
Secure Access Service Edge: Access resources in non-CEN VPCs

Last Updated: Jun 21, 2026

If your business resources are deployed in Alibaba Cloud VPCs that are not connected via Cloud Enterprise Network (CEN), you can use a SASE gateway to connect your on-premises network to these resources. This allows employees to access cloud resources from your internal network. This topic describes how to enable or disable the network connection, and how to modify the back-to-origin address.

Manage VPC resources across accounts

If you need to manage VPC resources in member accounts, you must first add the member accounts. Once added, the Network Settings > Services on Alibaba Cloud tab displays VPC resources from your management account and any added member accounts. For more information, see Multi-account management.

Precautions

If CIDR blocks overlap, SASE cannot determine the destination address. For example, conflicts occur if VPCs in different regions use the same CIDR block, or if a VPC and a data center use the same CIDR block. Before you enable a network connection, ensure that your network has no CIDR block conflicts.
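
The conflict check described above can be scripted before you turn on any network connection. This is an added example, not part of the original documentation: the inventory names and CIDR values are constructed, and `find_cidr_conflicts` is a hypothetical helper built on Python's standard `ipaddress` module. It flags partial overlaps as well as identical blocks.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (not real values): network name -> CIDR blocks.
# Fill this from the VPC CIDR Block column and your data center address plan.
NETWORKS = {
    "vpc-hangzhou": ["10.0.0.0/16"],
    "vpc-shanghai": ["10.0.0.0/16"],      # same block reused in another region
    "vpc-beijing": ["172.16.0.0/12"],
    "data-center": ["192.168.0.0/16", "172.20.0.0/24"],
}


def find_cidr_conflicts(networks):
    """Return sorted (name_a, cidr_a, name_b, cidr_b) tuples for overlapping blocks."""
    entries = []
    for name, cidrs in networks.items():
        for cidr in cidrs:
            # strict=True raises ValueError on host bits (e.g. 10.0.0.1/16),
            # which usually indicates a typo in the inventory.
            entries.append((name, ipaddress.ip_network(cidr, strict=True)))

    conflicts = []
    for (name_a, net_a), (name_b, net_b) in combinations(entries, 2):
        # Only compare like with like: IPv4 against IPv4, IPv6 against IPv6.
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            conflicts.append((name_a, str(net_a), name_b, str(net_b)))
    return sorted(conflicts)


if __name__ == "__main__":
    found = find_cidr_conflicts(NETWORKS)
    for name_a, cidr_a, name_b, cidr_b in found:
        print(f"CONFLICT: {name_a} {cidr_a} overlaps {name_b} {cidr_b}")
    if not found:
        print("No CIDR block conflicts found.")
```
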

Network connection diagram

[Image: network connection diagram]

Enable network connection

  1. Log on to the Secure Access Service Edge console.

  2. In the left-side navigation pane, choose Private Access > Network Settings.

  3. On the Network Settings page, click the Services on Alibaba Cloud > VPCs (No CEN Instances Associated) tab to view business resources synchronized with SASE.

    | Parameter | Description |
    | --- | --- |
    | Instance ID/Name | The VPC resources from the management account and all added member accounts. |
    | Owner Account | The account to which the VPC belongs. This can be the management account or a member account. |
    | Region | The region where the VPC is located. |
    | VPC CIDR Block | The CIDR block of the vSwitches in the VPC. |

  4. Find the VPC that you want to manage and turn on the switch in the Network Connection column.

    After you turn on Network Connection, SASE displays the default back-to-origin IP address that is assigned to the business resource.

    The origin server uses the back-to-origin address to respond to requests from the SASE gateway.

Enable connections for other VPC-connected resources

Your business applications may be deployed not only in VPCs but also on other business resources that are connected to the VPC network. If these resources, including both Alibaba Cloud and non-Alibaba Cloud services, cannot be synchronized to SASE, you can manually add one or more of their business CIDR blocks to establish a network connection between SASE and these resources.

Important

When you configure a custom CIDR block for a VPC, the VPC's back-to-origin IP address also applies to the custom CIDR block. Ensure that the VPC can access the applications in the custom CIDR block.

To modify the configuration, find the target VPC and click the edit icon in the Custom CIDR Block column.

Allow the back-to-origin address

SASE uses a proxy model to access the origin server. If security control policies are deployed on your origin server, they will identify the back-to-origin address as suspicious and block traffic forwarded from the proxy server, which prevents your website or application from opening. Therefore, you must allow the back-to-origin address in your origin server's security control policies.

Modify the back-to-origin address

To modify the back-to-origin address, click the icon in the Back-to-origin Address column.

Important

Modifying the back-to-origin address interrupts the network connection between the VPC and SASE for about one minute. Proceed with caution.

Disable network connection

Turning off the Network Connection switch for a specified VPC disconnects the origin-bound link between the SASE gateway and VPC network resources. As a result, SASE end users cannot access the service resources.

Warning

If you turn off Network Connection, end users cannot access internal applications with the SASE Client. Proceed with caution.

Next steps

Once the network is connected, configure the applications that your employees can access. For more information, see Configure office applications and Configure zero trust policies.
