If your enterprise uses Virtual Border Router (VBR) leased lines, Cloud Connect Network (CCN) instances, or VPN gateways to connect on-premises networks to Alibaba Cloud, you can extend that connectivity through Secure Access Service Edge (SASE) to reach business resources outside Alibaba Cloud. Once enabled, users access those resources over an internal network through the SASE client — no extra infrastructure required.
How it works
SASE automatically discovers VBR, CCN, and VPN gateway instances in your account and presents them as connectors in the console. Each connector maps to a network channel:
| Connector type | Network channel |
|---|---|
| VBR Leased Line | Leased Line |
| CCN | SAG |
| VPN Gateway | IPsecVPN |
To activate connectivity, you synchronize the connector, configure a back-to-origin virtual private cloud (VPC), and turn on Network Connection. SASE then routes user traffic through the connector's network channel to your on-premises network, and from there to your off-cloud business resources.
Manage connectors across multiple Alibaba Cloud accounts
By default, the Private Access > Network Settings > Services Outside Alibaba Cloud page shows only the VBRs, IPsec-VPN connections, and Smart Access Gateway (SAG) instances in your management account. To include resources from member accounts in your resource directory, add those members first. For details, see Use the multi-account management feature.
Network connection diagram
Turn on network connection
Prerequisites
Before you begin, ensure that you have:
A VBR leased line, CCN instance, or VPN gateway configured in your Alibaba Cloud account
Access to the SASE console with permission to manage Private Access > Network Settings
Step 1: Synchronize Alibaba Cloud network instances
SASE automatically synchronizes your Alibaba Cloud network instances. After synchronization, each instance appears as a connector on the Cloud Network Instance tab with the following details:
| Parameter | Description |
|---|---|
| Connector type | The connector type: VBR Leased Line, CCN, or VPN Gateway. |
| Instance ID/Name | The ID of the VBR, CCN instance, or VPN gateway that generated the connector. |
| Owner account | The account that owns the connector: the management account or a member. |
| Network channel | The underlying channel: Leased Line, SAG, or IPsecVPN — determined by the connector type. |
| Internal CIDR block | The CIDR block of your on-premises network or the vSwitch CIDR block in your VPC. |
Internal CIDR block behavior differs by network channel:
SAG or IPsecVPN: SASE retrieves the CIDR block automatically. No action needed.
Leased Line: SASE cannot retrieve the CIDR block automatically. Enter the value manually. Separate multiple CIDR blocks with commas (,). Example value: 192.168.1.0/24,10.0.0.0/16
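The following pre-check for the manually entered Leased Line value is an added example, not part of the Alibaba Cloud documentation or the SASE console. It assumes IPv4 blocks only, as in the example value on this page; the function name `check_internal_cidrs` and the /8 breadth threshold are illustrative choices, not SASE rules.

```python
import ipaddress

# Assumption for this example (not a SASE console rule): prefixes shorter
# than /8 are flagged so an overly broad on-premises range gets reviewed.
MIN_PREFIX_LEN = 8


def check_internal_cidrs(value, min_prefix_len=MIN_PREFIX_LEN):
    """Check a comma-separated Internal CIDR block string (IPv4 assumed).

    Returns (normalized, problems). Enter `normalized` only when
    `problems` is empty.
    """
    problems, networks = [], []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            problems.append("empty entry (stray comma)")
            continue
        if "/" not in item:
            problems.append(f"{item}: missing prefix length")
            continue
        try:
            # strict=True rejects host bits set, such as 192.168.1.5/24
            net = ipaddress.IPv4Network(item, strict=True)
        except ValueError as exc:
            problems.append(f"{item}: {exc}")
            continue
        if net.prefixlen < min_prefix_len:
            problems.append(f"{net}: broader than /{min_prefix_len}")
        # Overlapping or duplicate blocks usually indicate a copy/paste slip
        problems += [f"{net}: overlaps {seen}" for seen in networks
                     if net.overlaps(seen)]
        networks.append(net)
    return ",".join(str(n) for n in networks), problems


if __name__ == "__main__":
    # Constructed sample values; the first is the example from the page.
    for sample in ("192.168.1.0/24,10.0.0.0/16",
                   "192.168.1.5/24, 10.0.0.0/16,10.0.8.0/24",
                   "0.0.0.0/0,"):
        print(repr(sample), "->", check_internal_cidrs(sample))
```

Because traffic from SASE clients is routed toward whatever ranges are entered here, keeping the list limited to the blocks that actually host business resources narrows what the later zero trust policies have to cover.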
Step 2: Configure a back-to-origin VPC
SASE accesses your on-premises network through a VPC connected to it. This VPC is the back-to-origin VPC. The configuration steps differ by connector type:
VPN Gateway: The back-to-origin VPC is fixed. Only one VPC can connect to the on-premises network, so there is nothing to configure.
VBR Leased Line: Enter a back-to-origin address in the Back-to-origin VPC column.
CCN: Click Select Back-to-origin VPC in the Actions column to choose one or more back-to-origin VPCs.
For CCN connectors, all VPCs attached to the CCN instance are theoretically connected to the on-premises network. If you have configured routing or security policies that restrict access, select only the VPCs from which on-premises access is permitted.
Step 3: Turn on network connection
On the Cloud Network Instance tab, find the connector and turn on the switch in the Network Connection column. Users can now access off-cloud business resources through the SASE client.
Turn off network connection
To disconnect a network channel, turn off Network Connection for the corresponding connector.
After you turn off Network Connection, users can no longer access office applications through the SASE client. Proceed with caution.
What's next
After you enable network connections, you must configure applications before users can access them. Configure applications and zero trust policies to enforce access controls:
Configure office applications — define the applications that users can access through SASE.
Configure zero trust policies — enforce identity-based access controls on top of the network connection.
References
To allow traffic only from specific IP addresses after configuring an application, set up an application whitelist. See Configure an office application whitelist.
To connect SASE to applications deployed on Alibaba Cloud, see Enable network connections for services on Alibaba Cloud.
To connect SASE to applications in global offices, see Enable network connections for applications in global office scenarios.