Hybrid Cloud Primary/Secondary Communication (CCN and VPN)

Last updated: 2021-09-09 15:05:23

    If your business is deployed in both a local IDC and a Tencent Cloud VPC, you can connect them via Cloud Connect Network (CCN) or VPN. To improve the business availability, you set up both CCN and VPN connections and configure them as the primary and secondary linkage for redundant communication. This document guides you through how to configure the CCN and VPN connection as primary/secondary linkages to connect your IDC to the cloud.

    Note:

    The route priority feature is currently in beta test. To try it out, please submit a ticket.

    Scenarios

    Suppose you have deployed your business in both Tencent Cloud VPC and an IDC. To interconnect them, you need to configure network connection services for high-availability communications as follows:

    • CCN (primary): connects the local IDC to a CCN-based direct connect gateway through a physical connection, and adds both the direct connect gateway and the VPC to a CCN to enable interconnection. When the connection linkage is normal, all data traffic between the IDC and the VPC are forwarded over CCN through the physical connection.
    • VPN connection (secondary): establishes an IPsec VPN tunnel to interconnect the local IDC and the Tencent Cloud VPC. When the connection linkage fails, traffic will be forwarded using this linkage to ensure the business availability.

    Prerequisites

    • Your local IDC gateway device should support the IPsec VPN feature and can act as a customer gateway to create a VPN tunnel with the VPN gateway.
    • The IDC gateway device has configured with a static IP address.
    • Sample data and configuration:
      Configuration item Sample value
      Network VPC information Subnet CIDR block 192.168.1.0/24
      Public IP of the VPN gateway 203.xx.xx.82
      IDC information Subnet CIDR block 10.0.1.0/24
      Public IP of the gateway 202.xx.xx.5

    Steps

    Directions

    Step 1: connect IDC to VPC through CCN

    1. Log in to the Direct Connect console and click Connections on the left sidebar to create a connection.
    2. Log in to the VPC console and click Direct Connect Gateway on the left sidebar. Click +New to create a direct connect gateway for which the Associate Network is CCN.
    3. Click the ID/Name of the direct connect gateway just created to enter its details page. Select the IDC IP Range tab to enter the IDC IP range, such as 10.0.1.0/24.
    4. Go to the CCN page and click +New to create a CCN instance.
    5. Go to the Dedicated Tunnels page and click +New to create a dedicated tunnel to connect the CCN-based direct connect gateway. Enter the tunnel name, select CCN for the Access Network, and then select the CCN-based direct connect gateway instance created earlier. Configure the IP addresses on both the Tencent Cloud and IDC sides, and select the BGP route. After the configuration is complete, click Download configuration guide and complete the IDC device configurations as instructed in the guide.
    6. Associate the VPC and the CCN-based direct connect gateway with the CCN instance to interconnect the VPC and the IDC.
      Note:

      For detailed directions, see Migrating IDC to the Cloud Through CCN.

    Step 2: connect IDC to VPC through a VPN connection

    1. Log in to the VPN Gateway console and click +New to create a VPN gateway for which the Associate Network is Virtual Private Cloud.
    2. Click Customer Gateway on the left sidebar and click +New to configure a customer gateway (a logical object of the VPN gateway on the IDC side). Enter the public IP address of the VPN gateway on the IDC side, such as 202.xx.xx.5.
    3. Click VPN Tunnel on the left sidebar and click +New to complete configurations such as SPD policy, IKE, and IPsec.
    4. Configure the same VPN tunnel as the step 3 on the local gateway device of the IDC to ensure a normal connection.
    5. In the route table associated with the VPC subnet for communication, configure a routing policy with the VPN gateway as the next hop and IDC IP range as the destination.
      Note:

      For detailed configurations of VPN gateways in different versions,

    Step 3: configure network probes

    Note:

    After the first two steps, there are two VPC routes to IDC. That is, both CCN and VPN gateway act as the next hop. The CCN route has a higher priority, making it the primary path and the VPN gateway the secondary path.

    To stay on top of the primary/secondary connection quality, configure two network probes separately to monitor the key metrics such as latency and packet loss rate and check the availability of primary/secondary routes.

    1. Go to the Network Probe page on VPC console.
    2. Click +New to create a network probe. Enter a name and destination IP, select a VPC and subnet, and set the Source Next Hop to CCN.
    3. Repeat the step 2 and set the Source Next Hop to VPN gateway. After the configuration is complete, you can check the probed network latency and packet loss rate of the CCN and VPN connection.
      Note:

      For detailed configurations, see Network Probe.

    Step 4: configure an alarm policy

    You can configure an alarm policy for linkages. When a linkage has an exception, alarm notifications are sent to you automatically via emails and SMS message, alerting you of the risks in advance.

    1. Log in to the CM console and go to the Alarm Policy page.
    2. Click Create. Enter the policy name, select VPC/Network Probe for the policy type, specify the network probe instances as the alarm object, and configure trigger conditions, alarm notifications, and other information. Then click Complete.

    Step 5: switch between primary and secondary routes

    After receiving a CCN network exception alarm, you need to manually disable the primary route, and forward traffic to the secondary route VPN gateway.

    1. Log in to the VPC console and go to the Route Tables page.
    2. Locate the route table associated with the VPC subnet for communication, click the ID/Name to enter its details page. Click to disable the primary route with the CCN as the next hop. Then the VPC traffic destined to IDC will be forwarded to the VPN gateway, instead of the CCN.