Versa Networks

Integrate VOS Devices in an Alibaba Cloud Deployment

For supported software information, see the Supported Software Information section at the end of this article.

This article describes how to integrate Versa Operating System (VOS) devices in an Alibaba cloud deployment.

Activate the OSS

To activate the Alibaba object storage service (OSS):

  1. Log in to the Alibaba cloud website.
  2. In the product list, click Object Storage Service.
  3. On the Object Storage Service page, click Buy Now.
  4. When the OSS is activated, access the OSS console. To do this, either click Management Console on the Object Storage Service page, or click Console in the upper right corner to access the Alibaba cloud console and then select Object Storage Service in the left menu bar.

    RR Versa VOS on Alibaba.png

Create an OSS Bucket

To create an OSS storage bucket:

  1. Log in to the OSS console.
  2. Click Create Bucket to open the Create Bucket screen. Enter information for the following fields.

    create-bucket.png
    create-bucket-2.png
     
    Field                      Description
    Bucket Name                Enter a name for the bucket. The name must comply with the Alibaba bucket naming conventions, and it must be unique among all existing buckets in the Alibaba cloud OSS. Note that once you have created a bucket, you cannot change its name.
    Region                     Select the data center for the bucket. Note that once you have created a bucket, you cannot change its region.
    Storage Class              Select Standard.
    Access Control List (ACL)  Select Private. With the private ACL, only the bucket owner and explicitly authorized users can read, write, and delete objects in the bucket; all other users are denied. Do not select Public Read or Public Read/Write for a bucket that holds VOS images.

  3. Click OK.

Upload the VOS Image

The Alibaba cloud classifies ECS images as public images, custom images, shared images, and marketplace images. VOS images must be deployed as custom images. You can import image files whose format is QCOW2, RAW, or VHD.

To upload the VOS image to the OSS bucket:

  1. Log in to the OSS console.
  2. In the bucket name list, click the name of the bucket to which you want to upload the VOS image file.
  3. Select the Files tab.

    upload-VOS-image.png
  4. Click Upload.
  5. In the Directory Address field, enter the directory to which to upload the file.
  6. In the File ACL field, select the read and write permissions of the file that you are uploading. By default, a file inherits the read and write permissions of its bucket.
  7. In the Upload field, drag one or more files to upload to this area, or click Upload Them Directly to select one or more files to upload.


    upload-VOS-image-2.png

Create a Custom Image for Versa VMs on Alibaba

  1. Navigate to the Images page.

    custom-image-1.png

    custom-image-2.png

    Alibaba-cloud.png

    Alibaba-cloud-2.png
  2. On the Images page, click Import Image.

    Alibaba-cloud-images.png
  3. In the Import Image screen, enter information for the following fields.

    Alibaba-cloud-images-2.png
     
    Field                Description
    Region of Image      Select the region where the OSS bucket that holds the image file is located.
    OSS Object Address   Copy the object address of the image file from the OSS console.
    Image Name           Enter a name for the custom image. The name must be 2 to 128 characters in length and can contain letters, numbers, Chinese characters, periods (.), underscores (_), colons (:), and hyphens (-).
    Operating System     Select Linux.
    System Disk Size     Select 80 GiB. The system disk size can be from 40 through 500 GiB.
    System Architecture  Select x86_64.
    Platform             Select Ubuntu.
    Image Format         Select the format of the uploaded image file: QCOW2, RAW, or VHD. VHD is the recommended format.
  4. Click OK.

To copy a custom image to a different region:

  1. Click Copy Image.

    copy-image-different-region.png
  2. In the Copy Custom Image screen, select the region.

    copy-image-different-region-2.png
  3. Click OK.

Create an Instance from a Custom Image

  1. Log in to the Elastic Compute Service (ECS) console.
  2. In the left menu bar, click Instances. Alternatively, you can click Images to locate the target image, and then click Create Instance in the Actions column.
  3. Click Create Instance.

    instances.png
  4. Use the wizard to create the instance. In the Region field, select the region where the image is located. In the Image field, select Custom Image, and then select an image.
     
    instances-2.png

    instances-3.png

    instances-4.png
  5. Confirm the order.
  6. Check that your cloud infrastructure is correct.

Create a VPC

A virtual private cloud (VPC) is a private network established in the Alibaba cloud. VPCs are logically isolated from other virtual networks in the Alibaba Cloud. Each VPC is assigned a private CIDR block and contains one virtual router (VRouter) and at least one virtual switch (VSwitch).

create-VCP.png

VSwitches are basic network devices that are used to form a VPC and that connect different cloud product instances. VPCs are region-level resources. A VPC cannot be used across multiple regions, but it can contain all zones in a region. You can create one or more VSwitches in a zone to divide the zone into multiple subnets.

To create a VPC:

  1. In the left menu bar, select Virtual Private Cloud.

    create-VCP-2.png
  2. In the Create VPC screen, configure the VPC as illustrated in the following screenshots.

    create-VCP-3.png

    vswitch.png

    vswitch-2.png
  3. Click Add.

Create a VOS Virtual Machine

You create a virtual machine (VM) for the VOS device. Note that this is a critical step, because the first network that you choose below becomes the primary elastic network interface (ENI), and it must be the LAN interface. You cannot change the primary ENI later to a different network. A second reason that the primary ENI must be the LAN interface is that when you later deploy HAVIP (VRRP), Alibaba requires that it be deployed on the primary ENI.

To create a VOS VM:

  1. Select the network type.

    create-VOS-VM.png
  2. Select the type of login credentials and the instance name. For the login credentials, you can choose SSH key pair or Password, depending on the requirements of your cloud administrator. Note that SSH key pair is the more secure option.

    create-VOS-VM-2.png

    create-SSH-key-pair.png
  3. When prompted, save the .pem private key on the managing workstation and restrict its file permissions to the owner (for example, chmod 600), because anyone who can read the key can log in to the instance.
  4. If required by your cloud administrator, create a deployment set.
  5. Click Preview > Purchase.
  6. If, at any point, you want to use a username and password instead of the SSH key pair, go to ECS > instance-name > More > Reset Password.

    instance-details-reset-password.png
     
  7. Create the ENIs for LAN, WAN, and MGMT, and the EIPs for WAN and MGMT, as described below. After you create these, you can log in using SSH.

Create Security Groups

To create security groups for the WAN, LAN, and MGMT interfaces:

  1. Go to ECS > Network and Security > Security Groups > Create Security Group. The following example is for MGMT.

    security-group-rule.png
  2. Select the Add Security Group Rule tab. In the Add Security Group Rules screen, enter information for the security group rule.

    security-group-rule-2.png
  3. Select the Inbound tab, and enter information about inbound ports.

    security-group-rule-3.png
  4. Select the Outbound tab, and enter information about outbound ports.

    security-group-rule-4.png
  5. Click OK.

For the LAN security group, either restrict the rules to the traffic that your LAN hosts actually need, or set it to any/any. Use any/any only when the LAN VSwitch is a trusted network.

The following table lists the ports required for the WAN security group. Note that ESP is an IP protocol (protocol number 50), not a port. Where the console lets you set a source address, restrict the TCP 8443 rule to the addresses that need to query the device rather than 0.0.0.0/0.

Purpose                                                          Traffic Direction  Protocol  Port or Protocol Number
Encapsulating Security Payload (ESP)                             Both               IP        Protocol 50 (no port)
ICMP reachability for ZTP                                        Both               ICMP      Not applicable
IPsec IKE                                                        Both               UDP       500, 4500
REST port, for fetching operational information from VOS device  Inbound            TCP       8443
VXLAN communication among VOS hub, VOS branch, and Controller    Both               UDP       4790
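The following is an added example, not Versa's or Alibaba's code, that audits an exported WAN security group against the port table above. It reports required entries that no rule allows and flags any/any rules that defeat the purpose of a WAN security group. The rule dictionaries are a constructed, simplified shape (direction, protocol, port range in Alibaba's "lo/hi" notation with "-1/-1" meaning all ports, and CIDR); map your exported rules onto that shape before running it. ESP is recorded as protocol "50" with no port.

```python
# One entry per (direction, protocol, port) that the WAN ENI must allow,
# taken from the port table. "any" means the protocol has no port.
REQUIRED_WAN = [
    ("inbound", "50", "any"), ("outbound", "50", "any"),      # ESP, IP protocol 50
    ("inbound", "icmp", "any"), ("outbound", "icmp", "any"),  # ICMP reachability for ZTP
    ("inbound", "udp", 500), ("outbound", "udp", 500),        # IKE
    ("inbound", "udp", 4500), ("outbound", "udp", 4500),      # IKE NAT traversal
    ("inbound", "tcp", 8443),                                 # REST, inbound only
    ("inbound", "udp", 4790), ("outbound", "udp", 4790),      # VXLAN
]

def _port_range(spec):
    """'500/500' -> (500, 500); '-1/-1' or 'any' -> None (all ports)."""
    if spec in ("any", "-1/-1"):
        return None
    lo, hi = spec.split("/")
    return int(lo), int(hi)

def _all_ports(spec):
    rng = _port_range(spec)
    return rng is None or rng == (1, 65535)

def rule_covers(rule, direction, protocol, port):
    """True if this rule allows the given direction/protocol/port."""
    if rule["direction"] != direction:
        return False
    if rule["protocol"] not in ("all", protocol):
        return False
    rng = _port_range(rule["ports"])
    if rng is None or port == "any":
        return True
    return rng[0] <= port <= rng[1]

def audit_wan_security_group(rules):
    """Return (missing, wide_open) for a list of rule dictionaries.

    missing:   required entries no rule allows, as 'direction proto port'.
    wide_open: rules allowing every protocol and port from any address.
    """
    missing = [
        "%s %s %s" % (d, p, port)
        for d, p, port in REQUIRED_WAN
        if not any(rule_covers(r, d, p, port) for r in rules)
    ]
    wide_open = [
        "%s all %s from %s" % (r["direction"], r["ports"], r["cidr"])
        for r in rules
        if r["protocol"] == "all" and _all_ports(r["ports"])
        and r["cidr"] in ("0.0.0.0/0", "::/0")
    ]
    return missing, wide_open

# Constructed rule set A: the minimal WAN group from the table.
WAN_RULES_OK = [
    {"direction": d, "protocol": p, "ports": ports, "cidr": "0.0.0.0/0"}
    for d, p, ports in [
        ("inbound", "50", "-1/-1"), ("outbound", "50", "-1/-1"),
        ("inbound", "icmp", "-1/-1"), ("outbound", "icmp", "-1/-1"),
        ("inbound", "udp", "500/500"), ("outbound", "udp", "500/500"),
        ("inbound", "udp", "4500/4500"), ("outbound", "udp", "4500/4500"),
        ("inbound", "tcp", "8443/8443"),
        ("inbound", "udp", "4790/4790"), ("outbound", "udp", "4790/4790"),
    ]
]

# Constructed rule set B: an inbound any/any rule and no outbound VXLAN rule.
WAN_RULES_BAD = [
    {"direction": "inbound", "protocol": "all", "ports": "-1/-1", "cidr": "0.0.0.0/0"},
    {"direction": "outbound", "protocol": "50", "ports": "-1/-1", "cidr": "0.0.0.0/0"},
    {"direction": "outbound", "protocol": "icmp", "ports": "-1/-1", "cidr": "0.0.0.0/0"},
    {"direction": "outbound", "protocol": "udp", "ports": "500/500", "cidr": "0.0.0.0/0"},
    {"direction": "outbound", "protocol": "udp", "ports": "4500/4500", "cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for name, rules in (("OK", WAN_RULES_OK), ("BAD", WAN_RULES_BAD)):
        missing, wide_open = audit_wan_security_group(rules)
        print(name, "missing:", missing, "wide_open:", wide_open)
```

Run the audit after every change to the WAN group; an any/any rule makes every required entry appear present, which is exactly why the check reports it separately instead of treating it as coverage.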

Create ENIs

  1. Go to ECS > Network and Security > ENI > Create ENI.

    create-ENI.png
     
  2. Select the IP address to allocate, or leave this field blank to allocate an available IP address from within the subnet.
  3. Select the security group depending on whether the ENI belongs to a LAN, WAN, or MGMT interface.

    create-ENI-3.png
  4. Repeat Steps 1, 2, and 3 for the MGMT ENI and any other ENIs.

Create the EIPs (public IP addresses) for the WAN and MGMT interfaces:

  1. Go to ECS > Network and Security > EIP, or go to VPC > Elastic IP Addresses > Create EIP.

    create-EIP.png
  2. Create the EIPs.

    create-EIP-2.png
  3. Confirm the order and click Activate.

    create-EIP-3.png
  4. Click End.

    create-EIP-4.png
  5. Associate the EIPs with the WAN and MGMT ENIs:

    associate-EIPs.png

HAVIP Overview

A high-availability virtual IP (HAVIP) is a private network IP address resource that you can create and release independently of any instance. What distinguishes it from an ordinary private IP address is that an ECS instance can claim it by announcing it with ARP.

A HAVIP can be bound to a maximum of two ECS instances. A bound instance takes over the address by announcing it with ARP.

An ECS instance keeps its own ordinary private IP address. It can additionally claim multiple HAVIP addresses, and so hold several private IP addresses at the same time.

Because ECS supports these private IP announcements, you can build VRRP-based high-availability solutions on HAVIP, including mature open source solutions such as keepalived and heartbeat.

A HAVIP can be bound to an EIP, so that when the HAVIP moves between ECS instances, traffic sent to the EIP is redirected to the new ECS instance.

HAVIP supports only VPC network environments. The HAVIP function is not available in the Classic network environment.

By default, HAVIP is not visible under the VPC. You must open a support ticket with Alibaba to enable the HAVIP dashboard for the cloud account. In the ticket, request that the HAVIP backend support at least the open source tools keepalived and heartbeat.

A typical use case for HAVIP is an application on ECS that relies on ARP announcement of a private IP address. Because open source tools such as keepalived and heartbeat are used with HAVIP to achieve high availability for the network and services, two ECS instances are needed, as shown in the following figure. These two ECS instances use keepalived on top of HAVIP to form a highly available private network service. Other instances in the VPC access the service through the private network, and the service address is the HAVIP address. When instance 1 fails, instance 2 takes over the service and the service IP address does not change.

HAVIP.jpg

HAVIP has the following limitations:

  • Each ECS instance can hold a maximum of five HAVIPs at the same time. Deleted HAVIPs are not counted.
  • A maximum of five HAVIPs can exist simultaneously in each VPC. Deleted HAVIPs are not counted.
  • Each HAVIP can be bound to a maximum of two ECS instances at a time.
  • Multicast communication cannot be used.
  • Broadcast communication cannot be used.

Before you configure HAVIP, you must modify the VOS boot configuration file and stage the VOS device using ZTP.

Modify the VOS Boot Configuration File

Make the following modifications to the VOS boot-config file so that it can integrate with Alibaba HAVIP:

  1. Modify sshd_config to allow password-based authentication from the Director node southbound IP address. You can do this in one of the following ways:
  • Allow password authentication only from the Director southbound IP address (the control network IP address). This option provides suitable security for production environments. For example, if the Director southbound address is 172.23.1.2:
~$ sudo nano /etc/ssh/sshd_config

Match Address 172.23.1.2/32
  PasswordAuthentication yes
Match all
  • Allow password authentication from all addresses, which is suitable only for testing and preproduction environments:
~$ sudo nano /etc/ssh/sshd_config
PasswordAuthentication yes
  After editing, validate the file with sudo sshd -t and reload the SSH service so that the change takes effect.
  2. Change the interface presented to the global routing table from eth0 to eth2:

~$ sudo nano /etc/network/interfaces
# change eth0 to eth2

change-interfaces.png

  3. Edit the /opt/versa/etc/vsboot.conf file, and change the avoid-list interface from eth0 to eth2.

    change-interfaces-2.png

  4. Issue the vsh restart CLI command to restart Versa services.
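Before you ship a boot configuration, it is worth confirming which source addresses the sshd_config actually permits password login from, because a Match block that is misspelled or in the wrong place silently falls back to the global setting. The following is an added example, not Versa's code, that evaluates the effective PasswordAuthentication value of an sshd_config for a given client address using sshd's rules (first matching Match block wins, then the global value, then OpenSSH's compiled-in default of yes). It models only Match all and Match Address and refuses anything else rather than guess. The two sample configurations are constructed to mirror the production and test variants above; 172.23.1.2 is the example Director southbound address used in this article.

```python
import ipaddress

# Constructed sample mirroring the production variant: password login is
# disabled globally and enabled only for the Director southbound address.
PRODUCTION_SSHD_CONFIG = """\
PasswordAuthentication no
PubkeyAuthentication yes

Match Address 172.23.1.2/32
  PasswordAuthentication yes
Match all
"""

# Constructed sample mirroring the test/preproduction variant.
TEST_SSHD_CONFIG = "PasswordAuthentication yes\n"

def parse_sshd_config(text):
    """Split an sshd_config into global options and Match blocks.

    Returns (global_opts, blocks). global_opts maps lowercase keyword to
    value. blocks is an ordered list of (networks, opts), where networks is
    a list of ip_network objects or None for 'Match all'. Only 'Match all'
    and 'Match Address' are modelled; other criteria raise ValueError so a
    config this checker cannot reason about is never silently passed.
    """
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # sshd comments start the line
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit = val.split()
            if [c.lower() for c in crit] == ["all"]:
                current = (None, {})
            elif len(crit) == 2 and crit[0].lower() == "address":
                nets = [ipaddress.ip_network(a, strict=False) for a in crit[1].split(",")]
                current = (nets, {})
            else:
                raise ValueError("unsupported Match criteria: %s" % val)
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(key, val)      # sshd keeps the first value it sees
        else:
            current[1].setdefault(key, val)
    return global_opts, blocks

def effective_option(config_text, keyword, client_ip):
    """Value of keyword that sshd applies to a connection from client_ip, or None."""
    keyword = keyword.lower()
    global_opts, blocks = parse_sshd_config(config_text)
    addr = ipaddress.ip_address(client_ip)
    for nets, opts in blocks:
        if (nets is None or any(addr in n for n in nets)) and keyword in opts:
            return opts[keyword]
    return global_opts.get(keyword)

def password_auth_sources(config_text, candidates):
    """Subset of candidate client addresses that may authenticate by password.

    OpenSSH's compiled-in default for PasswordAuthentication is yes, so an
    unset keyword counts as allowed.
    """
    allowed = []
    for ip in candidates:
        value = effective_option(config_text, "PasswordAuthentication", ip)
        if (value or "yes").lower() == "yes":
            allowed.append(ip)
    return sorted(allowed)

if __name__ == "__main__":
    probes = ["10.0.0.5", "172.23.1.2", "203.0.113.9"]
    print("production:", password_auth_sources(PRODUCTION_SSHD_CONFIG, probes))
    print("test:      ", password_auth_sources(TEST_SSHD_CONFIG, probes))
```

On the device itself, the authoritative check is OpenSSH's own evaluation, for example sudo sshd -T -C addr=172.23.1.2 | grep -i passwordauthentication, run once with the Director address and once with an arbitrary address; the two answers should differ for the production variant.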

Stage the VOS Device

Stage the device using CLI ZTP:

  1. Run the staging script, providing the Controller node IP address with the -c option and specifying the name of the Controller node and the provider organization. After the staging script completes, the ports are ordered as follows:
  • LAN (eth0): vni-0/0
  • WAN (eth1): vni-0/1
  • MGMT (eth2): exposed to the Linux kernel namespace

For example:

~$ sudo /opt/versa/scripts/staging.py -w 1 -c 103.231.208.60 -d -l SDWAN-Branch@Versa.com -r Controller01-staging@Versa.com
  2. Configure the VOS device. Sample templates are shown here for reference.

edit-template-Alibaba-1.png

edit-template-Alibaba-2.png

edit-template-Alibaba-3.png

edit-template-Alibaba-4.png

edit-template-Alibaba-5.png

edit-template-Alibaba-6.png

edit-template-Alibaba-7.jpg

edit-template-Alibaba-8.jpg

edit-template-Alibaba-9.jpg

Configure HAVIP

To configure HAVIP for VRRP integration on the LAN interface:

  1. Go to VPC > HAVIP > Create HAVIP Address. If the HAVIP menu is not visible, the HAVIP dashboard has not yet been enabled for your cloud account; open the Alibaba support ticket described in the HAVIP overview above. Create the HAVIP address in the LAN VSwitch, because the LAN ENI is the primary ENI and Alibaba requires HAVIP to be bound to the primary ENI.

    create-HaVip-address.jpg

    create-HaVip-address-2.jpg
    create-HaVip-address-3.jpg
     

Control Route Tables

After you create a VPC, the system creates a default route table to control routes in the VPC. By default, all the VSwitches in the VPC use this route table. You cannot create or delete the default route table. However, you can create a custom route table and attach it to a VSwitch to control the routes in that subnet.

To create a custom route table:

  1. Go to VPC > Route Table > Create Route Table.
  2. Open the route table that you created, and click Add Route Entry.

The example here creates a custom route using the HAVIP IP address (here, the VRRP virtual IP address), to reach the Beijing LAN subnet 192.168.100.0/24:

route-table.jpg

route-table-2.jpg

The following figures and ping command output illustrate the convergence times when a LAN or WAN link fails. The first figure shows the operational topology.

Convergence_time_LAN_WAN_link_failure_p33.png

Failure of a Shanghai LAN:

SH_LAN_Shut-1_p34.png

SH_LAN_Shut-2_p35.png

Recovery of the Shanghai LAN:

SH_LAN_Unshut-1_p36.png

SH_LAN_Unshut-2_p36.png

Failure of a Beijing LAN:

BJ_LAN_Shut-1_p37.png

BJ_LAN_Shut-2_p38.png

Recovery of the Beijing LAN:

BJ_LAN_Unshut-1_p39.png

BJ_LAN_Unshut-2_p40.png

Failure of the Shanghai WAN:

SH_WAN_Shut-1_p41.png

SH_WAN_Shut-2_p42.png

Recovery of the Shanghai WAN:

SH_WAN_Unshut-1_p43.png

SH_WAN_Unshut-2_p44.png

Failure of the Beijing WAN:

BJ_WAN_Shut-1_p45.png

BJ_WAN_Shut-2_p46.png

Recovery of the Beijing WAN:

BJ_WAN_Unshut-1_p47.png

BJ_WAN_Unshut-2_p48.png

Supported Software Information

Releases 21.2.2 and later support all content described in this article.
