Alibaba Cloud Smart Access Gateway (SAG) provides a solution based on the Software-defined Wide Area Network (SD-WAN) architecture. Terminal devices can access cloud resources by using an SAG app. After you configure an SAG app, you can remotely access services that are deployed by using a virtual private cloud (VPC) in the cloud from an on-premises device, such as a local computer and a mobile phone. This topic describes how to use an SAG app to connect a WUYING client installed on a local computer to a secure office network of a cloud computer in WUYING Workspace. In this case, the cloud computer can be connected over a private network from the client.
Background information
SAG is an SD-WAN service provided by Alibaba Cloud. In most cases, SAG takes effect together with Cloud Connect Network (CCN). For more information about SAG, see What is SAG? SAG provides the following service types: SAG customer-premises equipment (CPE), SAG vCPE, and SAG app. If you use an SAG CPE or SAG app to connect cloud services, you can refer to this topic to configure network settings.
Preparations
Before you access a cloud computer over a private network from an SAG app, make sure that you complete the following preparations:
A Cloud Enterprise Network (CEN) instance is created. If you do not have a CEN instance, create a CEN instance before you proceed. For more information, see Create a CEN instance.
A Cloud Connect Network (CCN) instance is created. If you do not have a CCN instance, create a CCN instance before you proceed. For more information, see Create a CCN instance.
An office network is created. If you do not have an office network, create a convenience office network or an Active Directory (AD) office network and attach the VPC of the office network to the CEN instance. For more information, see Create or delete a convenience office network or Create and configure an AD office network.
ImportantBefore you create an office network, you must plan the IPv4 CIDR block of the office network that you want to create. This can prevent CIDR block conflicts between the office network and the CEN instance or between the office network and the on-premises data center. For more information, see Plan a CIDR block.
If you already have a convenience office network, you must attach the convenience office network to the CEN instance.
If you deploy your AD system on an Elastic Compute Service (ECS) instance, you must attach the VPC of the AD server to the CEN instance. If you deploy your AD system on an on-premises server, you must connect the on-premises network to the cloud. This way, WUYING Workspace can connect to your AD system. Before you configure an AD domain, you need to create an AD office network and connect the on-premises network to the cloud.
An end user and a cloud computer are created. The cloud computer is assigned to the end user.
If no end user or cloud computer exists, create an end user and a cloud computer based on the type of the office network, and assign the cloud computer to the end user.
For information about how to create an end user, see Create a convenience user or Create and configure an AD office network.
For information about how to create and assign a cloud computer, see Create a cloud computer or Assign cloud computers to end users.
A device is prepared. You need to install the SAG app client and the Alibaba Cloud Workspace client on the device. Make sure that the clients are installed on the same device.
NoteTo use an SAG app, install the SAG app on a device that runs Windows, macOS, Android, or iOS. For more information about the OS and how to obtain the SAG app, see Install the SAG app.
An Alibaba Cloud Workspace client such as the Windows client, macOS client, or web client is installed on your on-premises device. You can log on to the installed client and check whether you can access your cloud computer over the VPC.
Step 1: Purchase and configure an SAG app
After you purchase an SAG app instance, configure the network for the instance. To configure the SAG app instance, associate the SAG app instance with a CCN instance, attach the CCN instance to a Cloud Enterprise Network (CEN) instance, configure cloud services for CEN, and then create an SAG app account. The following section describes how to configure these settings.
Purchase an SAG app instance. For more information, see Purchase an SAG app instance.
Associate the SAG app instance with a CCN instance. For more information, see Set up network connections.
NoteYou can configure Domain Name System (DNS) settings when you associate the SAG app instance with a CCN instance, or configure DNS settings on your local computer or mobile device. For more information, see Step 2: Configure network settings on your local device and connect to a private network.
After you associate the SAG app instance with a CCN instance, all clients that are associated with the SAG app instance can communicate with gateways that are associated with the CCN instance. For more information, see Introduction to CCN.
