Secure Access Service Edge: Cross-region acceleration best practices

Last Updated: Jun 02, 2026

Integrate Alibaba Cloud SASE (Secure Access Service Edge) with Global Accelerator (GA) by configuring a connector to deliver high-speed, stable, and secure cross-region acceleration for distributed employees.

Prerequisites

Ensure the following:

  • Alibaba Cloud SASE is activated.

  • You have an Alibaba Cloud account with permissions for SASE, GA, VPC, and ECS.

  • The SASE client is installed on employee devices.

Acceleration traffic flow

[Figure: acceleration traffic flow]

Costs

Enabling Global Accelerator automatically creates a pay-as-you-go Global Accelerator instance, which incurs additional fees.

Configure SASE identities and users

Step 1: Create an identity source

  1. Go to the Identity Access page and switch to the Identity synchronization tab.

  2. Click Create IdP. This document uses a Custom IdP as an example.

    Note

    In production, integrate SASE with your enterprise identity provider (IdP), such as Active Directory (AD), LDAP, DingTalk, or WeCom.

    1. In the Basic Configurations section, enter an IdP Name and Description. Set IdP Status to Enabled. Click Next.

    2. In the Logon Settings section, set the PC Logon Method and Mobile Device Logon Method. This example uses the default settings. You can enable Two-factor Authentication based on your requirements.

    3. After you confirm the settings, click OK.

Step 2: Create users and user groups

  1. Go to the Identity Access page and switch to the Employee Center tab. From the drop-down list on the left, select the identity source you created, and then click Add User.

  2. In the Add User panel, enter the username, password, and other required information. In the Department field, assign the user to a department within the selected identity source.

  3. Switch to the User Group Management tab. Click Create User Group, set a name such as dev-group, and select a Group Scope as needed.

  4. Click OK.

Configure a connector for network connectivity

Deploy a SASE connector on a server at your cross-region egress point to establish network connectivity. Then, enable the connector and configure the GA instance for acceleration.

Step 1: Add an SASE connector

  1. Log on to the SASE console. In the left-side navigation pane, choose Private Access > Network Settings.

  2. On the Non-Alibaba Cloud services tab, add a connector.

    1. On the Connectors tab, click Add Connector.

    2. In the Add Connector dialog box, configure the parameters as required. Then, click OK.

      • Region: Select the region closest to your server for optimal access quality.

      • Instance Name: Enter a connector name.

      • Instance Switch: SASE end users can access the applications associated with the connector only when the instance switch is in the Enable state. You can also turn on the instance switch from the connector list or on the connector Details panel.

        Important

        If you turn off the connector instance switch, end users cannot use the SASE client to access internal applications. Proceed with caution.

      The connector then appears in the connector list.

  3. Enable Global Accelerator.

    1. For the connector instance you created, click Details in the Actions column.

    2. On the instance details page, find the Global Acceleration section and turn it on.

    3. In the Enable GA dialog box, enter the following information:

      Important

      When you enable Global Accelerator for the first time, you are prompted to authorize the automatic creation of the AliyunServiceRoleForGaCdt and AliyunServiceRoleForGaVpcEndpoint service-linked roles. Global Accelerator uses these roles to access your resources in SASE.

      • GA Instance Name: Required. Enter a name for the Global Accelerator instance.

        Important

        Global Accelerator fees include instance fees, capacity unit (CU) fees, and data transfer fees.

      • Resource Group: Select a resource group.

      • Terms of service: By clicking submit, you agree to the relevant terms of service.

      Click Next.

    4. Configure the Acceleration Region and Allocate Bandwidth.

      • Acceleration Region: Select the region closest to your users.

        Note

        The Dubai region is not supported as an acceleration region.

      • Allocate Bandwidth: The range is 2 to 10,000 Mbit/s. Allocation methods:

        • Allocate Bandwidth by Region: Specify a peak bandwidth for each acceleration region.

        • Batch Set: Specify a uniform peak bandwidth for all acceleration regions.

      After you complete the configuration, click OK. The acceleration instance is created within a few minutes.

    5. After the instance is created, its details appear on the details page.

Step 2: Deploy the connector

  1. In the Operation column for the connector you added, click Deploy. On the Deploy panel, copy the deployment command.

  2. Log on to the server or virtual machine where you want to deploy the connector as the root user and run the deployment command. On the Deploy panel, you can also find commands to upgrade the connector, uninstall the connector, and export logs.

  3. After deployment, the instance status changes to Connected. You can also view other information, such as the instance ID.

Step 3: Configure an enterprise acceleration policy

  1. On the Access control page, switch to the Enterprise Acceleration tab, and then click Create Policy.

  2. In the Create Policy panel, configure the parameters as required. Then, click OK.

    • Policy Name: The name of the enterprise acceleration policy.

    • Description: The description of the policy.

    • Priority: Valid values are 1 to 100. A smaller value indicates a higher priority.

    • Acceleration Instance: Supported instance types:

      • CEN: You must enter the Instance IP Address and Instance Port.

      • Connector: Select a connector instance.

        Note

        Select the connector instance you created in the Add an SASE connector step.

    • Acceleration Mode: The following modes are supported:

      • Global Acceleration: Routes all Internet traffic through the accelerated connection. Acceleration stops when a user clicks the "Stop acceleration" button in the client.

      • Custom Acceleration: Requires configuring custom acceleration addresses after policy creation. Only traffic to specified addresses uses the accelerated connection.

    • Accelerated User Group: Select one or more user groups for acceleration.

    • Display on Client: If you select this option, users can choose from different acceleration policies in the SASE client.

  3. If you set Acceleration Mode to Custom Acceleration, you must configure acceleration addresses:

    1. For the policy you created, click Accelerated URL in the Actions column.

    2. In the Accelerated URL panel, click Add Accelerated URL. Configure acceleration addresses:

      • Acceleration address: Manually enter the acceleration addresses. You can add up to 500 addresses.

      • Local bulk upload: Use a template file to upload acceleration addresses in bulk. The file must be in .xlsx format and cannot exceed 100 MB.

    3. Click OK.
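
The policy constraints listed in this step can be checked in a change review before anything is entered in the console. The following Python check is an added example, not Alibaba Cloud code: the dictionary field names, policy names, connector name and addresses are hypothetical, and treating equal priorities on the same user group as a warning is an assumption.

```python
def lint_policies(policies):
    """Return findings; dict field names are hypothetical, not a SASE API."""
    findings, seen = [], {}  # seen: (group, priority) -> first policy name
    for p in policies:
        name, prio = p["name"], p.get("priority")
        def add(sev, msg):
            findings.append((name, sev, msg))
        if not isinstance(prio, int) or not 1 <= prio <= 100:
            add("error", "priority must be an integer from 1 to 100")
        inst = p.get("instance", {})
        if inst.get("type") == "CEN":
            if not (inst.get("ip") and inst.get("port")):
                add("error", "CEN needs Instance IP Address and Instance Port")
        elif inst.get("type") != "Connector" or not inst.get("connector"):
            add("error", "select CEN or a deployed connector instance")
        addrs = p.get("addresses", [])
        if p.get("mode") == "Custom Acceleration":
            if not 1 <= len(addrs) <= 500:
                add("error", "Custom Acceleration needs 1 to 500 addresses")
            if len({a.lower() for a in addrs}) != len(addrs):
                add("warn", "duplicate acceleration addresses")
        elif p.get("mode") == "Global Acceleration":
            add("review", "routes all Internet traffic of these groups")
        else:
            add("error", "unknown acceleration mode")
        groups = p.get("groups", [])
        if not groups:
            add("error", "select at least one accelerated user group")
        for g in groups:
            # Assumption: equal priorities on one group make ordering unclear.
            first = seen.setdefault((g, prio), name)
            if first != name:
                add("warn", f"same priority as '{first}' for group {g}")
    return findings

# Constructed sample plan (names and addresses are placeholders).
PLANNED = [
    {"name": "dev-custom", "priority": 10, "mode": "Custom Acceleration",
     "instance": {"type": "Connector", "connector": "connector-example"},
     "addresses": ["git.example.com", "ci.example.com"], "groups": ["dev-group"]},
    {"name": "dev-global", "priority": 10, "mode": "Global Acceleration",
     "instance": {"type": "CEN", "ip": "192.0.2.10"}, "groups": ["dev-group"]},
    {"name": "ops-custom", "priority": 0, "mode": "Custom Acceleration",
     "instance": {"type": "Connector", "connector": "connector-example"},
     "addresses": [], "groups": []},
]
if __name__ == "__main__":
    for finding in lint_policies(PLANNED):
        print(*finding, sep=" | ")
```

The "review" findings mark Global Acceleration policies so that the user groups whose entire Internet traffic will use the accelerated connection are confirmed explicitly.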

Step 4 (optional): Configure managed objects

To improve network transmission quality, change the Transmission network quality type.

  1. Go to the Instances page on the Global Accelerator console to view the managed objects and their statuses.

  2. If the current account supports Cross-border Express Connect, the automatically created managed GA instance defaults to the Cross-border Express Connect mode. Otherwise, the instance defaults to the BGP (Multi-ISP) Pro mode.

Configure an enterprise acceleration whitelist

To exempt specific domains or users from enterprise acceleration audits, add them to a whitelist.

  1. Go to the whitelist page and switch to the Enterprise Acceleration tab.

  2. In the Domain Name Whitelist section, add domains to the whitelist. You can add multiple domains.

  3. In the User Whitelist section, add users to the whitelist. You can add multiple users.

    Important

    For users on the enterprise acceleration whitelist, the Network acceleration page is not displayed in the Network section of the SASE client.

  4. Click Submit.

Log audit

Go to the Acceleration logs page. After a client accesses an application, you can search for and view the corresponding acceleration logs.
