Alibaba Cloud Smart Access Gateway (SAG) provides a solution based on the Software-defined Wide Area Network (SD-WAN) architecture. The SAG app allows terminal devices to access cloud resources. After you configure the SAG app, you can remotely access services deployed by using virtual private clouds (VPCs) in the cloud from terminal devices, such as computers and mobile phones. This topic describes how to use the SAG app to connect an Elastic Desktop Service (EDS) client on your computer to the secure office network of a cloud desktop. This enables you to access the cloud desktop from the EDS client over private networks.

Background information

You can choose to connect to a cloud desktop from an EDS client over the Internet or private networks. The properties of the workspace to which the cloud desktop belongs determine the available network connection methods. You can use the following connection methods to access the cloud desktop from the client:
  • If you set Connection Method to Internet, the client can access the cloud desktop only over the Internet.
  • If you set Connection Method to VPC, the client can access the cloud desktop only over a VPC.
  • If you set Connection Method to Internet and VPC, the client can access the cloud desktop over the Internet or a VPC.
Alibaba Cloud PrivateLink is used to establish private connections between VPCs and Alibaba Cloud services. This simplifies network architectures and ensures the security of data transmission.
Note You can use PrivateLink for free. If you set Connection Method to VPC or Internet and VPC, PrivateLink is automatically activated.

To use the VPC connection method, you must enable network connectivity between the on-premises network to which the client belongs and the secure office network of the cloud desktop. Alibaba Cloud provides services, such as Express Connect, SAG, and VPN Gateway, to enable network connectivity between on-premises and off-premises networks. Among these services, SAG is an SD-WAN solution that provides the SAG customer-premises equipment (CPE), SAG app, and SAG vCPE product types. The following sections describe how to use the SAG app to access a cloud desktop from the client over private networks.

Note Cloud desktops support access from multiple types of clients, such as software clients on computers, browser clients, hardware clients, and mobile clients. If you want to use the SAG app, you must install the SAG app client. The client is suitable for software clients that run Windows and macOS on computers and mobile clients that run Android and iOS.

Network architecture

The SAG app enables network connectivity between on-premises and off-premises networks. The following figure shows how the client on your computer uses the SAG app to access cloud desktops over private networks.
(Figure: SAG APP network architecture)
The following information describes the networks in the preceding figure:
  • VPCs are logically isolated private networks in the cloud. The network architecture of EDS consists of management VPCs, desktop service VPCs, and workspace VPCs. Alibaba Cloud maintains all of these VPCs. You can use the management VPCs and desktop service VPCs to deploy management components and desktop resources. The system creates a workspace VPC based on the CIDR block that you specify when you create the workspace.
  • Cloud Connect Network (CCN) is a device access matrix that consists of Alibaba Cloud distributed access gateways. After the SAG app is bound to a CCN instance, SAG can connect the on-premises network to the Alibaba Cloud network by using CCN.
  • Cloud Enterprise Network (CEN) can build private network channels for different network instances, such as VPCs and CCN instances. This allows the network instances to communicate with each other. The management CEN instances in the figure are maintained by Alibaba Cloud. The user CEN instances in the figure are the CEN instances that you must create to implement network connectivity between CCN instances and workspace VPCs.
  • Each cloud desktop uses two network interface controllers (NICs): eth0 and eth1. eth0 is the internal NIC that is used to manage traffic between clients and cloud desktops. The IP addresses of eth0 are assigned by EDS. eth1 is the common NIC that is used to access resources over a VPC or the Internet. The IP addresses of eth1 are assigned by the system from the CIDR blocks of the workspace VPC.
  • Alibaba Cloud PrivateLink is used to connect VPCs. This service is free of charge and allows VPCs, including workspace VPCs and desktop service VPCs, to connect to Alibaba Cloud services in a secure and stable manner.

Prerequisites

Workspaces are classified into the following types: workspaces of the convenience account type and workspaces of the enterprise Active Directory (AD) account type. Before you attach a VPC to a CEN instance, you must perform the following operations:
  • Workspace of the convenience account type
    1. Create a CEN instance. For more information, see Create a CEN instance.
    2. Create a workspace of the convenience account type and attach the workspace VPC to the CEN instance. For more information, see Create a workspace of the convenience account type.

      If you have a workspace of the convenience account type, you can attach the workspace VPC to the CEN instance on the Secure office network page in the EDS console.

  • Workspace of the enterprise AD account type
    1. Create a CEN instance. For more information, see Create a CEN instance.
    2. Create a workspace of the enterprise AD account type and attach the workspace VPC to the CEN instance. For more information, see Create a workspace of the enterprise AD account type.
      Note If the AD system of an enterprise is deployed on an Elastic Compute Service (ECS) instance, you must attach the VPC that the AD server uses to the CEN instance. If the AD system of an enterprise is deployed on an on-premises server, you must enable network connectivity between on-premises and off-premises networks before EDS connects to the AD system of the enterprise. You can create a workspace of the enterprise AD account type and configure the AD domain after on-premises and off-premises networks are connected.

Step 1: Configure the SAG app

Before you configure the SAG app, you must create an SAG app instance, bind the instance to a CCN instance, and then attach the CCN instance to a CEN instance. Perform the following operations:

  1. Log on to the Smart Access Gateway console.
  2. In the left-side navigation pane, choose Smart Access Gateway APP > SAG APP Instances.
  3. Create an SAG app instance.
    1. On the SAG APP Instances page, click Create SAG APP.
    2. On the buy page, configure the SAG app parameters.
      The following table describes the parameters. For more information, see Purchase SAG APP.
      Parameter: Region
        Description: The region where you want to use the SAG app client.
        Example: Mainland China
      Parameter: Number of Client Accounts
        Description: The number of accounts that you want to create for the SAG app client. You must create one account for each regular user that needs to use cloud desktops.
        Note You can create only 5 to 1,000 client accounts. Pricing is tiered based on the number of client accounts. For more information, see Billing and pricing of the SAG app.
        Example: 10
    3. Click Buy Now and complete the payment.
  4. Bind the SAG app instance to a CCN instance.
    1. On the SAG APP Instances page, find the SAG app instance that you created in the previous step and click Network Configuration.
    2. In the Network Configuration dialog box, complete the network settings.
      The following table describes the parameters. For more information, see Set up network connections.
      Parameter: CCN
        Description: Bind the SAG app instance to a CCN instance. After you bind the SAG app instance to the CCN instance, the SAG app client can connect to the Alibaba Cloud network from the on-premises network by using CCN. You can select an existing CCN instance or create a CCN instance based on your business requirements.
        Example: A new CCN instance
      Parameter: Private CIDR Block
        Description: The private CIDR block that is used by the SAG app client to connect to Alibaba Cloud. When the SAG app client is connected, the system assigns an available IP address to the client from the private CIDR block. Make sure that the CIDR block does not overlap with the existing CIDR blocks of the user CEN instances.
        Example: 192.168.123/24
    3. Click OK.
  5. Attach the CCN instance to the CEN instance.
    1. In the left-side navigation pane, click CCN.
    2. On the CCN page, find the CCN instance that you created in the previous step, and click Bind CEN Instance in the Actions column.
    3. In the Bind CEN Instance panel, choose the CEN instance to which the workspace VPC is attached.
    4. Click OK.

Step 2: Configure cloud services for CEN

To allow CCN to access EDS, you must configure cloud services for CEN. Perform the following operations:

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click the instance ID.
  3. Click the AnyTunnel tab. Then, click Configure AnyTunnel.
  4. Configure the cloud service parameters.
    The following table describes the parameters. For more information, see Access cloud services.
    Parameter: Service IP Address
      Description: Specify the CIDR block that is used in EDS, which includes the OpenAPI endpoint that is required by VPCs in all available regions to access cloud desktops. The CIDR block is fixed at 100.96.0.0/11.
      Example: 100.96.0.0/11
    Parameter: Service Region
      Description: Select the region where the workspace VPC resides.
      Example: China (Shanghai)
    Parameter: Host VPC
      Description: Select the workspace VPC.
      Example: -/vpc-uf6fhc4c97or7pdvs****
    Parameter: Access Region
      Description: Select the CCN instance that is bound to the SAG app instance.
      Example: The CCN instance that is deployed in Mainland China
  5. Click OK.
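The Private CIDR Block requirement in Step 1 (no overlap with the CIDR blocks already attached to the user CEN instance) and the fixed EDS service block 100.96.0.0/11 in Step 2 can be checked offline before you click through the consoles. The following script is an added example, not Alibaba Cloud code: check_sag_plan is a hypothetical helper, and the CEN CIDR blocks passed to it are constructed sample values; it also reports whether the DNS servers from Step 4 fall inside the service block (the two addresses on this page do), which is an assumption about what is worth flagging rather than a documented requirement.

```python
"""Offline pre-flight check for the SAG app address plan in this topic.

Added example, not Alibaba Cloud code. Validates the Private CIDR Block
(Step 1) against every block reachable through the user CEN instance, and
checks it does not collide with the fixed EDS service block (Step 2).
"""
import ipaddress

# Fixed "Service IP Address" value from Step 2 (AnyTunnel configuration).
EDS_SERVICE_CIDR = ipaddress.ip_network("100.96.0.0/11")
# DNS servers that Step 4 asks you to configure on the client device.
EDS_DNS_SERVERS = ("100.100.2.136", "100.100.2.138")


def check_sag_plan(sag_private_cidr, cen_cidrs, dns_servers=EDS_DNS_SERVERS):
    """Return a list of problems; an empty list means the plan is consistent.

    sag_private_cidr: the Private CIDR Block entered for the SAG app instance.
    cen_cidrs: CIDR blocks of all network instances attached to the user CEN
               instance (workspace VPC, AD server VPC, other VPCs or CCNs).
    dns_servers: DNS server addresses you intend to set on the client device.
    """
    problems = []
    try:
        # strict=True rejects prefixes with host bits set (e.g. 10.0.0.1/24)
        sag_net = ipaddress.ip_network(sag_private_cidr, strict=True)
    except ValueError as exc:
        return [f"SAG private CIDR block is not a valid network: {exc}"]

    for raw in cen_cidrs:
        net = ipaddress.ip_network(raw, strict=False)
        if sag_net.overlaps(net):
            problems.append(f"SAG block {sag_net} overlaps CEN block {net}")

    if sag_net.overlaps(EDS_SERVICE_CIDR):
        problems.append(f"SAG block {sag_net} overlaps EDS service block {EDS_SERVICE_CIDR}")

    for dns in dns_servers:
        if ipaddress.ip_address(dns) not in EDS_SERVICE_CIDR:
            problems.append(f"DNS server {dns} is outside {EDS_SERVICE_CIDR}")
    return problems


if __name__ == "__main__":
    # Constructed sample: workspace VPC and an AD server VPC on the user CEN.
    for issue in check_sag_plan("192.168.123.0/24", ["172.16.0.0/12", "10.10.0.0/16"]):
        print(issue)
```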

Step 3: Create an account for the SAG app client

If multiple regular users need to use cloud desktops, you must create multiple accounts for the SAG app client and distribute the accounts to the regular users. This way, the regular users can use the accounts to log on to the SAG app client and connect to private networks. Perform the following operations:

  1. On the SAG APP Instances page in the SAG console, find the SAG app instance that you created in Step 1 and click the instance ID.
  2. Click the Client Accounts tab and click Create Client Account.
  3. In the Create Client Account dialog box, configure the account settings.
    Enter the email address of a regular user. After the settings are complete, the system sends an email that includes the SAG instance ID, username and password, and client download method to the email address. For more information, see Create a client account.
  4. Click OK.

Step 4: Configure the SAG app client on your computer and connect to a private network

You must install the SAG app client and log on to the client on your computer or mobile device. After you configure DNS settings, you can connect to a private network with one click. Perform the following operations:

  1. Download and install the SAG app client on your computer or mobile device.
    The SAG app client supports the following OSs: Windows, Android, macOS, and iOS. For more information about client adaptation details and download methods, see Install the SAG app.
  2. Launch and log on to the SAG app client on your computer or mobile device, and initiate a connection.
    Before you perform this operation, obtain the client logon information from the email. If you find no client logon information in the email, check whether the email address that you specified in Step 3 is valid.
    In this example, the Windows client is used. To initiate the connection, perform the following operations:
    1. Launch the SAG app client.
    2. Enter the SAG instance ID, username, and password, read and agree to the privacy agreement, and then click Login.
    3. Click CONNECT.
  3. Configure DNS settings on your computer or mobile device.
    1. Add 100.100.2.136 or 100.100.2.138 to the list of DNS servers.
      In this example, Windows 10 is used. To configure DNS settings, perform the following operations:
      Note In this example, a computer is used to describe how to configure DNS settings. If you use a mobile device, configure DNS settings on your own.
      1. Open Network and Sharing Center in Control Panel.
      2. In the left-side navigation pane, click Change adapter settings.
      3. Right-click the network adapter that you want to use for the SAG app and select Properties.
      4. In the This connection uses the following items section, double-click Internet Protocol Version 4 (TCP/IPv4).
      5. In the dialog box that appears, specify the DNS servers that the adapter uses.

        You can set the IP address of your preferred DNS server to 100.100.2.136 and the IP address of your alternative DNS server to 100.100.2.138.

    2. Run the following command to check whether the DNS server works as expected:
      nslookup ecd-vpc.cn-beijing.aliyuncs.com

Step 5: Check whether the EDS client can access a cloud desktop over a private network

Before you perform the check, create regular users based on the workspace type and create and assign cloud desktops for the regular users.

The SAG app is suitable for computers that run Windows and macOS and mobile devices that run Android and iOS. In this example, the Windows EDS client is used. Perform the following operations:

  1. Install and launch the EDS client.
  2. On the Configuration page, enter the workspace ID, select Use VPC tunnel as Network Access Mode, and then click Next.
    If a request timeout error is reported, the network is inaccessible. Check whether the network configurations are valid.
  3. In the dialog box that appears, enter the username and password, and click Next.
  4. In the desktop card, select the cloud desktop in the Running state, and click Connect.
    If you can log on to the client and connect to the cloud desktop, the network configurations take effect.