When your enterprise has offices on both sides of the Chinese mainland border, users in each location need secure access to business resources on the other side. The global office feature combines SASE with your enterprise's private cross-border leased line to give all users—whether inside or outside the Chinese mainland—authenticated, low-latency access to business resources across borders.
How it works
The global office feature uses dynamic routing to connect users to business resources through the nearest POP cluster:
Users outside the Chinese mainland: The enterprise administrator establishes a fixed route using specific points of presence (POPs), a SASE connector, and the private cross-border leased line.
Users in the Chinese mainland: The SASE client uses intelligent routing to connect through the nearest available POP cluster. Deploy a SASE connector in the Chinese mainland region where your business resources are located.
The following diagrams show the three supported cross-border access scenarios.
Users outside the Chinese mainland access business resources outside the Chinese mainland
Users outside the Chinese mainland access business resources in the Chinese mainland
Users in the Chinese mainland access business resources outside the Chinese mainland
Prerequisites
Before you begin, ensure that you have:
The Private Access Advanced Edition of SASE enabled. For details, see Billing overview.
Your enterprise's cross-border leased line registered with carriers, with cross-border connections between office zones enabled.
A SASE connector created. For details, see Enable network connections for services outside Alibaba Cloud.
To minimize network latency, place the SASE connector closest to the POP cluster that serves your office zone.
Step 1: Enable the global office feature
Enabling the global office feature synchronizes your application management configurations and zero-trust policies to SASE POP clusters outside the Chinese mainland. This lets users outside the Chinese mainland authenticate against the nearest SASE server.
Log on to the SASE console.
In the left-side navigation pane, choose Private Access > Network Settings.
On the Global Office tab, click Authorization Management.
In the Authorization Management dialog box, turn on Global Office and select the authorized POP clusters outside the Chinese mainland. The following POP clusters outside the Chinese mainland are supported:
POP Cluster (Singapore)
POP Cluster (Virginia)
POP Cluster (Silicon Valley)
Step 2: Create a dynamic route
Create a dynamic route to associate the SASE POP clusters with your enterprise's private cross-border leased line. The route connects POP clusters to your business resources through a SASE connector.
On the Global Office tab, click Create Route.
In the Create Route panel, configure the following parameters.
Route name: The name of the route.
Route description: The description of the route.
Priority: The priority of the route.
Routing mode: Fixed as Private Leased Line. Cross-border connections between office zones must be enabled before using this mode.
Select application: The office applications that users are allowed to access through this route.
POP access point: The authorized POP clusters outside the Chinese mainland.
Status: The route only takes effect when enabled.
Click Next, select an existing SASE connector, and click OK.
Dynamic routes take priority over SASE connectors. If a dynamic route and a SASE connector are associated with different applications, users can only access the applications associated with the dynamic route.
What's next
After users log on to the SASE client, they can access business applications across borders by selecting the corresponding POP access point. For details, see Install and log on to the SASE client and Enable or disable network protection for private access on the SASE client.