Hands on Alibaba CEN-TR - 1

interbeing
Aug 24, 2021

This tutorial shows how to use CEN-TR (Cloud Enterprise Network Transit Router) for intra-region, cross-VPC communication. We will create a CEN instance, a CEN-TR, two spoke VPCs, and one VM in each VPC. The VM in each VPC can reach the VM in the other VPC via CEN-TR, as all components are in the same region under one Aliyun account.

Create two Spoke VPCs

Use the Terraform script below to create vpc_a and vpc_b, each with three vswitches, one in each of the first three zones returned by the alicloud_zones data source (zones A, B and C).

# Zones in the region that can host a vswitch and a cloud_efficiency disk;
# zones[0], zones[1] and zones[2] are used as zone A, B and C below
data "alicloud_zones" "default" {
  available_disk_category     = "cloud_efficiency"
  available_resource_creation = "VSwitch"
}

# Four-character lowercase suffix appended to every resource name
resource "random_string" "random_name_post" {
  length           = 4
  special          = true
  override_special = ""
  min_lower        = 4
}

resource "alicloud_vpc" "vpc_a" {
  cidr_block = var.vpc_cidr_a
  vpc_name   = "${var.vpc_name_a}-${random_string.random_name_post.result}"
}

# One vswitch per zone in vpc_a
resource "alicloud_vswitch" "vswitch_a_zone_a" {
  vpc_id       = alicloud_vpc.vpc_a.id
  cidr_block   = var.vswitch_a_zone_a_cidr
  zone_id      = data.alicloud_zones.default.zones[0].id
  vswitch_name = "${var.vpc_name_a}-${random_string.random_name_post.result}"
}

resource "alicloud_vswitch" "vswitch_a_zone_b" {
  vpc_id       = alicloud_vpc.vpc_a.id
  cidr_block   = var.vswitch_a_zone_b_cidr
  zone_id      = data.alicloud_zones.default.zones[1].id
  vswitch_name = "${var.vpc_name_a}-${random_string.random_name_post.result}"
}

resource "alicloud_vswitch" "vswitch_a_zone_c" {
  vpc_id       = alicloud_vpc.vpc_a.id
  cidr_block   = var.vswitch_a_zone_c_cidr
  zone_id      = data.alicloud_zones.default.zones[2].id
  vswitch_name = "${var.vpc_name_a}-${random_string.random_name_post.result}"
}

resource "alicloud_vpc" "vpc_b" {
  cidr_block = var.vpc_cidr_b
  vpc_name   = "${var.vpc_name_b}-${random_string.random_name_post.result}"
}

# One vswitch per zone in vpc_b
resource "alicloud_vswitch" "vswitch_b_zone_a" {
  vpc_id       = alicloud_vpc.vpc_b.id
  cidr_block   = var.vswitch_b_zone_a_cidr
  zone_id      = data.alicloud_zones.default.zones[0].id
  vswitch_name = "${var.vpc_name_b}-${random_string.random_name_post.result}"
}

resource "alicloud_vswitch" "vswitch_b_zone_b" {
  vpc_id       = alicloud_vpc.vpc_b.id
  cidr_block   = var.vswitch_b_zone_b_cidr
  zone_id      = data.alicloud_zones.default.zones[1].id
  vswitch_name = "${var.vpc_name_b}-${random_string.random_name_post.result}"
}

resource "alicloud_vswitch" "vswitch_b_zone_c" {
  vpc_id       = alicloud_vpc.vpc_b.id
  cidr_block   = var.vswitch_b_zone_c_cidr
  zone_id      = data.alicloud_zones.default.zones[2].id
  vswitch_name = "${var.vpc_name_b}-${random_string.random_name_post.result}"
}

Create one VM in each VPC

# Smallest instance type available in the region: 1 vCPU, 1 GiB of memory
data "alicloud_instance_types" "types_ds" {
  cpu_core_count = 1
  memory_size    = 1
}

# Security groups referenced by the instances. The original post does not
# show them, so a minimal definition is assumed here: one group per VPC that
# accepts ICMP from the peer VPC, which is what the ping test later needs.
resource "alicloud_security_group" "SecGroup_a" {
  name   = "secgroup-a-${random_string.random_name_post.result}"
  vpc_id = alicloud_vpc.vpc_a.id
}

resource "alicloud_security_group_rule" "icmp_from_b" {
  type              = "ingress"
  ip_protocol       = "icmp"
  port_range        = "-1/-1"
  cidr_ip           = var.vpc_cidr_b
  security_group_id = alicloud_security_group.SecGroup_a.id
}

resource "alicloud_security_group" "SecGroup_b" {
  name   = "secgroup-b-${random_string.random_name_post.result}"
  vpc_id = alicloud_vpc.vpc_b.id
}

resource "alicloud_security_group_rule" "icmp_from_a" {
  type              = "ingress"
  ip_protocol       = "icmp"
  port_range        = "-1/-1"
  cidr_ip           = var.vpc_cidr_a
  security_group_id = alicloud_security_group.SecGroup_b.id
}

# One Ubuntu 18.04 VM per VPC in the zone-A vswitch with a fixed private IP;
# a public IP (10 Mbit/s egress) is only allocated when the variable is true
resource "alicloud_instance" "web-a" {
  image_id                   = "ubuntu_18_04_x64_20G_alibase_20200521.vhd"
  internet_max_bandwidth_out = var.internet_max_bandwidth_out ? 10 : null
  security_groups            = [alicloud_security_group.SecGroup_a.id]
  instance_type              = data.alicloud_instance_types.types_ds.instance_types[0].id
  vswitch_id                 = alicloud_vswitch.vswitch_a_zone_a.id
  private_ip                 = var.privateip_a
}

resource "alicloud_instance" "web-b" {
  image_id                   = "ubuntu_18_04_x64_20G_alibase_20200521.vhd"
  internet_max_bandwidth_out = var.internet_max_bandwidth_out ? 10 : null
  security_groups            = [alicloud_security_group.SecGroup_b.id]
  instance_type              = data.alicloud_instance_types.types_ds.instance_types[0].id
  vswitch_id                 = alicloud_vswitch.vswitch_b_zone_a.id
  private_ip                 = var.privateip_b
}

The result is shown below.

Create CEN instance

variable "cen_instance_name" {
  default = "cen-terraform-andy"
}

variable "cen_tr_name" {
  default = "tf"
}

# Random suffix for the CEN resources. The original post references
# random_string.random without showing it, so it is declared here (assumed).
resource "random_string" "random" {
  length  = 4
  special = false
  upper   = false
}

resource "alicloud_cen_instance" "default" {
  cen_instance_name = "${var.cen_instance_name}-${random_string.random.result}"
  description       = "terraform01"
}

Create CEN-TR

# Region of the spoke VPCs; the post does not show its declaration, so it is
# declared here without a default and must be set to that region
variable "cen_region" {}

resource "alicloud_cen_transit_router" "default" {
  transit_router_name = "${var.cen_tr_name}-${var.cen_region}-${random_string.random.result}"
  cen_id              = alicloud_cen_instance.default.id
}

The result is shown below.

Create routing table on CEN-TR

CEN-TR already has a default routing table, but here we create our own custom routing table named “to_spoke_vpc”.

# Name suffix of the custom table; with cen_tr_name = "tf" the table is
# called tf-to_spoke_vpc, as seen later in the GUI
variable "cen_tr_table_name_to_spoke_vpc" {
  default = "to_spoke_vpc"
}

resource "alicloud_cen_transit_router_route_table" "to_spoke_vpc" {
  transit_router_id               = alicloud_cen_transit_router.default.transit_router_id
  transit_router_route_table_name = "${var.cen_tr_name}-${var.cen_tr_table_name_to_spoke_vpc}"
}

The result is shown below.

Next, attach the two spoke VPCs to the CEN-TR (create the connections).

Here we use the GUI.

CEN-TR is like a VM instance that lives in two zones; above you can see primary zone C and secondary zone B.

Next, choose the VPC to attach.

Fill in the Attachment Name, Networks (the VPC name) and vSwitches. We created one vswitch per zone in each VPC; we select the zone C and zone B vswitches to match the TR's zones.

Leave Advanced Settings unselected; we will do the association and propagation manually to get a better understanding.

The result is:

Do the same to attach VPC-B.

The result after attaching both spoke VPCs:

Above, under “Intra-region Connect”, you see two VPC attachments whose routing table is not yet associated, so we have to associate each connection with a routing table. From the CEN-TR's perspective, when traffic arrives from an attachment, the route lookup for the destination is done in the routing table associated with that attachment.

Associate the connections with the routing table

Results:

If we want the two VPCs to communicate with each other via CEN-TR, we have to populate the routing table associated with the CEN-TR attachments. For this we configure route propagation.

After finishing the configuration, the GUI looks like:

Now, let’s check the CEN-TR tf-to_spoke_vpc routing table for route entries.

Above you can see that each subnet (vswitch) of the two VPCs is now propagated into the associated CEN-TR routing table tf-to_spoke_vpc. The diagram becomes:

Now CEN-TR has routes to reach both attached VPCs; however, the spoke VPCs do not yet have routes to each other, so we need to configure each VPC to reach the other network. For simplicity, we can just configure a default route in each VPC with next hop CEN-TR.

Above, under “Network Instance Route Table”, you can create a route entry with destination CIDR block 0.0.0.0/0 and next hop TR. The Network Instance Route Table is actually the VPC routing table; you can do the same under the VPC routing table.
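The four GUI steps above (attach both spoke VPCs, associate and propagate them to the to_spoke_vpc table, add the 0.0.0.0/0 route in each VPC) as Terraform, an example added here rather than the post's own code. It assumes the resources from the earlier snippets exist in the same configuration; the attachment, association, propagation and route entry resource types and their arguments, the attachment names and the "Attachment" next-hop type are taken from the alicloud provider as I know it and are assumptions, not from the post.

```hcl
locals {
  # vswitches keyed by TR zone: primary zone C and secondary zone B, as in the GUI
  zone_b = data.alicloud_zones.default.zones[1].id
  zone_c = data.alicloud_zones.default.zones[2].id
  spokes = {
    a = { vpc = alicloud_vpc.vpc_a, vsw = { (local.zone_c) = alicloud_vswitch.vswitch_a_zone_c.id, (local.zone_b) = alicloud_vswitch.vswitch_a_zone_b.id } }
    b = { vpc = alicloud_vpc.vpc_b, vsw = { (local.zone_c) = alicloud_vswitch.vswitch_b_zone_c.id, (local.zone_b) = alicloud_vswitch.vswitch_b_zone_b.id } }
  }
}

resource "alicloud_cen_transit_router_vpc_attachment" "spoke" {
  for_each                       = local.spokes
  cen_id                         = alicloud_cen_instance.default.id
  transit_router_id              = alicloud_cen_transit_router.default.transit_router_id
  vpc_id                         = each.value.vpc.id
  transit_router_attachment_name = "attach-vpc-${each.key}"
  # "Advanced Settings" off, as in the walkthrough: association and propagation are declared below
  route_table_association_enabled = false
  route_table_propagation_enabled = false
  dynamic "zone_mappings" {
    for_each = each.value.vsw
    content {
      zone_id    = zone_mappings.key
      vswitch_id = zone_mappings.value
    }
  }
}

# Traffic arriving from each attachment is looked up in to_spoke_vpc ...
resource "alicloud_cen_transit_router_route_table_association" "spoke" {
  for_each                      = alicloud_cen_transit_router_vpc_attachment.spoke
  transit_router_route_table_id = alicloud_cen_transit_router_route_table.to_spoke_vpc.transit_router_route_table_id
  transit_router_attachment_id  = each.value.transit_router_attachment_id
}

# ... and each VPC's vswitch CIDRs are propagated into that table
resource "alicloud_cen_transit_router_route_table_propagation" "spoke" {
  for_each                      = alicloud_cen_transit_router_vpc_attachment.spoke
  transit_router_route_table_id = alicloud_cen_transit_router_route_table.to_spoke_vpc.transit_router_route_table_id
  transit_router_attachment_id  = each.value.transit_router_attachment_id
}

# Default route in each VPC's own route table, next hop its TR attachment
resource "alicloud_route_entry" "to_tr" {
  for_each              = local.spokes
  route_table_id        = each.value.vpc.route_table_id
  destination_cidrblock = "0.0.0.0/0"
  nexthop_type          = "Attachment"
  nexthop_id            = alicloud_cen_transit_router_vpc_attachment.spoke[each.key].transit_router_attachment_id
}
```

With 0.0.0.0/0, everything a VM sends outside its own VPC is handed to the TR; using the peer VPC's CIDR instead (var.vpc_cidr_b for vpc_a, var.vpc_cidr_a for vpc_b) limits the VPC route to the intended spoke.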

Now both VPCs have a default route to CEN-TR, and CEN-TR has routes to both VPCs, so the two VPCs are reachable via CEN-TR. Let’s verify that. Assume the VM in spoke-VPC-a has public IP 47.241.198.109 and private IP 192.168.10.100; pinging the VM in spoke-VPC-b (IP 192.168.20.100) should succeed.

Verify the result:

We can also verify the traffic using CEN-TR connection traffic monitoring.

Above you can see the traffic statistics for in and out.

Here we end this tutorial. In the next blog I will show how to route traffic from CEN to a firewall (Fortinet FortiGate) to inspect the traffic between spoke-VPC-a and spoke-VPC-b.
