You can connect to a cloud desktop over the Internet or a virtual private cloud (VPC) when you connect to the cloud desktop from an Alibaba Cloud Workspace client. If you want to connect to the cloud desktop over a VPC, you must establish connections between the on-premises network (the network that is used by the client) and off-premises network (the secure office network of the cloud desktop). To help you better understand the desktop connection mechanism and establish the connectivity between on-premises and off-premises networks, we recommend that you read this topic before you proceed.
Overview
| Connection method | Description |
|---|---|
| Internet | If the cloud desktop gateway accepts only client connection requests from the Internet,clients can connect to cloud desktops in Elastic Desktop Service (EDS) only over the Internet. |
| VPC | If the cloud desktop gateway accepts only client connection requests from VPCs, clients can connect to cloud desktops in Elastic Desktop Service (EDS) only over the enterprise private network. |
| Internet and VPC | If the cloud desktop gateway accepts client connection requests from both the Internet and VPCs, clients can connect to cloud desktops over the Internet and enterprise private network. |
Network architecture
The following figure shows the network architecture that allows users to access all VPC resources from a data center. To implement such access, you can use Express Connect, Smart Access Gateway (SAG), or VPN Gateway to attach the internal network of the data center and a workspace VPC to the same Cloud Enterprise Network (CEN) instance.
- The solution of workspace access over private networks depends on the capabilities of hybrid cloud deployment that are provided by CEN. You can access cloud desktops over the private network connection that is established between a data center and a VPC. The following clients can be used to connect to cloud desktops in Elastic Desktop Service (EDS): Windows client, macOS client, iOS client, Android client, and Web client. If you want to access one of the clients, management links and data links are required. Therefore, you must consider the router configurations of both links. CEN can establish private connections between different network instances, such as VPCs, virtual border routers (VBRs), and cloud connect networks (CCNs). This way, on-premises and off-premises resources can communicate with each other. For more information, see What is CEN? or Combine multiple connection methods to build an enterprise-class hybrid cloud.
- VPCs are logically isolated private networks in the cloud. In Elastic Desktop Service (EDS), VPCs can be divided into management VPCs and workspace VPCs. Both management VPCs and workspace VPCs are maintained by Alibaba Cloud. A management VPC can be used to control service components, and a workspace VPC is a dedicated VPC that is created by the system based on the CIDR block that you specified when you created the workspace. A workspace VPC is a secure office network.
- Express Connect helps to connect the internal network in a data center to an Alibaba Cloud endpoint by using an Express Connect circuit. One end of the circuit connects the gateways in the data center, and the other to a VBR. When you attach the VBR and workspace VPC to the same CEN instance, the data center can access resources that use the VPC. For more information, see What is Express Connect?
- SAG is a software-defined wide area network (SD-WAN) service provided by Alibaba Cloud. In most cases, SAG takes effect together with CCN. For more information, see What is SAG?
- VPN Gateway is a service for network connectivity. You can establish secure and reliable connections between a data center and an Alibaba Cloud VPC by creating encrypted tunnels. In the preceding figure, a user VPC is used to create a server in the cloud. The cloud server is required when you use VPN Gateway. In this case, you must provide a cloud VPC (user VPC) to create a cloud server. For more information, see What is VPN Gateway?
Network connection
If you connect to a cloud desktop in Elastic Desktop Service (EDS) from an Alibaba Cloud Workspace client over a private network of your enterprise, you must establish a connection between the on-premises network that is used by the client and the off-premises network that is used by the workspace to which the cloud desktop belongs. Alibaba Cloud provides services, such as SAG, VPN Gateway, and Express Connect, to establish network connection.
| Method | Description | References |
|---|---|---|
| SAG app | You can install an SAG app on a terminal device, such as a computer or a mobile phone, to implement desktop access by using CCN. | Use an SAG app to access a cloud desktop from an Alibaba Cloud Workspace client over a private network |
| VPN Gateway (IPsec-VPN) | VPN Gateway supports IPsec-VPN and SSL-VPN connections. For more information, see VPN gateways. You can use IPsec-VPN to establish a secure connection between a data center and a VPC or between VPCs. | Use IPsec-VPN to access cloud desktops from an Alibaba Cloud Workspace client over private networks |
| VPN Gateway (SSL-VPN) | You can use SSL-VPN to connect an Alibaba Cloud Workspace client to applications and services that are deployed by using the same VPC to implement desktop access. | Use SSL-VPN to access cloud desktops from an Alibaba Cloud Workspace client over a private network |
| Express Connect | Alibaba Cloud Express Connect can establish high-speed, stable, and secure private network connections between a data center and a VPC by using an Express Connect circuit. For more information, see What is a connection over an Express Connect circuit? You can use an Express Connect circuit and an IPsec-VPN gateway to connect on-premises and off-premises networks to implement desktop access by using active/standby links. |