Secure Access Service Edge: Use SASE to control access to the cloud computers of EDS

Last Updated: Mar 18, 2025

This topic describes how to use Secure Access Service Edge (SASE) to control access to the cloud computers of Elastic Desktop Service (EDS).

Prerequisites

  • SASE is activated. If SASE is not activated, you must purchase and activate SASE. For more information, see Service purchase. You can also apply for a 7-day free trial. For more information, see Apply for a free trial.

  • The identity provider (IdP) of your enterprise is connected to SASE. In the SASE console, you can connect the IdP of your enterprise to SASE. You can connect the following types of IdPs: DingTalk, WeCom, Lark, Lightweight Directory Access Protocol (LDAP), and Identity as a Service (IDaaS). For more information, see Identity authentication and management.

  • The SASE client is installed, and logon to the client is complete. For more information about how to install the SASE client, see Install and log on to the SASE client.

Scenario

You want to allow only the devices managed by SASE to access the cloud computers of EDS.

Introduction to SASE

SASE is the first end-to-end office security management platform provided by Alibaba Cloud. SASE allows enterprises to quickly construct an office security system without investment in complex and expensive security hardware devices. The system provides capabilities such as zero trust-based private access, data leak prevention, management and audit of network access behaviors, and access acceleration. The following steps describe how to control access by using SASE:

  1. Create an advanced office network in the EDS console and set the Connection Method parameter to VPC to allow access only over a VPC.

  2. Attach this advanced office network to a Cloud Enterprise Network (CEN) instance.

  3. Add the cloud computers that you want to manage to the advanced office network.

  4. Connect the internal network of SASE with the CEN instance in the SASE console.

  5. Create an application in the SASE console and create a zero trust policy to allow access to the different endpoints of EDS.

This way, users can access the cloud computers of EDS only over the internal network of SASE.

Procedure

Step 1: Create an advanced office network and attach it to a CEN instance

In the EDS console, create an advanced office network and set the Connection Method parameter to VPC. Then, attach the office network to a CEN instance. For more information, see Create and manage convenience office networks.

Step 2: Add cloud computers to the advanced office network

After cloud computers are added to the advanced office network, you can use SASE to connect the internal network of SASE with the CEN instance. The system sends emails to cloud computer users to notify them of the change. Each email contains the access method for Alibaba Cloud Workspace terminals and the ID of the advanced office network.

Step 3: Connect the internal network of SASE with the VPC of the cloud computers

  1. Log on to the SASE console.

  2. In the left-side navigation pane, choose Private Access > Network Settings.

  3. On the Network Settings page, find the CEN instance to which the advanced office network is attached and turn on the switch in the Network Connection column.

  4. Then, find the connected VPC and enter the CIDR block of the advanced office network in the Custom CIDR Block column.

Step 4: Create an EDS application and a zero trust policy

  1. In the EDS console, find the created advanced office network and click its ID. On the Network Information page that appears, obtain the value of the Private Gateway Address parameter.

  2. Obtain the endpoints of EDS. The endpoints vary based on regions and functionalities.

    For example, if the cloud computer is deployed in the China (Hangzhou) region, add the endpoints for the China (Hangzhou) region to the SASE application. For more information about the endpoints for different regions and functionalities, see Port overview.

  3. In the SASE console, create an application and add the endpoints to the application. For more information, see Add an office application to SASE.

  4. Configure a zero trust policy to allow access to the application. For more information, see Configure a zero trust policy.

Step 5: Connect to a cloud computer from an Alibaba Cloud Workspace terminal

In the Alibaba Cloud Workspace terminal, enter the ID of the advanced office network to which a cloud computer is added and set the Network Connection Type parameter to Alibaba Cloud VPC. This way, you can implement access control over cloud computers of EDS by using SASE. You can obtain the ID of the advanced office network in the EDS console.