Alibaba Cloud is offering free trials of Smart Access Gateway (SAG) APP. This topic describes how to claim a free client account and use SAG APP.

Prerequisites

A Virtual Private Cloud (VPC) network is created. For more information, see Create a VPC.

Background information

The scenario in the following figure is used as an example. A company has deployed application services in a VPC network in the China (Hangzhou) region. The employees access resources deployed in the VPC network from the private network of the company. To facilitate the management of resources on Alibaba Cloud and streamline O&M, the company plans to use SAG APP to allow administrators to remotely access the resources through fast and secure connections from the private network.

Architecture

Configuration procedure

Procedure to claim a free client account

Step 1: Claim a free client account

You can log on to the SAG console and claim a free client account of SAG APP.

  1. Log on to the SAG console.
  2. In the left-side navigation pane, click Smart Access Gateway APP.
  3. In the pop-up advertisement that offers free client accounts, click Claim.
    After you claim a client account, the system automatically creates a free SAG APP instance based on the following specification:
    • Number of client accounts: 1.
    • Data transfer plan per account: 5 GB per month.
    • Bandwidth: 2 Mbit/s.
    • Validity period: 1 year.

Step 2: Configure the SAG APP instance

After the SAG APP instance is created, you must configure it. You can follow the Quick Configuration wizard to specify CIDR blocks of clients, create client accounts, and view information about how to download and install the SAG app. After the SAG APP instance is configured, clients added to it can quickly and securely access resources on Alibaba Cloud.

  1. Click Configure Now to open the Quick Configuration wizard.
  2. On the Network Configuration wizard page, you can associate the SAG APP instance with a Cloud Connect Network (CCN) instance and specify the CIDR blocks of clients.
    • CCN Instance ID/Name: You can select one of the following options to associate the SAG APP instance with a CCN instance. Create CCN is selected in this example.

      CCN is an important component of SAG. After an SAG APP instance is associated with a CCN instance, clients associated with the SAG APP instance can communicate with networks attached to the CCN instance. For more information, see Introduction to CCN.

      • Existing CCN: If you have created CCN instances, you can select an existing CCN instance from the drop-down list.
      • Create CCN: If you have not created a CCN instance, enter an instance name. The system then creates a CCN instance in the current region and automatically associates the CCN instance with the SAG APP instance.

        The name must be 2 to 100 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter or Chinese character.

    • Standby and Active DNS: This parameter is optional. The active and standby DNS servers that the clients use to connect to Alibaba Cloud. After you configure the DNS servers, the system automatically synchronizes the DNS settings to the clients. Ignore this parameter in this example.
      Note
      • If the clients use PrivateZone to connect to Alibaba Cloud, set the DNS server addresses to 100.100.2.136 and 100.100.2.138. For more information about PrivateZone, see What is PrivateZone.
      • Android and macOS operating systems require 2.1.1 or later versions of the SAG app for receiving DNS settings. For more information about how to install the SAG app, see Install SAG APP.
    • Private CIDR Block: Specify the private CIDR blocks that the clients use to connect to Alibaba Cloud. When a client connects to Alibaba Cloud, an IP address within the specified CIDR block is assigned to the client. Make sure that the private CIDR blocks do not overlap with each other. 192.168.1.0/24 is used in this example.

      You can click Add Private CIDR Block to add more private CIDR blocks. You can add a maximum of five private CIDR blocks.

  3. Configure a CEN instance. You can associate the CCN instance with a Cloud Enterprise Network (CEN) instance to enable communication between networks attached to the CCN instance and resources associated with the CEN instance. For more information, see What is Cloud Enterprise Network.
    1. Click Associate with a CEN (Optional) to associate the CCN instance with a CEN instance.
      This step is optional. If you do not need to associate the CCN instance with a CEN instance, click Skip.
    2. You can select one of the following options to associate the CCN instance with a CEN instance to enable communication between the clients and cloud resources. Create CEN is selected in this example.
      • Existing CEN: If you have already created CEN instances, you can select an existing CEN instance from the drop-down list.
      • Create CEN: If you have not created a CEN instance, enter an instance name. The system then creates a CEN instance and automatically associates it with the CCN instance.

        The name must be 2 to 100 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter or Chinese character.

    3. Attach the VPC network to the CEN instance to enable communication between the clients and resources on Alibaba Cloud. For more information, see Attach networks.
  4. Create a client account. After you set up network connections, you must create client accounts to allow users to log on to the SAG app and access the private network.
    1. Click Next: Create a client account to create a client account.
      • Username: optional. The username must be 7 to 33 characters in length, and can contain underscores (_), at signs (@), periods (.), and hyphens (-). It must start with a digit or letter.
        Note: When you create a client account, if you specify only the email address, the system automatically generates a username and password. The specified email address is used as the username.
      • Email Address: This parameter is required. The email address of the user. The username and password are sent to the specified email address.

        The email address must be 2 to 64 characters in length, and can contain letters, digits, underscores (_), periods (.), and hyphens (-). It must contain an at sign (@).

      • Static IP:
        • If you enable this feature, you must configure the IP address of the client. The client uses the specified IP address to connect to Alibaba Cloud.
          Note: The specified IP address must fall into the CIDR block of the private network.
        • If you disable this feature, an IP address within the CIDR block of the private network is assigned to the client. Each connection to Alibaba Cloud uses a different IP address.
      • Set Maximum Bandwidth: Specify the maximum bandwidth for the current client account. The default value is used in this example.

        You can set the maximum bandwidth to 1 to 2,000 Kbit/s. The maximum bandwidth is set to 2,000 Kbit/s by default.

      • Set Password: optional. The password that is used to log on to the SAG app.

        The password must be 8 to 32 characters in length, and can contain underscores (_) and hyphens (-). It must start with a letter or digit.

    2. Click OK.
  5. Connect the client to Alibaba Cloud. After you create the client account, you must download and install the SAG app on your mobile device. The SAG app allows devices to access resources on Alibaba Cloud through private networks.
    1. After you create the client account, click Download Now to go to the page that provides instructions on how to download and install the SAG app. For more information, see Install SAG APP.
    2. After you download and install the SAG app on your device, you can log on to the SAG app with your username and password, and then connect to the private network. This allows you to access resources on Alibaba Cloud. For more information, see Connect to Alibaba Cloud.

Step 3: Configure a security group rule

After you configure the SAG APP instance, you must also configure the security group of the Elastic Compute Service (ECS) instance that you want to access. Configure a security group rule that allows the clients to access resources on Alibaba Cloud.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, click Instances.
  3. In the top navigation bar, select the region where the target ECS instance is deployed.
  4. Find the ECS instance deployed in the target VPC network and choose More > Network and Security Group > Configure Security Group.
  5. Find the target security group, click Add Rules in the Actions column, and then click Add Security Group Rule.
  6. Configure a security group rule that allows the clients to access resources on Alibaba Cloud.
    The following figure shows how to configure a security group rule. Set Authorization Object to the CIDR block of the private network. 192.168.1.0/24 is used in this example. For more information, see Add security group rules.
  7. After the security group rule is configured, the client can access resources on Alibaba Cloud.
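
The address constraints from Step 2 (at most five non-overlapping private CIDR blocks, a static IP inside one of them) and the Authorization Object setting from Step 3 can be checked before anything is entered in the console. The following Python sketch is an added example, not Alibaba Cloud code; the function names are hypothetical, it assumes IPv4 only, and every sample value other than 192.168.1.0/24 is constructed.

```python
import ipaddress

MAX_PRIVATE_CIDRS = 5  # limit stated in Step 2 of this page


def check_client_cidrs(cidrs):
    """Return a list of problems found in the Private CIDR Block entries."""
    problems, nets = [], []
    if len(cidrs) > MAX_PRIVATE_CIDRS:
        problems.append(f"{len(cidrs)} blocks given, maximum is {MAX_PRIVATE_CIDRS}")
    for c in cidrs:
        try:
            # strict=True rejects entries with host bits set, e.g. 192.168.1.5/24
            nets.append(ipaddress.ip_network(c, strict=True))
        except ValueError as exc:
            problems.append(f"{c}: {exc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def check_static_ip(ip, cidrs):
    """True if a client's static IP falls into one of the private CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def audit_sg_sources(rule_sources, client_cidrs):
    """Classify each security group Authorization Object against the client CIDRs.

    ok        - the source is inside a client CIDR block
    too-broad - the source contains a client block plus other addresses
    unrelated - the source does not cover any client block
    """
    clients = [ipaddress.ip_network(c) for c in client_cidrs]
    verdicts = {}
    for src in rule_sources:
        net = ipaddress.ip_network(src)
        if any(net.subnet_of(c) for c in clients):
            verdicts[src] = "ok"
        elif any(c.subnet_of(net) for c in clients):
            verdicts[src] = "too-broad"
        else:
            verdicts[src] = "unrelated"
    return verdicts
```

A `too-broad` verdict means the rule admits more than the SAG APP clients, so the Authorization Object should be narrowed to the client CIDR block.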