This topic describes how to use Smart Access Gateway (SAG) to connect a store outside mainland China to Alibaba Cloud. In the following example, the on-premises clients are located in the Singapore region.

Prerequisites

  • A Virtual Private Cloud (VPC) network is created in the Singapore region. For more information, see Create a VPC.
  • A Cloud Enterprise Network (CEN) instance is created and associated with the VPC network. For more information, see Create a CEN instance.

Background information

In this example, the private network of a store in Singapore is connected to Alibaba Cloud through SAG.

Architecture diagram

The following table lists the resources required in the configuration.

Resource                              | Specification                    | Quantity
SAG devices                           | SAG-100WM                        | 1
SAG bandwidth                         | Deployed in the Singapore region | 50 Mbit/s
CEN instances                         | Default edition                  | 1
Cloud Connect Network (CCN) instances | Deployed in the Singapore region | 1
VPC networks                          | Deployed in the Singapore region | 1
Elastic Compute Service (ECS) instances | Deployed in the Singapore region | 2

Deployment procedure

The following flowchart shows the deployment procedure.

Step 1: Purchase an SAG device

If your private network is located outside mainland China, we recommend that you purchase SAG devices from a third-party vendor and install the operating system designed for SAG. The following table lists the SAG devices supported by the operating system and their sales information. SAG-100WM is used in this example.

Supported SAG devices | Checkout link
SAG-100WM             | Checkout link
SAG-1000              | Checkout link 1, Checkout link 2
Note
  • Alibaba Cloud has authorized the operating system for SAG devices to third-party vendors. After you purchase an SAG device, you can contact the vendor to download and install the operating system.
  • The pricing information listed on the buy page prevails. After you purchase an SAG device, relevant services such as after-sales service are provided by the third-party vendor.

Step 2: Purchase bandwidth for the SAG device

After you purchase an SAG device, you can purchase bandwidth for the SAG device in the SAG console. After you purchase bandwidth, Alibaba Cloud creates an SAG instance to facilitate device management.

To purchase bandwidth, take the following steps:

  1. Log on to the SAG console.
  2. In the left-side navigation pane, click Smart Access Gateway.
  3. On the Smart Access Gateway page, click Create SAG Instance.
  4. Set the following parameters and click Buy Now:
    • Area: Select the area where the SAG device is deployed to connect workloads to Alibaba Cloud. Asia Pacific SE 1 (Singapore) is selected in this example.
      Note: Areas (outside mainland China) where workloads can be connected to Alibaba Cloud through SAG devices include China (Hong Kong), Asia Pacific SE 1 (Singapore), Asia Pacific SE 3 (Kuala Lumpur), and Asia Pacific SE 5 (Jakarta). If your area is not included in the preceding areas, we recommend that you select the nearest area. For example, if you purchase an SAG device in Thailand, you can select China (Hong Kong) to connect your workloads to Alibaba Cloud.
    • Device Spec: Select the model of the SAG device. SAG-100WM is selected in this example.
    • Have SAG Devices Already: Yes is selected in this example. The value cannot be modified after it is specified.
    • Quantity: You do not need to set this parameter. The default value is used in this example.
    • Area: Select the area where the SAG bandwidth will be used. The area is the same as that of the SAG device and cannot be modified.
    • Instance Name: Specify a name for the SAG instance. test123 is used in this example.

      The name must be 2 to 128 characters in length, and can contain digits, periods (.), hyphens (-), and underscores (_). It must start with a letter or a Chinese character.

    • Peak Bandwidth: Select the maximum bandwidth for network connections. The default value is used in this example.
    • Subscription Duration: Select the duration of the subscription. The default value is used in this example.
  5. Confirm the order information and click Buy Now.
  6. In the Shipping Address dialog box, specify the address of the recipient and click Buy Now.
    Note: You must provide the address of the recipient before you can complete the payment. The console does not record this information.
  7. On the payment page that appears, click Pay.
    You can check whether the order has been placed on the Smart Access Gateway page.

Step 3: Connect the SAG device to your private network

After you purchase an SAG device, you must configure the device and connect it to your private network.

  1. Connect the SAG device to your private network.
    1. After you receive the SAG device, check whether you have received all the accessories in the purchase order.
    2. After you start the SAG device, connect the wide area network (WAN) port to the modem and connect the local area network (LAN) port to the client.
    3. In this example, a client in the Singapore region is directly connected to the SAG device and the default CIDR block is used. For more information about how to configure WAN and LAN ports, see Configure SAG-100WM in the web console.
  2. Activate the SAG device and associate it with the SAG instance.
    1. Log on to the SAG console.
    2. In the left-side navigation pane, click Smart Access Gateway.
    3. In the top navigation bar, select Singapore.
    4. On the Smart Access Gateway page, find the target SAG instance and click Activate in the Actions column.
    5. Click the ID of the target instance. On the instance details page that appears, click the Device Management tab and enter the serial number of the SAG device.
    6. Click Add Device.
  3. Configure routes.
    1. In the left-side navigation pane, click Smart Access Gateway.
    2. On the Smart Access Gateway page, find the target SAG instance and click Network Configuration in the Actions column.
    3. In the left-side navigation tree, click Method to Synchronize with On-premises Routes.
    4. Select Static Routing and click Add Static Route.
      192.168.10.0/24 is used in this example. Therefore, the IP addresses of clients are allocated from 192.168.10.0/24.
    5. Click OK.

Step 4: Set up network connections

Take the following steps to establish connections between the private network and cloud resources deployed in the VPC network.

  1. Associate the SAG instance with a CCN instance.
    1. Log on to the SAG console.
    2. In the left-side navigation pane, click CCN.
    3. In the top navigation bar, select Singapore.
    4. On the CCN page, click Create CCN Instance.
    5. In the Create CCN Instance pane, specify a name for the CCN instance and click OK.
      The name must be 2 to 100 characters in length, and can contain digits, underscores (_), and hyphens (-). The name must start with a letter or a Chinese character. test123 is used in this example.
      Note: If you have already created a CCN instance in the target area, skip the preceding step and proceed to the following steps.
    6. In the left-side navigation pane, click Smart Access Gateway.
    7. On the Smart Access Gateway page, find the target SAG instance and click Network Configuration in the Actions column.
    8. In the left-side navigation tree, click Network Instance Details.
    9. Click Attach Network, select the target CCN instance, and then click OK.
  2. Associate the CCN instance with a CEN instance.
    1. In the left-side navigation pane, click CCN.
    2. Find the target CCN instance and click Bind CEN Instance in the Actions column.
    3. In the Bind CEN Instance pane, select the target CEN instance and click OK. After the CCN instance is associated with the CEN instance, SAG devices associated with the CCN instance can communicate with VPC networks associated with the CEN instance.
  3. Configure a security group rule.
    1. Log on to the ECS console.
    2. In the left-side navigation pane, click Instances.
    3. In the top navigation bar, select the target resource group and the Singapore region.
    4. Find the ECS instance deployed in the target VPC network and choose More > Network and Security Group > Configure Security Group.
    5. Click Add Rules and then click Add Security Group Rule.
    6. Create a security group rule that allows access from the private network to the VPC network.
      The following figure shows how to configure a security group rule. Set Authorization Object to the CIDR block of the private network. 192.168.10.0/24 is used in this example. For more information, see Add security group rules.
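
The following added example (not part of the original documentation) checks the Authorization Object of inbound rules against the private network CIDR block used in this topic, 192.168.10.0/24, and reports rules that admit more or less than the store's network. The rule names and the dict layout are constructed for illustration and are not an ECS API schema.

```python
import ipaddress

# On-premises CIDR block from the static route added in Step 3.
STORE_CIDR = "192.168.10.0/24"

# Constructed sample rules; the keys are hypothetical, not an ECS API schema.
SAMPLE_RULES = [
    {"name": "store-all", "source": "192.168.10.0/24"},
    {"name": "legacy-any", "source": "0.0.0.0/0"},
    {"name": "pos-half", "source": "192.168.10.0/25"},
    {"name": "other-site", "source": "10.20.0.0/16"},
]


def classify(source, store_cidr=STORE_CIDR):
    """Compare one rule's Authorization Object with the store's CIDR block."""
    store = ipaddress.ip_network(store_cidr)
    src = ipaddress.ip_network(source, strict=False)
    if src.version != store.version:
        return "unrelated"
    if src == store:
        return "exact"
    if store.subnet_of(src):
        return "too-broad"   # admits the store and other networks as well
    if src.subnet_of(store):
        return "partial"     # admits only part of the store's clients
    return "unrelated"


def audit(rules, store_cidr=STORE_CIDR):
    """Return per-rule verdicts and whether the whole store CIDR is admitted."""
    store = ipaddress.ip_network(store_cidr)
    verdicts = {r["name"]: classify(r["source"], store_cidr) for r in rules}
    # Several partial rules can add up to the full block, so merge them first.
    inside = [ipaddress.ip_network(r["source"], strict=False)
              for r in rules if verdicts[r["name"]] in ("exact", "partial")]
    merged = list(ipaddress.collapse_addresses(inside))
    covered = merged == [store] or "too-broad" in verdicts.values()
    return verdicts, covered


if __name__ == "__main__":
    verdicts, covered = audit(SAMPLE_RULES)
    for name, verdict in verdicts.items():
        print(f"{name:12} {verdict}")
    print("store CIDR fully admitted:", covered)
```

A "too-broad" verdict means the rule also admits sources outside the store, and "partial" means some clients in 192.168.10.0/24 would fail the connectivity test in Step 5.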

Step 5: Test the connectivity

After you complete the configurations in the preceding steps, access cloud resources deployed in the VPC network from a client in your private network to test the connectivity.