This tutorial uses a Ningbo branch and a Hangzhou branch as an example to describe how to use a Smart Access Gateway (SAG) device to connect two local branches to VPCs located in Shanghai and Beijing. The clients of the local branches as a result can directly access the VPCs through the SAG device.


In this tutorial, a company wants to connect local branches in Hangzhou and Ningbo to VPCs hosted in Shanghai and Beijing. Given that the branches and VPCs are all in the same SAG area, you only need to attach the Cloud Connect Network (CCN) instance associated with the SAG instances to the Cloud Enterprise Network (CEN) instance.

To connect the local branches to the VPCs, you need to complete the following tasks:
  1. Purchase an SAG device.
  2. Connect the SAG device.
  3. Activate the SAG device.
  4. Configure the network connection.
  5. Configure the security group.
  6. Perform an access test.


  • A CEN instance is created.
  • A VPC is created in Shanghai and another VPC is created in Beijing. In addition, the VPCs are added to the same CEN instance. If you have not completed this step, complete the following instructions:
    1. Log on to the Smart Access Gateway console.
    2. Choose Quick Links > VPC.
    3. Select the China (Beijing) region and click the ID of the target VPC.
    4. On the VPC Details page, click Attach to CEN, and then select the target CEN instance.
    5. Repeat the preceding steps to add the VPC in Shanghai to the same CEN instance.

  • A CCN instance is created. For more information, see Create a CCN instance.

Step 1: Buy an SAG device

After you buy an SAG device on the console, Alibaba Cloud delivers the device to you and creates an SAG instance for you to manage.

To buy an SAG device, follow these steps:
  1. Log on to the Smart Access Gateway console.
  2. Click Create SmartAG.
  3. Configure the SAG device and click Buy Now.
    For more information, see Buy a Smart Access Gateway.
    Note In this tutorial, the SAG-100WM specification and the Stand-alone usage method are selected.
  4. Confirm the order information, and then click Buy Now.
  5. On the displayed Address dialog box, enter the shipping address of the gateway device and click Order Now.

    You can check whether the order is successfully placed on the SAG page. The system will deliver the device within 48 hours after the order is placed. If you do not receive the device within 48 hours, you can open a ticket to check the delivery status.

Step 2: Connect the SAG device

After receiving an SAG device, follow SAG-100WM user manual to check that all accessories are included, and then power on the device. After you start the SAG device, connect the WAN port to the network cable and connect the LAN ports to local clients.

In this tutorial, the clients in the Hangzhou and Ningbo branches can be directly connected to Alibaba Cloud through the SAG devices, so you can use the default gateway configuration. If you need to configure the WAN port and LAN ports, see Configuration guide.

Step 3: Activate the SAG device

After receiving an SAG device, you must activate it.

To activate the SAG device, follow these steps:
  1. Log on to the Smart Access Gateway console.
  2. On the SmartAG page, find the target gateway instance.
  3. Click Activate in the Actions column.

Step 4: Configure the network connection

After activating the SAG device, you need to attach it to a CCN instance and then attach the CCN instance to a CEN instance, so that local branches can be connected to Alibaba Cloud.

Complete these steps to configure the network:
  1. Log on to the Smart Access Gateway console.
  2. On the Smart Access Gateway page, find the target SAG instance.
  3. Click Configure Network in the Actions column.
  4. On the Configure Network page, follow these steps:
    1. Private CIDR Block: Configure the private CIDR blocks used by the local clients to access Alibaba Cloud. Make sure all private CIDR blocks do not conflict with one another.

      In this tutorial, enter In this tutorial, each local branch uses the default gateway configuration, so the IP address used by the local client to access Alibaba Cloud is allocated from the CIDR block.

      Note Configuring a 32-bit mask is not supported.
    2. CCN Instance ID/Name: Add the SAG instance to the CCN instance. Then, SAG devices in the CCN instance can communicate with one another.

      In this tutorial, the default CCN is used. For more information.

  5. Bind CEN Instance: Select the CEN instance to attach. After the CCN instance is attached to the CEN instance, SAG devices in the CCN instance can communicate with networks (VPCs and VBRs) attached to the CEN instance.

    In this tutorial, the CEN instance associated with the Shanghai VPC and Beijing VPC is selected.

  6. Click OK.
  7. Repeat the preceding steps to configure the network for the SAG instance of the other branch.

    Make sure the two SAG instances are attached to the same CCN instance and the same CEN instance.

Step 5: Configure a security group

Configure a security group to allow the branches to access VPC.

To configure the security groups, complete these steps:
  1. Log on to the ECS Console.
  2. In the left-side navigation pane, click Instances.
  3. Find the target ECS instance in the target VPC, and then choose More > Network and Security Group > Configure Security Group.

  4. Click Add Rules and click Add Security Group Rule.
  5. Configure a security group rule that allows access from local branches.

    The following figure shows the security group configurations in this tutorial. You need to set the authorization object as the private CIDR block of the local branch.

Step 6: Test the access

After completing the preceding configurations, you can use local clients to access cloud resources deployed in the connected VPCs to check if the configurations take effect.