To use an enterprise router to connect an on-premises data center with VPCs, you need to:
- Network Planning: Plan CIDR blocks of VPCs and their subnets, virtual gateway and virtual interface of the Direct Connect connection, VPC route tables, and enterprise router route tables.
- Resource Planning: Plan the quantity, names, and other parameters of cloud resources, including VPCs, Direct Connect connection, ECSs, and enterprise router.
Network Planning
Figure 1 shows the network planning for communications between on-premises data center and VPCs.
Figure 1 Network planning for communications between on-premises data center and VPCs
Table 1 Network traffic flows
Path |
Description |
Request traffic: from VPC 1 to the on-premises data center |
- In the route table of VPC 1, there is a route with the next hop set to the enterprise router to forward traffic from VPC 1 to the enterprise router.
- In the route table of the enterprise router, there are two routes with the next hop set to the virtual gateway attachment to forward traffic from the enterprise router to the virtual gateway.
- The virtual gateway is associated with the virtual interface. Traffic from the virtual gateway is forwarded to the Direct Connect connection through the remote gateway of the virtual interface
- Traffic is forwarded to the on-premises data center over the Direct Connect connection.
|
Response traffic: from the on-premises data center to VPC 1 |
- Traffic is forwarded to the virtual interface over the connection.
- The virtual interface is associated with the virtual gateway. Traffic from the virtual interface is forwarded to the virtual gateway through the local gateway of the virtual interface.
- Traffic is forwarded from the virtual gateway to enterprise router.
- In the route table of the enterprise router, there is a route with the next hop set to the VPC 1 attachment to forward traffic from the enterprise router to VPC 1.
|
Table 2 Description of network planning for communications between on-premises data center and VPCs
Resource |
Description |
VPCs |
- The CIDR blocks of the VPCs to be connected cannot overlap with each other.
In this example, the CIDR blocks of the VPCs are propagated to the enterprise router route table as the destination in routes. The CIDR blocks cannot be modified and overlapping CIDR blocks may cause route conflicts.
If your existing VPCs have overlapping CIDR blocks, do not use propagated routes. Instead, you need to manually add static routes to the route table of the enterprise router. The destination can be VPC subnet CIDR blocks or smaller ones.
- The CIDR blocks of VPCs and of the on-premises data center cannot overlap.
- Each VPC has a default route table.
- The routes in the default route table are described as follows:
- Local: a system route for communications between subnets in a VPC.
- Enterprise router: a custom route with destination set to 0.0.0.0/0 for routing traffic from a VPC subnet to the enterprise router. For details, see Table 3.
|
Direct Connect |
- One connection links your on-premises data center to the cloud.
- One virtual gateway is attached to the enterprise router.
- One virtual interface connects the virtual gateway with the connection.
|
Enterprise router |
After Default Route Table Association and Default Route Table Propagation are enabled and virtual gateway and VPC attachments are created, Enterprise Router will automatically:
- Direct Connect
- Associate the virtual gateway attachment with the default route table of the enterprise router.
- Propagate the virtual gateway attachment to the default route table of the enterprise router. The route table automatically learns the local and remote gateways, and the on-premises network CIDR block as the destinations of routes. For details, see Table 4.
- VPC
- Associate the two VPC attachments with the default route table of the enterprise router.
- Propagate the VPC attachments to the default route table of the enterprise router. The route table automatically learns the VPC CIDR blocks as the destination of routes. For details, see Table 4.
|
ECSs |
The two ECSs are in different VPCs. If the ECSs are in different security groups, add rules to the security groups to allow access to each other. |
Table 3 VPC route table
Destination |
Next Hop |
Route Type |
0.0.0.0/0 |
Enterprise router |
Static route (custom) |
- If you enable Auto Add Routes when creating a VPC attachment, you do not need to manually add static routes to the VPC route table. Instead, the system automatically adds routes (with this enterprise router as the next hop and 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 as the destinations) to all route tables of the VPC.
- If an existing route in the VPC route tables has a destination to 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16, the routes will fail to be added. In this case, do not enable Auto Add Routes. After the attachment is created, manually add routes.
- You need to add a route to VPC route tables with destination set to the on-premises network CIDR block and next hop set to enterprise router.
- To reduce the number of routes, you can set the destination of a route (with an enterprise router as the next hop) to 0.0.0.0/0 in the VPC route table. However, in this case, ECSs in VPCs cannot be bound with EIPs. If an ECS in the VPC has an EIP bound, the VPC route table will have a policy-based route with 0.0.0.0/0 as the destination, which has a higher priority than the route with the enterprise router as the next hop. In this case, traffic is forwarded to the EIP and cannot reach the enterprise router.
Table 4 Enterprise router route table
Destination |
Next Hop |
Route Type |
VPC 1 CIDR block: 192.168.0.0/16 |
VPC 1 attachment: er-attach-01 |
Propagated |
VPC 2 CIDR block: 172.16.0.0/16 |
VPC 2 attachment: er-attach-02 |
Propagated |
Local and remote gateways: 10.0.0.0/30 |
Virtual gateway attachment: vgw-demo |
Propagated |
Data center CIDR block: 10.1.123.0/24 |
Virtual gateway attachment: vgw-demo |
Propagated |
Resource Planning
An enterprise router, a Direct Connect connection, VPCs, and ECSs are in the same region but can be in different AZs.
The following resource details are only examples. You can modify them if needed.
- One enterprise router. See details in Table 5.
Table 5 Enterprise router details
Enterprise Router Name |
ASN |
Default Route Table Association |
Default Route Table Propagation |
Association Route Table |
Propagation Route Table |
Attachment |
er-test-01 |
64512 |
Enabled |
Enabled |
Default route table |
Default route table |
er-attach-01 |
er-attach-02 |
- Direct Connect connection: see details in Table 6.
Table 6 Direct Connect connection details
Virtual Gateway |
Virtual Interface |
Local Gateway (Cloud) |
Remote Gateway (On-premises) |
Remote Subnet |
Routing and BGP Peer ASN |
vgw-demo |
vif-demo |
10.0.0.1/30 |
10.0.0.2/30 |
10.1.123.0/24 |
Routing: BGP |
BGP peer ASN: 64510 |
- Two VPCs that do not overlap with each other. See details in Table 7.
Table 7 VPC details
VPC |
VPC CIDR Block |
Subnet |
Subnet CIDR Block |
Association Route Table |
vpc-demo-01 |
192.168.0.0/16 |
subnet-demo-01 |
192.168.1.0/24 |
Default route table |
vpc-demo-02 |
172.16.0.0/16 |
subnet-demo-02 |
172.16.1.0/24 |
Default route table |
- Two ECSs, respectively, in two VPCs. See details in Table 8.
Table 8 ECS details
ECS Name |
Image |
VPC |
Subnet |
Security Group |
Private IP Address |
ecs-demo-01 |
Public image:
EulerOS 2.5 64-bit |
vpc-demo-01 |
subnet-demo-01 |
sg-demo
(general-purpose web server) |
192.168.1.99 |
ecs-demo-02 |
vpc-demo-02 |
subnet-demo-02 |
172.16.1.137 |