Integrate Alibaba Cloud SASE (Secure Access Service Edge) with Global Accelerator (GA) by configuring a connector to deliver high-speed, stable, and secure cross-region acceleration for distributed employees.
Prerequisites
Ensure the following:
- Alibaba Cloud SASE activated.
- An Alibaba Cloud account with permissions for SASE, GA, VPC, and ECS.
- SASE client installed on employee devices.
Acceleration traffic flow
Costs
Enabling Global Accelerator automatically creates a pay-as-you-go Global Accelerator instance, which incurs additional fees.
Configure SASE identities and users
Step 1: Create an identity source
- Go to the Identity Access page and switch to the Identity synchronization tab.
- Click Create IdP. This document uses a Custom IdP as an example.
  Note: In production, integrate SASE with your enterprise identity provider (IdP), such as Active Directory (AD), LDAP, DingTalk, or WeCom.
- In the Basic Configurations section, enter an IdP Name and Description. Set IdP Status to Enabled. Click Next.
- In the Logon Settings section, set the PC Logon Method and Mobile Device Logon Method. This example uses the default settings. You can enable Two-factor Authentication based on your requirements.
- After you confirm the settings, click Ok.
Step 2: Create users and user groups
- Go to the Identity Access page and switch to the Employee Center tab. From the drop-down list on the left, select the identity source you created, and then click Add User.
- In the Add User panel, enter the username, password, and other required information. In the Department field, assign the user to a department within the selected identity source.
- Switch to the User Group Management tab. Click Create User Group, set a name such as dev-group, and select a Group Scope as needed.
- Click OK.
Configure a connector for network connectivity
Deploy a SASE connector on a server at your cross-region egress point to establish network connectivity. Then, enable the connector and configure the GA instance for acceleration.
Step 1: Add an SASE connector
- Log on to the SASE console. In the left-side navigation pane, choose .
- On the Non-Alibaba Cloud services tab, add a connector.
  - On the Connectors tab, click Add Connector.
  - In the Add Connector dialog box, configure the parameters as required. Then, click OK.

    | Parameter | Description |
    | --- | --- |
    | Region | Select the region closest to your server for optimal access quality. |
    | Instance Name | Enter a connector name. |
    | Instance Switch | SASE end users can access the applications associated with the connector only when the instance switch is in the Enable state. You can also turn on the instance switch from the connector list or on the connector Details panel. Important: If you turn off the connector instance switch, end users cannot use the SASE client to access internal applications. Proceed with caution. |

    The connector then appears in the connector list.
- Enable Global Accelerator.
  - For the connector instance you created, click Details in the Actions column.
  - On the instance details page, find the Global Acceleration section and turn it on.
  - In the Enable GA dialog box, enter the following information:

    Important: When you enable Global Accelerator for the first time, you are prompted to authorize the automatic creation of the AliyunServiceRoleForGaCdt and AliyunServiceRoleForGaVpcEndpoint service-linked roles. Global Accelerator uses these roles to access your resources in SASE.

    | Parameter | Description |
    | --- | --- |
    | GA Instance Name | Required. Enter a name for the Global Accelerator instance. Important: Global Accelerator fees include instance fees, capacity unit (CU) fees, and data transfer fees. |
    | Resource Group | Select a resource group. |
    | Terms of service | By clicking submit, you agree to the relevant terms of service. |

    Click Next.
  - Configure the Acceleration Region and Allocate Bandwidth.

    | Parameter | Description |
    | --- | --- |
    | Acceleration Region | Select the region closest to your users. Note: The Dubai region is not supported as an acceleration region. |
    | Allocate Bandwidth | Range: 2 to 10,000 Mbit/s. Allocation methods: Allocate Bandwidth by Region (specify a peak bandwidth for each acceleration region) or Batch Set (specify a uniform peak bandwidth for all acceleration regions). |

    After you complete the configuration, click OK. The acceleration instance is created within a few minutes.
  - After the instance is created, its details appear on the details page.
Step 2: Deploy the connector
- In the Operation column for the connector you added, click Deploy. On the Deploy panel, copy the deployment command.
- Log on to the server or virtual machine where you want to deploy the connector as the root user and run the deployment command. On the Deploy panel, you can also find commands to upgrade the connector, uninstall the connector, and export logs.
- After deployment, the instance status changes to Connected. You can also view other information, such as the instance ID.

Step 3: Configure an enterprise acceleration policy
- On the Access control page, switch to the Enterprise Acceleration tab, and then click Create Policy.
- In the Create Policy panel, configure the parameters as required. Then, click OK.

  | Parameter | Description |
  | --- | --- |
  | Policy Name | The name of the enterprise acceleration policy. |
  | Description | The description of the policy. |
  | Priority | Valid values: 1 to 100. A smaller value indicates a higher priority. |
  | Acceleration Instance | Supported instance types: CEN (you must enter the Instance IP Address and Instance Port) and Connector (select a connector instance). Note: Select the connector instance you created in the Add an SASE connector step. |
  | Acceleration Mode | The following modes are supported. Global Acceleration: Routes all Internet traffic through the accelerated connection. Acceleration stops when a user clicks the "Stop acceleration" button in the client. Custom Acceleration: Requires configuring custom acceleration addresses after policy creation. Only traffic to specified addresses uses the accelerated connection. |
  | Accelerated User Group | Select one or more user groups for acceleration. |
  | Display on Client | If you select this option, users can choose from different acceleration policies in the SASE client. |

- If you selected Custom Acceleration for Acceleration Mode, you must configure acceleration addresses:
  - For the policy you created, click Accelerated URL in the Actions column.
  - In the Accelerated URL panel, click Add Accelerated URL. Configure acceleration addresses:

    | Parameter | Description |
    | --- | --- |
    | Acceleration address | Manually enter the acceleration addresses. You can add up to 500 addresses. |
    | Local bulk upload | Use a template file to upload acceleration addresses in bulk. The file must be in .xlsx format and cannot exceed 100 MB. |

  - Click OK.
Step 4 (optional): Configure managed objects
To improve network transmission quality, change the Transmission network quality type.
- Go to the Instances page on the Global Accelerator console to view the managed objects and their statuses.
- If the current account supports Cross-border Express Connect, the automatically created managed GA instance defaults to the Cross-border Express Connect mode. Otherwise, the instance defaults to the BGP (Multi-ISP) Pro mode.

Configure an enterprise acceleration whitelist
To exempt specific domains or users from enterprise acceleration audits, add them to a whitelist.

- Go to the whitelist page and switch to the Enterprise Acceleration tab.
- In the Domain Name Whitelist section, add domains to the whitelist. You can add multiple domains.
- In the User Whitelist section, add users to the whitelist. You can add multiple users.
  Important: For users on the enterprise acceleration whitelist, the Network acceleration page is not displayed in the Network section of the SASE client.
- Click Submit.
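
A planned set of acceleration policies and whitelist entries can be reviewed offline against the limits and side effects stated in the policy and whitelist sections above before it is entered in the console. The following Python code is an added example, not Alibaba Cloud code: the dictionary layout, all sample names, and the decision to flag equal priorities on a shared user group are assumptions.

```python
# Added example, not Alibaba Cloud code. The dict layout and every sample
# name below are constructed; this is not a SASE export format or API.
PRIORITY_MIN, PRIORITY_MAX = 1, 100   # page: valid priority values
MAX_ADDRESSES = 500                   # page: manual address limit

def review(policies, group_members, user_whitelist):
    """Return findings for a planned set of enterprise acceleration policies."""
    findings = []
    for p in policies:
        name, groups = p["name"], set(p["groups"])
        if not PRIORITY_MIN <= p["priority"] <= PRIORITY_MAX:
            findings.append(f"{name}: priority {p['priority']} is outside 1-100")
        if p["mode"] == "custom":
            addrs = set(p.get("addresses", []))
            if not addrs:
                findings.append(f"{name}: Custom Acceleration has no addresses")
            elif len(addrs) > MAX_ADDRESSES:
                findings.append(f"{name}: {len(addrs)} addresses exceed {MAX_ADDRESSES}")
        else:  # Global Acceleration sends all Internet traffic through the link
            findings.append(f"{name}: Global Acceleration for {sorted(groups)}")
        # Whitelisted users do not see the Network acceleration page in the client.
        members = set().union(*(group_members.get(g, set()) for g in groups))
        for user in sorted(members & user_whitelist):
            findings.append(f"{name}: {user} is on the user whitelist")
    # Assumption: the page does not say how equal priorities are ordered,
    # so equal priority on a shared user group is reported for review.
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            shared = set(a["groups"]) & set(b["groups"])
            if a["priority"] == b["priority"] and shared:
                findings.append(
                    f"{a['name']}/{b['name']}: same priority for {sorted(shared)}")
    return findings

# Constructed sample plan.
SAMPLE_POLICIES = [
    {"name": "dev-saas", "priority": 10, "mode": "custom",
     "groups": ["dev-group"], "addresses": ["git.example.com"]},
    {"name": "all-traffic", "priority": 10, "mode": "global",
     "groups": ["dev-group", "sales-group"]},
    {"name": "empty-custom", "priority": 0, "mode": "custom",
     "groups": ["sales-group"], "addresses": []},
]
SAMPLE_GROUPS = {"dev-group": {"alice", "bob"}, "sales-group": {"carol"}}
SAMPLE_WHITELIST = {"bob"}

if __name__ == "__main__":
    for line in review(SAMPLE_POLICIES, SAMPLE_GROUPS, SAMPLE_WHITELIST):
        print(line)
```
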
Log audit
Go to the Acceleration logs page. After a client accesses an application, you can search for and view the corresponding acceleration logs.
