This topic describes how to deploy a Smart Access Gateway (SAG) device to set up standby network connections between a private network and Alibaba Cloud. In this scenario, a leased line is already deployed in the private network. This helps you build a high availability (HA) hybrid cloud.

Scenario

The following figure shows the network topology used in this topic. To ensure the HA of your workloads and avoid changes in the network topology, the on-premises data center is connected to Alibaba Cloud through physical connections of Express Connect. A Smart Access Gateway (SAG) device is connected to a Layer 3 switch. The SAG device provides standby connections.

In this example, network traffic is transmitted in the following directions:
  • To Alibaba Cloud

    The switches deployed in the on-premises data center prefer the leased line when they route traffic to Alibaba Cloud. When the leased line fails, the switches automatically switch the route to the SAG device, which maintains the connection between the private network and Alibaba Cloud over the Internet.

  • To the on-premises data center

    By default, Cloud Enterprise Network (CEN) prefers the leased line over the route to Cloud Connect Network (CCN). When the leased line fails, the route is automatically switched to CCN. In this case, the SAG device connects to Alibaba Cloud over encrypted Internet connections.

[Figure: network topology. The on-premises data center is connected to Alibaba Cloud over the leased line, and the SAG device attached to the Layer 3 switch provides the standby connection over the Internet.]

Prerequisites

  • A Virtual Private Cloud (VPC) network is created in the China (Beijing) region. For more information, see Create a VPC.
  • A CEN instance is created and associated with the VPC network in the China (Beijing) region. For more information, see Create a CEN instance.
  • A leased line is deployed and connected to the private network. For more information, see What is Express Connect?.

Subnetting

The following CIDR blocks are used in this example. When you allocate CIDR blocks based on your actual requirements, make sure that the CIDR blocks do not overlap with each other.

Private network:
  • Workloads: 172.16.0.0/12
  • WAN port (port 3) of the SAG device: 192.168.100.1/30. IP address of the gateway: 192.168.100.2.
  • Port G11 of the Layer 3 switch: 192.168.100.2/30
  • Port G1 of the Internet-facing router: 192.168.80.1/30
  • Port G2 of the Layer 3 switch: 192.168.80.2/30

VPC network in the China (Beijing) region:
  • 10.0.0.0/16
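The Subnetting section asks you to make sure that the CIDR blocks do not overlap, and Step 4 requires the WAN port address and its gateway to sit on the same /30. The following script, added here as an example and not part of the Alibaba Cloud documentation, checks both conditions with Python's standard ipaddress module. The address plan and link pairs are copied from the table above; the entry names are labels chosen for this example.

```python
import ipaddress
from itertools import combinations

# Address plan taken from the Subnetting table. The two point-to-point links
# are written as (interface address, gateway/peer address).
ADDRESS_PLAN = {
    "private network workloads": "172.16.0.0/12",
    "SAG WAN port (port 3) <-> switch G11": "192.168.100.0/30",
    "router G1 <-> switch G2": "192.168.80.0/30",
    "VPC network, China (Beijing)": "10.0.0.0/16",
}
LINKS = {
    "SAG WAN port -> gateway (switch G11)": ("192.168.100.1/30", "192.168.100.2"),
    "switch G2 -> Internet-facing router G1": ("192.168.80.2/30", "192.168.80.1"),
}


def find_overlaps(plan):
    """Return the pairs of plan entries whose CIDR blocks overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def gateway_is_peer(interface_cidr, gateway):
    """True if the gateway is the other usable host on the interface's subnet.

    A /30 has two usable addresses: the gateway must be inside the subnet, must
    differ from the interface's own address, and must not be the network or
    broadcast address (an easy mistake when filling in the Gateway field).
    """
    iface = ipaddress.ip_interface(interface_cidr)
    gw = ipaddress.ip_address(gateway)
    net = iface.network
    return (
        gw in net
        and gw != iface.ip
        and gw not in (net.network_address, net.broadcast_address)
    )


def validate_plan(plan=ADDRESS_PLAN, links=LINKS):
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems = []
    for a, b in find_overlaps(plan):
        problems.append(f"overlap: {a} ({plan[a]}) and {b} ({plan[b]})")
    for name, (cidr, gw) in links.items():
        if not gateway_is_peer(cidr, gw):
            problems.append(f"{name}: gateway {gw} is not the peer of {cidr}")
    return problems


if __name__ == "__main__":
    for line in validate_plan() or ["address plan is consistent"]:
        print(line)
```

Run the script before you allocate addresses in the console; an overlap between the private network and the VPC CIDR block would otherwise only surface as unreachable routes after the CCN is attached to the CEN in Step 7.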

Step 1: Purchase an SAG device

After you purchase an SAG device in the SAG console, Alibaba Cloud delivers the device to the specified address and creates an SAG instance that you use to manage the device and its network configuration.

  1. Log on to the SAG console.
  2. Set the following parameters.
    • Area: Select the area where the SAG device will be deployed. Mainland China is selected in this example.
    • Device Spec: Select the type of the SAG device. SAG-1000 is selected in this example.
    • Have SAG Devices Already: Select whether you already have an SAG device. No is selected in this example.
    • Quantity: Select the number of SAG devices that you want to purchase. 1 is selected in this example.
    • Area: Select the area where the SAG bandwidth will be used. This area must be the same as that of the SAG device and cannot be modified.
    • Instance Name: Specify a name for the SAG instance.

      The name must be 2 to 128 characters in length and can contain digits, periods (.), hyphens (-), and underscores (_). It must start with a letter or Chinese character.

    • Peak Bandwidth: Select the maximum bandwidth for network connections. 30 Mbps is selected in this example.
    • Subscription Duration: Select the duration of the subscription.
  3. After you set the preceding parameters, click Buy Now.
  4. Confirm the order information and click Confirm Purchase.
  5. In the Shipping Address dialog box that appears, enter the recipient address and then click Buy Now.
  6. On the Pay page that appears, click Pay.

You can check whether the order has been placed on the Smart Access Gateway page. The SAG device will be shipped within two business days. If the order is not shipped within two business days, submit a ticket to query the shipping status.


Step 2: Activate the SAG device

After you receive the SAG device, check whether you have received all the accessories. For more information, see Descriptions of SAG-1000.

  1. Log on to the SAG console.
  2. On the Smart Access Gateway page, find the target SAG instance.
  3. In the Actions column, click Activate.
  4. Click the ID of the target SAG instance. On the instance details page, click the Device Management tab and enter the serial number of the device.
  5. Click Add Device.

Step 3: Connect the SAG device to your private network

After you activate the SAG device and associate it with the SAG instance, you must connect the device to your private network.

Before you begin, make sure that the device is activated, the 4G network works as expected, and the device is connected to Alibaba Cloud.

  1. Log on to the SAG console.
  2. On the Smart Access Gateway page, find and click the target SAG instance.
  3. On the instance details page, click the Device Management tab.
  4. In the left-side navigation tree, click Assign Port Roles.
  5. In the Assign Port Roles section, find the target port and click Edit in the Actions column. Assign a role to the port and click OK.
    The WAN port (port 3) is used in this example.
  6. Use a network cable to connect the WAN port (port 3) of the SAG device to port G11 of the Layer 3 switch.

Step 4: Configure ports

After the SAG device is connected to your private network, you can configure the device ports in the SAG console.

  1. Log on to the SAG console.
  2. On the Smart Access Gateway page, click the ID of the target SAG instance.
  3. On the instance details page, click the Device Management tab.
  4. In the left-side navigation tree, click Manage WAN Ports.
  5. In the WAN (Port 3) section, click Edit.
  6. In the Configure WAN (Port 3) dialog box that appears, set the following parameters and click OK.
    • Connection Type: Select Static IP.
    • IP Address: Enter the IP address of the WAN port. 192.168.100.1 is used in this example.
    • Subnet Mask: Enter the subnet mask of the WAN port IP address. 255.255.255.252 is used in this example.
    • Gateway: Enter the IP address of the gateway. 192.168.100.2 is used in this example.
      Note After you configure the gateway, the SAG device generates a default route.

Step 5: Configure the routing method

After you configure the WAN port of the SAG device, you must also configure the method used to synchronize routes with your on-premises routers and specify static routes so that local workloads can reach cloud services.

  1. On the Smart Access Gateway page, click the ID of the target SAG instance.
  2. On the instance details page, click the Network Configuration tab.
  3. In the left-side navigation tree, click Methods to Synchronize with On-premises Routes.
  4. Select Static Routing, click Add Static Route to add a CIDR block, and then click OK.

    The static route is the CIDR block used to connect the private network to Alibaba Cloud. 172.16.0.0/12 is used in this example.

  5. On the Smart Access Gateway page, click the Device Management tab.
  6. In the left-side navigation tree, click Manage Routes and then click Add Static Route.
  7. In the Add Static Route dialog box that appears, add a static route that routes traffic from Alibaba Cloud to the private network.

Step 6: Configure switches and Internet-facing routers

In this step, you must configure the peer switch and Internet-facing router for the SAG device. Switches and routers used in this example may be different from yours. For more information, see the manuals issued by your providers.

Configure routes for the peer switch (the Layer 3 switch). In the IOS-style configuration below, lines that start with ! are comments:

! Port G11: connects to the WAN port (port 3) of the SAG device
interface GigabitEthernet 0/11
 no switchport
 ip address 192.168.100.2 255.255.255.252
!
! Port G2: connects to port G1 of the Internet-facing router (address from the Subnetting section)
interface GigabitEthernet 0/2
 no switchport
 ip address 192.168.80.2 255.255.255.252
!
! Route to the VPC network in the China (Beijing) region through the SAG device
ip route 10.0.0.0 255.255.0.0 192.168.100.1
! Default route to the Internet through the Internet-facing router
ip route 0.0.0.0 0.0.0.0 192.168.80.1

Configure routes for the Internet-facing router:

! Route to the WAN subnet of the SAG device (192.168.100.0/30) through port G2 of the Layer 3 switch.
! The destination is the network address of the /30 (192.168.100.0); a host address such as
! 192.168.100.1 with a /30 mask is an inconsistent address and mask and is rejected.
ip route 192.168.100.0 255.255.255.252 192.168.80.2
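A static route whose destination has host bits set, or whose next hop is not on a directly connected subnet, silently breaks the failover path described in the Scenario section. The following checker, added here as an example and not part of the Alibaba Cloud documentation, parses IOS-style ip address and ip route lines and flags both mistakes. The switch configuration is the one from Step 6; the router snippet is constructed for this example (its interface name GigabitEthernet 0/1 and address come from the Subnetting table) and deliberately contains the host-address typo so the check has something to catch.

```python
import ipaddress
import re

# 'ip address <addr> <mask>' under an interface and global 'ip route <dest> <mask> <next-hop>'.
IP_ADDRESS_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$")
IP_ROUTE_RE = re.compile(r"^\s*ip route (\S+) (\S+) (\S+)\s*$")


def parse_config(text):
    """Return (connected subnets, static routes) found in an IOS-style config; '!' lines are comments."""
    connected, routes = [], []
    for line in text.splitlines():
        if line.lstrip().startswith("!"):
            continue
        m = IP_ADDRESS_RE.match(line)
        if m:
            # ip_interface accepts the dotted netmask form that IOS uses.
            connected.append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)
            continue
        m = IP_ROUTE_RE.match(line)
        if m:
            routes.append((m.group(1), m.group(2), m.group(3)))
    return connected, routes


def check_static_routes(text):
    """Return a list of problems; empty means every static route is well-formed
    and its next hop is reachable over a directly connected subnet."""
    connected, routes = parse_config(text)
    problems = []
    for dest, mask, next_hop in routes:
        route = f"ip route {dest} {mask} {next_hop}"
        try:
            # strict=True (the default) rejects a prefix with host bits set,
            # the condition IOS reports as an inconsistent address and mask.
            ipaddress.ip_network(f"{dest}/{mask}")
        except ValueError:
            problems.append(f"inconsistent address and mask: {route}")
        nh = ipaddress.ip_address(next_hop)
        if not any(nh in net for net in connected):
            problems.append(f"next hop {next_hop} is not on a connected subnet: {route}")
    return problems


# Layer 3 switch configuration from Step 6.
SWITCH_CONFIG = """
interface GigabitEthernet 0/11
 no switchport
 ip address 192.168.100.2 255.255.255.252
interface GigabitEthernet 0/2
 no switchport
 ip address 192.168.80.2 255.255.255.252
ip route 10.0.0.0 255.255.0.0 192.168.100.1
ip route 0.0.0.0 0.0.0.0 192.168.80.1
"""

# Constructed Internet-facing router snippet: the route uses the SAG host
# address 192.168.100.1 with a /30 mask, which the checker must flag.
ROUTER_CONFIG_WITH_TYPO = """
interface GigabitEthernet 0/1
 ip address 192.168.80.1 255.255.255.252
ip route 192.168.100.1 255.255.255.252 192.168.80.2
"""

if __name__ == "__main__":
    for name, cfg in (("switch", SWITCH_CONFIG), ("router", ROUTER_CONFIG_WITH_TYPO)):
        print(name, check_static_routes(cfg) or ["ok"])
```

The next-hop check matters for the standby path in particular: the default route on the switch only works as a fallback to the Internet-facing router if 192.168.80.1 is on a subnet the switch is directly connected to.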

Step 7: Set up network connections

After you configure the SAG device, you must set up network connections to connect the private network to Alibaba Cloud.

  1. Create a CCN instance.
    1. Log on to the SAG console.
    2. In the left-side navigation pane, click CCN.
    3. On the CCN page, click Create CCN Instance.
    4. In the Create CCN Instance pane that appears, specify a name for the CCN instance and click OK.
      The name must be 2 to 100 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter or Chinese character.
  2. Set up network connections.
    1. Log on to the SAG console.
    2. On the Smart Access Gateway page, click the ID of the target SAG instance or click Network Configuration in the Actions column.
    3. On the Network Instance Details tab, click Attach Network, select the CCN instance, and then click OK.
    4. In the Attach Network dialog box, add a virtual border router (VBR) that is connected to the leased line.
  3. Associate the CCN instance with a CEN instance.
    1. Log on to the SAG console.
    2. In the left-side navigation pane, click CCN.
    3. Find the target CCN instance and click Bind CEN Instance in the Actions column.
    4. In the Bind CEN Instance pane that appears, select the target CEN instance and click OK.
      After the CCN instance is associated with the CEN instance, SAG devices in the CCN can communicate with networks such as VPC networks and VBRs associated with the CEN.
  4. Configure a security group.
    1. Log on to the Elastic Compute Service (ECS) console.
    2. In the left-side navigation pane, click Instances.
    3. Find the ECS instance deployed in the target VPC network and choose More > Network and Security Group > Configure Security Group.
    4. Click Add Rules and then click Add Security Group Rule.
    5. Create a security group rule that allows access from the private network to the VPC network.
      The following figure shows how to configure a security group rule. Set Authorization Object to the CIDR block of the private network.
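The security group rule in the last step should admit only the private network, not every Internet source. The following script, added here as an example and not part of the Alibaba Cloud documentation, audits candidate Authorization Object values against the private network CIDR block from the Subnetting section and rejects 0.0.0.0/0 or any block outside 172.16.0.0/12. The candidate rule list is constructed for this example.

```python
import ipaddress

# CIDR block of the private network from the Subnetting section.
PRIVATE_NETWORK = ipaddress.ip_network("172.16.0.0/12")
ANY_SOURCE = ipaddress.ip_network("0.0.0.0/0")


def check_authorization_object(cidr, private_network=PRIVATE_NETWORK):
    """Return None if the source CIDR is limited to the private network, else the reason it is rejected."""
    try:
        src = ipaddress.ip_network(cidr)  # strict: host bits must be zero
    except ValueError:
        return f"{cidr!r} is not a valid CIDR block"
    if src == ANY_SOURCE:
        return "0.0.0.0/0 admits any Internet source; the rule should admit only the private network"
    if not src.subnet_of(private_network):
        return f"{src} lies outside the private network {private_network}"
    return None


def audit_rules(rules, private_network=PRIVATE_NETWORK):
    """Map each offending rule (a source CIDR string) to the reason it was rejected."""
    findings = {}
    for rule in rules:
        reason = check_authorization_object(rule, private_network)
        if reason:
            findings[rule] = reason
    return findings


# Constructed candidates: the page's value, a narrower subnet of it, and two
# that must be rejected (any source, and a block outside the private network).
CANDIDATE_RULES = ["172.16.0.0/12", "172.20.0.0/16", "0.0.0.0/0", "10.0.0.0/8"]

if __name__ == "__main__":
    for rule, reason in audit_rules(CANDIDATE_RULES).items():
        print(f"reject {rule}: {reason}")
```

A narrower block such as 172.20.0.0/16 passes because it is a subnet of the private network; tighten the rule to the workload subnets that actually need access to the VPC rather than the whole /12 where you can.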