This topic describes how to connect two office branches to Alibaba Cloud Virtual Private
Cloud (VPC) networks. In this example, the office branches are located in Hangzhou
and Ningbo, and the VPC networks are deployed in the China (Shanghai) and China (Beijing)
regions.
Prerequisites
Before you begin, make sure that the following requirements are met:
- A VPC network is deployed in the China (Shanghai) and China (Beijing) regions. For
more information, see Create a VPC.
- A Cloud Enterprise Network (CEN) instance is created and associated with the VPC network
in the China (Shanghai) region. For more information, see Create a CEN instance.
- The VPC networks in the China (Beijing) and China (Shanghai) regions are associated
with the same CEN instance. For more information, see Attach networks.
Background information
In this example, a company has created a VPC network in both the China (Shanghai)
and China (Beijing) regions. The company needs to connect its Hangzhou and Ningbo
office branches to Alibaba Cloud to enable the office branches to access resources
on Alibaba Cloud. The CIDR blocks used by the Hangzhou and Ningbo office branches
are 10.10.0.0/12 and 10.20.0.0/12. The local clients of the Hangzhou and Ningbo office
branches need to connect to Alibaba Cloud through SAG-100WM.
Procedure
The procedure to deploy an SAG device in inline mode is as follows.

Step 1: Purchase SAG devices
After you purchase SAG devices in the SAG console, Alibaba Cloud delivers the devices
to the specified address and creates an SAG instance to help you facilitate network
management.
To purchase an SAG device, take the following steps.
- Log on to the SAG console.
- On the Smart Access Gateway page, click Create SAG Instance.
- Set the following parameters.
- Area: Select the area where the SAG device will be deployed. Mainland China is selected in this example.
- Device Spec: Select the type of the SAG device. SAG-100WM is selected in this example.
- Have SAG Devices Already: Select whether you already have an SAG device. No is selected in this example.
- Quantity: Select the number of SAG devices that you want to purchase. 1 is selected in this example.
- Area: Select the area where the SAG bandwidth will be used. This area must be the same
as that of the SAG device and cannot be modified.
- Instance Name: Specify a name for the SAG instance.
The name must be 2 to 128 characters in length and can contain digits, periods (.),
hyphens (-), and underscores (_). It must start with a letter or Chinese character.
- Peak Bandwidth: Select the maximum bandwidth for network connections. 30Mbps is selected in this example.
- Subscription Duration: Select the duration of the subscription.
- On the Confirm Order page, click Confirm Purchase.
- In the Shipping Address dialog box that appears, enter the recipient address and then click Buy Now.
- On the Pay page that appears, click Pay.
- Repeat this step to purchase another SAG device. One device is for the Hangzhou office
branch, and the other is for the Ningbo office branch.
You can check whether the order has been placed on the Smart Access Gateway page.
The SAG devices will be shipped within two business days. If the order is not shipped
within two business days,
submit a ticket to query the shipping status.
Step 2: Connect the SAG devices to the private networks of the office branches
- After you receive the SAG devices, check whether you have received all the accessories.
For more information, see Descriptions of SAG-100WM.
- Start an SAG device and connect its WAN port to the modem and LAN port to the local
clients.
- In this example, the local clients in the Hangzhou and Ningbo office branches need
to access Alibaba Cloud through the SAG devices. You can use the default gateway configurations.
For more information about configuring the WAN and LAN ports, see Configure a WAN port and Configure a LAN port.
- Repeat this step to connect the other device to the target private network. One device
is connected to the Hangzhou office branch and the other is connected to the Ningbo
office branch.
Step 3: Activate the SAG devices
After you receive the SAG devices, you must activate them.
To activate an SAG device, take the following steps.
- Log on to the SAG console.
- In the left-side navigation pane, click Smart Access Gateway.
- On the Smart Access Gateway page, find the target SAG instance and click Activate in the Actions column.
- Click the ID of the target SAG instance and the instance details page appears. Click the Device Management tab, enter the serial number of the device, and then click Add Device to associate the SAG device with the SAG instance.
- Repeat this step to activate the other device and associate it with the SAG instance.
Step 4: Set up network connections
After you activate the SAG devices and connect them to the private networks, you must
configure network settings in the SAG console to direct local routes to Alibaba Cloud.
To configure network settings, take the following steps.
- Log on to the SAG console.
- In the left-side navigation pane, click Smart Access Gateway. On the Smart Access Gateway page, find the target SAG instance and click Network Configuration in the Actions column.
- Configure a method to synchronize with local routes.
- In the left-side navigation tree, click Method to Synchronize with On-premises Routes.
- Select Static Routing and click Add Static Route. In the Add Static Route dialog box that appears, enter the CIDR blocks used by the
Hangzhou and Ningbo office branches, respectively.
The CIDR block 10.10.0.0/12 of the Hangzhou office branch is used in this example.
The default gateway configurations are used in this example. Therefore, the IP addresses
of local clients are allocated from this CIDR block: 10.10.0.0/12.
- Click OK.
- Associate the SAG instance with a Cloud Connect Network (CCN) instance.
- Create a CCN instance. For more information about how to create CCN instances, see
Create a CCN instance.
- After you create a CCN instance, navigate to the Network Configuration tab and click Network Instance Details in the left-side navigation tree.
- In the Associated Instances Under Current Account section, click Attach Network to associate the SAG instance with a CCN instance.
- Network Type: Select Cloud Connect Network.
- Network Instance: Select the ID of the CCN created in the preceding step.

- Click OK.
- Repeat this step to configure the network settings of the other SAG instance.
Associate the SAG instances of the Hangzhou and Ningbo office branches with the same
CCN instance.
Step 5: Associate the CCN instance with a CEN instance
Take the following steps to associate the CCN instance with a CEN instance. This connects
the office branches to Alibaba Cloud.
- Log on to the SAG console.
- In the left-side navigation pane, click CCN.
- Find the target CCN instance and click Bind CEN Instance in the Actions column.
- In the Bind CEN Instance pane that appears, select the target CEN instance. After the CCN instance is associated
with the CEN instance, SAG devices in the CCN can communicate with VPC networks associated
with the CEN.
Step 6: Configure a security group
Configure a security group to allow the office branches to access resources in the
VPC networks.
Take the following steps to configure a security group.
- Log on to the Elastic Compute Service (ECS) console.
- In the left-side navigation pane, click Instances.
- Find the ECS instance deployed in the target VPC network and choose .
- Find the target security group, click Add Rules in the Actions column, and then click Add Security Group Rule.
- Create a security group rule that allows access from the private network to the VPC
network.
The following figure shows how to add a security group rule. Set
Authorization Object to the CIDR block of the target private network. In this example, this parameter
is set to 10.10.0.0/12 and 10.20.0.0/12, which are the CIDR blocks of the Hangzhou
and Ningbo office branches.

- Repeat this step to create another security group rule. One rule allows access from
local clients to the VPC network in the China (Shanghai) region, and the other to
the VPC network in the China (Beijing) region. These security group rules allow the
Hangzhou and Ningbo office branches to access resources in the VPC networks.
Step 7: Test the connectivity
After you complete the configurations in the preceding steps, access cloud resources
deployed in the VPC networks from a client in the office branches to test the connectivity.