This topic describes how to establish network communication between cloud resources
deployed on Alibaba Cloud and Amazon Web Services (AWS).
Prerequisites
Before you start, make sure that the following requirements are met:
- Cloud services are deployed on an AWS server. For more information, consult your service
provider.
- Virtual private clouds (VPCs) are created. For more information, see Create a VPC.
Background information
SAG vCPE is an image that can be deployed on cloud instances. You can deploy the SAG
vCPE image on an Alibaba Cloud Edge Node Service (ENS) instance or an AWS instance.
After the image is deployed on an instance, the instance functions as a virtual customer-premises
equipment (CPE) device. This allows you to connect private networks to Alibaba Cloud
in a more flexible way.
The following figure describes how to establish network communication between cloud
resources deployed on Alibaba Cloud and AWS. For example, an enterprise has deployed
cloud services on Alibaba Cloud in the Singapore region and on AWS. The
enterprise wants to establish network communication between cloud resources deployed
on Alibaba Cloud and AWS.
Procedure
Step 1: Purchase an SAG vCPE device
After you purchase an SAG vCPE device in the SAG console, the system creates an SAG
vCPE instance that allows you to manage and configure the SAG vCPE device.
- Log on to the SAG console.
- On the Smart Access Gateway page, click Purchase SAG.
- Set the following parameters and click Buy Now.
- Area: Select the region where you want to deploy the SAG vCPE image. Singapore is selected in this example.
- Instance Name: Optional. Enter a name for the SAG vCPE instance.
The name must be 2 to 128 characters in length, and can contain digits, periods (.),
underscores (_), and hyphens (-). It must start with a letter or a Chinese character.
- Instance Type: Select the instance type. SAG-vCPE is selected by default.
- Edition: Select the edition of SAG vCPE. Basic Edition is selected by default.
- Deployment Mode: Select the deployment mode. By default, HA is selected.
You can purchase two SAG vCPE devices, and use one as the active device and the other
as the standby device. When the active device is faulty, you can switch to the standby
device. In this example, only the active device is used.
- Peak Bandwidth: Select the maximum bandwidth for network connections.
- Quantity: Enter the number of SAG vCPE devices that you want to purchase. 1 is entered in this example.
- Duration: Select the duration of the subscription.
You can select Auto-renewal to enable automatic renewal upon expiration.
- On the Confirm Order page, confirm the order information, select I have read and agree to Smart Access Gateway-vCPE Agreement of Service, and then click Pay.
- Return to the SAG console. In the top navigation bar, select the region that you specified
when you created the SAG vCPE instance.
- On the Smart Access Gateway page, click the ID of the SAG vCPE instance that you created.
- On the page that appears, click the Device Management tab and record the serial number and key of the active SAG vCPE device.

Step 2: Deploy the SAG vCPE image
To establish network communication between cloud resources deployed on Alibaba Cloud
and AWS, you must create an instance in the AWS VPC. Then, you can deploy the SAG
vCPE image on the newly created instance. After you deploy the image, AWS can be connected
to Alibaba Cloud through the AWS SAG vCPE instance.
For more information about how to create an instance in the AWS VPC, see the relevant
documentation provided by AWS. When you create an AWS VPC instance, note that:
- When you select a system image for the instance, select the SAG vCPE image.
The SAG vCPE image is in the Private state.
Submit a ticket to Alibaba Cloud. After you provide your AWS account, the SAG vCPE image is shared
with your AWS account.

- When you select the instance type, we recommend that you select an instance type with
2 vCPU cores and 4 GB of memory.
With the preceding specification, the bandwidth of private networks for encrypted
connections can reach 300 Mbit/s and higher (the packet length in the performance
test is 1024 bytes). You can also select an instance type with 1 vCPU core and 2 GB of
memory. In this case, the system performance is at least 30% lower. You can select the
specification based on your requirements.

- When you configure the instance, you must provide the serial number and key of the
SAG vCPE device to associate the SAG vCPE device with the SAG vCPE instance. Make
sure that a public IP address is assigned to the instance.
An example of the serial number and key:
{"sn":"sage6m2ph5sit**********","key":"y7y7LUWqnbc4fCpIJnxRQ2c1nOYtW***********"}

- When you configure the security group, you must allow the private CIDR blocks of Alibaba
Cloud and AWS to access the SAG vCPE instance.
- After the instance is started, you must disable the source and destination check.
Step 3: Configure the networks of the SAG vCPE device
After you deploy the SAG vCPE image, the AWS SAG vCPE instance functions as a virtual
CPE device to provide services. To allow the AWS SAG vCPE instance to access Alibaba
Cloud services, you must configure the networks of the instance in the SAG console.
- Select a method to advertise routes to Alibaba Cloud.
- Log on to the SAG console.
- In the top navigation bar, select the region where the SAG vCPE instance is deployed.
- On the Smart Access Gateway page, find the instance and click Network Configuration in the Actions column.
- On the Method to Synchronize with On-premises Routes page, click Add Static Route.
- Enter the private CIDR block of your AWS service and click OK.
- Associate the SAG vCPE instance with a CCN instance.
Cloud Connect Network (CCN) is an important component of SAG. SAG connects your private
networks to Alibaba Cloud through CCN. For more information, see Introduction to CCN.
If you have not created a CCN instance, create a CCN instance before you perform the
following steps. For more information about how to create a CCN instance, see Create a CCN instance.
- On the Smart Access Gateway page, find the instance and click Network Configuration in the Actions column.
- Click Network Instance Details.
- Click Attach Network, select the CCN instance you want to associate, and then click OK.
- After the CCN instance is associated with the SAG vCPE instance, the VPN Status and
Control Status change to Normal on the Device Management tab.
- Configure the CEN instance.
Cloud Enterprise Network (CEN) allows the SAG vCPE instance to communicate with the
resources deployed in your Alibaba Cloud VPCs. For more information about CEN, see
What is Cloud Enterprise Network?.
You must perform the following steps to associate the SAG vCPE instance and the created
Alibaba Cloud VPC with a CEN instance. Then, the routes of the SAG vCPE instance and
the VPC can be advertised to each other.
- In the left-side navigation pane, click CCN.
- On the CCN page, find the CCN instance and click Bind CEN Instance in the Actions column.
- In the Bind CEN Instance pane, select the CEN instance you want to associate and click OK.
You can use one of the following methods to select the CEN instance.
Create CEN is selected in this example.
- Existing CEN: If you have already created a CEN instance, you can select an existing CEN instance
from the drop-down list.
- Create CEN: If you have not created a CEN instance, enter an instance name. The system then
creates a CEN instance and automatically associates it with the CCN instance.
The name must be 2 to 100 characters in length, and can contain digits, underscores
(_), and hyphens (-). It must start with a letter or a Chinese character.
- Associate the Alibaba Cloud VPC with the CEN instance. For more information, see Attach networks.
- After the VPC is associated with the CEN instance, you must configure the security
group of the Elastic Compute Service (ECS) instance that is deployed in the VPC. You
must allow the private CIDR block of the AWS instance to access the resources deployed
in the VPC. For more information, see Add security group rules.
Step 4: Configure the AWS instance
To establish interconnections between AWS and Alibaba Cloud, you must configure the
AWS instance. For more information about how to configure the AWS instance, consult
your service provider.
- Log on to the AWS instance.
- Configure routes for the AWS instance.
Add a route for the Alibaba Cloud CIDR block and set its next hop to the SAG vCPE
instance that is deployed in the AWS VPC. This establishes network communication between
cloud resources deployed on Alibaba Cloud and AWS.

- Configure a security group rule for the AWS instance.
Allow the private CIDR block of Alibaba Cloud to access AWS services.
- After you configure the routes, use the private IP address of the AWS instance as
the source IP address and run the ping command to test the connectivity between
Alibaba Cloud and AWS.
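The security group rules in Steps 2, 3 and 4 should admit only the private CIDR blocks of the two clouds. The following added example (not part of the original documentation) audits a list of inbound rules against those blocks and checks that the two blocks do not overlap. The CIDR values, the rule format, and the function names are constructed for illustration, and IPv4 is assumed.

```python
import ipaddress

# Constructed sample values; substitute the private CIDR blocks of your own VPCs.
ALIBABA_VPC_CIDR = "192.168.0.0/16"
AWS_VPC_CIDR = "172.31.0.0/16"

# Constructed inbound rules for the security group of the SAG vCPE instance.
SAMPLE_RULES = [
    {"source": "192.168.0.0/16", "protocol": "all"},
    {"source": "0.0.0.0/0", "protocol": "tcp"},
    {"source": "10.0.0.0/8", "protocol": "all"},
]


def cidrs_overlap(a, b):
    """True if two CIDR blocks share addresses, so a static route cannot tell them apart."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def audit_inbound_rules(rules, expected_cidrs):
    """Compare inbound rule sources with the CIDR blocks that should be allowed.

    Returns (too_broad, missing): rule sources that admit addresses outside
    every expected block, and expected blocks that the remaining rules do not
    fully cover.
    """
    expected = [ipaddress.ip_network(c) for c in expected_cidrs]
    too_broad, accepted = [], []
    for rule in rules:
        src = ipaddress.ip_network(rule["source"])
        # A rule is acceptable only if its source lies inside an expected block.
        if any(src.subnet_of(e) for e in expected):
            accepted.append(src)
        else:
            too_broad.append(rule["source"])
    # Merge adjacent subnets so two /17 rules count as covering one /16 block.
    merged = list(ipaddress.collapse_addresses(accepted))
    missing = [str(e) for e in expected
               if not any(e.subnet_of(m) for m in merged)]
    return too_broad, missing


if __name__ == "__main__":
    print("overlap:", cidrs_overlap(ALIBABA_VPC_CIDR, AWS_VPC_CIDR))
    broad, absent = audit_inbound_rules(
        SAMPLE_RULES, [ALIBABA_VPC_CIDR, AWS_VPC_CIDR])
    print("too broad:", broad)
    print("not yet allowed:", absent)
```
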