When you enable Internet access for the office applications of your enterprise, you can configure a whitelist mechanism for the applications to improve security. For example, you can use security groups of Elastic Compute Service (ECS) or access control policies of Cloud Firewall to allow only a specific CIDR block to access the applications. In this case, Secure Access Service Edge (SASE) automatically assigns common back-to-origin IP addresses. The SASE client uses the assigned IP addresses to send requests to the origin servers that house the Internet applications. If your enterprise has high security requirements, you can configure exclusive back-to-origin services for the Internet applications to obtain exclusive back-to-origin IP addresses. This topic describes how to configure exclusive back-to-origin services for Internet applications.
Prerequisites
Private Access Advanced of SASE is activated. For more information, see Billing overview.
A whitelist mechanism is configured to control access to the Internet applications. For example, you can configure ECS security groups to allow only users within your enterprise to access the applications.
Network connections are enabled in the regions where the applications reside. For more information, see Enable network connections for services on Alibaba Cloud.
If you disable the network connection for a business resource that resides in a VPC or delete the VPC, the exclusive back-to-origin service is interrupted, and your business is affected.
Step 1: Configure exclusive back-to-origin services
If all your Internet applications are deployed in a single region, enable the exclusive back-to-origin service in that region. If your Internet applications reside in multiple regions, enable an exclusive back-to-origin service in each of those regions.
Log on to the SASE console. In the left-side navigation pane, choose .
On the Exclusive Back-to-origin Service tab, click Add Exclusive Back-to-origin Service. In the dialog box that appears, select the region in which the VPC to be associated resides, select the VPC, and then turn on the switch for Status.
Click OK.
After you configure the exclusive back-to-origin service, SASE automatically assigns two exclusive public IP addresses that are used to send back-to-origin requests. You can view the assigned exclusive back-to-origin IP addresses in the exclusive back-to-origin service list.

Step 2: Allow the assigned exclusive back-to-origin IP addresses
To ensure normal network connections, you must allow the exclusive back-to-origin IP addresses assigned by SASE.
After you configure the exclusive back-to-origin service, zero trust gateways of SASE communicate with your Internet applications by using the exclusive public IP addresses assigned by SASE. The actual IP addresses that the SASE client uses to access your Internet applications are invisible to the origin servers that house your Internet applications. Because the whitelist mechanism is configured for your Internet applications, the SASE client cannot access the origin servers unless you allow the exclusive back-to-origin IP addresses.
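The following added example (not part of the original documentation and not Alibaba Cloud code) audits a set of inbound whitelist rules for one application port: it reports which exclusive back-to-origin IP addresses still lack their own allow rule and which allowed sources are wider than those addresses. Assumptions: the two IP addresses are documentation-range placeholders, the rule dictionaries are a simplified, constructed model of ECS security group permissions, and rule priority and Drop rules are ignored.

```python
import ipaddress

# Constructed placeholders: documentation-range addresses stand in for the two
# exclusive back-to-origin IP addresses listed in the SASE console.
EXCLUSIVE_IPS = ["203.0.113.10", "198.51.100.20"]

# Constructed inbound rules, simplified from ECS security group permissions.
SAMPLE_RULES = [
    {"IpProtocol": "TCP", "PortRange": "443/443", "SourceCidrIp": "203.0.113.10/32", "Policy": "Accept"},
    {"IpProtocol": "TCP", "PortRange": "1/65535", "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept"},
    {"IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "192.0.2.0/24", "Policy": "Accept"},
]


def covers_port(rule, port):
    """True if the rule is an Accept rule for TCP (or all protocols) that includes the port."""
    if rule["Policy"].lower() != "accept" or rule["IpProtocol"].upper() not in ("TCP", "ALL"):
        return False
    low, high = (int(p) for p in rule["PortRange"].split("/"))
    # Assumed convention: -1/-1 means "all ports" when the protocol is ALL.
    return (low, high) == (-1, -1) or low <= port <= high


def audit_whitelist(rules, exclusive_ips, port):
    """Return (exclusive IPs without a host rule, sources wider than the exclusive IPs)."""
    allowed = [ipaddress.ip_address(ip) for ip in exclusive_ips]
    nets = [ipaddress.ip_network(r["SourceCidrIp"], strict=False)
            for r in rules if covers_port(r, port)]
    # An exclusive IP counts as allowed only if it has its own single-host rule,
    # because any broader rule that happens to cover it is flagged for review.
    hosts = {n.network_address for n in nets if n.num_addresses == 1}
    missing = [str(ip) for ip in allowed if ip not in hosts]
    # Too broad: a range of addresses, or a single host that is not an exclusive IP.
    too_broad = [str(n) for n in nets
                 if n.num_addresses > 1 or n.network_address not in allowed]
    return missing, too_broad


if __name__ == "__main__":
    missing, too_broad = audit_whitelist(SAMPLE_RULES, EXCLUSIVE_IPS, 443)
    print("exclusive IPs not yet allowed:", missing)
    print("sources wider than the exclusive IPs:", too_broad)
```
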
What to do next
After you enable the network connections, you must add the Internet applications that users can access. For more information, see Add an office application to SASE and Configure a zero trust policy.
References
For more information about allowing network traffic in an office application, see Configure an office application whitelist.
For more information about enabling network connections for office applications deployed on Alibaba Cloud, see Enable network connections for services on Alibaba Cloud.
For more information about enabling network connections for office applications deployed outside Alibaba Cloud, see Enable network connections for services outside Alibaba Cloud.
For more information about enabling network connections for global office, see Enable network connections for global office.