How to connect your data center with Alibaba Cloud

Posted on 5 July 2021 by Alberto Roura.
Tags: alibaba cloud, hybrid cloud, networking, vpn, express connect

Connecting on-premises data centers with Alibaba Cloud enables hybrid cloud architectures, allowing organizations to leverage cloud resources while maintaining existing infrastructure. Alibaba Cloud offers multiple connectivity options to establish secure, high-performance connections between your data center and cloud resources.

Connectivity Options

1. Express Connect (Dedicated Network)

Express Connect provides dedicated, private network connections:

  • High Bandwidth: Up to 100 Gbps per connection
  • Low Latency: Direct private connection
  • High Reliability: SLA-backed availability
  • BGP Support: Dynamic routing capabilities
  • Multiple Connection Types: Physical and virtual connections

2. VPN Gateway

IPsec VPN connections for secure site-to-site connectivity:

  • Cost-Effective: Pay-as-you-go pricing
  • Quick Setup: Rapid deployment
  • IPsec Protocol: Industry-standard encryption
  • Multiple Connections: Support for multiple VPN connections
  • High Availability: Active-standby redundancy

3. Smart Access Gateway (SAG)

Managed network service for branch connectivity:

  • Cloud-Managed: Centralized management
  • Multiple Access Methods: 4G, 5G, and broadband
  • SD-WAN Capabilities: Software-defined networking
  • Unified Management: Manage multiple sites centrally

Express Connect Setup

Physical Connection

For high-bandwidth, low-latency requirements:

Step 1: Apply for Connection

# Create Express Connect connection via CLI
# Type is VPC for an Express Connect circuit; ap-xxxxx is a placeholder for a real
# access point ID. The API also expects the carrier (LineOperator) and port type,
# see the CreatePhysicalConnection reference for your region.
aliyun vpc CreatePhysicalConnection \
  --RegionId cn-hangzhou \
  --AccessPointId ap-xxxxx \
  --Type VPC \
  --Bandwidth 1000

Step 2: Configure Border Router

  • Set up Virtual Border Router (VBR)
  • Configure BGP sessions
  • Set up route tables
  • Configure VLANs

Step 3: Test Connectivity

# Test connectivity from ECS instance
ping <on-premises-ip>

# Test from on-premises
ping <ecs-private-ip>

Virtual Border Router (VBR) Configuration

# Create VBR
aliyun vpc CreateVirtualBorderRouter \
  --PhysicalConnectionId pc-xxxxx \
  --VbrOwnerId your-account-id \
  --VlanId 100 \
  --LocalGatewayIp 10.0.0.1 \
  --PeerGatewayIp 10.0.0.2 \
  --PeeringSubnetMask 255.255.255.252

VPN Gateway Setup

Create VPN Gateway

# Create VPN gateway
aliyun vpc CreateVpnGateway \
  --RegionId cn-hangzhou \
  --VpcId vpc-xxxxx \
  --Bandwidth 5 \
  --InstanceChargeType PostPaid

Configure Customer Gateway

# Create customer gateway
aliyun vpc CreateCustomerGateway \
  --IpAddress <on-premises-public-ip> \
  --Name "on-premises-gateway"

Create IPsec Connection

# Create IPsec VPN connection
aliyun vpc CreateVpnConnection \
  --VpnGatewayId vpn-xxxxx \
  --CustomerGatewayId cgw-xxxxx \
  --LocalSubnet "172.16.0.0/16" \
  --RemoteSubnet "10.0.0.0/16" \
  --EffectImmediately true

Configure On-Premises VPN Device

Example configuration for common VPN devices:

Cisco ASA:

crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
access-list VPN_ACL extended permit ip 10.0.0.0 255.255.0.0 172.16.0.0 255.255.0.0
crypto map outside_map 1 match address VPN_ACL
crypto map outside_map 1 set peer <vpn-gateway-ip>
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-128-SHA
crypto map outside_map interface outside
tunnel-group <vpn-gateway-ip> type ipsec-l2l
tunnel-group <vpn-gateway-ip> ipsec-attributes
 ikev1 pre-shared-key <pre-shared-key>

pfSense:

  • Navigate to VPN → IPsec → Tunnels
  • Configure Phase 1 and Phase 2 settings
  • Set local and remote subnets
  • Configure authentication

Network Architecture

VPC Configuration

# Create VPC for hybrid connectivity
aliyun vpc CreateVpc \
  --RegionId cn-hangzhou \
  --CidrBlock "172.16.0.0/16" \
  --VpcName "hybrid-cloud-vpc"

# Create VSwitch
aliyun vpc CreateVSwitch \
  --VpcId vpc-xxxxx \
  --CidrBlock "172.16.1.0/24" \
  --ZoneId cn-hangzhou-a

Route Table Configuration

# Add route to on-premises network
aliyun vpc CreateRouteEntry \
  --RouteTableId vtb-xxxxx \
  --DestinationCidrBlock "10.0.0.0/16" \
  --NextHopType "VpnGateway" \
  --NextHopId vpn-xxxxx

Security Group Rules

Configure security groups to allow only the traffic the on-premises network needs (here, SSH from 10.0.0.0/16):

# Allow traffic from on-premises network
aliyun ecs AuthorizeSecurityGroup \
  --SecurityGroupId sg-xxxxx \
  --IpProtocol tcp \
  --PortRange "22/22" \
  --SourceCidrIp "10.0.0.0/16"

Best Practices

Network Design

  1. Use Non-Overlapping CIDR Blocks: Ensure VPC and on-premises networks don’t overlap
  2. Implement Redundancy: Use multiple connections for high availability
  3. Route Optimization: Configure proper routing tables
  4. Network Segmentation: Use security groups and network ACLs
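The first rule above is the one most often broken on paper, before anything is provisioned, and the VBR peering addresses and VPN subnets earlier in this post have to agree with the same plan. The following POSIX shell script is an added example, not part of the post or of the aliyun CLI: it checks the addressing used throughout this post (VPC 172.16.0.0/16 with VSwitch 172.16.1.0/24, on-premises 10.0.0.0/16, the VPN LocalSubnet/RemoteSubnet pair, and the VBR peering link 10.0.0.1/10.0.0.2 in 255.255.255.252) for overlaps, containment and mismatches. The function names (`cidr_overlap`, `cidr_contains`, `p2p_valid`, `check_plan`) are my own; the values are the placeholders from the post.

```shell
#!/bin/sh
# Added pre-flight check for a hybrid addressing plan (example code, not from the post
# or the aliyun CLI). An overlap between the VPC and the on-premises range gives
# ambiguous routes; a VPN LocalSubnet/RemoteSubnet that does not match the VPC and the
# route entry leaves traffic black-holed. Values used below are the post's placeholders.

# Dotted quad -> 32-bit integer (POSIX arithmetic, no external tools).
ip_to_int() {
  _ifs=$IFS; IFS=.
  set -- $1
  IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> 32-bit netmask integer.
mask_of_prefix() {
  echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Network address (integer) of a CIDR such as 172.16.0.0/16.
net_of_cidr() {
  _ip=$(ip_to_int "${1%/*}"); _mask=$(mask_of_prefix "${1#*/}")
  echo $(( _ip & _mask ))
}

# Exit 0 if the two CIDRs share any address: two ranges overlap exactly when they
# agree on the first min(prefixA, prefixB) bits.
cidr_overlap() {
  _pa=${1#*/}; _pb=${2#*/}
  _p=$_pa; [ "$_pb" -lt "$_p" ] && _p=$_pb
  _mask=$(mask_of_prefix "$_p")
  [ $(( $(net_of_cidr "$1") & _mask )) -eq $(( $(net_of_cidr "$2") & _mask )) ]
}

# Exit 0 if INNER ($2) lies entirely inside OUTER ($1), e.g. a VSwitch inside its VPC.
cidr_contains() {
  [ "${1#*/}" -le "${2#*/}" ] || return 1
  _mask=$(mask_of_prefix "${1#*/}")
  [ $(( $(net_of_cidr "$2") & _mask )) -eq $(net_of_cidr "$1") ]
}

# Exit 0 if LOCAL ($1) and PEER ($2) are two distinct usable hosts in the same subnet
# under the dotted MASK ($3): the shape a VBR point-to-point peering link must have.
p2p_valid() {
  _l=$(ip_to_int "$1"); _r=$(ip_to_int "$2"); _m=$(ip_to_int "$3")
  [ "$_l" -ne "$_r" ] || return 1
  [ $(( _l & _m )) -eq $(( _r & _m )) ] || return 1
  _net=$(( _l & _m )); _bcast=$(( _net | (~_m & 0xFFFFFFFF) ))
  [ "$_m" -eq $(( 0xFFFFFFFE )) ] && return 0     # /31 links use both addresses
  [ "$_l" -ne "$_net" ] && [ "$_l" -ne "$_bcast" ] || return 1
  [ "$_r" -ne "$_net" ] && [ "$_r" -ne "$_bcast" ]
}

# Check one complete plan: VPC, VSwitch, on-premises range, VPN LocalSubnet, VPN
# RemoteSubnet. Prints every failing rule and exits non-zero if any failed.
check_plan() {
  vpc=$1; vswitch=$2; onprem=$3; vpn_local=$4; vpn_remote=$5
  _rc=0
  cidr_overlap "$vpc" "$onprem" && { echo "FAIL: VPC $vpc overlaps on-premises $onprem"; _rc=1; }
  cidr_contains "$vpc" "$vswitch" || { echo "FAIL: VSwitch $vswitch is not inside VPC $vpc"; _rc=1; }
  [ "$vpn_local" = "$vpc" ] || { echo "FAIL: VPN LocalSubnet $vpn_local != VPC $vpc"; _rc=1; }
  [ "$vpn_remote" = "$onprem" ] || { echo "FAIL: VPN RemoteSubnet $vpn_remote != on-premises $onprem"; _rc=1; }
  return $_rc
}

# The post's plan: VPC 172.16.0.0/16 with VSwitch 172.16.1.0/24, on-premises 10.0.0.0/16.
check_plan 172.16.0.0/16 172.16.1.0/24 10.0.0.0/16 172.16.0.0/16 10.0.0.0/16 && echo "plan OK"
# The post's VBR peering link: 10.0.0.1 <-> 10.0.0.2 in 255.255.255.252.
p2p_valid 10.0.0.1 10.0.0.2 255.255.255.252 && echo "peering link OK"
```

Run it before creating the VPC and gateways and again whenever a new on-premises range is added to the tunnel; a failing rule is cheaper to fix here than after a route entry has been pushed.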

Security

  1. Encryption: Use IPsec for VPN connections
  2. Access Control: Implement security groups and network ACLs
  3. Monitoring: Enable VPC Flow Logs
  4. Audit Logging: Monitor connection logs

Performance

  1. Bandwidth Planning: Right-size connection bandwidth
  2. Latency Optimization: Choose appropriate regions
  3. Traffic Routing: Optimize routing paths
  4. QoS Configuration: Implement quality of service policies

Monitoring and Troubleshooting

Monitor Connections

# Check VPN connection status
aliyun vpc DescribeVpnConnections

# View connection metrics
aliyun vpc DescribeVpnGateway \
  --VpnGatewayId vpn-xxxxx

Troubleshooting Steps

  1. Check Connection Status: Verify VPN/Express Connect status
  2. Verify Routing: Check route tables and BGP sessions
  3. Test Connectivity: Ping and traceroute tests
  4. Review Logs: Check VPC Flow Logs and VPN logs
  5. Verify Security Groups: Ensure rules allow traffic

Common Issues

  • Connection Drops: Check bandwidth limits and health checks
  • Routing Issues: Verify route tables and BGP configuration
  • Performance Problems: Check bandwidth utilization and latency
  • Security Blocking: Review security group and ACL rules
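To make "Review Logs" and "Security Blocking" concrete, here is an added example (not from the post) that summarizes rejected flows coming from the on-premises range in VPC Flow Log records, which is the quickest way to tell a missing security group rule (tunnel source, expected port) from Internet noise (source outside the tunnel). The space-separated field layout assumed below (version vswitch-id vm-id vpc-id account-id eni-id srcaddr srcport dstaddr dstport protocol direction packets bytes start end log-status action) is my reading of Alibaba Cloud's flow log documentation; adjust the field indexes if your records differ. The log lines and resource IDs are constructed for the example, and `rejected_from` is my own function name.

```shell
#!/bin/sh
# Added example: summarize REJECTed flows from a given source CIDR in VPC Flow Log
# records (example code, not from the post). Assumed record layout, 18 space-separated
# fields, taken from my reading of the Alibaba Cloud flow log docs; verify it against
# your own logs before relying on the field indexes:
#   version vswitch-id vm-id vpc-id account-id eni-id srcaddr srcport dstaddr dstport
#   protocol direction packets bytes start end log-status action

# Constructed sample records; the vsw-/i-/vpc-/eni- IDs are placeholders.
SAMPLE_FLOW_LOG='2 vsw-xxxxx i-xxxxx vpc-xxxxx 123456789 eni-xxxxx 10.0.5.7 51234 172.16.1.10 22 6 in 12 1480 1625500000 1625500060 OK ACCEPT
2 vsw-xxxxx i-xxxxx vpc-xxxxx 123456789 eni-xxxxx 10.0.5.7 51235 172.16.1.10 3389 6 in 3 180 1625500000 1625500060 OK REJECT
2 vsw-xxxxx i-xxxxx vpc-xxxxx 123456789 eni-xxxxx 10.0.5.7 51236 172.16.1.10 3389 6 in 3 180 1625500060 1625500120 OK REJECT
2 vsw-xxxxx i-xxxxx vpc-xxxxx 123456789 eni-xxxxx 203.0.113.9 40000 172.16.1.10 22 6 in 5 300 1625500000 1625500060 OK REJECT
2 vsw-xxxxx i-xxxxx vpc-xxxxx 123456789 eni-xxxxx 10.0.8.2 40001 172.16.1.10 443 6 in 9 900 1625500000 1625500060 OK REJECT'

# rejected_from CIDR  < flow-log-lines
# Prints "srcaddr dstaddr dstport count", sorted, for every REJECTed flow whose source
# address lies inside CIDR. Sources outside CIDR (Internet scanning) are dropped so the
# output lists only what the security group is denying to your own sites.
rejected_from() {
  awk -v cidr="$1" '
    # dotted quad -> integer; awk has no bit operators, so plain arithmetic is used
    function ip2int(ip,  o) { split(ip, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    BEGIN {
      split(cidr, c, "/"); size = 2 ^ (32 - c[2])
      net = int(ip2int(c[1]) / size) * size        # normalize to the network address
    }
    NF >= 18 && $18 == "REJECT" {
      s = ip2int($7)
      if (s >= net && s < net + size) count[$7 " " $9 " " $10]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# Usage: only the on-premises sources are reported; 203.0.113.9 is filtered out.
printf '%s\n' "$SAMPLE_FLOW_LOG" | rejected_from 10.0.0.0/16
```

In the sample, 10.0.5.7 hitting 172.16.1.10:3389 twice is a host inside the tunnel that the SSH-only rule from the Security Group Rules section correctly denies; whether that is a misconfiguration or a policy decision is exactly the question this summary lets you ask per source and port.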

Cost Considerations

Express Connect

  • Port Fee: Monthly port rental fee
  • Data Transfer: Charges based on data transfer volume
  • Regional Pricing: Varies by region

VPN Gateway

  • Instance Fee: Pay-as-you-go or subscription
  • Data Transfer: Charges for outbound data transfer
  • Bandwidth: Charges based on bandwidth tier

Conclusion

Connecting your data center with Alibaba Cloud enables hybrid cloud architectures that combine the benefits of cloud computing with existing on-premises infrastructure. Whether using Express Connect for high-performance dedicated connections or VPN Gateway for cost-effective secure connectivity, Alibaba Cloud provides flexible options to meet various requirements.

By following best practices for network design, security, and monitoring, organizations can build reliable, secure hybrid cloud environments that support their business objectives while maintaining optimal performance and cost efficiency.
