preferred over the other.

Solution Architecture

Your on-premises network is connected to a VPC in the CN-Hong Kong region over two connections, with one terminated at Hong Kong-Sha Tin-Telecom and the other terminated at Hong Kong-Sai Kung-Mobile.

For details on how to create a VPC, see Creating a VPC.

The following table lists the CIDR blocks used in this example.

Table 1 CIDR blocks

  • On-premises network: 10.1.123.0/24
  • Local and remote gateways (addresses for interconnection): 10.0.0.0/30 and 10.0.0.4/30
  • VPC: 192.168.0.0/16

Figure 1 Accessing a VPC using two connections that are terminated at two locations and work in an active/standby pair

Advantages

Multi-cloud architecture: You can access the cloud from any location that is closer to your on-premises data center or the third-party cloud and use Direct Connect to connect different clouds for backup.

Secure and reliable: Computing is performed on the clouds with minimum data transmitted over the dedicated network connection, and your core data is still stored in your on-premises data center.

Constraints

  • Your on-premises network must use a single-mode fiber with a 1GE, 10GE, 40GE, or 100GE optical module to connect to the access device in the cloud.
  • Auto-negotiation must be disabled on the port, and the port speed and full-duplex mode must be configured manually.
  • 802.1Q VLAN encapsulation must be supported on your on-premises network.
  • On-premises devices must support BGP and cannot use ASN 64512, which is used by Huawei Cloud.

Resource Planning

The following table describes the resources required to connect an on-premises data center to a VPC over two connections that are terminated at different locations and work in an active/standby pair.

Table 2 Resource planning

Region: CN-Hong Kong

  • VPC (quantity: 1; price: free)
    VPC CIDR block: 192.168.0.0/16
  • Connections (quantity: 2; price: see Direct Connect Pricing Details)
    Connection dc-connect1 is terminated at Beijing-Yizhuang-Centrin and associated with virtual gateway vgw-test and virtual interface vif-test1.
      • Local subnet of virtual gateway vgw-test: 192.168.0.0/16
      • Local gateway of virtual interface vif-test1: 10.0.0.1/30
      • Remote gateway of virtual interface vif-test1: 10.0.0.2/30
      • Remote subnet of virtual interface vif-test1: 10.1.123.0/24
    Connection dc-connect2 is terminated at Langfang-Guangyang-Huawei and associated with virtual gateway vgw-test and virtual interface vif-test2.
      • Local subnet of virtual gateway vgw-test: 192.168.0.0/16
      • Local gateway of virtual interface vif-test2: 10.0.0.5/30
      • Remote gateway of virtual interface vif-test2: 10.0.0.6/30
      • Remote subnet of virtual interface vif-test2: 10.1.123.0/24

Process Flowchart

In this scenario, your on-premises network connects to the cloud over two connections that are terminated at two locations in the same region, and BGP routes are used to route traffic between your on-premises network and the VPC.

Procedure

  1. Create two connections: dc-connect1 and dc-connect2.

    1. Log in to the management console.
    2. On the console homepage, click in the upper left corner and select the desired region and project.
    3. Hover on to display Service List and choose Networking > Direct Connect.
    4. In the navigation pane on the left, choose Direct Connect > Connections.
    5. Click Create Connection. Select Self Service Installation.
    6. On the Create Connection page, enter the equipment room details and select the Direct Connect location and port based on Table 3.
      Figure 2 Creating a self-service connection
      Table 3 Parameters required for creating a connection

      Parameter

      Description

      Billing Mode

      Specifies how you will be billed for the connection. Currently, only Yearly/Monthly is supported.

      Region

      Specifies the region where the connection resides. You can also change the region in the upper left corner of the console.

      Connection Name

      Specifies the name of your connection.

      Location

      Specifies the Direct Connect location where your leased line can be connected to.

      Carrier

      Specifies the carrier that provides the leased line.

      Port Type

      Specifies the type of the port that the leased line is connected to. There are four types of ports: 1GE, 10GE, 40GE, and 100GE.

      Leased Line Bandwidth

      Specifies the bandwidth of the connection in the unit of Mbit/s. This is the bandwidth of the leased line you bought from the carrier.

      Your Equipment Room Address

      Specifies the address of your equipment room. The address must be specific to the floor your equipment room is on, for example, XX Equipment Room, XX Building, No. XX, Huajing Road, Pudong District, Shanghai.

      Tag

      Identifies the connection. A tag consists of a key and a value. You can add 20 tags to a connection.

      Tag keys and values must meet the requirements listed in Table 4.

      NOTE:

      If a predefined tag has been created on Tag Management Service (TMS), you can directly select the corresponding tag key and value.

      For details about predefined tags, see Predefined Tag Overview.

      If you have configured tag policies for Direct Connect, you need to add tags to your connections based on the tag policies. If you add a tag that does not comply with the tag policies, connections may fail to be created. Contact your administrator to learn more about tag policies.

      Description

      Provides supplementary information about the connection.

      Contact Person/Phone Number/Email

      Specifies who is responsible for your connection.

      If you do not provide any contact information, we will contact the person in your account information.

      Required Duration

      Specifies how long the connection will be used for.

      Auto-renew

      Specifies whether to automatically renew the subscription to ensure service continuity.

      For example, if you select this option and the required duration is three months, the system automatically renews the subscription for another three months.

      Enterprise Project

      Provides a cloud resource management mode where cloud resources and members are centrally managed by project.

      Table 4 Tag key and value requirements

      Parameter

      Requirements

      Key

      • Cannot be left blank.
      • Must be unique for each resource.
      • Can contain a maximum of 36 characters.
      • Can contain only letters, digits, hyphens, and underscores.

      Value

      • Can be left blank.
      • Can contain a maximum of 43 characters.
      • Can contain only letters, digits, periods, hyphens, and underscores.
    7. Click Confirm Configuration.
    8. Confirm the connection and click Pay Now.
    9. Confirm the order, select a payment method, and click Confirm.
    10. Repeat steps 1.d to 1.i to create connection dc-connect2 and select Hong Kong-Sai Kung-China Mobile as its location.

  2. Create a virtual gateway.

    1. In the navigation pane on the left, choose Direct Connect > Virtual Gateways.
    2. Click Create Virtual Gateway.
    3. Configure the parameters based on Table 5.
      Figure 3 Creating a virtual gateway
      Table 5 Parameters required for creating a virtual gateway

      Parameter

      Description

      Name

      Specifies the virtual gateway name.

      The name can contain 1 to 64 characters.

      Enterprise Project

      Provides a cloud resource management mode where cloud resources and members are centrally managed by project.

      VPC

      Specifies the VPC to be associated with the virtual gateway.

      Local Subnet

      Specifies the CIDR blocks of the subnets in the VPC to be accessed using Direct Connect.

      You can add one or more CIDR blocks. If there are multiple CIDR blocks, separate every entry with a comma (,).

      BGP ASN

      Specifies the BGP ASN of the virtual gateway.

      NOTE:

      Generally, Huawei Cloud's BGP ASN is 64512. There are two special cases:

      • In the CN North-Beijing1 region, the default BGP ASN of Huawei Cloud is 65533.
      • In the AP-Bangkok region, the BGP ASN of some Direct Connect locations is 65535 by default. For details, contact the Direct Connect manager.

      Tag

      Identifies the virtual gateway. A tag consists of a key and a value. You can add 20 tags to a virtual gateway.

      Tag keys and values must meet the requirements listed in Table 6.

      NOTE:

      If a predefined tag has been created on TMS, you can directly select the corresponding tag key and value.

      For details about predefined tags, see Predefined Tag Overview.

      If you have configured tag policies for Direct Connect, you need to add tags to your virtual gateways based on the tag policies. If you add a tag that does not comply with the tag policies, virtual gateways may fail to be created. Contact your administrator to learn more about tag policies.

      Description

      Provides supplementary information about the virtual gateway.

      Table 6 Tag naming requirements

      Parameter

      Requirements

      Key

      • Cannot be left blank.
      • Must be unique for each resource.
      • Can contain a maximum of 36 characters.
      • Can contain only letters, digits, hyphens, and underscores.

      Value

      • Can be left blank.
      • Can contain a maximum of 43 characters.
      • Can contain only letters, digits, periods, hyphens, and underscores.
    4. Click OK.

  3. Create two virtual interfaces: vif-test1 and vif-test2.

    Use virtual interface vif-test1 to connect virtual gateway vgw-test to connection dc-connect1, and virtual interface vif-test2 to connect virtual gateway vgw-test to connection dc-connect2. Give the two virtual interfaces different priorities so that the two connections work in an active/standby pair.

    1. In the navigation pane on the left, choose Direct Connect > Virtual Interfaces.
    2. Click Create Virtual Interface.
    3. Configure the parameters based on Table 7.
      Figure 4 Creating a virtual interface
      Table 7 Parameters for creating a virtual interface

      Parameter

      Description

      Region

      Specifies the region where the connection resides. You can also change the region in the upper left corner of the console.

      Name

      Specifies the virtual interface name.

      The name can contain 1 to 64 characters.

      Virtual Interface Priority

      Specifies whether the virtual interface is used in preference to other virtual interfaces. There are two options: Preferred and Standard.

      Virtual interfaces with different priorities work in an active/standby pair.

      • Select Preferred for the virtual interface associated with the active connection.
      • Select Standard for the virtual interface associated with the standby connection.

      Connection

      Specifies the connection you can use to connect your on-premises network to Huawei Cloud.

      Virtual Gateway

      Specifies the virtual gateway that the virtual interface connects to.

      VLAN

      Specifies the ID of the VLAN for the virtual interface.

      You need to configure the VLAN if you create a standard connection.

      The VLAN for a hosted connection will be allocated by the carrier or partner. You do not need to configure the VLAN.

      Bandwidth

      Specifies the bandwidth that can be used by the virtual interface, in Mbit/s. The bandwidth cannot exceed that of the connection or LAG.

      Enable Rate Limiting

      Limits the highest bandwidth that can be used by the virtual interface. If this option is enabled, the rate limit gradients are as follows:

      • If the bandwidth is less than or equal to 100 Mbit/s, the rate limit gradient is 10 Mbit/s.
      • If the bandwidth is greater than 100 Mbit/s but is less than or equal to 1,000 Mbit/s, the rate limit gradient is 100 Mbit/s.
      • If the bandwidth is greater than 1,000 Mbit/s but is less than or equal to 100 Gbit/s, the rate limit gradient is 1 Gbit/s.
      • If the bandwidth is greater than 100 Gbit/s, the rate limit gradient is 10 Gbit/s.

      For example, if the bandwidth is 52 Mbit/s, the actual rate limit is 60 Mbit/s. If the bandwidth is 115 Mbit/s, the actual rate limit is 200 Mbit/s.

      Enterprise Project

      Provides a cloud resource management mode where cloud resources and members are centrally managed by project.

      Tag

      Identifies the virtual interface. A tag consists of a key and a value. You can add 20 tags to a virtual interface.

      Tag keys and values must meet the requirements listed in Table 8.

      NOTE:

      If a predefined tag has been created on TMS, you can directly select the corresponding tag key and value.

      For details about predefined tags, see Predefined Tag Overview.

      If you have configured tag policies for Direct Connect, you need to add tags to your virtual interfaces based on the tag policies. If you add a tag that does not comply with the tag policies, virtual interfaces may fail to be created. Contact your administrator to learn more about tag policies.

      IP Address Family

      Specifies the address type of the virtual interface.

      IPv4 is selected by default.

      Local Gateway

      Specifies the gateway on the cloud network.

      Remote Gateway

      Specifies the gateway on your on-premises network.

      The remote gateway must be in the same IP address range as the local gateway. Generally, a subnet with a 30-bit mask is recommended.

      Remote Subnet

      Specifies the subnets and masks of your on-premises network. If there are multiple subnets, use commas (,) to separate them.

      Routing Mode

      Specifies whether static routing or dynamic routing is used to route traffic between your on-premises network and the cloud network.

      If there are or will be two or more connections, select BGP routing for higher availability.

      BGP ASN

      Specifies the ASN of the BGP peer.

      This parameter is required when BGP routing is selected.

      BGP MD5 Authentication Key

      Specifies the password used to authenticate the BGP peer using MD5.

      This parameter is mandatory when BGP routing is selected, and the parameter values on both gateways must be the same.

      The key contains 8 to 255 characters and must contain at least two types of the following characters:

      • Uppercase letters
      • Lowercase letters
      • Digits
      • Special characters ~!, .:;-_"(){}[]/@#$ %^&*+\|=

      Description

      Provides supplementary information about the virtual interface.

      Table 8 Tag naming requirements

      Parameter

      Requirements

      Key

      • Cannot be left blank.
      • Must be unique for each resource.
      • Can contain a maximum of 36 characters.
      • Can contain only letters, digits, hyphens, and underscores.

      Value

      • Can be left blank.
      • Can contain a maximum of 43 characters.
      • Can contain only letters, digits, periods, hyphens, and underscores.
    4. Click Create Now.
    5. Repeat steps 3.a to 3.d to create virtual interface vif-test2.
    • When you create virtual interface vif-test2, select connection dc-connect2, and set Local Gateway to 10.0.0.5/30 and Remote Gateway to 10.0.0.6/30.
    • Set different BGP ASNs and BGP MD5 authentication keys for the two virtual interfaces.
    • The default security group rule denies all the inbound traffic. Ensure that security group rules in both directions are correctly configured to ensure normal communications.
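The following Python script is added here and is not part of the Huawei Cloud documentation; it checks the Table 7 rules before a virtual interface is created: it rounds a bandwidth up to the rate-limit gradient, checks the BGP MD5 key length and character-type rules, and checks that the local and remote gateways are distinct usable addresses in one /30. The function names are my own, and the spaces printed in the page's special-character list are treated as layout, not as allowed characters.

```python
import ipaddress

# Special characters the page lists as allowed in a BGP MD5 authentication key
# (printed spaces treated as layout, not as allowed characters).
MD5_SPECIALS = set('~!,.:;-_"(){}[]/@#$%^&*+\\|=')

def rate_limit(bandwidth_mbps: int) -> int:
    """Effective rate limit (Mbit/s): the bandwidth rounded up to the gradient of
    its range (10 up to 100 Mbit/s, 100 up to 1,000, 1,000 up to 100 Gbit/s,
    10,000 above), e.g. 52 -> 60 and 115 -> 200."""
    if bandwidth_mbps <= 0:
        raise ValueError("bandwidth must be positive")
    if bandwidth_mbps <= 100:
        step = 10
    elif bandwidth_mbps <= 1_000:
        step = 100
    elif bandwidth_mbps <= 100_000:
        step = 1_000
    else:
        step = 10_000
    return -(-bandwidth_mbps // step) * step  # ceiling division to the gradient

def check_md5_key(key: str) -> list:
    """Rule violations for a BGP MD5 key (empty list means acceptable)."""
    problems = []
    if not 8 <= len(key) <= 255:
        problems.append("length must be 8 to 255 characters")
    kinds = (any(c.isupper() for c in key), any(c.islower() for c in key),
             any(c.isdigit() for c in key), any(c in MD5_SPECIALS for c in key))
    if sum(kinds) < 2:
        problems.append("must contain at least two character types")
    return problems

def check_gateway_pair(local: str, remote: str) -> list:
    """Violations for a local/remote gateway pair: same subnet, distinct usable
    host addresses, and the /30 mask the page recommends."""
    problems = []
    li, ri = ipaddress.ip_interface(local), ipaddress.ip_interface(remote)
    if li.network != ri.network:
        problems.append(f"{local} and {remote} are not in the same subnet")
    elif li.ip == ri.ip:
        problems.append("local and remote gateway addresses must differ")
    for name, iface in (("local", li), ("remote", ri)):
        if iface.ip not in list(iface.network.hosts()):
            problems.append(f"{name} gateway {iface.ip} is not a usable host address")
    if li.network.prefixlen != 30:
        problems.append(f"/{li.network.prefixlen} mask used; a /30 is recommended")
    return problems

def check_vif(bandwidth_mbps: int, md5_key: str, local: str, remote: str) -> dict:
    """Pre-flight check of one virtual interface's parameters before creating it."""
    return {"rate_limit_mbps": rate_limit(bandwidth_mbps),
            "md5_key": check_md5_key(md5_key),
            "gateways": check_gateway_pair(local, remote)}
```

Calling `check_vif(52, "Qaz12345678", "10.0.0.1/30", "10.0.0.2/30")` with the vif-test1 addresses from Table 2 (bandwidth and key are constructed values) reports a 60 Mbit/s rate limit and no problems.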

  4. Wait for route delivery from the cloud.

    Direct Connect delivers the routes automatically. Which connection is active for traffic from the cloud is determined by the priority of the associated virtual interface.

  5. Configure routes on your on-premises network device.

    If you want the connection terminated at Hong Kong-Sha Tin-Telecom to be the active connection to the cloud, set Local_Pref to lower the priority of the BGP routes learned over the connection terminated at Langfang-Guangyang-Huawei.

    Example BGP configuration (a Huawei-developed network device is used as an example). The route policy slave_direct_in is defined first and then applied in the import direction to the peer on the standby connection (10.0.0.5), so routes learned over that connection get Local_Pref 90 and lose to the same routes learned from the active peer (10.0.0.1), which keep the default of 100.

    #
    route-policy slave_direct_in permit node 10
     apply local-preference 90
    #
    bgp 64510
     peer 10.0.0.1 as-number 64512
     peer 10.0.0.1 password simple Qaz12345678
     peer 10.0.0.5 as-number 64512
     peer 10.0.0.5 password simple Qaz12345678
     peer 10.0.0.5 route-policy slave_direct_in import
     network 10.1.123.0 255.255.255.0
    #
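As an added illustration that is not from the page or from Huawei, this Python model shows what the route policy above achieves on the on-premises router: with both sessions up, the VPC route learned from 10.0.0.1 wins because the copy from 10.0.0.5 carries Local_Pref 90, and when the active session goes down the standby route takes over. The decision process is simplified to Local_Pref, AS_PATH length and a next-hop tie-break, and all function and constant names are my own.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str          # cloud-side local gateway the route was received from
    local_pref: int = 100  # BGP default when no import policy changes it
    as_path_len: int = 1   # one hop: the Huawei Cloud ASN 64512

# Mirrors the example config: only peer 10.0.0.5 (standby connection) has the
# slave_direct_in import policy, which sets local-preference 90.
IMPORT_LOCAL_PREF = {"10.0.0.5": 90}

def apply_import_policy(route: Route) -> Route:
    """Apply the per-peer import route-policy to a route received from a peer."""
    pref = IMPORT_LOCAL_PREF.get(route.next_hop, route.local_pref)
    return replace(route, local_pref=pref)

def best_path(candidates) -> Route:
    """Simplified BGP decision: highest Local_Pref, then shortest AS_PATH,
    then lowest next-hop address as a stand-in for the router-ID tie-break."""
    return max(candidates, key=lambda r: (r.local_pref, -r.as_path_len,
                                          -int(ipaddress.ip_address(r.next_hop))))

def select_routes(received, up_peers) -> dict:
    """Best route per prefix, considering only peers whose BGP session is up."""
    by_prefix = {}
    for route in received:
        if route.next_hop in up_peers:
            by_prefix.setdefault(route.prefix, []).append(apply_import_policy(route))
    return {prefix: best_path(c) for prefix, c in by_prefix.items()}

# Constructed sample: the VPC CIDR from Table 1, advertised by both cloud-side peers.
RECEIVED = [Route("192.168.0.0/16", "10.0.0.1"), Route("192.168.0.0/16", "10.0.0.5")]

def active_next_hop(up_peers) -> str:
    """Next hop the on-premises router uses for the VPC given the peers that are up."""
    return select_routes(RECEIVED, up_peers)["192.168.0.0/16"].next_hop

if __name__ == "__main__":
    print("both up:", active_next_hop({"10.0.0.1", "10.0.0.5"}))  # 10.0.0.1 (active)
    print("active peer down:", active_next_hop({"10.0.0.5"}))     # 10.0.0.5 (standby)
```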

Connectivity Verification

Ping an on-premises server from an ECS to verify that the ECS can communicate with the on-premises server normally.

Disable the port of either connection and run the ping command again. If the ECS can still communicate with the on-premises server normally, the other connection has taken over and the on-premises data center can still access the cloud privately.

To view the specific path of a route, run the tracert command. The command varies according to the device type. For details, contact the device vendor.
