If your business resources are deployed in Alibaba Cloud VPCs that are not connected via Cloud Enterprise Network (CEN), you can use a SASE gateway to connect your on-premises network to these resources. This allows employees to access cloud resources from your internal network. This topic describes how to enable or disable the network connection, and how to modify the back-to-origin address.
Manage VPC resources across accounts
If you need to manage VPC resources in member accounts, you must first add the member accounts. Once added, the tab displays VPC resources from your management account and any added member accounts. For more information, see Multi-account management.
Precautions
If CIDR blocks overlap, SASE cannot determine the destination address. For example, conflicts occur if VPCs in different regions use the same CIDR block, or if a VPC and a data center use the same CIDR block. Before you enable a network connection, ensure that your network has no CIDR block conflicts.
Network connection diagram
Enable network connection
- Log on to the Secure Access Service Edge console.
- In the left-side navigation pane, choose .
- On the Network Settings page, click the tab to view business resources synchronized with SASE.
| Parameter | Description |
| --- | --- |
| Instance ID/Name | The VPC resources from the management account and all added member accounts. |
| Owner Account | The account to which the VPC belongs. This can be the management account or a member account. |
| Region | The region where the VPC is located. |
| VPC CIDR Block | The CIDR block of the vSwitches in the VPC. |
- Find the VPC that you want to manage and turn on the switch in the Network Connection column.
After you turn on Network Connection, SASE displays the default back-to-origin IP address that is assigned to the business resource.
The origin server uses the back-to-origin address to respond to requests from the SASE gateway.
Enable connections for other VPC-connected resources
Your business applications may be deployed not only in VPCs but also on other business resources that are connected to the VPC network. If these resources, including both Alibaba Cloud and non-Alibaba Cloud services, cannot be synchronized to SASE, you can manually add one or more of their business CIDR blocks to establish a network connection between SASE and these resources.
When you configure a custom CIDR block for a VPC, the VPC's back-to-origin IP address also applies to the custom CIDR block. Ensure that the VPC can access the applications in the custom CIDR block.
To modify the configuration, find the target VPC and click the edit icon in the Custom CIDR Block column.
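As an added pre-check for the CIDR-conflict precaution above and for custom CIDR blocks (example code written here, not part of the Alibaba Cloud documentation or the SASE product), the script below takes a constructed inventory of VPC, custom and data-center CIDR blocks and reports every overlapping pair before the Network Connection switch is turned on. All names and addresses are hypothetical; a custom block that lies inside the VPC it is attached to is not reported, since both are reached through that VPC's back-to-origin address.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory, not data from the page or the SASE console.
# kind: "vpc" = VPC CIDR block synchronized to SASE, "custom" = custom CIDR block
# added manually behind a VPC (field "vpc" names that VPC), "datacenter" = on-premises
# network reached through the SASE gateway. All names and addresses are hypothetical.
SAMPLE_NETWORKS = [
    {"name": "vpc-hangzhou", "kind": "vpc", "region": "cn-hangzhou", "cidr": "10.0.0.0/16"},
    {"name": "vpc-shanghai", "kind": "vpc", "region": "cn-shanghai", "cidr": "10.0.0.0/16"},
    {"name": "vpc-beijing", "kind": "vpc", "region": "cn-beijing", "cidr": "10.1.0.0/16"},
    {"name": "erp-subnet", "kind": "custom", "vpc": "vpc-beijing", "cidr": "10.1.8.0/24"},
    {"name": "branch-office", "kind": "datacenter", "cidr": "10.1.8.0/22"},
    {"name": "hq-datacenter", "kind": "datacenter", "cidr": "172.16.0.0/12"},
]


def _same_vpc(a, b):
    """True when one entry is a custom block attached to the other entry (a VPC)."""
    return (a["kind"] == "custom" and a.get("vpc") == b["name"]) or \
           (b["kind"] == "custom" and b.get("vpc") == a["name"])


def find_cidr_conflicts(networks):
    """Return (name_a, name_b, reason) for every pair of blocks that overlap."""
    # strict=True rejects blocks with host bits set, a common typo in inventories.
    parsed = [(n, ipaddress.ip_network(n["cidr"], strict=True)) for n in networks]
    conflicts = []
    for (a, net_a), (b, net_b) in combinations(parsed, 2):
        if not net_a.overlaps(net_b) or _same_vpc(a, b):
            continue
        kinds = {a["kind"], b["kind"]}
        if kinds == {"vpc"}:
            reason = "two VPCs use overlapping CIDR blocks"
        elif "datacenter" in kinds:
            reason = "cloud-side block overlaps an on-premises block"
        else:
            reason = "custom CIDR block overlaps another VPC's block"
        conflicts.append((a["name"], b["name"], reason))
    return conflicts


def safe_to_enable(networks):
    """Pre-check for the Network Connection switch: True only when nothing overlaps."""
    return not find_cidr_conflicts(networks)


if __name__ == "__main__":
    for a, b, why in find_cidr_conflicts(SAMPLE_NETWORKS):
        print(f"{a} <-> {b}: {why}")
    print("safe to enable:", safe_to_enable(SAMPLE_NETWORKS))
```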
Allow the back-to-origin address
Because SASE accesses the origin server through a proxy, security control policies deployed on the origin server can identify the back-to-origin address as suspicious and block the traffic forwarded from the proxy server, which prevents your website or application from opening. Therefore, you must allow the back-to-origin address in your origin server's security control policies.
Modify the back-to-origin address
To modify the back-to-origin address, click the icon in the Back-to-origin Address column.
Modifying the back-to-origin address interrupts the network connection between the VPC and SASE for about one minute. Proceed with caution.
Disable network connection
Turning off the Network Connection switch for a specified VPC disconnects the origin-bound link between the SASE gateway and VPC network resources. As a result, SASE end users cannot access the service resources.
If you turn off Network Connection, end users cannot access internal applications with the SASE Client. Proceed with caution.
Next steps
Once the network is connected, configure the applications that your employees can access. For more information, see Configure office applications and Configure zero trust policies.
References
- If your business applications are deployed on resources outside Alibaba Cloud, see Enable network connections for services outside Alibaba Cloud.
- To support global office access, see Enable network connections for applications in global office scenarios.
- After you configure applications, you can configure an application whitelist to allow traffic from specific IP addresses. For more information, see Configure an application whitelist.