This topic describes how to connect Microsoft Azure resources to Alibaba Cloud resources through Smart Access Gateway (SAG) vCPE.

Prerequisites

  • Cloud resources are deployed on Microsoft Azure. For more information, see Microsoft Azure.
  • A VPC is created and cloud services are deployed in the VPC. For more information, see Create an IPv4 VPC.
  • You have learned and understand the security group rules that apply to Alibaba Cloud virtual private clouds (VPCs). Make sure that the security group rules allow Azure resources to access Alibaba Cloud VPC resources. For more information, see Query security group rules and Add security group rules.

Scenarios

The following figure shows the scenario. An enterprise has deployed cloud resources on Azure in the Azure West Europe region and on Alibaba Cloud in the Germany (Frankfurt) region, and wants the resources in the two clouds to communicate with each other over the network.

You can deploy the SAG vCPE image on an Azure virtual machine (VM) in an Azure virtual network (VNet). Then, the VM can serve as an SAG vCPE device and can be connected to Alibaba Cloud. After the SAG vCPE device is connected to Alibaba Cloud, resources in Alibaba Cloud VPCs and Azure VNets can communicate with each other through Cloud Connect Network (CCN) and Cloud Enterprise Network (CEN).

Azure architecture

Procedure

Step 1: Create an SAG vCPE instance

You must create an SAG vCPE instance in the SAG console. Then, you can use the SAG vCPE instance to manage the SAG vCPE device.

  1. Log on to the SAG console.
  2. On the SAG page, choose Purchase SAG > Create SAG (vCPE).
  3. Set the following parameters to configure an SAG vCPE instance, click Buy Now, and then complete the payment.
    • Area: Select the region or area where you want to create the SAG vCPE instance. In this example, Germany (Frankfurt) is selected.
    • Instance Name: Enter a name for the SAG vCPE instance.

      The name must be 2 to 128 characters in length and can contain digits, periods (.), underscores (_), and hyphens (-). It must start with a letter.

    • Device Type: SAG-vCPE is selected by default.
    • Edition: Basic Edition is selected by default.
    • Deployment Mode: Select a deployment mode for the SAG vCPE device. By default, Active-Standby is selected.

      In Active-Standby mode, one SAG vCPE instance can be associated with two SAG vCPE devices by default. You can deploy two SAG vCPE devices in active-standby mode and connect on-premises networks to Alibaba Cloud. This improves network availability. In this example, only the active device is used.

    • Peak Bandwidth: Select the maximum bandwidth for network connections. Unit: Mbit/s.
    • Quantity: Enter the number of SAG vCPE instances that you want to create. In this example, 1 is used.
    • Duration: Specify the subscription duration.
    • Resource Group: Select the resource group to which the SAG vCPE instance belongs.
  4. Return to the SAG console. In the top navigation bar, select the region where the SAG vCPE instance is deployed.
  5. In the left-side navigation pane, click Smart Access Gateway.
  6. On the SAG page, click the ID of the SAG vCPE instance.
  7. On the instance details page, click the Device Management tab, and then view and record the serial number and key of the active SAG vCPE device. The serial number and key are used to associate the SAG vCPE instance with the SAG vCPE device.

Step 2: Deploy the SAG vCPE image

To connect Azure resources to Alibaba Cloud resources, you must first create an Azure VM in an Azure VNet and deploy the SAG vCPE image on the Azure VM. After you deploy the SAG vCPE image, the Azure VM can serve as an SAG vCPE device to connect Azure resources to Alibaba Cloud resources.

  1. Create an Azure VM in an Azure VNet.

    For more information about how to create an Azure VM, see relevant documentation provided by Azure. Make sure that the Azure VM meets the following requirements:

    • One of the following operating systems is installed on the Azure VM:
      • 64-bit CentOS 7.6 or later (recommended).
      • 64-bit Ubuntu 18.04 or later.
    • The kernel version of the Azure VM is 3.10.0-957.21.3.el7.x86_64 or later.
    • The Azure VM has an independent network interface controller (NIC) that allows the Azure VM to connect to the Internet.
    • You can remotely log on to the Azure VM.
    • No business system is running on the Azure VM.
    • The number of vCPU cores for the Azure VM must be one or more and the memory of the Azure VM must be 2 GB or more.

      We recommend that you select a 2-core vCPU and 4 GB memory for the Azure VM. In this case, the bandwidth of private networks for encrypted connections can reach 350 Mbit/s and higher (the packet length in the performance test is 1,024 bytes).

  2. Log on to the Azure VM and download the following script to the /root directory. For more information, see relevant documentation provided by Azure.
    Notice
    • You can also specify a custom path and download the script to the corresponding directory. In this case, make sure that you select the custom path when you run the script.
    • After you download the script, do not modify its content or name.
    • If the Azure VM is deployed in mainland China, run the following command to download the script:
      wget -O /root/sag_vcpe_v2.3.0_deployment.sh https://sdwan-oss-shanghai.oss-cn-shanghai.aliyuncs.com/vcpe_vm/sag_vcpe_v2.3.0_deployment.sh
    • If the Azure VM is deployed outside mainland China, run the following command to download the script:
      wget -O /root/sag_vcpe_v2.3.0_deployment.sh https://sdwan-oss-shanghai.oss-accelerate.aliyuncs.com/vcpe_vm/sag_vcpe_v2.3.0_deployment.sh
  3. Run the following command to grant the script executable permissions:
    chmod +x /root/sag_vcpe_v2.3.0_deployment.sh
  4. Run the script.
    /root/sag_vcpe_v2.3.0_deployment.sh -n sage6nniq3**** -k X8==**** -t azure -w eth0

    The following table describes the parameters used in the command. For information about the other script parameters, see Descriptions of the script parameters.

    Parameter   Description
    -n          The serial number of the SAG vCPE device.
    -k          The key of the SAG vCPE device.
    -t          The service provider of the host on which you want to install the SAG vCPE image. Valid values:
                • aliyun (default): deploys the SAG vCPE image on an Alibaba Cloud Elastic Compute Service (ECS) instance.
                • aws: deploys the SAG vCPE image on an Amazon Elastic Compute Cloud (EC2) instance.
                • azure: deploys the SAG vCPE image on a Microsoft Azure virtual machine (VM).
                • To deploy the SAG vCPE image on an on-premises server, set the value to a string of letters other than aliyun, ens, aws, or azure.
    -w          The name of the NIC used as the WAN port. Run the ifconfig or ip -br address command on the host to view its NIC names.
  5. When you run the script, the system automatically checks whether the deployment environment meets the requirements. If additional components are required, a prompt asks you to install them. Enter yes and the system automatically installs the required components.
  6. If the deployment environment meets the requirements, the system automatically starts to deploy the SAG vCPE image. After the image is deployed, a message indicating that the deployment is complete appears.
  7. View the deployment result.
    After you deploy the SAG vCPE image, run the docker ps command to check which containers are running.

    If both the vsag-core and vsag-manager-base containers are running, the SAG vCPE image is deployed. If either is missing, the SAG vCPE image is not deployed. In this case, you can submit a ticket to request technical support from Alibaba Cloud.
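As an added example (not part of this page or of the SAG deployment script), the following bash script checks the host requirements from step 1 and the container verification from step 7 of this procedure. The minimum kernel version and memory are the values stated above; the function names and the sample docker ps output are constructed here.

```shell
#!/usr/bin/env bash
# Added example (not part of the Alibaba Cloud page or its deployment script):
# pre-flight and post-deployment checks for the Azure VM that hosts SAG vCPE.
# Thresholds come from Step 2; function names and sample output are ours.
MIN_KERNEL="3.10.0-957.21.3"          # minimum kernel from the requirements list
MIN_MEM_KB=$((2 * 1024 * 1024))        # 2 GB, since MemTotal is reported in kB

# kernel_ok <uname -r output>: returns 0 if the kernel is at least MIN_KERNEL.
# The distro/arch suffix (".el7.x86_64") is dropped so only the version is compared;
# Ubuntu kernels ("5.4.0-1089-azure") have no such suffix and compare unchanged.
kernel_ok() {
  local v="${1%%.el*}"
  [ "$(printf '%s\n%s\n' "$MIN_KERNEL" "$v" | sort -V | head -n 1)" = "$MIN_KERNEL" ]
}

# mem_ok <MemTotal in kB>: returns 0 if the VM has at least 2 GB of memory.
mem_ok() { [ "$1" -ge "$MIN_MEM_KB" ]; }

# containers_ok <container names, one per line>: returns 0 only if both containers
# the page expects after deployment (vsag-core and vsag-manager-base) are listed.
containers_ok() {
  local names="$1" c
  for c in vsag-core vsag-manager-base; do
    printf '%s\n' "$names" | grep -q -- "$c" || return 1
  done
}

# Constructed sample output of `docker ps --format '{{.Names}}'` for a healthy
# host and for a host where vsag-core never started.
SAMPLE_PS_OK="$(printf 'vsag-manager-base\nvsag-core\n')"
SAMPLE_PS_MISSING="vsag-manager-base"

# run_checks: evaluates the live host, prints each failed requirement,
# and returns 1 if any check fails.
run_checks() {
  local rc=0 k mem
  k="$(uname -r)"
  kernel_ok "$k" || { echo "FAIL kernel $k is older than $MIN_KERNEL"; rc=1; }
  mem="$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)"
  mem_ok "$mem" || { echo "FAIL memory ${mem} kB is below 2 GB"; rc=1; }
  [ "$(nproc)" -ge 1 ] || { echo "FAIL no vCPU reported"; rc=1; }
  containers_ok "$(docker ps --format '{{.Names}}' 2>/dev/null)" \
    || { echo "FAIL vsag-core and vsag-manager-base are not both running"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK host meets the Step 2 requirements and the image is deployed"
  return "$rc"
}

# Only inspect the live host when invoked with --live, so the functions can be sourced.
if [ "${1:-}" = "--live" ]; then run_checks; fi
```

Run it as `./sag_host_check.sh --live` on the Azure VM after step 7; a non-zero exit code means at least one requirement or container check failed.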

Step 3: Configure networks on the Alibaba Cloud side

After the SAG vCPE image is deployed, you must configure networks for the SAG vCPE device in the SAG console. This allows the SAG vCPE device to connect to Alibaba Cloud.

  1. Select a method to advertise routes to Alibaba Cloud.
    1. Log on to the SAG console.
    2. In the top navigation bar, select the region where the SAG vCPE instance is deployed.
    3. On the Smart Access Gateway page, find the SAG vCPE instance and click Network Configuration in the Actions column.
    4. Choose Network Configuration > Method to Synchronize with On-premises Routes and click Add Static Route.
    5. In the Add Static Route dialog box, enter the private CIDR block of the Azure service and click OK.
  2. Associate the SAG vCPE instance with a CCN instance.
    CCN is an important component of SAG. SAG connects your private networks to Alibaba Cloud through CCN.
    1. Create a CCN instance. For more information, see Create a CCN instance.
      The SAG vCPE instance and CCN instance must belong to the same region.
    2. In the left-side navigation pane, click Smart Access Gateway.
    3. On the Smart Access Gateway page, find the SAG vCPE instance and click Network Configuration in the Actions column.
    4. On the instance details page, choose Network Configuration > Network Instance Details.
    5. In the Associated Instances Under Current Account section, click Attach Network, select a CCN instance, and then click OK.
    6. After you associate the CCN instance, click the Device Management tab. If both the VPN Status and the Controller Status of the SAG vCPE device are Normal, the SAG vCPE device is connected to Alibaba Cloud.
  3. Configure a CEN instance.
    You must perform the following operations to connect the SAG vCPE instance to CEN and attach the Alibaba Cloud VPC to a CEN instance. Then, the SAG vCPE instance and the Alibaba Cloud VPC can learn routes from each other.
    1. In the left-side navigation pane, click CCN.
    2. On the CCN page, find the CCN instance and click Bind CEN Instance in the Actions column.
    3. In the CEN Instance panel, select a CEN instance and click OK.
      You can use one of the following methods to select a CEN instance. Create CEN is selected in this example.
      • Existing CEN: If you have already created a CEN instance, you can select an existing CEN instance from the drop-down list.
      • Create CEN: If you have not created a CEN instance, enter an instance name. The system then creates a CEN instance and automatically attaches the CCN instance to the CEN instance.

        The instance name must be 2 to 100 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

    4. Attach the Alibaba Cloud VPC to the CEN instance. For more information, see Attach a network instance.

Step 4: Configure networks on the Azure side

To enable communication between Azure resources and Alibaba Cloud resources, you must configure networks on the Azure side. For the specific commands and operations, see the Azure documentation.

  1. Create a route table in Azure.
  2. Associate the route table with the subnet where the Azure service is deployed.
  3. Add a route that points to Alibaba Cloud to the Azure route table.
    • Address prefix: Enter the private CIDR block where the Alibaba Cloud service is deployed.
    • Next hop type: Select Virtual appliance.
    • Next hop address: Enter the private IP address of the Azure VM where the SAG vCPE image is deployed.
  4. Find the private network interface of the Azure VM where the SAG vCPE image is deployed, and enable the IP forwarding feature of the network interface.
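As an added example (not from this page or from Alibaba Cloud), the four Azure-side steps above expressed as Azure CLI calls. The az subcommands and flags are real; every resource name, CIDR block and IP address in the script is a placeholder that you replace with your own values.

```shell
#!/usr/bin/env bash
# Added example (not from the Alibaba Cloud page): the Azure-side routing of Step 4
# as Azure CLI calls. The az subcommands and flags are real; every resource name,
# CIDR block and IP address below is a placeholder to replace with your own.
set -eu

# Step 4.1: create the route table in the resource group of the workload VNet.
create_route_table() {   # <resource-group> <route-table> <location>
  az network route-table create --resource-group "$1" --name "$2" --location "$3"
}

# Step 4.2: associate the route table with the subnet where the Azure service runs.
attach_route_table() {   # <resource-group> <vnet> <subnet> <route-table>
  az network vnet subnet update --resource-group "$1" --vnet-name "$2" \
    --name "$3" --route-table "$4"
}

# Step 4.3: send the Alibaba Cloud VPC CIDR to the SAG vCPE VM's private IP, which
# must be declared as a VirtualAppliance next hop for Azure to route through it.
add_alibaba_route() {    # <resource-group> <route-table> <alibaba-cidr> <vcpe-private-ip>
  az network route-table route create --resource-group "$1" --route-table-name "$2" \
    --name to-alibaba-cloud --address-prefix "$3" \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$4"
}

# Step 4.4: without IP forwarding on the vCPE VM's NIC, the Azure fabric does not
# deliver packets addressed to other hosts, so the route above would black-hole traffic.
enable_ip_forwarding() { # <resource-group> <nic>
  az network nic update --resource-group "$1" --name "$2" --ip-forwarding true
}

# Placeholder values (constructed): replace with your own before applying.
RG="rg-sag-demo"; LOCATION="westeurope"; VNET="vnet-app"; SUBNET="snet-app"
RT="rt-to-alibaba"; NIC="nic-sag-vcpe"
ALIBABA_VPC_CIDR="172.16.0.0/12"   # private CIDR block of the Alibaba Cloud VPC
VCPE_PRIVATE_IP="10.0.1.4"         # private IP of the Azure VM running SAG vCPE

# Apply only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
  create_route_table "$RG" "$RT" "$LOCATION"
  attach_route_table "$RG" "$VNET" "$SUBNET" "$RT"
  add_alibaba_route "$RG" "$RT" "$ALIBABA_VPC_CIDR" "$VCPE_PRIVATE_IP"
  enable_ip_forwarding "$RG" "$NIC"
fi
```

The route's next hop must be the private IP of the vCPE VM on the same VNet, and the NIC passed to enable_ip_forwarding must be that VM's private network interface from step 4.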

Step 5: Test the connectivity

  1. Log on to an Elastic Compute Service (ECS) instance in the Alibaba Cloud VPC. For more information, see Overview.
  2. Run the ping command to ping an Azure VM in the Azure VNet and test whether the Alibaba Cloud VPC is connected to the Azure VNet.
    If the ping succeeds, the resources in the Alibaba Cloud VPC and the Azure VNet can communicate with each other.
