Secure cloud-native application access and eliminate public exposure with SASE - Secure Access Service Edge

Secure Access Service Edge (SASE) supports connections to cloud-native application resources, allowing you to view and manage their public access addresses. For enhanced security, we recommend that you disable public network access if your business allows and restrict application access to the private network of a VPC. This document describes how to access cloud-native applications by using a private network and how to disable public network access.

Prerequisites

You have purchased Workspace Security Platform.
You have authorized SASE to access your Alibaba Cloud resources.

Supported cloud-native applications

Cloud storage: Object Storage Service (OSS).
Cloud Network: PrivateLink.
Cloud Databases: RDS, PolarDB, Tair (Redis OSS-compatible), Lindorm, MongoDB, AnalyticDB for MySQL, AnalyticDB for PostgreSQL, ClickHouse, ClickHouse Enterprise Edition, SelectDB, PolarDB for Xscale, DMS, DAS, Bastionhost.
Cloud middleware: RocketMQ 5.0, Kafka, MSE registry, and MSE cloud-native gateway.
Development tools: Alibaba Cloud Management Console, Alibaba Cloud DevOps.

Configure private access for cloud-native applications

Private access is based on Software-Defined Perimeter (SDP) technology and provides SaaS-based zero-trust network access, allowing enterprise employees to securely access cloud resources and precisely control access permissions through a SASE solution without exposing public IP addresses or modifying the existing network architecture.

Step 1: Configure an identity source

An identity provider (IdP) primarily provides identity authentication for enterprise employees, and SASE supports third-party and self-built identity authentication systems. The currently supported IdPs include LDAP, DingTalk, WeChat Work, Feishu, IDaaS, and custom identity providers. If your business uses multiple IdPs, you can configure each of them and enable their authentication status. This allows you to use the SASE service with different IdPs.

For a quick demonstration, this topic uses a custom identity source as an example.

Log on to the Cloud Security Access Service console.
In the left navigation bar, select Identity Authentication > Identity Access.
On the Identity synchronization tab, find Custom IdP and click Edit in the Actions column. Follow the wizard to configure the custom identity source. For more information, see Connect to a custom identity source.

Step 2: Configure a user group

When you configure a policy, you must specify the user group to which it applies.

In the left navigation bar, select Identity Authentication > Identity Access.
On the User Group Management tab, click Create User Group.
In the Create User Group panel, configure parameters for the user group, such as Organizational Structure, Account Name, Email Address, and Mobile Phone Number. Then, click OK. For more information, see Manage user groups.

Step 3: Enable network connection

In the left navigation bar, select Private Access > Network Settings.
On the Services on Alibaba Cloud > CEN Instance tab of the Network Settings page, view the network resources synchronized by SASE.
On the right side of the specified CEN instance or a VPC instance associated with the CEN instance, turn on the Network Connection switch.
In the Network Connection dialog box, select either Enable Network Connection for All Cloud Applications or Custom Connection to Cloud Applications.
- Enable Network Connection for All Cloud Applications: If you select this option, all cloud-native applications connect automatically. You can connect to non-cloud applications by configuring ACL rules. Any new cloud-native applications created in this VPC also connect by default.
  
  Note
  Currently, only specific types of cloud-native applications are supported. To see the supported types, go to the Services on Alibaba Cloud > Cloud-native Application tab and check the Application Type column.
- Custom Connection to Cloud Applications:
  - Select Custom Connection to Cloud Applications and click OK.
  - In the Custom Connection to Cloud Applications panel, select the applications you want to connect and click OK.

Step 4: Create a private application

Before you can use SASE private access, you must configure the IP addresses or domain names of your enterprise office applications in SASE. Only configured office applications can be accessed by employees through the SASE App.

Log on to the Office Security Platform console.
In the left navigation bar, select Private Access > Application Management.

Click Add Application. On the Manual Configuration tab of the Add Application panel, configure the parameters as described in the following table.

Parameter	Description	Example
Application Name	The name of the application. The name must be 2 to 100 characters in length and can contain Chinese characters, letters, digits, hyphens (-), underscores (_), and periods (.).	Cloud-native Application
Status	The status of the application. You can enable or disable it.	Enable
Access Mode	Select an access mode. Client-based Access: You must install the SASE App to access office applications. The feature supports access to Layer 4 and Layer 7 applications for employee office work and O&M, and provides rich endpoint security detection and control policies. Browser-based Access: You can use a browser to access your enterprise's web-based office applications without installing the SASE App. This mode does not support endpoint security checks or control policies.	Client-based Access

Click Next. Configure the Application Address, Port, and Protocol for the application, and then click OK.

To trace access to the application, enable the Web Application Access Reinforcement feature. Select Access Tracing, choose the fields to add to the HTTP header, and then extract the information from your application.

Available header fields include Username, Device ID, and Device IP.

Step 5: Create a zero trust policy

In the left navigation bar, select Private Access > Access Control.
On the Zero Trust Policies tab, click Create Policy.
In the Create Policy panel, configure the policy to allow authorized users to access the cloud-native application, and then click OK.

Set Policy name to Cloud-native application zero trust policy, Priority to 1, and Action to Allow Access. In the Selected applications section, add the Cloud-native application.

Step 6: Verify the configuration

Open your installed SASE App.
Enter the enterprise verification ID and click OK.
You can log on to the Secure Access Service Edge console. In the navigation pane on the left, on the Settings page, obtain the Enterprise Authentication Identifier.
Log on by using the initial username and password that you received by email or phone.
Click Connect to Private Network.
Access the private application. A successful connection to the private application verifies your configuration.

Disable public access for cloud-native applications

In the left navigation bar, select Private Access > Network Settings.
On the Services on Alibaba Cloud > Cloud-native Application tab, view the application types that support disabling public network access and the list of instances with enabled network connections.
For an instance that is exposed to the public internet, click Not Disabled in the Actions column.
In the Disable dialog box, Select the public endpoint for which you want to disable access., and then click OK.

Important
Once disabled, all public network access is denied, which restricts access points to enhance security. This action is irreversible. You can still access applications through SASE. Please ensure that a zero trust policy is configured and enabled for all cloud applications.
Try to access the cloud application by using its public address. A failed attempt verifies the configuration.