Smart Access Gateway (SAG) can use Cloud Enterprise Network (CEN) to access cloud services deployed in virtual private clouds (VPCs). This topic describes how to enable access to cloud services in VPCs.

Background information

Cloud services refer to the Alibaba Cloud services that use the 100.64.0.0/10 CIDR block to provide services. These cloud services include Object Storage Service (OSS), Log Service, and Data Transmission Service (DTS). You can connect the Cloud Connect Network (CCN) instance associated with your SAG instance to a transit router to enable the on-premises networks that are attached to your SAG instance to access cloud services in VPCs.
Note By default, newly created transit routers are of Enterprise Edition, which supports connections to VPCs. This topic describes how to enable access to cloud services by using an Enterprise Edition transit router. For more information about how to enable access to cloud services by using a Basic Edition transit router, see Enable access to a cloud service on a Basic Edition transit router.
Enable access to cloud services - V1.1.0

Prerequisites

  • The IP address or CIDR block of the cloud service is obtained.

    For more information about the IP addresses or CIDR blocks used by OSS, see Internal endpoints of OSS buckets and VIP ranges.

  • A CEN instance is created. For more information, see Create a CEN instance.
  • The CCN instance that is associated with your on-premises network and VPC is connected to a transit router. For more information, see Create a VPC connection and Associate a CCN instance with a transit router.
  • An inter-region connection is established between the transit router connected to the VPC and the transit router connected to the CCN instance. For more information, see Manage inter-region connections.
    Note If both the CCN instance and the VPC are deployed in the Chinese mainland, an inter-region connection is automatically created after you connect the VPC and CCN instance to transit routers. By default, associated forwarding and route learning are enabled between inter-region connections and the default route table of the transit router where the inter-region connections are created.

Enable access to cloud services

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click the instance ID.
  3. On the Basic Settings > Transit Router tab, click the ID of the transit router in the region where the cloud service that you want to access is deployed.
  4. On the transit router details page, click the Route Table tab and click the route table that is associated with the inter-region connection.
  5. Click the Route Entry tab below the Route Table Details section, and click Add Route Entry.
  6. In the Add Route Entry dialog box, set the following parameters and click OK.
    The following parameters are available:
    • Route Table: By default, the current route table is selected.
    • Transit Router: By default, the current transit router is selected.
    • Name: Enter a name for the route entry.
    • Destination CIDR: Enter the IP address or CIDR block that the cloud service uses to provide services.
      For example, OSS buckets in the China (Hangzhou) region use the CIDR block 100.118.28.0/24.
    • Blackhole Route: Select whether to specify the route as a blackhole route. Valid values:
      • Yes: specifies that the route is a blackhole route. All traffic destined for this route is dropped.
      • No: specifies that the route is not a blackhole route. In this case, you must specify the next hop of the route.
      No is selected in this example.
    • Next Hop: Select the next hop type. Select the ID of the VPC connection on the transit router.
    • Description: Enter a description for the route.
    Note Typically, a cloud service uses multiple IP addresses or CIDR blocks. Repeat the preceding steps to add all the IP addresses or CIDR blocks of the cloud service.
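Because a cloud service usually has several CIDR blocks and each one needs its own route entry, the repetition is easy to script. The following is an added example, not code from the Alibaba Cloud documentation or the CEN product: it checks that every destination actually lies inside the 100.64.0.0/10 cloud-service space before a route entry is generated, so that a mistyped block (for example a private 10.0.0.0/8 range) cannot be pointed at the VPC connection by accident, and then prints the CLI command for each valid block. The `aliyun cbn CreateTransitRouterRouteEntry` flag names are assumed to mirror the CEN API parameter names; the route table ID, VPC connection ID and the second CIDR block are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud's own code): validate cloud-service CIDR blocks
# against 100.64.0.0/10 and print one route-entry command per valid block.

# Convert a dotted-quad IPv4 address to an integer; fail on malformed input.
ipv4_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -ge 0 ] 2>/dev/null && [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 only if CIDR $1 lies entirely inside 100.64.0.0/10.
# A prefix shorter than /10 would also cover addresses outside the
# cloud-service space, so it is rejected as well.
in_cloud_service_range() {
  cidr="$1"
  case "$cidr" in
    */*) ;;
    *) return 1 ;;
  esac
  ip="${cidr%/*}"
  len="${cidr#*/}"
  [ "$len" -ge 10 ] 2>/dev/null && [ "$len" -le 32 ] || return 1
  addr=$(ipv4_to_int "$ip") || return 1
  base=$(ipv4_to_int 100.64.0.0)
  mask=$(( 1023 << 22 ))                       # top 10 bits set: the /10 netmask
  [ $(( addr & mask )) -eq $(( base & mask )) ]
}

# Print the CLI command that adds one non-blackhole route entry whose next hop
# is the VPC connection (attachment) on the transit router. Flag names are an
# assumption based on the CEN API parameter names; nothing is executed here.
route_entry_cmd() {
  printf 'aliyun cbn CreateTransitRouterRouteEntry --TransitRouterRouteTableId %s --TransitRouterRouteEntryDestinationCidrBlock %s --TransitRouterRouteEntryNextHopType Attachment --TransitRouterRouteEntryNextHopId %s --TransitRouterRouteEntryName %s\n' \
    "$1" "$2" "$3" "$4"
}

# Placeholder identifiers; replace with the route table and VPC connection IDs
# shown in the CEN console.
ROUTE_TABLE_ID="${ROUTE_TABLE_ID:-vtb-PLACEHOLDER}"
VPC_ATTACHMENT_ID="${VPC_ATTACHMENT_ID:-tr-attach-PLACEHOLDER}"

# Constructed input: the OSS China (Hangzhou) block from this topic, a made-up
# second block, and a private range that must be refused.
CIDRS="100.118.28.0/24 100.118.29.0/24 10.0.0.0/8"

for cidr in $CIDRS; do
  if in_cloud_service_range "$cidr"; then
    route_entry_cmd "$ROUTE_TABLE_ID" "$cidr" "$VPC_ATTACHMENT_ID" "cloud-service"
  else
    echo "skip $cidr: outside 100.64.0.0/10" >&2
  fi
done
```

The script only prints the commands; pipe its output to `sh` once the IDs are filled in and the list has been reviewed. Keeping the range check separate from the command builder makes it easy to reuse the same guard for blocks obtained from other cloud services.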