By Haemi Kim, Solution Architect, Alibaba Cloud
Many multinational enterprises use SaaS services deployed overseas, such as Office365 and Salesforce. Due to the poor quality of China domestic visits to overseas sites, the customer experience is badly affected.
This solution uses Smart Access Gateway (SAG), Cloud Enterprise Network (CEN) and Global Accelerator (GA) to build an application acceleration service, which can help domestic users in China accelerate access to application systems deployed overseas.
Before the start, you need to check the location of your SaaS service so that you can determine the proxy Elastic Compute Service (ECS) instance region. If it's not located in Korea, please reach out to Alibaba Cloud Korea sales rep.
To accelerate the Korea MS teams service as an example, we have 5 main parts:
This solution can accelerate HTTP/HTTPs based on the domain name.
1. The client configures the DNS address of the Private Zone. The custom DNS function of the SAG-APP allows you to configure the DNS of the terminal to Private Zone DNS.
Private Zone DNS addresses are 100.100.2.136 and 100.100.2.138
2. Use the Private Zone to resolve the domain name to be accelerated into the internal IP address of the proxy server. If the domain does not exist in Private Zone, the SAG client then lookup public DNS to reach the target server. In this way, we only accelerate teams related domains.
3. The traffic to be accelerated is forwarded to the proxy server via CCN and CEN. The proxy server then send the request to the MS teams service through the local Korea internet.
4. Traffic that does not need to be accelerated is not pulled to CCN, and is directly accessed from the local internet of the client, without occupying SAG-APP acceleration bandwidth.
As of now(2021.02.16), Alibaba Cloud do not have a Korea region. For having every component be in Alibaba Cloud, we use an old version of GA(Global Accelerator). We can use a current version of GA, but then we need to deploy a proxy in somewhere in Korea by using other cloud vendors or IDC etc, which leads to become cumbersome to manage entire components. To be able to use old version of GA(GA1.0), you need to submit the ticket and apply a whitelist. Make sure that you apply all of them below.
1) GA1.0 2) Korea(Seoul) Network PoP for an accelerated area 3) A VPC whitelist for Korea Network PoP
In this step, the basic network architecture on which the entire service depends is built.
In this scenario, we need to create 2 VPC.
|VPC name||usage||Region||Address segment|
|Proxy_VPC||Deploy forward proxy services||Shanghai (can be the other region depending on your needs)||10.0.0.0/8|
|PVZ_VPC||The domain name associated with the PrivateZone||Shanghai||172.19.0.0/16|
Which Proxy-VPC can be created in 2 different AZ the vSwitch for easy deployment High available agent cluster. You do not need to deploy any resources in the PVZ-VPC. You can also use any existing domestic VPC without any conflict with the PrivateZone configuration.
Create a CEN instance named SF_Accelerate_CEN.
For more information, see: https://www.alibabacloud.com/help/doc-detail/128625.htm
Add the previously created Proxy_VPC and PVZ_VPC to CEN.
For detailed operation steps, see: https://www.alibabacloud.com/help/doc-detail/128653.htm
Create a CCN instance for SAG-APP access and name it SF_Accelerate_CCN.
The steps to create CCN are detailed in: https://www.alibabacloud.com/help/doc-detail/93669.htm
After the CCN is created, bind the CCN to SF_Accelerate_CEN. For more information, see: https://www.alibabacloud.com/help/doc-detail/93671.htm
In this step, we will create a proxy instance in Proxy_VPC in Shanghai as an exit for service access.
The following is an example of an ECS instance:
If your whitelist (see in the prerequisites section) is successfully applied, you would see the Global Accelerator in VPC console.
Select the region 'Asia Pacific NE 2 pop (Seoul)'.
Select the 'Dedicated Bandwidth' and the 'create instance' button.
Select the same as the figure below and complete purchasing.
Now you can see the GA instance just created. Make sure that you choose the region 'Asia Pacific NE 2 pop (Seoul)', otherwise you can not see anything in the console.
Click the 'Bind instance' button.
Choose the ECS instance previously created.
Now you can see the backend service instance IP address. Copy this address to keep it.
After the backend service is bound, you need to add a NIC sub interface to the bound ECS instance. The IP address of the sub interface is the backend service address allocated by the system. After the backend service is bound to the Global Acceleration instance, the acceleration link is always active as long as the sub interface in the backend server is correctly configured.
Note: Activation is required only when the backend service is an ECS instance.
1. Access the proxy ECS.
2. Run the following command to open the NIC configuration file.
sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0:1
3. Add the following information in the configuration file. Change the IPADDR to your own copied address from previous section.
