Alibaba Cloud Smart Access Gateway (SAG) provides a solution based on the Software-defined Wide Area Network (SD-WAN) architecture. The SAG app allows terminal devices to access cloud resources. After you configure the SAG app, you can remotely access services deployed by using virtual private clouds (VPCs) in the cloud from terminal devices, such as computers and mobile phones. This topic describes how to use the SAG app to connect an Elastic Desktop Service (EDS) client on your computer to the secure office network of a cloud desktop. This enables you to access the cloud desktop from the EDS client over private networks.
Background information
- If you set Connection Method to Internet, the client can access the cloud desktop only over the Internet.
- If you set Connection Method to VPC, the client can access the cloud desktop only over a VPC.
- If you set Connection Method to Internet and VPC, the client can access the cloud desktop over the Internet or a VPC.
To use the VPC connection method, you must enable network connectivity between the on-premises network to which the client belongs and the secure office network of the cloud desktop. Alibaba Cloud provides services, such as Express Connect, SAG, and VPN Gateway, to enable network connectivity between on-premises and off-premises networks. Among these services, SAG is an SD-WAN solution that provides the SAG customer-premises equipment (CPE), SAG app, and SAG vCPE product types. The following sections describe how to use the SAG app to access a cloud desktop from the client over private networks.
Network architecture

- VPCs are logically isolated private networks in the cloud. The network architecture of EDS consists of management VPCs, desktop service VPCs, and workspace VPCs. Alibaba Cloud maintains all of these VPCs. You can use the management VPCs and desktop service VPCs to deploy management components and desktop resources. The system creates a workspace VPC based on the CIDR block that you specify when you create the workspace.
- Cloud Connect Network (CCN) is a device access matrix that consists of Alibaba Cloud distributed access gateways. After the SAG app is bound to a CCN instance, SAG can connect the on-premises network to the Alibaba Cloud network by using CCN.
- Cloud Enterprise Network (CEN) can build private network channels for different network instances, such as VPCs and CCN instances. This allows the network instances to communicate with each other. The management CEN instances in the figure are maintained by Alibaba Cloud. The user CEN instances in the figure are the CEN instances that you must create to implement network connectivity between CCN instances and workspace VPCs.
- Each cloud desktop uses two network interface controllers (NICs): eth0 and eth1. eth0 is the internal NIC that is used to manage traffic between clients and cloud desktops. The IP addresses of eth0 are assigned by EDS. eth1 is the common NIC that is used to access resources over a VPC or the Internet. The IP addresses of eth1 are assigned by the system from the CIDR blocks of the workspace VPC.
- Alibaba Cloud PrivateLink is used to connect VPCs. This service is free of charge and allows VPCs, including workspace VPCs and desktop service VPCs, to connect to Alibaba Cloud services in a secure and stable manner.
Prerequisites
- Workspace of the convenience account type
  - Create a CEN instance. For more information, see Create a CEN instance.
  - Create a workspace of the convenience account type and attach the workspace VPC to the CEN instance. For more information, see Create a workspace of the convenience account type.
    If you have a workspace of the convenience account type, you can attach the workspace VPC to the CEN instance on the Secure office network page in the EDS console.
- Workspace of the enterprise AD account type
  - Create a CEN instance. For more information, see Create a CEN instance.
  - Create a workspace of the enterprise AD account type and attach the workspace VPC to the CEN instance. For more information, see Create a workspace of the enterprise AD account type.
    Note: If the AD system of an enterprise is deployed on an Elastic Compute Service (ECS) instance, you must attach the VPC that the AD server uses to the CEN instance. If the AD system of an enterprise is deployed on an on-premises server, you must enable network connectivity between on-premises and off-premises networks before EDS connects to the AD system of the enterprise. You can create a workspace of the enterprise AD account type and configure the AD domain after on-premises and off-premises networks are connected.
Step 1: Configure the SAG app
Before you configure the SAG app, you must create an SAG app instance, bind the instance to a CCN instance, and then attach the CCN instance to a CEN instance. Perform the following operations:
- Log on to the Smart Access Gateway console.
- In the left-side navigation pane, choose .
- Create an SAG app instance.
- Bind the SAG app instance to a CCN instance.
- Attach the CCN instance to the CEN instance.
  - In the left-side navigation pane, click CCN.
  - On the CCN page, find the CCN instance that you created in the previous step, and click Bind CEN Instance in the Actions column.
  - In the Bind CEN Instance panel, choose the CEN instance to which the workspace VPC is attached.
  - Click OK.
Step 2: Configure cloud services for CEN
To allow CCN to access EDS, you must configure cloud services for CEN. Perform the following operations:
Step 3: Create an account for the SAG app client
If multiple regular users need to use cloud desktops, you must create multiple accounts for the SAG app client and distribute the accounts to the regular users. This way, the regular users can use the accounts to log on to the SAG app client and connect to private networks. Perform the following operations:
Step 4: Configure the SAG app client on your computer and connect to a private network
You must install the SAG app client and log on to the client on your computer or mobile device. After you configure DNS settings, you can connect to a private network with one click. Perform the following operations:
Step 5: Check whether the EDS client can access a cloud desktop over a private network
- For more information about how to create regular users, see Create a convenience user or Create AD users.
- For more information about how to create and assign a cloud desktop, see Create a cloud desktop.
The SAG app is suitable for computers that run Windows and macOS and mobile devices that run Android and iOS. In this example, the Windows EDS client is used. Perform the following operations: