This topic describes how to use Smart Access Gateway (SAG) to connect a store outside
mainland China to Alibaba Cloud. In the following example, the on-premises clients
are located in the Singapore region.
Prerequisites
- A Virtual Private Cloud (VPC) network is created in the Singapore region. For more
information, see Create a VPC.
- A Cloud Enterprise Network (CEN) instance is created and associated with the VPC network.
For more information, see Create a CEN instance.
Background information
In this example, the private network of a store in Singapore is connected to Alibaba
Cloud through SAG.

The following table lists the resources required in the configuration.
Resource |
Specification |
Quantity |
SAG devices |
SAG-100WM |
1 |
SAG bandwidth |
Deployed in the Singapore region |
50 Mbit/s |
CEN instances |
Default edition |
1 |
Cloud Connect Network (CCN) instances |
Deployed in the Singapore region |
1 |
VPC networks |
Deployed in the Singapore region |
1 |
Elastic Compute Service (ECS) instances |
Deployed in the Singapore region |
2 |
Deployment procedure
The following flowchart shows the deployment procedure.

Step 1: Purchase an SAG device
If your private network is located outside mainland China, we recommend that you purchase
SAG devices from a third-party vendor and install the operating system designed for
SAG. The following table lists the SAG devices supported by the operating system and
their sales information. SAG-100WM is used in this example.
Note
- Alibaba Cloud has authorized the operating system for SAG devices to third-party vendors.
After you purchase an SAG device, you can contact the vendor to download and install
the operating system.
- The pricing information listed on the buy page prevails. After you purchase an SAG
device, relevant services such as after-sales service are provided by the third-party
vendor.
Step 2: Purchase bandwidth for the SAG device
After you purchase an SAG device, you can purchase bandwidth for the SAG device in
the SAG console. After you purchase bandwidth, Alibaba Cloud creates an SAG instance
to facilitate device management.
To purchase bandwidth, take the following steps:
- Log on to the SAG console.
- In the left-side navigation pane, click Smart Access Gateway.
- On the Smart Access Gateway page, click Create SAG Instance.
- Set the following parameters and click Buy Now:
- Area: Select the area where the SAG device is deployed to connect workloads to Alibaba
Cloud. Asia Pacific SE 1 (Singapore) is selected in this example.
Note Areas (outside mainland China) where workloads can be connected to Alibaba Cloud through
SAG devices include China (Hong Kong), Asia Pacific SE 1 (Singapore), Asia Pacific
SE 3 (Kuala Lumpur), and Asia Pacific SE 5 (Jakarta). If your area is not included
in the preceding areas, we recommend that you select the nearest area. For example,
if you purchase an SAG device in Thailand, you can select China (Hong Kong) to connect
your workloads to Alibaba Cloud.
- Device Spec: Select the model of the SAG device. SAG-100WM is selected in this example.
- Have SAG Devices Already: Yes is selected in this example. The value cannot be modified after it is specified.
- Quantity: You do not need to set this parameter. The default value is used in this example.
- Area: Select the area where the SAG bandwidth will be used. The area is the same as that
of the SAG device and cannot be modified.
- Instance Name: Specify a name for the SAG instance. test123 is used in this example.
The name must be 2 to 128 characters in length, and can contain digits, periods (.),
hyphens (-), and underscores (_). It must start with a letter or a Chinese character.
- Peak Bandwidth: Select the maximum bandwidth for network connections. The default value is used
in this example.
- Subscription Duration: Select the duration of the subscription. The default value is used in this example.

- Confirm the order information and click Buy Now.
- In the Shipping Address dialog box, specify the address of the recipient and click Buy Now.
Note You must provide the address of the recipient before you can complete the payment.
The console does not record this information.
- On the payment page that appears, click Pay.
You can check whether the order has been placed on the Smart Access Gateway page.
Step 3: Connect the SAG device to your private network
After you purchase an SAG device, you must configure the device and connect it to
your private network.
- Connect the SAG device to your private network.
- After you receive the SAG device, check whether you have received all the accessories
in the purchase order.
- After you start the SAG device, connect the wide area network (WAN) port to the modem
and connect the local area network (LAN) port to the client.
- In this example, a client in the Singapore region is directly connected to the SAG
device and the default CIDR block is used. For more information about how to WAN and
LAN ports, see Configure SAG-100WM in the web console.
- Activate the SAG device and associate it with the SAG instance.
- Log on to the SAG console.
- In the left-side navigation pane, click Smart Access Gateway.
- In the top navigation bar, select Singapore.
- On the Smart Access Gateway page, find the target SAG instance and click Activate in the Actions column.
- Click the ID of the target instance. On the instance details page that appears, click
the Device Management tab and enter the serial number of the SAG device.
- Click Add Device.
- Configure routes.
- In the left-side navigation pane, click Smart Access Gateway.
- On the Smart Access Gateway page, find the target SAG instance and click Network Configuration in the Actions column.
- In the left-side navigation tree, click Method to Synchronize with On-premises Routes.
- Select Static Routing and click Add Static Route.
192.168.10.0/24 is used in this example. Therefore, the IP addresses of clients are
allocated from 192.168.10.0/24.
- Click OK.
Step 4: Set up network connections
Take the following steps to establish connections between the private network and
cloud resources deployed in the VPC network.
- Associate the SAG instance with a CCN instance.
- Log on to the SAG console.
- In the left-side navigation pane, click CCN.
- In the top navigation bar, select Singapore.
- On the CCN page, click Create CCN Instance.
- In the Create CCN Instance pane, specify a name for the CCN instance and click OK.
The name must be 2 to 100 characters in length, and can contain digits, underscores
(_), and hyphens (-). The name must start with a letter or a Chinese character. test123
is used in this example.
Note If you have already created a CCN instance in the target area, skip the preceding
step and proceed to the following steps.
- In the left-side navigation pane, click Smart Access Gateway.
- On the Smart Access Gateway page, find the target SAG instance and click Network Configuration in the Actions column.
- In the left-side navigation tree, click Network Instance Details.
- Click Attach Network, select the target CCN instance, and then click OK.
- Associate the CCN instance with a CEN instance.
- In the left-side navigation pane, click CCN.
- Find the target CCN instance and click Bind CEN Instance in the Actions column.
- In the Bind CEN Instance pane, select the target CEN instance and click OK. After the CCN instance is associated with the CEN instance, SAG devices associated
with the CCN instance can communicate with VPC networks associated with the CEN instance.
- Configure a security group rule.
- Log on to the ECS console.
- In the left-side navigation pane, click Instances.
- In the top navigation bar, select the target resource group and the Singapore region.
- Find the ECS instance deployed in the target VPC network and choose .
- Click Add Rules and then click Add Security Group Rule.
- Create a security group rule that allows access from the private network to the VPC
network.
The following figure shows how to configure a security group rule. Set Authorization
Object to the CIDR block of the private network. 192.168.10.0/24 is used in this example.
For more information, see
Add security group rules.

Step 5: Test the connectivity
After you complete the configurations in the preceding steps, access cloud resources
deployed in the VPC network from a client in your private network to test the connectivity.