All Products
Search
Document Center

Smart Access Gateway:What is SAG?

Last Updated:Apr 01, 2026

Smart Access Gateway (SAG) is a cloud-native SD-WAN solution that connects your branch offices, data centers, and mobile endpoints to Alibaba Cloud securely. SAG supports three connection types — physical CPE devices, virtual CPE software, and a mobile app.

With SAG, you can:

  • Connect small branch offices and retail stores through physical CPE devices

  • Connect data centers through rack-mounted hardware or software-based virtual CPE

  • Connect remote employees through the SAG app on Windows, macOS, Android, or iOS

  • Link all connected sites into a unified enterprise network using Cloud Enterprise Network (CEN)

Service types

Choose a connection type based on your deployment scenario.

SAG CPE devicesSAG vCPESAG app
Best forBranch offices and data centersFlexible site connections across cloud platformsIndividual endpoints (computers, mobile devices)
DeploymentPhysical hardware installed on-siteSoftware image deployed on a server or cloud instanceApp installed on user devices
Max encrypted bandwidth50 Mbit/s (SAG-100WM) or 500 Mbit/s (SAG-1000)300 Mbit/s and higherDepends on network conditions
WAN connectivityBroadband, 4G, or Express Connect circuitsBroadband, 4G, or Express Connect circuitsBroadband or mobile data

SAG CPE devices

SAG CPE devices are physical customer-premises equipment (CPE) that you install in your on-premises locations. Two models are available:

For small branch offices and stores — SAG-100WM

  • Sits on a desk or fits in an extra-low voltage box

  • Connects WAN ports to broadband or 4G networks

  • Connects LAN ports to wired or Wi-Fi networks

  • Maximum encrypted private network bandwidth: 50 Mbit/s (packet length: 512 bytes)

For large branch offices and data centers — SAG-1000

  • Mounts in a server rack

  • Connects WAN ports to Express Connect circuits, broadband networks, or 4G networks

  • Connects LAN ports to wired networks

  • Maximum encrypted private network bandwidth: 500 Mbit/s (packet length: 512 bytes)

SAG vCPE

SAG vCPE is a software image that turns a server or cloud instance into a virtual CPE device. Deploy it on:

  • Data center servers

  • Edge Node Service (ENS) instances

  • Alibaba Cloud instances

  • Amazon Web Services (AWS) instances

  • Microsoft Azure instances

Maximum encrypted private network bandwidth: 300 Mbit/s and higher (packet length: 1,024 bytes).

SAG app

Install the SAG app on individual computers or mobile devices to connect endpoints directly to Alibaba Cloud. Supported operating systems:

  • Windows: Windows 7 SP1 and later

  • macOS: 10.11.1 and later

  • Android: 5.0 to 10.0

  • iOS: 12.0 and later

Components

The following diagram shows how SAG components work together. Data centers and branch offices connect through SAG CPE devices, individual endpoints connect through the SAG app, and other networks connect through SAG vCPE. Once connected to Alibaba Cloud, CEN links all sites across regions — virtual private clouds (VPCs), data centers, branch offices, mobile clients, and other networks — into a single enterprise network.

产品简介-架构1
ComponentDescriptionReferences
SAG CPEPhysical CPE devicesWhat is SAG?
SAG vCPEVirtual CPE devicesWhat is SAG vCPE?
SAG appMobile and desktop appWhat is the SAG app?
Cloud Connect Network (CCN)A matrix of Alibaba Cloud access pointsWhat is CCN?
Cloud Enterprise Network (CEN)Inter-region connectivity on Alibaba CloudWhat is CEN?
VPCPrivate networks on Alibaba CloudWhat is VPC?

Architecture

SAG uses a cloud-native SD-WAN architecture with three advantages over traditional SD-WAN:

Zero touch provisioning (ZTP)

Manage SAG CPE devices through the SAG console, API, and CloudMonitor — the same way you manage VPCs and Elastic Compute Service (ECS) instances.

Hybrid networks

Connect to Alibaba Cloud through a hybrid network that combines Express Connect circuits, broadband, and 4G. This maximizes Express Connect utilization while maintaining network performance.

Integrated cloud-network-edge architecture

SAG integrates your on-premises networks with Alibaba Cloud services:

  • Automatic protocol negotiation between on-premises VPN gateways and cloud VPN gateways — no additional configuration needed

  • Quick access from on-premises networks to Alibaba Cloud services

  • End-to-end security policies that cover both on-premises and cloud networks

云网端

What's next