Smart Access Gateway (SAG) is a cloud-native SD-WAN solution that connects your branch offices, data centers, and mobile endpoints to Alibaba Cloud securely. SAG supports three connection types — physical CPE devices, virtual CPE software, and a mobile app.
With SAG, you can:
Connect small branch offices and retail stores through physical CPE devices
Connect data centers through rack-mounted hardware or software-based virtual CPE
Connect remote employees through the SAG app on Windows, macOS, Android, or iOS
Link all connected sites into a unified enterprise network using Cloud Enterprise Network (CEN)
Service types
Choose a connection type based on your deployment scenario.
| SAG CPE devices | SAG vCPE | SAG app | |
|---|---|---|---|
| Best for | Branch offices and data centers | Flexible site connections across cloud platforms | Individual endpoints (computers, mobile devices) |
| Deployment | Physical hardware installed on-site | Software image deployed on a server or cloud instance | App installed on user devices |
| Max encrypted bandwidth | 50 Mbit/s (SAG-100WM) or 500 Mbit/s (SAG-1000) | 300 Mbit/s and higher | Depends on network conditions |
| WAN connectivity | Broadband, 4G, or Express Connect circuits | Broadband, 4G, or Express Connect circuits | Broadband or mobile data |
SAG CPE devices
SAG CPE devices are physical customer-premises equipment (CPE) that you install in your on-premises locations. Two models are available:
For small branch offices and stores — SAG-100WM
Sits on a desk or fits in an extra-low voltage box
Connects WAN ports to broadband or 4G networks
Connects LAN ports to wired or Wi-Fi networks
Maximum encrypted private network bandwidth: 50 Mbit/s (packet length: 512 bytes)
For large branch offices and data centers — SAG-1000
Mounts in a server rack
Connects WAN ports to Express Connect circuits, broadband networks, or 4G networks
Connects LAN ports to wired networks
Maximum encrypted private network bandwidth: 500 Mbit/s (packet length: 512 bytes)
SAG vCPE
SAG vCPE is a software image that turns a server or cloud instance into a virtual CPE device. Deploy it on:
Data center servers
Edge Node Service (ENS) instances
Alibaba Cloud instances
Amazon Web Services (AWS) instances
Microsoft Azure instances
Maximum encrypted private network bandwidth: 300 Mbit/s and higher (packet length: 1,024 bytes).
SAG app
Install the SAG app on individual computers or mobile devices to connect endpoints directly to Alibaba Cloud. Supported operating systems:
Windows: Windows 7 SP1 and later
macOS: 10.11.1 and later
Android: 5.0 to 10.0
iOS: 12.0 and later
Components
The following diagram shows how SAG components work together. Data centers and branch offices connect through SAG CPE devices, individual endpoints connect through the SAG app, and other networks connect through SAG vCPE. Once connected to Alibaba Cloud, CEN links all sites across regions — virtual private clouds (VPCs), data centers, branch offices, mobile clients, and other networks — into a single enterprise network.

| Component | Description | References |
|---|---|---|
| SAG CPE | Physical CPE devices | What is SAG? |
| SAG vCPE | Virtual CPE devices | What is SAG vCPE? |
| SAG app | Mobile and desktop app | What is the SAG app? |
| Cloud Connect Network (CCN) | A matrix of Alibaba Cloud access points | What is CCN? |
| Cloud Enterprise Network (CEN) | Inter-region connectivity on Alibaba Cloud | What is CEN? |
| VPC | Private networks on Alibaba Cloud | What is VPC? |
Architecture
SAG uses a cloud-native SD-WAN architecture with three advantages over traditional SD-WAN:
Zero touch provisioning (ZTP)
Manage SAG CPE devices through the SAG console, API, and CloudMonitor — the same way you manage VPCs and Elastic Compute Service (ECS) instances.
Hybrid networks
Connect to Alibaba Cloud through a hybrid network that combines Express Connect circuits, broadband, and 4G. This maximizes Express Connect utilization while maintaining network performance.
Integrated cloud-network-edge architecture
SAG integrates your on-premises networks with Alibaba Cloud services:
Automatic protocol negotiation between on-premises VPN gateways and cloud VPN gateways — no additional configuration needed
Quick access from on-premises networks to Alibaba Cloud services
End-to-end security policies that cover both on-premises and cloud networks