Attach the CCN instance to a CEN instance. For more information, see Associate a CCN instance with a CEN instance.
After you attach a CCN instance to the CEN instance, gateways that are associated with the CCN instance can communicate with the resources in the CEN instance.
ImportantMake sure that the VPC of your office network and the CCN instance are attached to the same CEN instance.
Configure cloud services for the CEN instance. For more information, see Access to cloud services.
You can configure a cloud service to access on a Basic Edition transit router or an Enterprise Edition transit router based on your business requirements. This way, your end users can access the cloud service by using the CCN instance.
NoteIf you want to use WUYING Workspace in multiple regions, specify 100.96.0.0/11 as the CIDR block of the service. If you want to configure more detailed network settings, specify CIDR blocks. For more information, see Port overview. Among these CIDR blocks, take note that the IP address of a domain name that corresponds to a private network service is the same as that of the cloud service.
Create an account to log on to an SAG app. For more information, see Create a client account.
After you complete the network settings, you can create an account and send the account to an end user. Then, the end user can use the account to log on to the SAG app and access Alibaba Cloud services.
Step 2: Configure network settings on your local device and connect to a private network
On your local device, such as a local computer or a mobile phone, install and log on to the SAG app. After you configure DNS, you can connect to the private network with a few clicks. The following section describes how to configure the network settings. In this section, SAG app V2.5.0 for Windows is used as an example.
Download and install the SAG app on your local computer.
For more information about the OS and how to obtain the SAG app, see Install the SAG app.
Open the SAG app, enter the required information, select a protocol, and then click Login. The system automatically initiates a connection.
NoteBefore you perform this step, obtain the logon information that is sent to the associated email address. If no logon information is sent to the email address, check whether the email address that you entered when you created the SAG app account is valid.
In the message that appears, click CONNECT.
Configure DNS settings on your local computer.
Before you configure DNS settings, run the following command to check whether domain names can be resolved.
nslookup ecd-vpc.cn-hangzhou.aliyuncs.comIf an IP address is returned, the domain name can be resolved as expected. Then, skip this step. If no IP address is returned, perform the following steps to configure DNS settings:
Add 100.100.2.136 or 100.100.2.138 to the DNS server list.
NoteThe following section describes how to configure DNS. In this section, a local computer that runs Windows 10 is used as an example.
Go to Control Panel and open Network and Sharing Center.
In the left-side navigation pane, click Change adapter settings.
Right-click the network adapter that you want to use for the SAG app and select Properties.
In the This connection uses the following items section, double-click Internet Protocol Version 4 (TCP/IPv4).
In the dialog box that appears, specify a DNS server that you want to manage and click OK.
You can set the Preferred DNS server parameter to 100.100.2.136 and the Alternative DNS server parameter to 100.100.2.138.
Run the following command to check whether the DNS server works as expected.
nslookup ecd-vpc.cn-hangzhou.aliyuncs.com
Step 3: Check whether you can access a cloud computer over a VPC
In this example, a Windows client of Alibaba Cloud Workspace V5.2.0 is used to check whether the access to a cloud computer over a VPC is allowed. You can also use another client to access your cloud computer over a VPC based on your business requirements.
Obtain information, such as the office network ID, username, and password, that is required to log on to the Windows client from the received email.
Double-click the
icon to open the Windows client. Follow the on-screen instructions to enter the username and password.
ImportantIf you log on to a client by using only an office network ID, select Alibaba Cloud VPC.
Click Switch Connection Type, select Alibaba Cloud VPC, and then click OK.
Click Next.
Follow the on-screen instructions to enter the username and password. Then, click Next.
Connect to the cloud computer.
If the client logon is successful, your cloud computer is displayed as a card on your screen. You can click Connect Desktop on the card to connect to your cloud computer. If the connection is successful, you can view and use your cloud computer in a new window.
ImportantIf a network request timeout error is reported, the network is inaccessible. In this case, you need to check your parameter settings. After you confirm your parameter settings, you can log on to your client and connect to your cloud computer again.