This topic describes how to connect Amazon Web Services (AWS) resources to Alibaba Cloud resources through Smart Access Gateway (SAG) vCPE.

Prerequisites

  • Cloud services are deployed on AWS. For more information, see AWS.
  • Virtual private clouds (VPCs) are created. For more information, see Create a VPC.
  • You understand the security group rules that apply to Alibaba Cloud VPCs. Make sure that the security group rules allow AWS resources to access Alibaba Cloud VPC resources. For more information, see Query security group rules and Add security group rules.

Scenarios

The following figure shows how to use SAG vCPE to establish network communication between cloud resources deployed on Alibaba Cloud and AWS. For example, an enterprise has deployed cloud services on Alibaba Cloud in the Singapore (Singapore) region and on AWS. The enterprise wants to establish network communication between cloud resources deployed on Alibaba Cloud and AWS.

You can deploy the SAG vCPE image on an instance in an AWS VPC. This way, the instance can serve as an SAG vCPE device to help you connect AWS resources to Alibaba Cloud. After you connect the SAG vCPE device to Alibaba Cloud, you can enable resources in AWS VPCs and Alibaba Cloud VPCs to access each other by using Cloud Connect Network (CCN) and Cloud Enterprise Network (CEN).

Architecture

Procedure

Step 1: Create an SAG vCPE instance

You can create an SAG vCPE instance in the SAG console. After you create an SAG vCPE instance, you can manage the SAG vCPE device through the SAG vCPE instance.

  1. Log on to the SAG console.
  2. On the SAG page, choose Purchase SAG > Create SAG (vCPE).
  3. Set the following parameters to configure the SAG vCPE instance, click Buy Now, and then complete the payment.
    • Area: Select the region where you want to deploy the SAG vCPE instance. In this example, Singapore is selected.
    • Instance Name: Enter a name for the SAG vCPE instance.

      The name must be 2 to 128 characters in length and can contain digits, periods (.), underscores (_), and hyphens (-). It must start with a letter.

    • Device Type: SAG-vCPE is selected by default.
    • Edition: Basic Edition is selected by default.
    • Deployment Mode: Select a deployment mode for the SAG vCPE device. By default, Active-Standby is selected.

      In Active-Standby mode, one SAG vCPE instance can be associated with two SAG vCPE devices by default. You can deploy two SAG vCPE devices in active-standby mode and connect on-premises networks to Alibaba Cloud. This improves network availability. In this example, only the active device is used.

    • Peak Bandwidth: Select the maximum bandwidth for network connections. Unit: Mbit/s.
    • Quantity: Enter the number of SAG vCPE instances that you want to create. In this example, 1 is used.
    • Duration: Specify the subscription duration.
    • Resource Group: Select the resource group to which the SAG vCPE instance belongs.
  4. Return to the SAG console. In the top navigation bar, select the region where the SAG vCPE instance is deployed.
  5. In the left-side navigation pane, click Smart Access Gateway.
  6. On the SAG page, click the ID of the SAG vCPE instance.
  7. On the instance details page, click the Device Management tab, then view and record the serial number and key of the active SAG vCPE device. The serial number and key are used to associate the SAG vCPE instance with an SAG vCPE device, and are required by the deployment script in Step 2.

Step 2: Deploy the SAG vCPE image

To establish network communication between cloud resources deployed on Alibaba Cloud and AWS, you must create an instance in the AWS VPC. Then, you can deploy the SAG vCPE image on the newly created instance. After you deploy the SAG vCPE image, the AWS instance can serve as an SAG vCPE device and allows you to connect AWS resources to Alibaba Cloud resources.

  1. Create an instance in the AWS VPC.

    For more information about how to create an instance in the AWS VPC, see relevant AWS documentation. Make sure that the AWS instance meets the following requirements:

    • You can install operating systems of the following types on the instance:
      • 64-bit CentOS 7.6 or later.
      • 64-bit Ubuntu 18.04 or later.

      We recommend that you install the 64-bit CentOS 7.6 operating system.

    • The instance runs kernel version 3.10.0-957.21.3.el7.x86_64 or later.
    • The instance has an independent network interface controller (NIC) that allows the instance to connect to the Internet.
    • You can remotely log on to the instance.
    • No service system is running on the instance.
    • If the host is a cloud instance or an Edge Node Service (ENS) instance, it must have at least one vCPU core and at least 2 GB of memory.
      We recommend that you select a 2-core vCPU and 4 GB of memory for the instance. In this case, the bandwidth of private networks for encrypted connections can reach 350 Mbit/s and higher (the packet length in the performance test is 1024 bytes).
  2. Log on to the AWS instance and download the script to the /root directory of the instance. For more information, see relevant AWS documentation.
    Notice
    • You can also download the script to a custom directory. In this case, make sure that you select the corresponding path when you run the script.
    • After you download the script, do not modify its content or name.
    • If your host is deployed in mainland China, run the following command to download the script:
      wget -O /root/sag_vcpe_v2.3.0_deployment.sh https://sdwan-oss-shanghai.oss-cn-shanghai.aliyuncs.com/vcpe_vm/sag_vcpe_v2.3.0_deployment.sh
    • If your host is deployed outside mainland China, run the following command to download the script:
      wget -O /root/sag_vcpe_v2.3.0_deployment.sh https://sdwan-oss-shanghai.oss-accelerate.aliyuncs.com/vcpe_vm/sag_vcpe_v2.3.0_deployment.sh
  3. Run the following command to grant the script executable permissions:
    chmod +x /root/sag_vcpe_v2.3.0_deployment.sh
  4. Run the script.
    /root/sag_vcpe_v2.3.0_deployment.sh -n sage6nniq3**** -k X8==**** -t aws  -w eth0

    The following table describes the parameters used in this example. For more information about the other parameters of the script, see Descriptions of the script parameters.

    Parameter   Description
    -n          The serial number of the SAG vCPE device.
    -k          The key of the SAG vCPE device.
    -t          The service provider of the host where you want to install the SAG vCPE image. Valid values:
                • aliyun (default): deploys the SAG vCPE image on an Alibaba Cloud Elastic Compute Service (ECS) instance.
                • aws: deploys the SAG vCPE image on an Amazon Elastic Compute Cloud (EC2) instance.
                • Any string of letters other than aliyun or aws: deploys the SAG vCPE image on an on-premises server.
    -w          The name of the NIC for the WAN port. You can view the NIC name of the host by running the ifconfig command.
  5. When you run the script, the system automatically checks whether the deployment environment meets the requirements. If required components are missing, the following prompt appears. Enter yes and the system automatically installs them.
    Install the components
  6. If the deployment environment meets the requirements, the system automatically starts to deploy the SAG vCPE image. After the image is deployed, the following prompt appears.
    Deployed
  7. View the deployment result.
    After you deploy the SAG vCPE image, run the docker ps command to check whether the following containers are installed on the system. View the deployment result

    If the system has both the vsag-core and vsag-manager-base containers installed, it indicates that the SAG vCPE image is deployed. If not, it indicates that the SAG vCPE image is not deployed. In this case, you can submit a ticket to request technical support from Alibaba Cloud.
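The following shell script is an added example, not part of the Alibaba Cloud page or the deployment script itself. It wraps the host checks from this step (kernel version, WAN NIC, script permissions) and the post-deployment container check, so that the SAG vCPE device key is passed from an environment variable rather than typed into a logged shell session. The minimum kernel version is compared numerically against the one stated above; treating that minimum as applying to Ubuntu kernels too is an assumption.

```shell
#!/bin/sh
# Added example: checks around the SAG vCPE deployment script (not the page's own code).
MIN_KERNEL="3.10.0-957.21.3"                      # minimum kernel named in the requirements
SCRIPT="/root/sag_vcpe_v2.3.0_deployment.sh"      # path used in the procedure above

# kernel_meets_minimum RELEASE: 0 when RELEASE (as printed by `uname -r`) is >= MIN_KERNEL.
# The distro suffix (.el7.x86_64) is stripped so that sort -V compares only version numbers.
kernel_meets_minimum() {
  ver=$(printf '%s' "$1" | sed -e 's/\.el7.*$//' -e 's/\.x86_64$//')
  lowest=$(printf '%s\n%s\n' "$MIN_KERNEL" "$ver" | sort -V | head -n 1)
  [ "$lowest" = "$MIN_KERNEL" ]
}

# nic_exists NAME: 0 when the interface passed to -w exists on this host.
nic_exists() { [ -d "/sys/class/net/$1" ]; }

# vsag_containers_running NAMES: 0 when both expected containers appear in NAMES,
# one name per line (for example the output of `docker ps --format '{{.Names}}'`).
vsag_containers_running() {
  printf '%s\n' "$1" | grep -qx 'vsag-core' &&
  printf '%s\n' "$1" | grep -qx 'vsag-manager-base'
}

# preflight WAN_NIC: fail early instead of discovering a problem halfway through deployment.
preflight() {
  kernel_meets_minimum "$(uname -r)" || { echo "kernel too old: $(uname -r)" >&2; return 1; }
  nic_exists "$1" || { echo "WAN NIC $1 not found" >&2; return 1; }
  [ -x "$SCRIPT" ] || { echo "$SCRIPT missing or not executable (run chmod +x)" >&2; return 1; }
}

# deploy WAN_NIC: runs the vendor script. SAG_SN and SAG_KEY (assumed variable names) hold
# the serial number and key recorded in Step 1, so the key does not land in shell history.
deploy() {
  [ -n "$SAG_SN" ] && [ -n "$SAG_KEY" ] || { echo "set SAG_SN and SAG_KEY" >&2; return 1; }
  preflight "$1" || return 1
  "$SCRIPT" -n "$SAG_SN" -k "$SAG_KEY" -t aws -w "$1" || return 1
  vsag_containers_running "$(docker ps --format '{{.Names}}')" ||
    { echo "vsag-core or vsag-manager-base missing; open a ticket" >&2; return 1; }
}
```

Run it as `SAG_SN=... SAG_KEY=... sh -c '. ./sag_checks.sh && deploy eth0'` on the AWS instance; the check functions can also be called on their own.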

Step 3: Configure networks on the Alibaba Cloud side

After the SAG vCPE image is deployed, you must configure networks for the SAG vCPE device in the SAG console. This allows the SAG vCPE device to connect to Alibaba Cloud.

  1. Select a method to advertise routes to Alibaba Cloud.
    1. Log on to the SAG console.
    2. In the top navigation bar, select the region where the SAG vCPE device is deployed.
    3. On the Smart Access Gateway page, find the SAG vCPE instance and click Network Configuration in the Actions column.
    4. Choose Network Configuration > Method to Synchronize with On-premises Routes and click Add Static Route.
    5. In the Add Static Route dialog box, enter the private CIDR block of the AWS service and click OK.
      Method to Synchronize with On-premises Routes
  2. Associate the SAG vCPE instance with a CCN instance.
    CCN is an important component of SAG. SAG connects your private networks to Alibaba Cloud through CCN.
    1. Create a CCN instance. For more information, see Create a CCN instance.
      The SAG vCPE instance and CCN instance must belong to the same region.
    2. In the left-side navigation pane, click Smart Access Gateway.
    3. On the Smart Access Gateway page, find the SAG vCPE instance and click Network Configuration in the Actions column.
    4. On the instance details page, choose Network Configuration > Network Instance Details.
    5. In the Associated Instances Under Current Account section, click Attach Network, select a CCN instance, and then click OK.
    6. After you associate the CCN instance, click the Device Management tab. If the VPN Status and Controller Status of the SAG vCPE device are both Normal, the SAG vCPE device is connected to Alibaba Cloud.
      View the status of the SAG vCPE device
  3. Configure a CEN instance.
    Perform the following operations to connect the SAG vCPE instance to CEN and attach the Alibaba Cloud VPC to the same CEN instance. The SAG vCPE instance and the Alibaba Cloud VPC can then learn routes from each other, and the SAG vCPE device can communicate with the resources in the Alibaba Cloud VPC.
    1. In the left-side navigation pane, click CCN.
    2. On the CCN page, find the CCN instance and click Bind CEN Instance in the Actions column.
    3. In the CEN Instance panel, select a CEN instance and click OK.
      You can use one of the following methods to select a CEN instance. Create CEN is selected in this example.
      • Existing CEN: If you have already created a CEN instance, you can select an existing CEN instance from the drop-down list.
      • Create CEN: If you have not created a CEN instance, enter an instance name. The system then creates a CEN instance and automatically attaches the CCN instance to the CEN instance.

        The instance name must be 2 to 100 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

    4. Attach the Alibaba Cloud VPC to the CEN instance. For more information, see Attach networks.

Step 4: Configure networks on the AWS side

To enable communication between AWS resources and Alibaba Cloud resources, you must configure networks for the AWS VPC. For more information about specific commands, consult AWS.

  1. Configure routes for the AWS service.
    Add the following route entry to the route table of the AWS VPC: the destination CIDR block is the CIDR block of the Alibaba Cloud VPC, and the next hop is the AWS instance on which the SAG vCPE image is deployed. This instance forwards traffic between AWS resources and Alibaba Cloud resources. Configure routes for AWS
  2. Configure the security group of the AWS service.
    Allow the private CIDR blocks of Alibaba Cloud and AWS services to communicate with each other.
  3. Disable source checks and destination checks for the AWS instance.
    Disable source and destination checks.
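The three AWS-side changes above, carried out with the AWS CLI, as an added example that is not part of the original page. The route table, instance, security group IDs and CIDR block are placeholders; the security group rule is scoped to the Alibaba Cloud VPC CIDR rather than 0.0.0.0/0, and AWS_CMD can be set to echo to review the calls before they are applied.

```shell
#!/bin/sh
# Added example: AWS-side configuration for the SAG vCPE host (not the page's own code).
# Set AWS_CMD=echo to print the calls instead of running them.
AWS_CMD="${AWS_CMD:-aws}"

# configure_aws_side ROUTE_TABLE_ID SAG_INSTANCE_ID SECURITY_GROUP_ID ALIBABA_VPC_CIDR
configure_aws_side() {
  rtb="$1"; sag_instance="$2"; sg="$3"; ali_cidr="$4"

  # 1. Route the Alibaba Cloud VPC CIDR block to the SAG vCPE instance (next hop = EC2 instance).
  "$AWS_CMD" ec2 create-route \
    --route-table-id "$rtb" \
    --destination-cidr-block "$ali_cidr" \
    --instance-id "$sag_instance" || return 1

  # 2. Allow inbound traffic from the Alibaba Cloud private CIDR block only; do not open 0.0.0.0/0.
  "$AWS_CMD" ec2 authorize-security-group-ingress \
    --group-id "$sg" \
    --protocol all \
    --cidr "$ali_cidr" || return 1

  # 3. The SAG vCPE instance forwards packets it did not originate, so EC2 drops that traffic
  #    unless source/destination checking is turned off for the instance.
  "$AWS_CMD" ec2 modify-instance-attribute \
    --instance-id "$sag_instance" \
    --no-source-dest-check || return 1
}

# source_dest_check_disabled SAG_INSTANCE_ID: 0 when the attribute is now false.
source_dest_check_disabled() {
  val=$("$AWS_CMD" ec2 describe-instance-attribute --instance-id "$1" \
          --attribute sourceDestCheck --query 'SourceDestCheck.Value' --output text) || return 1
  [ "$val" = "False" ]
}

# Usage with placeholder IDs (replace with your own before running):
#   configure_aws_side rtb-PLACEHOLDER i-PLACEHOLDER sg-PLACEHOLDER 192.168.0.0/16
#   source_dest_check_disabled i-PLACEHOLDER && echo "source/dest check is off"
```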

Step 5: Test the connectivity

  1. Log on to an Elastic Compute Service (ECS) instance in the Alibaba Cloud VPC. For more information, see Overview.
  2. Test the connectivity between the Alibaba Cloud VPC and AWS VPC by running the ping command to ping an instance in the AWS VPC.
    If the ping succeeds, the resources in the Alibaba Cloud VPC and the AWS VPC can communicate with each other. Test result