DEVICE=eth0:1 IPADDR=10.0.0.124 NETMASK=255.255.255.255 ONBOOT=yes
4. Run the following command to make the configuration take effect.
After the backend service is bound, you can ping the EIP of the Global Acceleration instance to verify if the configuration takes effect.
Log in to the proxy ECS and run the following command after root logon:
If you want to see how the forward proxy works through ngx_stream_ssl_preread_module in nginx, reach the following blog to understand how this L4 proxy extract the domain name from the upper-layer packets to obtain the target domain name. (in this case, teams related domains)
1. log in to the proxy ECS server via SSH and enable IP forwarding:
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf sysctl -p
2. Install and configure the iptables SNAT rules. In our scenario, we should change the source IP from eth0 to eth0:1 to access the internet through the GA public IP.
yum -y install iptables-services systemctl start iptables systemctl enable iptables #snat rule, dns resolve to eth0, and using eth0:1 as a source to access the internet iptables -t nat -A POSTROUTING -s 10.0.0.122 -o eth0 -j SNAT --to-source 10.0.0.124 iptables-save > /etc/sysconfig/iptables systemctl restart iptables
3. Verify configuration using the command
iptables -L -n -t nat. You should see a SNAT rule is configured:
4. SNAT Verification
if you can access the internet,
ping 18.104.22.168 then, SNAT is successfully working.
In this step, we create a PrivateZone and configure the relevant domain name. Then associate this PrivateZone with PVZ_VPC for SAG-APP acceleration.
The procedure for activating PrivateZone is as follows: https://www.alibabacloud.com/help/doc-detail/64627.htm
First add a zone
Note: If you need to configure generic resolution, do not check the subdomain recursive resolution proxy.
Add the required domain name resolution to the Zone: pointing to proxy ECS eth0 address
You can configure a wildcard resolution to overwrite all subdomains under this domain name to reduce the configuration workload.
Fore more information, see: https://www.alibabacloud.com/help/doc-detail/64628.htm
Click 'bind VPC' and associate the newly created Zone with PVZ_VPC.
For more information, see: https://www.alibabacloud.com/help/doc-detail/64629.htm
Do the same procedure for other domains. In my test scenario, I found out 8 domains are engaged to access Microsoft teams. I registered all the domains.
You need to publish the Private Zone to CEN so as to let other CEN networks (PVZ_VPC) communicate with Private Zone.
In this step, we will purchase and configure SAG-APP to enable the terminal to access CCN and access the proxy server cluster in Shanghai through CEN.
You can purchase, configure, and create an account.
For more information about how to setup SAG-APP, see: https://www.alibabacloud.com/help/doc-detail/173726.htm
After the purchase is successful, you need to configure the SAG-APP. Mainly:
1) Bind CCN: the SF_Accelerate_CCN created before binding;
2) Configure DNS: configure the PrivateZone DNS, namely 100.2.136 and 100.100.2.138;
3) Configure private CIDR block: configure the CIDR block assigned to the SAG-APP client. This CIDR block must be carefully planned and cannot conflict with other CIDR blocks in the network, try to avoid conflicts with the address segment of the customer terminal itself and avoid using the address segment in 168.0.0/16.
After you download and install the SAG app on your terminal, you need to wait for a while to access Alibaba Cloud Network. If you fail to access to intranet network, please wait for a while and retry.
You can compare the upload/download speed while connecting to SAG app and disconnecting to SAG app respectively to compare the latency and packet loss.
Accelerate network from Korea to China:
You don't need to use GA in this case, you can simply use the combination of 'SAG+CEN(cross-border bandwidth)+Proxy ECS' with same configuration in above sections. Two things different are that you need to add CEN cross border bandwidth to connect Korea to China through Alibaba Cloud backbone network and, and you can skip SNAT setting on the proxy ECS server. In this case, you can access several China sites (for example www.qq.com, baidu.com) over Alibaba backbone network to with accelerated network speed.
Haemi Kim - June 15, 2021
Alibaba Clouder - January 19, 2021
ApsaraDB - October 30, 2020
XG Lab - January 13, 2021
Alibaba Clouder - March 2, 2021
Alibaba Clouder - March 9, 2021
Connect your business globally with our stable network anytime anywhere.Learn More
A global network for rapidly building a distributed business system and hybrid cloud to help users create a network with enterprise level-scalability and the communication capabilities of a cloud networkLearn More
This solution helps you improve and secure network and application access performance.Learn More
Alibaba Cloud offers an accelerated global networking solution that makes distance learning just the same as in-class teaching.Learn More