Network Interconnection - Different Methods to Connect to Alibaba Cloud in a Corporate Environment

This short article offers first-hand experience from the author about different methods to connect to Alibaba Cloud in different scenarios.

By Vincent Siu, Alibaba Cloud Certified Expert - Cloud Computing


I have a number of years of experience helping clients connect to the cloud or migrate resources to the cloud. Regardless of the scale of the projects, there is a moment when I must consider how to implement the connection most effectively. Since I am talking about a corporate environment, I don’t count the remote desktop or VPN software on a desktop computer as a solution.

My Solutions and Experiences

I show my solutions below. I explain the difficulty from my experience and gut feeling. I believe you would agree that every project is different.

| Method Name | Provider | Major Protocol or Technology | Best Scenario | Cost (from 1 to 3) | Difficulty (from 1 to 3) |
|---|---|---|---|---|---|
| Site to Site IPSec VPN | Self (by customer premises equipment) | IPSec VPN | Connection between IDC and VPC; bandwidth is limited | 1 | 2 |
| Smart Access Gateway | Alibaba Cloud | SD-WAN | Flexible, but inclined toward end users | 2 | 1 |
| Express Connect | Local ISP | BGP | Connection between IDC and VPC; guaranteed bandwidth | 2 | 3 |
| Cloud Enterprise Network (CEN) | Alibaba Cloud | Multi | Connection among VPC within Alibaba Cloud | 3 | 3 |

Discussing the Details

The first method is a Site to Site IPSec VPN. This is a universal connection method for all cloud platforms. As long as you have an NGFW, such as FortiGate 80F (here, we call it customer premises equipment or CPE), you can build an IPSec VPN tunnel by yourself. Generally speaking, each cloud provider and CPE manufacturer has detailed instructions. In my experience, this is the most cost-effective method to connect your site or Internet Data Center (IDC) because you already have the CPE. This link shows the step-by-step procedure for reference.

The next method is Alibaba Cloud Smart Access Gateway (SAG). In my opinion, it is a no-brainer if you are a fan of Alibaba Cloud. You can connect private networks to Alibaba Cloud through SAG in a secure, intelligent, and reliable way. There are three service types: SAG CPE, SAG vCPE, and SAG app.

SAG CPE is a hardware solution. It is very similar to the first solution, but tailor-made for Alibaba Cloud. There are two models: SAG-100WM and SAG-1000. The only difference is the capability. SAG-100WM is suitable for small branch offices and stores, and SAG-1000 is suitable for data centers and large branch offices.

SAG vCPE is a software solution. Since it is an image, you can deploy it on data center servers, Edge Node Service (ENS) instances, Alibaba Cloud instances, and other cloud vendors’ instances. After you deploy the image on your host, the host serves as a virtual CPE device. Please refer to this link for details.

The SAG app is ideal for connecting terminals to Alibaba Cloud. You can install it on terminals (such as computers and mobile devices). The SAG app supports the following operating systems: Windows (Windows 7 SP1 and later), macOS (10.11.1 and later), Android (5.0 to 10.0), and iOS (12.0 and later). I don’t count it as a major method because it is inclined toward end users. However, as a sub-category under SAG, it is a nice feature offered by Alibaba Cloud.

Express Connect is the third method I recommend to clients who need guaranteed bandwidth and a stable connection because it is a dedicated leased line, usually in the form of an Ethernet cable with an RJ45 connector provided by your ISP. You have your own say in terms of bandwidth. You can choose the ISP that you trust the most. This is the most reliable and flexible method because you have control. You need a strong networking background when you configure the BGP and firewall rules with different subnets on your firewall. In my experience, your ISP may not fully understand your network topology. Please refer to this link for details.

Cloud Enterprise Network (CEN) is the fourth method. It allows you to connect VPCs in different regions to each other. You can attach VPCs to CEN as needed to enable inter-region communication to build a full-mesh network on top of the Alibaba Cloud global transmission network. As a result, it is the best solution for corporate customers who need to share resources among different regions within Alibaba Cloud. Please refer to this link for details.


When discussing cloud deployment, there always comes a time to talk about network interconnection. Different methods may apply based on the cost, scale, and resources. Hopefully, the table above can help you choose the right tool.

I am thinking about writing a series about Building a Home Hybrid Cloud on a Budget. I believe cloud computing is the future, but for now, we still have most stuff locally on-premises. This will be an experimental journey to discover how to connect on-premises machines to Alibaba Cloud (via a private tunnel) on a budget. My objective is to finish it within a short time frame while making it affordable to an ordinary person. I believe this would be an alternative method when we need to interconnect to cloud platforms.


1.  Create and manage IPsec-VPN connections in single-tunnel mode

2.  Terms of Smart Access Gateway

3.  Tata Communications and Alibaba Cloud partner to empower and transform global businesses

4.  Connecting a local FortiGate to an AliCloud VPC VPN

5.  What is SAG?

6.  Introduction to SAG vCPE

7.  Express Connect

8.  Cloud Enterprise Network

Disclaimer: The views expressed herein are for reference only and don't necessarily represent the official views of Alibaba Cloud.
