Network and Resource Planning

Updated on 2024-07-23 GMT+08:00

View PDF

To use an enterprise router to connect an on-premises data center with VPCs, you need to:

Network Planning: Plan CIDR blocks of VPCs and their subnets, virtual gateway and virtual interface of the Direct Connect connection, VPC route tables, and enterprise router route tables.
Resource Planning: Plan the quantity, names, and other parameters of cloud resources, including VPCs, Direct Connect connection, ECSs, and enterprise router.

Network Planning

Figure 1 shows the network planning for communications between on-premises data center and VPCs.

Figure 1 Network planning for communications between on-premises data center and VPCs

**Table 1** Network traffic flows
Path	Description
Request traffic: from VPC 1 to the on-premises data center	In the route table of VPC 1, there is a route with the next hop set to the enterprise router to forward traffic from VPC 1 to the enterprise router. In the route table of the enterprise router, there are two routes with the next hop set to the virtual gateway attachment to forward traffic from the enterprise router to the virtual gateway. The virtual gateway is associated with the virtual interface. Traffic from the virtual gateway is forwarded to the Direct Connect connection through the remote gateway of the virtual interface Traffic is forwarded to the on-premises data center over the Direct Connect connection.
Response traffic: from the on-premises data center to VPC 1	Traffic is forwarded to the virtual interface over the connection. The virtual interface is associated with the virtual gateway. Traffic from the virtual interface is forwarded to the virtual gateway through the local gateway of the virtual interface. Traffic is forwarded from the virtual gateway to enterprise router. In the route table of the enterprise router, there is a route with the next hop set to the VPC 1 attachment to forward traffic from the enterprise router to VPC 1.

**Table 2** Description of network planning for communications between on-premises data center and VPCs
Resource	Description
VPCs	The CIDR blocks of the VPCs to be connected cannot overlap with each other. In this example, the CIDR blocks of the VPCs are propagated to the enterprise router route table as the destination in routes. The CIDR blocks cannot be modified and overlapping CIDR blocks may cause route conflicts. If your existing VPCs have overlapping CIDR blocks, do not use propagated routes. Instead, you need to manually add static routes to the route table of the enterprise router. The destination can be VPC subnet CIDR blocks or smaller ones. The CIDR blocks of VPCs and of the on-premises data center cannot overlap. Each VPC has a default route table. The routes in the default route table are described as follows: Local: a system route for communications between subnets in a VPC. Enterprise router: a custom route with destination set to 0.0.0.0/0 for routing traffic from a VPC subnet to the enterprise router. For details, see Table 3.
Direct Connect	One connection links your on-premises data center to the cloud. One virtual gateway is attached to the enterprise router. One virtual interface connects the virtual gateway with the connection.
Enterprise router	After Default Route Table Association and Default Route Table Propagation are enabled and virtual gateway and VPC attachments are created, Enterprise Router will automatically: Direct Connect Associate the virtual gateway attachment with the default route table of the enterprise router. Propagate the virtual gateway attachment to the default route table of the enterprise router. The route table automatically learns the local and remote gateways, and the on-premises network CIDR block as the destinations of routes. For details, see Table 4. VPC Associate the two VPC attachments with the default route table of the enterprise router. Propagate the VPC attachments to the default route table of the enterprise router. The route table automatically learns the VPC CIDR blocks as the destination of routes. For details, see Table 4.
ECSs	The two ECSs are in different VPCs. If the ECSs are in different security groups, add rules to the security groups to allow access to each other.

**Table 3** VPC route table
Destination	Next Hop	Route Type
0.0.0.0/0	Enterprise router	Static route (custom)

NOTE:

If you enable Auto Add Routes when creating a VPC attachment, you do not need to manually add static routes to the VPC route table. Instead, the system automatically adds routes (with this enterprise router as the next hop and 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 as the destinations) to all route tables of the VPC.
If an existing route in the VPC route tables has a destination to 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16, the routes will fail to be added. In this case, do not enable Auto Add Routes. After the attachment is created, manually add routes.
You need to add a route to VPC route tables with destination set to the on-premises network CIDR block and next hop set to enterprise router.
To reduce the number of routes, you can set the destination of a route (with an enterprise router as the next hop) to 0.0.0.0/0 in the VPC route table. However, in this case, ECSs in VPCs cannot be bound with EIPs. If an ECS in the VPC has an EIP bound, the VPC route table will have a policy-based route with 0.0.0.0/0 as the destination, which has a higher priority than the route with the enterprise router as the next hop. In this case, traffic is forwarded to the EIP and cannot reach the enterprise router.

**Table 4** Enterprise router route table
Destination	Next Hop	Route Type
VPC 1 CIDR block: 192.168.0.0/16	VPC 1 attachment: er-attach-01	Propagated
VPC 2 CIDR block: 172.16.0.0/16	VPC 2 attachment: er-attach-02	Propagated
Local and remote gateways: 10.0.0.0/30	Virtual gateway attachment: vgw-demo	Propagated
Data center CIDR block: 10.1.123.0/24	Virtual gateway attachment: vgw-demo	Propagated

Resource Planning

An enterprise router, a Direct Connect connection, VPCs, and ECSs are in the same region but can be in different AZs.

NOTE:

The following resource details are only examples. You can modify them if needed.

One enterprise router. See details in Table 5.

**Table 5** Enterprise router details
Enterprise Router Name	ASN	Default Route Table Association	Default Route Table Propagation	Association Route Table	Propagation Route Table	Attachment
er-test-01	64512	Enabled	Enabled	Default route table	Default route table	er-attach-01
er-test-01	64512	Enabled	Enabled	Default route table	Default route table	er-attach-02

Direct Connect connection: see details in Table 6.

**Table 6** Direct Connect connection details
Virtual Gateway	Virtual Interface	Local Gateway (Cloud)	Remote Gateway (On-premises)	Remote Subnet	Routing and BGP Peer ASN
vgw-demo	vif-demo	10.0.0.1/30	10.0.0.2/30	10.1.123.0/24	Routing: BGP
vgw-demo	vif-demo	10.0.0.1/30	10.0.0.2/30	10.1.123.0/24	BGP peer ASN: 64510

Two VPCs that do not overlap with each other. See details in Table 7.

**Table 7** VPC details
VPC	VPC CIDR Block	Subnet	Subnet CIDR Block	Association Route Table
vpc-demo-01	192.168.0.0/16	subnet-demo-01	192.168.1.0/24	Default route table
vpc-demo-02	172.16.0.0/16	subnet-demo-02	172.16.1.0/24	Default route table

Two ECSs, respectively, in two VPCs. See details in Table 8.

**Table 8** ECS details
ECS Name	Image	VPC	Subnet	Security Group	Private IP Address
ecs-demo-01	Public image: EulerOS 2.5 64-bit	vpc-demo-01	subnet-demo-01	sg-demo (general-purpose web server)	192.168.1.99
ecs-demo-02	Public image: EulerOS 2.5 64-bit	vpc-demo-02	subnet-demo-02	sg-demo (general-purpose web server)	172.16.1.137