When your corporate resources are deployed in Alibaba Cloud Virtual Private Clouds (VPCs) that are interconnected using Cloud Enterprise Network (CEN), you can use a SASE Gateway to establish a secure connection between your private network and your cloud resources. This lets employees access cloud resources privately. This topic describes how to enable and disable the network connection, and how to modify the back-to-origin address for your services.
Manage VPCs across multiple Alibaba Cloud accounts
To manage VPCs that belong to other Alibaba Cloud accounts, first add them as member accounts. After you add the accounts, all VPC resources from your management account and the member accounts are displayed on the tab on the SASE console. If you do not add any member accounts, only the VPC resources from your current management account are displayed. For more information, see multi-account management.
Usage notes
If CIDR blocks conflict, for example when VPCs in different regions use the same CIDR block, or when a VPC and a data center use overlapping CIDR blocks, SASE cannot determine which network a destination address belongs to and cannot route traffic correctly. Before you enable a network connection, make sure that no CIDR blocks in your network overlap.
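The following Python script is an added example, not part of the SASE documentation, that performs the check the note above asks for: it takes an inventory of VPC and data center CIDR blocks and reports every pair that overlaps. It treats any overlap as a conflict, not only identical blocks, because a data center /20 carved out of a VPC's /16 is just as ambiguous for routing. The network names, regions and CIDR blocks below are constructed sample data.

```python
"""Added example: detect conflicting CIDR blocks before enabling a SASE network connection."""
import ipaddress
from itertools import combinations

# Constructed sample inventory (illustrative names and blocks, not real resources).
# Each entry is one network SASE would have to route to: a VPC or a data center.
SAMPLE_NETWORKS = [
    {"name": "vpc-prod",      "kind": "VPC",         "region": "cn-hangzhou", "cidr": "10.0.0.0/16"},
    {"name": "vpc-staging",   "kind": "VPC",         "region": "cn-shanghai", "cidr": "10.0.0.0/16"},
    {"name": "vpc-shared",    "kind": "VPC",         "region": "cn-hangzhou", "cidr": "10.1.0.0/16"},
    {"name": "dc-hq",         "kind": "data center", "region": "on-premises", "cidr": "10.1.128.0/20"},
    {"name": "vpc-analytics", "kind": "VPC",         "region": "cn-beijing",  "cidr": "172.16.0.0/12"},
]


def find_cidr_conflicts(networks):
    """Return (name_a, name_b, overlapping_block) for every pair whose CIDRs overlap.

    For CIDR blocks, overlapping means one contains the other, so the overlapping
    range is the more specific (longer-prefix) block. strict=True makes
    ip_network() reject malformed entries such as "10.0.0.1/24" (host bits set)
    instead of silently normalizing them.
    """
    parsed = [(net, ipaddress.ip_network(net["cidr"], strict=True)) for net in networks]
    conflicts = []
    for (a, block_a), (b, block_b) in combinations(parsed, 2):
        if block_a.version != block_b.version or not block_a.overlaps(block_b):
            continue
        overlap = block_a if block_a.prefixlen >= block_b.prefixlen else block_b
        conflicts.append((a["name"], b["name"], str(overlap)))
    return conflicts


def is_conflict_free(networks):
    """True when SASE can route unambiguously to every network in the inventory."""
    return not find_cidr_conflicts(networks)


def describe_conflicts(networks):
    """Format the conflicts as a report to act on before turning the switch on."""
    by_name = {net["name"]: net for net in networks}
    lines = []
    for name_a, name_b, overlap in find_cidr_conflicts(networks):
        a, b = by_name[name_a], by_name[name_b]
        lines.append(
            f"CONFLICT {overlap}: {a['kind']} {name_a} ({a['region']}, {a['cidr']}) "
            f"overlaps {b['kind']} {name_b} ({b['region']}, {b['cidr']})"
        )
    return lines


if __name__ == "__main__":
    report = describe_conflicts(SAMPLE_NETWORKS)
    print("\n".join(report) if report else "no CIDR conflicts; safe to enable the network connection")
```

Run it against the real CIDR blocks of every VPC attached to the CEN instance plus every data center and custom CIDR block you intend to connect; the sample data above reports two conflicts, one duplicate /16 across regions and one data center block nested inside a VPC.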
How it works
Enable a network connection
1. Log on to the Secure Access Service Edge console.
2. In the left-side navigation pane, choose .
3. On the Network Settings page, go to the tab to view the network resources synchronized by SASE. The following parameters are displayed:
   CEN instance ID/name: All CEN instances that belong to your management account and the added member accounts.
   Owner Account: The account to which the CEN instance belongs, either the management account or a member account.
   Back-to-origin Address: The address that the SASE Gateway uses to communicate with CEN. For ECS instances in a VPC attached to the CEN instance, SASE automatically adds a security group rule that allows traffic from this address. For other resources attached to the CEN instance, such as VBRs or SAGs that are protected by ACLs, you must manually add a rule that allows traffic from this address.
4. Find the CEN instance, or a specific VPC attached to the CEN instance, and turn on the Network Connection switch. You can enable the connection in either of two ways:
   - Enable Network Connection for the entire CEN instance. This establishes a back-to-origin link between the SASE Gateway and all network resources attached to the CEN instance, so every VPC attached to the instance becomes reachable by your end users. After SASE verifies traffic against your zero-trust policies, the SASE Gateway forwards it to its destination. When you turn on the switch, SASE prompts you to select a VPC for back-to-origin traffic: in the Select Back-to-origin VPC dialog box, find the target VPC in the list and click Select in the Actions column. SASE then displays the selected VPC and the automatically assigned back-to-origin address. For ECS instances in a VPC attached to the CEN instance, SASE automatically adds a security group rule that allows traffic from this address. Enabling the connection at the CEN instance level also releases any back-to-origin addresses that were previously assigned to individual VPCs, VBRs, or SAGs, so manual ACL rules that reference a released address no longer match the traffic that SASE sends.
   - Enable Network Connection for a specific VPC. This connects only that VPC to your end users; other VPCs attached to the same CEN instance remain disconnected. After you enable the connection, the Network Connection switch for the VPC turns green and the assigned back-to-origin address appears in the Back-to-origin address column.
5. In the Network Connection dialog box, select Enable Network Connection for All Cloud Applications or Custom Connection to Cloud Applications.
   - Enable Network Connection for All Cloud Applications: All cloud-native applications in the VPC connect automatically, and any new cloud-native applications created in the VPC also connect by default. Non-cloud applications can be connected by configuring ACL rules.
     Note: Only specific types of cloud-native applications are currently supported. To see the supported types, go to the tab and check the Application Type column.
   - Custom Connection to Cloud Applications: Select this option and click OK. In the Custom Connection to Cloud Applications panel, select the applications that you want to connect and click OK.
6. After you turn on the Network Connection switch, SASE displays the default back-to-origin address assigned to the resource.
7. After you connect your applications, you can view their details by navigating to .
Connect to custom resources
If your applications are deployed on resources that SASE cannot automatically synchronize, you can manually add their CIDR blocks to establish a network connection with SASE. You can add multiple CIDR blocks.
After you configure a custom CIDR block for a VPC, the custom CIDR block also uses the VPC's back-to-origin address. Ensure that the specified VPC can access the applications within the custom CIDR block.
In the VPC list for the target CEN instance, find the VPC for which you want to configure a custom CIDR block. Click the edit icon in the Custom CIDR Block column and add the required CIDR blocks.
Allow the back-to-origin address
SASE uses a proxy model to access your origin servers, so all traffic that the SASE Gateway forwards reaches the origin from the back-to-origin address rather than from the end user's address. If your origin server enforces its own security policies (for example a host firewall, WAF, or application-level IP allowlist), traffic from the back-to-origin address might be blocked as suspicious, which prevents access to your website or application. To avoid this, add the back-to-origin address to the allowlist in your origin server's security policies. Allow only that address, not a broad range, so that the allowlist still restricts who can reach the origin.
Modify the back-to-origin VPC
To change the back-to-origin VPC for your services, click Select Back-to-origin VPC in the Actions column.
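The following Python script is an added example, not part of the SASE documentation, that turns the allow-rule guidance above into a repeatable check: it separates the attached resources whose security group rule SASE adds automatically (ECS instances in an attached VPC) from those whose ACL you must edit yourself (VBRs, SAGs), audits an origin server's allowlist to confirm the back-to-origin address is permitted without a wide-open entry, and, after the back-to-origin VPC is changed, removes the stale host entry and adds the new one. The resource names, addresses and allowlists are constructed sample data, and the script assumes that selecting a different back-to-origin VPC results in a different assigned address.

```python
"""Added example: audit and maintain allow rules for the SASE back-to-origin address."""
import ipaddress

# Constructed sample: resources attached to one CEN instance (illustrative names).
# Per the documentation, ECS security groups get their rule from SASE automatically;
# VBRs and SAGs protected by ACLs, and your origin servers' own policies, do not.
SAMPLE_RESOURCES = [
    {"name": "vpc-prod-ecs", "type": "ECS"},
    {"name": "vbr-office", "type": "VBR"},
    {"name": "sag-branch-1", "type": "SAG"},
]
AUTO_ALLOWED_TYPES = {"ECS"}


def host_entry(addr):
    """Allowlist entry for exactly one address (/32 for IPv4, /128 for IPv6)."""
    ip = ipaddress.ip_address(addr)
    return f"{ip}/{ip.max_prefixlen}"


def plan_allow_rules(resources, back_to_origin_addr):
    """Split attached resources into those SASE handles and those you must edit yourself."""
    plan = {"source": host_entry(back_to_origin_addr), "automatic": [], "manual": []}
    for res in resources:
        bucket = "automatic" if res["type"] in AUTO_ALLOWED_TYPES else "manual"
        plan[bucket].append(res["name"])
    return plan


def audit_allowlist(allowlist, back_to_origin_addr):
    """Check an origin's allowlist (CIDR strings) against the back-to-origin address.

    Returns (covered, findings): covered is True if some entry permits the address;
    findings lists invalid entries, wide-open entries that defeat the allowlist,
    and the entry to add when the address is missing.
    """
    addr = ipaddress.ip_address(back_to_origin_addr)
    covered, findings = False, []
    for entry in allowlist:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"invalid entry: {entry!r}")
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 allows everyone
            findings.append(f"wide-open entry {entry} defeats the allowlist")
        if net.version == addr.version and addr in net:
            covered = True
    if not covered:
        findings.append(f"{addr} is not allowed; add {host_entry(addr)}")
    return covered, findings


def reconcile_after_vpc_change(allowlist, old_addr, new_addr):
    """Return the allowlist after the back-to-origin VPC, and with it the address, changes.

    Assumption (not stated on the page): selecting a different back-to-origin VPC
    yields a different address, so the old host entry is stale and is removed; the
    new host entry is added unless an existing entry already covers it.
    """
    updated = [entry for entry in allowlist if entry != host_entry(old_addr)]
    if not audit_allowlist(updated, new_addr)[0]:
        updated.append(host_entry(new_addr))
    return updated


if __name__ == "__main__":
    # Constructed values: a back-to-origin address and an origin's current allowlist.
    addr = "10.0.1.7"
    origin_allowlist = ["192.168.50.0/24"]
    print(plan_allow_rules(SAMPLE_RESOURCES, addr))
    print(audit_allowlist(origin_allowlist, addr))
    print(reconcile_after_vpc_change(origin_allowlist + [host_entry(addr)], addr, "10.2.0.9"))
```

Re-run the audit against every origin allowlist each time the Back-to-origin address column changes, including after enabling the connection at the CEN instance level, since that releases the addresses previously assigned to individual VPCs, VBRs, or SAGs.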
Disable a network connection
Turning off the Network Connection switch for a specific VPC or for an entire CEN instance removes the back-to-origin link between the SASE Gateway and the affected network resources, so SASE end users can no longer reach them.
Disabling the network connection prevents users from accessing the private applications behind it through the SASE Client. Proceed with caution.
Next steps
After you establish a network connection, you must configure the private applications your employees can access. For more information, see Configure private applications and Configure zero-trust policies.
Related topics
-
To allow traffic from specific IP addresses after configuring an application, create an application whitelist. For more information, see Configure a whitelist for a private application.
-
If your business applications are deployed on networks outside of Alibaba Cloud, see Connect to resources outside Alibaba Cloud.
-
To enable access for a global workforce, see Enable global office connectivity.
-
SASE allows you to manage public access for cloud-native applications. As a best practice, we recommend disabling public access and restricting access to the private VPC network whenever possible. For more information, see Best practices for accessing cloud-native applications with SASE.