Connect AWS to Alibaba Cloud through SAG vCPE

Procedure

Step 1: Purchase an SAG vCPE device

After you purchase an SAG vCPE device in the SAG console, the system creates an SAG vCPE instance that allows you to manage and configure the SAG vCPE device.

1. Log on to the SAG console.
2. On the Smart Access Gateway page, click Purchase SAG.
3. Set the following parameters and click Buy Now.
   • Area: Select the region where you want to deploy the SAG vCPE image. Singapore is selected in this example.
   • Instance Name: Optional. Enter a name for the SAG vCPE instance.

     The name must be 2 to 128 characters in length, and can contain digits, periods (.), underscores (_), and hyphens (-). It must start with a letter or a Chinese character.

   • Instance Type: Select the instance type. SAG-vCPE is selected by default.
   • Edition: Select the edition of SAG vCPE. Basic Edition is selected by default.
   • Deployment Mode: Select the deployment mode. By default, HA is selected.

     You can purchase two SAG vCPE devices, and use one as the active device and the other as the standby device. When the active device is faulty, you can switch to the standby device. In this example, only the active device is used.

   • Peak Bandwidth: Select the maximum bandwidth for network connections.
   • Quantity: Enter the number of SAG vCPE devices that you want to purchase. 1 is entered in this example.
   • Duration: Select the duration of the subscription.

     You can select Auto-renewal to enable automatic renewal upon expiration.

4. On the Confirm Order page, confirm the order information, select I have read and agree to Smart Access Gateway-vCPE Agreement of Service, and then click Pay.
5. Return to the SAG console. In the top navigation bar, select the region that you specified when you created the SAG vCPE instance.
6. On the Smart Access Gateway page, click the ID of the SAG vCPE instance that you created.
7. On the page that appears, click the Device Management tab and record the serial number and key of the active SAG vCPE device.

Step 2: Deploy the SAG vCPE image

To establish network communication between cloud resources deployed on Alibaba Cloud and AWS, you must create an instance in the AWS VPC. Then, you can deploy the SAG vCPE image on the newly created instance. After you deploy the image, AWS can be connected to Alibaba Cloud through the AWS SAG vCPE instance.

For more information about how to create an instance in the AWS VPC, see relevant documentations provided by AWS. When you create an AWS VPC instance, note that:

1. When you select a system image for the instance, select the SAG vCPE image.
   The SAG vCPE image is in the Private state. Submit a ticket to Alibaba Cloud. After you provide your AWS account, the SAG vCPE image is shared with your AWS account.
2. When you select the instance type, we recommend that you select a vCPU with 2 cores and 4 GB memory.
   With the preceding specification, the bandwidth of private networks for encrypted connections can reach 300 Mbit/s and higher (the packet length in the performance test is 1024 bytes). You can also select a vCPU with 1 core and 2 GB memory. In this case, the system performance is at least 30% lower. You can select the specification based on your requirements.
3. When you configure the instance, you must provide the serial number and key of the SAG vCPE device to associate the SAG vCPE device with the SAG vCPE instance. Make sure that a public IP address is assigned to the instance.
   An example of the serial number and key:

   {"sn":"sage6m2ph5sit**********","key":"y7y7LUWqnbc4fCpIJnxRQ2c1nOYtW***********"}

   
4. When you configure the security group, you must allow the private CIDR blocks of Alibaba Cloud and AWS to access the SAG vCPE instance.
5. After the instance is started, you must disable the source and destination check.
   

Step 3: Configure the networks of the SAG vCPE device

After you deploy the SAG vCPE image, the AWS SAG vCPE instance functions as a virtual CPE device to provide services. To allow the AWS SAG vCPE instance to access Alibaba Cloud services, you must configure the networks of the instance in the SAG console.

1. Select a method to advertise routes to Alibaba Cloud.
   1. Log on to the SAG console.
   2. In the top navigation bar, select the region where the SAG vCPE instance is deployed.
   3. On the Smart Access Gateway page, find the instance and click Network Configuration in the Actions column.
   4. On the Method to Synchronize with On-premises Routes page, click Add Static Route.
   5. Enter the private CIDR block of your AWS service and click OK.
      
2. Associate the SAG vCPE instance with a CCN instance.
   Cloud Connect Network (CCN) is an important component of SAG. SAG connects your private networks to Alibaba Cloud through CCN. For more information, see Introduction to CCN.

   If you have not created a CCN instance, create a CCN instance before you perform the following steps. For more information about how to create a CCN instance, see Create a CCN instance.

   1. On the Smart Access Gateway page, find the instance and click Network Configuration in the Actions column.
   2. Click Network Instance Details.
   3. Click Attach Network, select the CCN instance you want to associate, and then click OK.
   4. After the CCN instance is associated with the SAG vCPE instance, the VPN Status and Control Status change to Normal on the Device Management tab.
      
3. Configure the CEN instance.
   Cloud Enterprise Network (CEN) allows the SAG vCPE instance to communicate with the resources deployed in your Alibaba Cloud VPCs. For more information about CEN, see What is Cloud Enterprise Network?.

   You must perform the following steps to associate the SAG vCPE instance and the created Alibaba Cloud VPC with a CEN instance. Then, the routes of the SAG vCPE instance and the VPC can be advertised to each other.

   1. In the left-side navigation pane, click CCN.
   2. On the CCN page, find the CCN instance and click Bind CEN Instance in the Actions column.
   3. In the Bind CEN Instance pane, select the CEN instance you want to associate and click OK.
      You can use one of the following methods to select the CEN instance. Create CEN is selected in this example.

      • Existing CEN: If you have already created a CEN instance, you can select an existing CEN instance from the drop-down list.
      • Create CEN: If you have not created a CEN instance, enter an instance name. The system then creates a CEN instance and automatically associates it with the CCN instance.

        The name must be 2 to 100 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter or a Chinese character.

   4. Associate the Alibaba Cloud VPC with the CEN instance. For more information, see Attach networks.
   5. After the VPC is associated with the CEN instance, you must configure the security group of the Elastic Compute Service (ECS) instance that is deployed in the VPC. You must allow the private CIDR block of the AWS instance to access the resources deployed in the VPC. For more information, see Add security group rules.
      

Step 4: Configure the AWS instance

To establish interconnections between AWS and Alibaba Cloud, you must configure the AWS instance. For more information about how to configure the AWS instance, consult your service provider.

1. Log on to the AWS instance.
2. Configure routes for the AWS instance.
   Map the next hop of the Alibaba Cloud CIDR block to the SAG vCPE instance that is deployed in the AWS VPC. This establishes network communication between cloud resources deployed on Alibaba Cloud and AWS.
3. Configure a security group rule for the AWS instance.
   Allow the private CIDR block of Alibaba Cloud to access AWS services.
4. After you configure the routes, use the private IP address of the AWS instance as the source IP address and run the ping command to test the connectivity between Alibaba Cloud and AWS.