Connect your enterprise's on-premises network to business resources in Alibaba Cloud virtual private clouds (VPCs) that are not connected to Cloud Enterprise Network (CEN). Once connected, employees use the SASE client to reach those resources over an internal network.
How it works
The SASE gateway establishes an outbound connection to the VPC and acts as a proxy. All traffic from the SASE client is routed through the gateway to the origin server. Because the gateway performs source network address translation (SNAT), the origin server sees the gateway's back-to-origin address — not the user's device IP. If the origin server has access control policies, add the back-to-origin address to the allowlist so traffic is not blocked.
Prerequisites
Before you begin, ensure that:
CIDR blocks across your VPCs and data centers do not overlap. If cross-region VPCs share the same CIDR block, or a VPC and a data center use the same CIDR block, SASE cannot determine the destination address. Resolve any IP conflicts before proceeding.
(Optional) If you want to manage VPCs within a member of your resource directory, add the member first. For details, see Multi-account management. Without an added member, the Services on Alibaba Cloud page shows only the VPCs in your management account.
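The CIDR prerequisite above can be checked before any switch is turned on. The following Python sketch is an added example, not part of the original documentation or of any Alibaba Cloud tooling. It compares every pair of blocks in an inventory and reports overlaps, and the network names and CIDR values in it are constructed sample data.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (not from the page): name -> CIDR block.
SAMPLE_NETWORKS = {
    "vpc-hangzhou-app": "10.0.0.0/16",
    "vpc-shanghai-db": "10.1.0.0/16",
    "vpc-beijing-test": "10.0.128.0/20",   # sits inside vpc-hangzhou-app
    "dc-headquarters": "192.168.0.0/22",
    "dc-branch": "192.168.3.0/24",         # sits inside dc-headquarters
    "custom-cidr-legacy": "172.16.5.0/24",
}


def parse_networks(inventory):
    """Parse CIDR strings; strict=True rejects blocks with host bits set
    (e.g. 10.0.0.1/16), which usually indicates a typo in the inventory."""
    parsed, errors = {}, {}
    for name, cidr in inventory.items():
        try:
            parsed[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            errors[name] = str(exc)
    return parsed, errors


def find_overlaps(inventory):
    """Return (conflicts, errors). Each conflict is (name_a, name_b, relation)."""
    parsed, errors = parse_networks(inventory)
    conflicts = []
    for (a, net_a), (b, net_b) in combinations(sorted(parsed.items()), 2):
        # IPv4 and IPv6 blocks never conflict with each other.
        if net_a.version != net_b.version or not net_a.overlaps(net_b):
            continue
        if net_a == net_b:
            relation = "identical"
        elif net_a.subnet_of(net_b):
            relation = f"{a} is inside {b}"
        else:
            # Overlapping CIDR blocks are always equal or nested.
            relation = f"{b} is inside {a}"
        conflicts.append((a, b, relation))
    return conflicts, errors


if __name__ == "__main__":
    conflicts, errors = find_overlaps(SAMPLE_NETWORKS)
    for a, b, relation in conflicts:
        print(f"CONFLICT {a} <-> {b}: {relation}")
    for name, msg in errors.items():
        print(f"INVALID {name}: {msg}")
```

Include any custom CIDR blocks you plan to add manually in the same inventory, since they share the VPC's back-to-origin path.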
Network connection diagram
Enable network connections for a VPC
Log on to the SASE console.
In the left-side navigation pane, choose Private Access > Network Settings.
On the Network Settings page, go to Services on Alibaba Cloud > VPCs (No CEN Instances Associated). The tab lists VPCs synchronized to SASE — from your management account and any added members.
Parameter: Description
Instance ID/Name: The ID and name of the VPC. VPCs from the management account and added members of your resource directory are shown.
Owner Account: The account that owns the VPC — either the management account or a member.
Region: The region where the VPC resides.
VPC CIDR Block: The CIDR block of vSwitches in the VPC.
Find the VPC you want to connect, then turn on the switch in the Network Connection column.
After the switch is on, SASE assigns a default back-to-origin address for the VPC. The back-to-origin address is the IP address to which the origin server sends responses after the SASE gateway initiates access requests.
Enable network connections for other VPC-connected resources
If a business application is deployed in a VPC and relies on other resources connected to that VPC — but those resources do not appear on the Services on Alibaba Cloud or Services Outside Alibaba Cloud tab — add their CIDR blocks manually.

After you add a custom CIDR block, the VPC's back-to-origin address is also used for the custom CIDR block. Make sure that access from the VPC to the applications that use the custom CIDR block is available.
Allow the back-to-origin address on your origin server
If the origin server has access control policies, it may flag the back-to-origin address as suspicious and block the gateway's traffic. To prevent this, add the back-to-origin address to the allowlist in the origin server's access control policies.
Change the back-to-origin address
To change a back-to-origin address, hover over the address in the Back-to-origin Address column and click the icon in the popover.

Changing the back-to-origin address interrupts the connection between the VPC and SASE for approximately 1 minute. Proceed with caution.
Disable network connections for a VPC
Turning off Network Connection for a VPC terminates the back-to-origin link between the SASE gateway and resources in that VPC. Users can no longer access those resources from the SASE client.
If you turn off Network Connection, users can no longer use the SASE client to access office applications over an internal network. Proceed with caution.
What to do next
After enabling network connections, configure access to your applications:
Configure office applications — define which applications users can access
Configure zero trust policies — set access control rules for those applications
Configure an office application allowlist — restrict application access to specific IP addresses
References
Enable network connections for services outside Alibaba Cloud — connect SASE to business applications not hosted on Alibaba Cloud
Enable network connections for applications in global office scenarios — connect SASE to applications in global offices