This topic describes how to connect two office branches to Alibaba Cloud virtual private clouds (VPCs). In this example, the office branches are located in Hangzhou and Ningbo, and the VPCs are deployed in the China (Shanghai) and China (Beijing) regions.

Prerequisites

Before you begin, make sure that the following requirements are met:
  • A VPC is deployed in each of the China (Shanghai) and China (Beijing) regions. For more information, see Create and manage a VPC.
  • A Cloud Enterprise Network (CEN) instance is created and attached to the VPC in the China (Shanghai) region. For more information, see Create a CEN instance.
  • The VPCs in the China (Beijing) and China (Shanghai) regions are attached to the same CEN instance. For more information, see Attach a network instance.

Background information

In this example, a company has created a VPC in each of the China (Shanghai) and China (Beijing) regions. The company needs to connect its Hangzhou and Ningbo office branches to Alibaba Cloud to enable the office branches to access resources on Alibaba Cloud. The CIDR blocks used by the Hangzhou and Ningbo office branches are 10.10.0.0/12 and 10.20.0.0/12. The local clients of the Hangzhou and Ningbo office branches need to connect to Alibaba Cloud through SAG-100WM. Deploy an SAG device in inline mode

Procedure

The following procedure shows how to deploy an SAG device in inline mode: Deploy an SAG device in inline mode

Step 1: Purchase SAG devices

After you purchase SAG devices in the SAG console, Alibaba Cloud delivers the devices to the specified address and creates an SAG instance to help you facilitate network management.

  1. Log on to the SAG console.
  2. On the Smart Access Gateway page, click Purchase SAG.
  3. Select SAG (CPE).
  4. On the Smart Access Gateway page, set the following parameters and click Buy Now:
    • Area: Select the area where the SAG device will be deployed. Mainland China is selected in this example.
    • Device Spec: Select the model of the SAG device. SAG-100W is selected in this example.
    • Have SAG Devices Already: Select whether you already have an SAG device. In this example, No is selected.
    • Edition: Select the edition of the SAG device. Standard is selected in this example.
    • Quantity: Select the number of SAG devices that you want to purchase. 1 is selected in this example.
    • Area: Select the area where the SAG bandwidth will be used. This area must be the same as that of the SAG device and cannot be modified.
    • Instance Name: Enter a name for the SAG instance.

      The name must be 2 to 128 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_). It must start with a letter.

    • Peak Bandwidth: Select a maximum bandwidth value for network connections. 30Mbps is selected in this example.
    • Subscription Duration: Select a subscription duration.
  5. Confirm the order information, select the terms of service, and then click Buy Now.
  6. In the Shipping Address dialog box, enter a recipient address and click Buy Now.
  7. On the Pay page, select a payment method and complete the payment.
  8. Repeat this step to purchase another SAG device. One device is for the Hangzhou branch office, and the other is for the Ningbo branch office.
    You can check whether the order has been placed on the Smart Access Gateway page. The SAG devices will be shipped within two business days. If the devices are not shipped after two business days, you can perform the following steps to check the shipping status:
    1. On the Smart Access Gateway page, find the SAG instance.
    2. Choose ellipsis-vView Shipping Update in the Actions column.
    3. In the Order Updates panel, view the shipping updates.
    The order status

Step 2: Connect the SAG devices to the private networks of the office branches

  1. After you receive the SAG devices, check whether you have received all the accessories. For more information, see SAG-100WM device specifications.
  2. Start an SAG device and connect its WAN port to the modem and LAN port to the local clients.
  3. In this example, the local clients in the Hangzhou and Ningbo office branches need to access Alibaba Cloud through the SAG devices. You can use the default gateway configurations. For more information about how to configure the WAN and LAN ports, see Configure a WAN port and Configure a LAN port.
  4. Repeat this step to connect the other device to the other private network. Connect one device to the Hangzhou office branch and the other to the Ningbo office branch.

