
Smart Access Gateway: Connect an AWS network to Alibaba Cloud by using an SAG vCPE instance

Last Updated: Nov 28, 2025

This topic describes how to connect Amazon Web Services (AWS) resources to Alibaba Cloud resources using Smart Access Gateway (SAG) vCPE.

Prerequisites

Sample scenario

The following figure describes how to establish network communication between cloud resources deployed on Alibaba Cloud and on AWS. For example, an enterprise has deployed cloud services on Alibaba Cloud in the Singapore region and on AWS. The enterprise wants to establish network communication between the cloud resources deployed on Alibaba Cloud and on AWS.

You can deploy an SAG vCPE image on an instance in an Amazon VPC. The instance then functions as an SAG vCPE device to connect to Alibaba Cloud. Once the device is connected to Alibaba Cloud, you can use Cloud Connect Network (CCN) and Cloud Enterprise Network (CEN) to enable communication between resources in the Amazon VPC and those in an Alibaba Cloud VPC.

[Figure: Flowchart]

Step 1: Create an SAG vCPE instance

You must create an SAG vCPE instance in the SAG console. Then, you can use the SAG vCPE instance to manage the SAG vCPE device.

  1. Log on to the SAG console.

  2. On the Smart Access Gateway page, choose Purchase SAG > Create SAG (vCPE).

  3. On the SmartAG vCPE Software page, configure the parameters, click Buy Now, and then complete the payment. The following table describes the parameters.

    | Configuration | Description |
    | --- | --- |
    | Area | Select the area in which you want to deploy the SAG vCPE instance. In this example, Singapore is selected. |
    | Instance name | Enter a name for the SAG vCPE instance. |
    | Device Type | SAG-vCPE is selected by default. |
    | Edition | Basic Edition is selected by default. |
    | Deployment Mode | Select a deployment mode for the SAG vCPE device. The default value is Active-Standby. In Active-Standby mode, one SAG vCPE instance can connect to two SAG vCPE devices by default. You can configure the two SAG vCPE devices in active-standby mode to connect your on-premises network to Alibaba Cloud. This improves network availability. This topic uses only the active device. |
    | Peak Bandwidth | Select a maximum bandwidth for network communication. Unit: Mbit/s. |
    | Quantity | Specify the number of SAG vCPE instances that you want to create. In this example, 1 is selected. |
    | Duration | Select a subscription duration. |

  4. Return to the SAG console. In the top navigation bar, select the area where the SAG vCPE instance is deployed.

  5. In the navigation pane on the left, choose Smart Access Gateway > Instances.

  6. On the Smart Access Gateway page, click the ID of the SAG vCPE instance.

  7. On the details page of the SAG vCPE instance, click the Device Management tab, and then view and record the serial number and key of the active SAG vCPE device. The serial number and key are used to associate the SAG vCPE instance with the SAG vCPE device.

Step 2: Deploy the SAG vCPE image

To establish network communication between cloud resources deployed on Alibaba Cloud and on AWS, you must create an instance in the AWS VPC. Then, you can deploy the SAG vCPE image on the instance in the AWS VPC. After you deploy the SAG vCPE image, the AWS instance can serve as an SAG vCPE device and lets you connect AWS resources to Alibaba Cloud resources.

  1. Create an instance in an Amazon VPC.

    For more information about how to create an instance in the AWS VPC, see the relevant AWS documentation. Make sure that the AWS instance meets the following requirements:

    • Operating system: Ubuntu 18.04 (64-bit).

    • The instance requires kernel version 3.10.0-957.21.3.el7.x86_64 or later.

    • The instance connects to the Internet via a separate network interface card.

    • You can remotely connect to the instance.

    • No business applications are running on the instance.

    • If the host is an ECS instance or an Edge Node Service (ENS) instance, the number of vCPU cores must be one or more and the memory must be 2 GB or more.

      We recommend that you select a 2-core vCPU and 4 GB of memory for the instance. In this case, the bandwidth of encrypted private connections can reach 350 Mbit/s and higher (the packet length in the performance test is 1,024 bytes).

  2. Log on to the AWS instance and download the script to the /root directory of the instance. For more information, see the relevant AWS documentation.

    Important
    • You can also specify a custom path and download the script to the corresponding directory. In this case, make sure that you select the custom path when you run the script.

    • After you download the script, do not modify its content or name.

    • If your host is deployed in the Chinese mainland, run the following command to download the script:

      wget -O /root/sag_vcpe_v2.3.0_deployment.sh https://sdwan-oss-shanghai.oss-cn-shanghai.aliyuncs.com/vcpe_vm/sag_vcpe_v2.3.0_deployment.sh

    • If your host is deployed outside the Chinese mainland, run the following command to download the script:

      wget -O /root/sag_vcpe_v2.3.0_deployment.sh https://sdwan-oss-shanghai.oss-accelerate.aliyuncs.com/vcpe_vm/sag_vcpe_v2.3.0_deployment.sh

  3. Grant the execute permission to the script.

    chmod +x /root/sag_vcpe_v2.3.0_deployment.sh

  4. Run the script.

    /root/sag_vcpe_v2.3.0_deployment.sh -n sage6nniq3**** -k **** -t aws -w eth0

    The following table describes the parameters of the script. For more information about the script, see Descriptions of the script parameters.

    | Parameter | Description |
    | --- | --- |
    | -n | The serial number of the SAG vCPE device. |
    | -k | The key of the SAG vCPE device. |
    | -t | The service provider of the host on which you want to install the SAG vCPE image. Valid values: aliyun (default), which deploys the SAG vCPE image on an Alibaba Cloud Elastic Compute Service (ECS) instance; aws, which deploys the SAG vCPE image on an Amazon Elastic Compute Cloud (EC2) instance; azure, which deploys the SAG vCPE image on a Microsoft Azure virtual machine (VM). If you want to deploy the SAG vCPE image on an on-premises server, set the value to a string of letters other than aliyun, aws, or azure. |
    | -w | The name of the NIC for the WAN port. You can run the ifconfig command to view the NIC name of the host. |

  5. When you run the script, the system automatically checks whether the deployment environment meets the requirements. If the deployment environment requires more components, the following prompt appears. In this case, enter yes and the system will automatically install the required components.

    [Figure: Install components]

  6. If the deployment environment meets the requirements, the system automatically starts to deploy the SAG vCPE image. After the image is deployed, the following prompt appears.

    [Figure: Deployment successful]

  7. Check the deployment result.

    After the deployment is complete, run the docker ps command to check whether the following two containers exist:

    [Figure: Deployment result]

    If the system contains the vsag-core container and the vsag-manager-base container, the SAG vCPE image is deployed.
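
    As an added example (not part of the original page and not Alibaba Cloud's tooling), the script below wraps steps 2 to 7: it refuses to run the deployment script unless its SHA-256 matches a digest you pinned after reviewing it, and it checks the docker ps output for both containers afterwards. The pinned digest is a placeholder, and `deploy`, its key-file argument and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not Alibaba Cloud's code. Path and flags are the page's own.
SCRIPT=/root/sag_vcpe_v2.3.0_deployment.sh
# Placeholder: the page publishes no checksum. Pin the SHA-256 of a copy of
# the script that you have reviewed.
PINNED_SHA256="<sha256-of-reviewed-script>"

# Succeeds only if the file exists and its SHA-256 equals the pinned digest.
script_matches_pin() {
    file=$1; expected=$2
    [ -f "$file" ] || return 2
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Reads `docker ps` output on stdin and prints each required container
# (names taken from step 7) that does not appear in it.
missing_vsag_containers() {
    listing=$(cat)
    for want in vsag-core vsag-manager-base; do
        printf '%s\n' "$listing" | grep -qF -- "$want" || printf '%s\n' "$want"
    done
}

# Usage: deploy <serial> <key-file> <wan-nic>
# The key is read from a root-only file so it stays out of shell history;
# it is still visible in the process list while the script runs.
deploy() {
    script_matches_pin "$SCRIPT" "$PINNED_SHA256" || {
        echo "checksum mismatch: refusing to run $SCRIPT" >&2; return 1; }
    chmod 700 "$SCRIPT"
    "$SCRIPT" -n "$1" -k "$(cat "$2")" -t aws -w "$3" || return 1
    missing=$(docker ps | missing_vsag_containers)
    [ -z "$missing" ] || { echo "not running: $missing" >&2; return 1; }
}
```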

Step 3: Configure network settings on Alibaba Cloud

After the SAG vCPE image is deployed, you must configure network settings for the SAG vCPE device in the SAG console. This allows the SAG vCPE device to connect to Alibaba Cloud.

  1. Configure on-premises route synchronization.

    1. Log on to the SAG console.

    2. In the top navigation bar, select the region.

    3. On the Smart Access Gateway page, find the instance and click Network Configuration in the Actions column.

    4. Choose Network Configuration > Method to Synchronize with On-premises Routes and click Add Static Route.

    5. In the Add Static Route dialog box, enter the private CIDR block of the AWS service and click OK.

      [Figure: On-premises route synchronization]

  2. Associate the SAG instance with the CCN instance.

    CCN is an important component of SAG. SAG connects your on-premises networks to Alibaba Cloud through CCN.

    1. Create a CCN instance. For more information, see Create a CCN instance.

      The SAG vCPE instance and CCN instance must be deployed in the same region.

    2. In the navigation pane on the left, choose Smart Access Gateway > Instances.

    3. On the Smart Access Gateway page, find the instance and click Network Configuration in the Actions column.

    4. On the details page of the SAG vCPE instance, choose Network Configuration > Network Instance Details.

    5. In the Associated Instances Under Current Account section, click Attach Network, select a CCN instance, and then click OK.

    6. After you associate the SAG vCPE instance with the CCN instance, click the Device Management tab. If the VPN Status and Control Status of the SAG vCPE device are Normal, it indicates that the SAG vCPE device is connected to Alibaba Cloud.

      [Figure: vCPE status]

  3. Create and configure a Cloud Enterprise Network (CEN) instance.

    You must perform the following operations to connect the SAG vCPE instance to a CEN instance and attach the Alibaba Cloud VPC to the CEN instance. Then, the SAG vCPE instance and the Alibaba Cloud VPC can learn routes from each other. The SAG vCPE device can communicate with the resources in the Alibaba Cloud VPC.

    1. In the navigation pane on the left, click CCN.

    2. On the CCN page, find the CCN instance and click Bind CEN Instance in the Actions column.

    3. In the Bind CEN Instance panel, select the CEN instance you want to associate and click OK.

      You can use one of the following methods to select a CEN instance. In this example, Create CEN is selected.

      • Existing CEN: If you have already created a CEN instance, you can select an existing CEN instance from the drop-down list.

      • Create CEN: If you have not created a CEN instance, enter an instance name. The system then automatically creates a CEN instance and associates the CEN instance with the CCN instance.

    4. Attach the Alibaba Cloud VPC to the CEN instance. For more information, see Create a VPC connection.

Step 4: Configure network settings on AWS

To enable communication between AWS resources and Alibaba Cloud resources, you must configure network settings for the AWS VPC. For more information about specific commands, see the AWS documentation.

  1. Configure routing for the cloud service.

    Add the following route entry to the AWS VPC: the destination CIDR block of the route entry is the CIDR block of the Alibaba Cloud VPC, and the next hop points to the AWS instance. The AWS instance is used to enable communication between AWS resources and Alibaba Cloud resources.

    [Figure: AWS route configuration]

  2. Configure the security group of the AWS service.

    Allow the private CIDR blocks of Alibaba Cloud and AWS services to communicate with each other.

  3. Disable source checks and destination checks for the AWS instance.

    [Figure: Disable source and destination checks]
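
    The three AWS-side changes above, as an added example that is not part of the original page: the script validates that both CIDR blocks are private ranges and then prints the corresponding AWS CLI calls for review. The function names are hypothetical, and every resource ID and CIDR block is a value you supply.

```shell
#!/bin/sh
# Added example, not from the page. Prints the AWS CLI calls for Step 4 so
# they can be reviewed before being run; every ID and CIDR is supplied by you.

# Succeeds only for a well-formed CIDR inside 10/8, 172.16/12 or 192.168/16,
# so 0.0.0.0/0 or a public range never reaches the route table or the group.
is_private_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 5; i++) if ($i !~ /^[0-9]+$/) exit 1
          for (i = 1; i <= 4; i++) if ($i + 0 > 255) exit 1
          if ($5 + 0 > 32) exit 1
          if ($1 == 10 && $5 >= 8) exit 0
          if ($1 == 172 && $2 >= 16 && $2 <= 31 && $5 >= 12) exit 0
          if ($1 == 192 && $2 == 168 && $5 >= 16) exit 0
          exit 1 }'
}

# Usage: plan_step4 <route-table-id> <vcpe-instance-id> <security-group-id> \
#                   <alibaba-vpc-cidr> <aws-vpc-cidr>
plan_step4() {
    rtb=$1; inst=$2; sg=$3; ali=$4; aws=$5
    for c in "$ali" "$aws"; do
        is_private_cidr "$c" || { echo "not a private CIDR: $c" >&2; return 1; }
    done
    # 1. Route the Alibaba Cloud VPC CIDR to the instance running SAG vCPE.
    echo "aws ec2 create-route --route-table-id $rtb --destination-cidr-block $ali --instance-id $inst"
    # 2. Allow only the two private CIDR blocks in the security group.
    for c in "$ali" "$aws"; do
        echo "aws ec2 authorize-security-group-ingress --group-id $sg --protocol all --cidr $c"
    done
    # 3. Let the instance forward traffic that is not addressed to itself.
    echo "aws ec2 modify-instance-attribute --instance-id $inst --no-source-dest-check"
}
```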

Step 5: Interconnect networks on the cloud

After you configure network settings on AWS, you must purchase a bandwidth plan that supports inter-region connections for the CEN instance. The bandwidth plan lets you connect the Alibaba Cloud resources in the China (Hangzhou) region to the AWS resources in the Singapore (Singapore) region.

Note

Skip this step if the AWS resources and the Alibaba Cloud resources are deployed in the same region.

  1. Purchase a bandwidth plan.

    1. Log on to the Cloud Enterprise Network console.

    2. On the Instances page, click the ID of the CEN instance that you want to manage.

    3. On the CEN instance details page, on the Basic Information > Bandwidth Plans tab, click Purchase Bandwidth Plan.

    4. On the buy page, configure the parameters, click Buy Now, and then complete the payment. The following table describes the parameters.

      | Configuration | Description |
      | --- | --- |
      | Cloud Enterprise Network | Select the CEN instance for which you want to purchase a bandwidth plan. In this example, the CEN instance created in Step 3 is selected. |
      | Area A | Select the region of one of the network instances that you want to connect. This topic uses Chinese Mainland as an example. |
      | Area B | Select the other area where you want to enable inter-region communication. In this example, Asia Pacific is selected. |
      | Metering Method | Select a metering method for the bandwidth plan. Pay-By-Bandwidth is selected by default. |
      | Bandwidth | Select a maximum bandwidth value for the bandwidth plan. Unit: Mbit/s. |
      | Bandwidth Plan Name | Enter a name for the bandwidth plan. |
      | Subscription Duration | Select a subscription period for the bandwidth plan. 1 Month is selected by default. You can select Auto-renewal to enable auto-renewal for the bandwidth plan. |

  2. Create an inter-region connection.

    1. On the Instances page, click the ID of the CEN instance that you want to manage.

    2. On the details page of the CEN instance, choose Basic Information > Bandwidth Plans and click Allocate Bandwidth for Inter-region Communication.

    3. On the Create Inter-region Connection page, configure the inter-region connection, and then click OK.

      | Parameter | Description |
      | --- | --- |
      | Region | Select one of the regions to be connected. In this example, China (Hangzhou) is selected. |
      | Transit Router | The ID of the transit router in the selected region is automatically displayed. |
      | Attachment Name | Enter a name for the inter-region connection. |
      | Peer Region | Select the other region to be connected. In this example, Singapore is selected. |
      | Transit Router | The ID of the transit router in the selected region is automatically displayed. |
      | Bandwidth Allocation Mode | Inter-region connections support the Allocate from Bandwidth Plan and Pay-By-Data-Transfer allocation modes. In this example, Allocate from Bandwidth Plan is selected. |
      | Bandwidth Plan | Select the bandwidth plan that is associated with the CEN instance. In this example, the bandwidth plan purchased in the preceding step is selected. |
      | Bandwidth | Specify a bandwidth value for inter-region connections. Unit: Mbit/s. |
      | Default Line Type | Inter-region connections support multiple line types. The network performance varies based on the line type. |
      | Advanced Settings | Use the default settings. All advanced features are enabled. |

Step 6: Test network connectivity

After you complete the preceding operations, services deployed in the Alibaba Cloud VPC and the Amazon VPC can communicate with each other. This step describes how to test the connectivity between the two VPCs.

Note

In this example, the ECS instance in the Alibaba Cloud VPC runs the Alibaba Cloud Linux operating system. For more information about how to use the ping command in other operating systems, see the manual of the operating system that you use.

  1. Log on to an ECS instance in the Alibaba Cloud VPC. For more information, see Connection method overview.

  2. Run the ping command against a cloud service instance in the Amazon VPC to test the connectivity between the two VPCs.

    Testing confirms that an ECS instance in an Alibaba Cloud VPC can communicate with a cloud service instance in an Amazon VPC.

    [Figure: Test result]
