Enterprise SaaS Acceleration via SAG + CEN + ECS Proxy

This article describes how to use the SAG App and CEN to access your cross-border company SaaS platform with extremely stable network performance step-by-step.

By Victor Mak, Alibaba Cloud Solution Architect

Background Information

COVID-19 has caused unprecedented changes in work culture worldwide. Most people were working from home during the pandemic. Some of them stayed in China and want to access the company's SaaS platform overseas. Alibaba Cloud Smart Access Gateway (SAG) and Cloud Enterprise Network (CEN) provide a one-stop solution to secure, accelerate, and connect your mobile/PC to overseas resources.

Prerequisites

Before you begin, make sure of the following:

You have Alibaba Cloud Account. If not, sign up with Alibaba Cloud and add a payment method.
Assume you have a company SaaS platform based in Hong Kong. We use http://8.210.199.171 as an example.

Architecture Diagram

Solution Data Flow:

Before connecting to overseas resources, users need to connect to the SAG Client first.
The data traffic will go through SAG CCN in Mainland China and send it to the Alibaba Cloud Hong Kong Region VPC via CEN.
The Hong Kong VPC will have a static route to route 8.210.199.171 IP to the ECS server.
The ECS server enables IP forwarding and sends 8.210.199.171 traffic via the EIP address.

Procedure

Subscribe and configure the CEN for the Hong Kong VPC
Subscribe and configure the Smart Access Gateway app in Mainland China
Configure the SAG CCN in CEN
Subscribe and configure the ECS proxy and routing
Download and install the Smart Access Gateway app client
Verify the results

Subscribe and Configure the CEN for Hong Kong and Shenzhen VPCs

1. You have to create a VPC in the Hong Kong region. In this example, the Hong Kong region uses VPC subnet 10.198.0.0/16. If you don't know how to create a VPC, please refer to the VPC Quick Start helper page.

2. Log on to the CEN console

3. On the Instances page, click Create CEN Instance

4. Fill in the required information, select the VPC in the Hong Kong region you created and click OK:

5. You will see the results listed below:

6. You need to purchase cross-region connection bandwidth to establish a connection between different regions. Click Buy Bandwidth Package (Subscription) under the Bandwidth Packages tab:

7. Select the CEN instance you want to purchase a bandwidth package for and the areas to be interconnected. In this example, we selected Asia Pacific and Mainland China with 2 Mbps Bandwidth and clicked Buy Now:

8. Bind the Bandwidth Package to the CEN instance and click OK:

9. You will see the results listed below. The bandwidth is already associated with the CEN instance:

Subscribe and Configure the Smart Access Gateway App in Mainland China

1. Log on to the Smart Access Gateway console

2. Select Mainland China, go to the Smart Access Gateway app, and click Create SAG app:

3. Select Mainland China and the Number of Client Accounts you want to create. In this example, we used the default value of 10:

4. Before the client can use the Smart Access Gateway app, you need to create a client account. Alibaba Cloud will send the login information to the email address provided:

Configure the SAG CCN in CEN

1. Before the Smart Access Gateway app can bind to the CEN instance, you need to create a CCN instance under the Smart Access Gateway console first. Then, input the CCN instance name and click OK:

2. Once you have created the CCN instance, you need to associate the CCN instance with the Smart Access Gateway app. Then, click Network Configuration.

3. Select the CCN instance and configure the private CIDR Block. In this example, we used 192.168.1.0/24:

4. Once you have created the CCN Instance, you can bind that CCN instance to the CEN instance:

5. Go to the CEN console and navigate to Region Connections. Then, click Set Region Connection:

6. Configure the Connected Regions and bandwidth. In this example, we used China (Hong Kong) and Mainland China CCN with 2 Mbps bandwidth. Afterward, click OK:

Subscribe and Configure the ECS Proxy and VPC Routing

1. Subscribe to the ECS server with a public IP address in the Hong Kong region with the CentOS image. If you don't know how to subscribe to the ECS server, please refer to the ECS Quick Start help page.

2. Log in to the ECS server via SSH and enable IP forwarding:

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

3. Install and configure the iptables SANT rules. In this example, we used 10.198.0.50:

yum -y install iptables-services
systemctl start iptables       
systemctl enable iptables  
iptables -t nat -I POSTROUTING -s 192.168.1.0/24  -j SNAT --to-source 10.198.0.50
iptables-save > /etc/sysconfig/iptables
systemctl restart iptables

4. Verify configuration using the command iptables -L -n -t nat. You should see a SNAT rule is configured:

5. Log on to the VPC console and go to route tables:

6. Add a static route with the destination 8.210.199.171/32 next-hop and select the ECS instance under Add Route Entry

7. Publish the static route you created above to the CEN

Download and Install the Smart Access Gateway App Client

1. You can go to the Alibaba Cloud Document Center to download the latest SAG app client. Currently, we support Windows, MacOS, Android, and iOS operating systems.

2. Once you have successfully downloaded and installed the file, you can launch the SAG app client. In this example, I used Mac client: