This topic describes how to connect two office branches to Alibaba Cloud Virtual Private Cloud (VPC) networks. In this example, the office branches are located in Hangzhou and Ningbo, and the VPC networks are deployed in the China (Shanghai) and China (Beijing) regions.

Prerequisites

Before you begin, make sure that the following requirements are met:
  • A VPC network is deployed in the China (Shanghai) and China (Beijing) regions. For more information, see Create a VPC.
  • A Cloud Enterprise Network (CEN) instance is created and associated with the VPC network in the China (Shanghai) region. For more information, see Create a CEN instance.
  • The VPC networks in the China (Beijing) and China (Shanghai) regions are associated with the same CEN instance. For more information, see Attach networks.

Background information

In this example, a company has created a VPC network in both the China (Shanghai) and China (Beijing) regions. The company needs to connect its Hangzhou and Ningbo office branches to Alibaba Cloud to enable the office branches to access resources on Alibaba Cloud. The CIDR blocks used by the Hangzhou and Ningbo office branches are 10.10.0.0/12 and 10.20.0.0/12. The local clients of the Hangzhou and Ningbo office branches need to connect to Alibaba Cloud through SAG-100WM.

Procedure

The procedure to deploy an SAG device in inline mode is as follows.

Step 1: Purchase SAG devices

After you purchase SAG devices in the SAG console, Alibaba Cloud delivers the devices to the specified address and creates an SAG instance to help you manage the network.

To purchase an SAG device, take the following steps.

  1. Log on to the SAG console.
  2. On the Smart Access Gateway page, click Create SAG Instance.
  3. Set the following parameters.
    • Area: Select the area where the SAG device will be deployed. Mainland China is selected in this example.
    • Device Spec: Select the type of the SAG device. SAG-100WM is selected in this example.
    • Have SAG Devices Already: Select whether you already have an SAG device. No is selected in this example.
    • Quantity: Select the number of SAG devices that you want to purchase. 1 is selected in this example.
    • Area: Select the area where the SAG bandwidth will be used. This area must be the same as that of the SAG device and cannot be modified.
    • Instance Name: Specify a name for the SAG instance.

      The name must be 2 to 128 characters in length and can contain digits, periods (.), hyphens (-), and underscores (_). It must start with a letter or Chinese character.

    • Peak Bandwidth: Select the maximum bandwidth for network connections. 30Mbps is selected in this example.
    • Subscription Duration: Select the duration of the subscription.
  4. On the Confirm Order page, click Confirm Purchase.
  5. In the Shipping Address dialog box that appears, enter the recipient address and then click Buy Now.
  6. On the Pay page that appears, click Pay.
  7. Repeat this step to purchase another SAG device. One device is for the Hangzhou office branch, and the other is for the Ningbo office branch.
    You can check whether the order has been placed on the Smart Access Gateway page. The SAG devices will be shipped within two business days. If the order is not shipped within two business days, submit a ticket to query the shipping status.

Step 2: Connect the SAG devices to the private networks of the office branches

  1. After you receive the SAG devices, check whether you have received all the accessories. For more information, see Descriptions of SAG-100WM.
  2. Start an SAG device and connect its WAN port to the modem and LAN port to the local clients.
  3. In this example, the local clients in the Hangzhou and Ningbo office branches need to access Alibaba Cloud through the SAG devices. You can use the default gateway configurations. For more information about configuring the WAN and LAN ports, see Configure a WAN port and Configure a LAN port.
  4. Repeat this step to connect the other device to the target private network. One device is connected to the Hangzhou office branch and the other is connected to the Ningbo office branch.

Step 3: Activate the SAG devices

After you receive the SAG devices, you must activate them.

To activate an SAG device, take the following steps.

  1. Log on to the SAG console.
  2. In the left-side navigation pane, click Smart Access Gateway.
  3. On the Smart Access Gateway page, find the target SAG instance and click Activate in the Actions column.
  4. Click the ID of the target SAG instance and the instance details page appears. Click the Device Management tab, enter the serial number of the device, and then click Add Device to associate the SAG device with the SAG instance.
  5. Repeat this step to activate the other device and associate it with the SAG instance.

Step 4: Set up network connections

After you activate the SAG devices and connect them to the private networks, you must configure network settings in the SAG console to direct local routes to Alibaba Cloud.

To configure network settings, take the following steps.

  1. Log on to the SAG console.
  2. In the left-side navigation pane, click Smart Access Gateway. On the Smart Access Gateway page, find the target SAG instance and click Network Configuration in the Actions column.
  3. Configure a method to synchronize with local routes.
    1. In the left-side navigation tree, click Method to Synchronize with On-premises Routes.
    2. Select Static Routing and click Add Static Route. In the Add Static Route dialog box that appears, enter the CIDR blocks used by the Hangzhou and Ningbo office branches, respectively.
      The CIDR block 10.10.0.0/12 of the Hangzhou office branch is used in this example. The default gateway configurations are used in this example. Therefore, the IP addresses of local clients are allocated from this CIDR block: 10.10.0.0/12.
    3. Click OK.
  4. Associate the SAG instance with a Cloud Connect Network (CCN) instance.
    1. Create a CCN instance. For more information about how to create CCN instances, see Create a CCN instance.
    2. After you create a CCN instance, navigate to the Network Configuration tab and click Network Instance Details in the left-side navigation tree.
    3. In the Associated Instances Under Current Account section, click Attach Network to associate the SAG instance with a CCN instance.
      • Network Type: Select Cloud Connect Network.
      • Network Instance: Select the ID of the CCN created in the preceding step.
    4. Click OK.
  5. Repeat this step to configure the network settings of the other SAG instance.
    Associate the SAG instances of the Hangzhou and Ningbo office branches with the same CCN instance.

Step 5: Associate the CCN instance with a CEN instance

Take the following steps to associate the CCN instance with a CEN instance. This connects the office branches to Alibaba Cloud.

  1. Log on to the SAG console.
  2. In the left-side navigation pane, click CCN.
  3. Find the target CCN instance and click Bind CEN Instance in the Actions column.
  4. In the Bind CEN Instance pane that appears, select the target CEN instance. After the CCN instance is associated with the CEN instance, SAG devices in the CCN can communicate with VPC networks associated with the CEN.

Step 6: Configure a security group

Configure a security group to allow the office branches to access resources in the VPC networks.

Take the following steps to configure a security group.

  1. Log on to the Elastic Compute Service (ECS) console.
  2. In the left-side navigation pane, click Instances.
  3. Find the ECS instance deployed in the target VPC network and choose More > Network and Security Group > Configure Security Group.
  4. Find the target security group, click Add Rules in the Actions column, and then click Add Security Group Rule.
  5. Create a security group rule that allows access from the private network to the VPC network.
    The following figure shows how to add a security group rule. Set Authorization Object to the CIDR block of the target private network. In this example, this parameter is set to 10.10.0.0/12 and 10.20.0.0/12, which are the CIDR blocks of the Hangzhou and Ningbo office branches.
  6. Repeat this step to create another security group rule. One rule allows access from local clients to the VPC network in the China (Shanghai) region, and the other to the VPC network in the China (Beijing) region. These security group rules allow the Hangzhou and Ningbo office branches to access resources in the VPC networks.
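
The CIDR blocks entered as static routes in Step 4 and as Authorization Object values in Step 6 can be checked for their effective range and for overlaps before they are applied. The following Python sketch is an added example, not part of the original Alibaba Cloud documentation; it uses only the standard ipaddress module, and the VPC CIDR blocks in it are constructed placeholders because this page does not state them.

```python
import ipaddress

# Branch CIDR blocks exactly as written on this page.
BRANCH_CIDRS = {"Hangzhou": "10.10.0.0/12", "Ningbo": "10.20.0.0/12"}
# Constructed placeholders: the page does not state the VPC CIDR blocks.
VPC_CIDRS = {"Shanghai-VPC": "172.16.0.0/16", "Beijing-VPC": "192.168.0.0/16"}


def audit_cidr(text):
    """Return the range a CIDR string really covers once the mask is applied."""
    iface = ipaddress.ip_interface(text)
    net = iface.network  # host bits are masked off here
    return {
        "written": text,
        "effective": str(net),
        "host_bits_set": iface.ip != net.network_address,
        "first": str(net[0]),
        "last": str(net[-1]),
        "addresses": net.num_addresses,
    }


def find_overlaps(named_cidrs):
    """List pairs of named blocks whose effective ranges overlap."""
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in named_cidrs.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def review(branches, vpcs):
    """Collect findings to resolve before adding routes or security group rules."""
    findings = []
    for name, cidr in branches.items():
        info = audit_cidr(cidr)
        if info["host_bits_set"]:
            findings.append(f"{name}: {cidr} covers {info['first']}-{info['last']} "
                            f"({info['effective']}, {info['addresses']} addresses)")
    for a, b in find_overlaps({**branches, **vpcs}):
        findings.append(f"overlap: {a} and {b}")
    return findings


if __name__ == "__main__":
    for line in review(BRANCH_CIDRS, VPC_CIDRS):
        print(line)
```

A security group rule whose Authorization Object is wider than the addresses actually in use at a branch admits more sources than intended, so compare the reported range with each branch's real address plan.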

Step 7: Test the connectivity

After you complete the configurations in the preceding steps, access cloud resources deployed in the VPC networks from a client in the office branches to test the connectivity.