Step 3: Activate the SAG devices

After you receive the SAG devices, you must activate them.

  1. Log on to the SAG console.
  2. In the left-side navigation pane, click Smart Access Gateway.
  3. In the top navigation bar, select the region.
  4. On the Smart Access Gateway page, find the SAG instance and click Activate in the Actions column.
  5. Click the ID of the SAG instance. On the instance details page, click the Device Management tab, enter the serial number of the device, and then click Add Device to associate the SAG device with the SAG instance.
    Add a device
  6. Repeat this step to activate the other device and associate it with the SAG instance.

Step 4: Set up network connections

After you activate the SAG devices and connect them to the private networks, you must configure network settings in the SAG console to point the routes from the private networks to Alibaba Cloud.

  1. Log on to the SAG console.
  2. In the top navigation bar, select the region.
  3. In the left-side navigation pane, click Smart Access Gateway. On the Smart Access Gateway page, find the SAG instance and click Network Configuration in the Actions column.
  4. Select a method to advertise routes to Alibaba Cloud.
    1. In the left-side navigation tree, click Method to Synchronize with On-premises Routes.
    2. Select Static Routing and click Add Static Route. In the Add Static Route dialog box, enter the CIDR blocks used by the Hangzhou and Ningbo office branches.
      The CIDR block 10.10.0.0/12 of the Hangzhou office branch is used in this example. The default gateway configurations are used in this example. Therefore, the IP addresses of local clients are allocated from the 10.10.0.0/12 CIDR block.
    3. Click OK.
  5. Associate the SAG instance with a CCN instance.
    1. Create a CCN instance. For more information about how to create CCN instances, see Create a CCN instance.
    2. After you create a CCN instance, navigate to the Network Configuration tab and click Network Instance Details in the left-side management pane.
    3. In the Associated Instances Under Current Account section, click Attach Network to associate the SAG instance with a CCN instance.
      • Network Type: Select Cloud Connect Network.
      • Resource Group: Select a resource group.
      • Network Instance: Select the ID of the CCN created in the preceding step.
      The Attach Network tab
    4. Click OK.
  6. Repeat this step to complete the network settings of the other SAG instance.
    Associate the SAG instances of the Hangzhou and Ningbo office branches with the same CCN instance.

Step 5: Associate the CCN instance with a CEN instance

Perform the following steps to associate the CCN instance with a CEN instance. This connects the office branches to Alibaba Cloud.

  1. Log on to the SAG console.
  2. In the left-side navigation pane, click CCN.
  3. Find the CCN instance and click Bind CEN Instance in the Actions column.
  4. In the Bind CEN Instance pane, select the CEN instance that you want to use. After the CCN instance is associated with the CEN instance, the SAG devices that are associated with the CCN instance can communicate with VPCs associated with the CEN instance.
    • Existing CEN: Select an existing CEN instance.
    • Create CEN: Create a CEN instance.

Step 6: Add security group rules

Add security group rules that allow the office branches to access resources in the VPCs.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Network & Security > Security Groups.
  3. On the Security Groups page, click the ID of the ECS instance that you want to manage.
  4. Click Security Group Rules in the left-side management pane and click the Inbound tab. On this tab, click Add Rule.
  5. Add a security group rule that allows access from the private networks to one of the VPCs.
    Set Authorization Object to the CIDR block of the private networks. In this example, this parameter is set to 10.10.0.0/12 and 10.20.0.0/12, which are the CIDR blocks of the Hangzhou and Ningbo office branches. For more information, see Add a security group rule.
  6. Repeat this step to create another security group rule. One rule allows access from local clients to the VPC in the China (Shanghai) region, and the other to the VPC in the China (Beijing) region. These security group rules allow the Hangzhou and Ningbo office branches to access resources in the VPCs.

Step 7: Test network connectivity

After you complete the preceding steps, access cloud resources deployed in the VPCs from a client in the office branches to test the network connectivity.