
Smart Access Gateway: Connect private networks outside the Chinese mainland to Alibaba Cloud

Last Updated: Mar 26, 2024

This topic describes how to use Smart Access Gateway (SAG) to connect an office outside the Chinese mainland to Alibaba Cloud.

Background information

A company has an office in Singapore and the company wants to connect the clients in the office to Alibaba Cloud, as shown in the following figure.

[Figure: Architecture]

The following table describes how network resources are allocated in this example.

| Resources | Description | Capacity |
|---|---|---|
| SAG devices | SAG-100WM | 1 |
| SAG bandwidth | In the Singapore (Singapore) region | 2 Mbps |
| Cloud Enterprise Network (CEN) instances | Default edition | 1 |
| Cloud Connect Network (CCN) instances | In the Singapore (Singapore) region | 1 |
| Virtual private clouds (VPCs) | In the Singapore (Singapore) region | 1 |
| Elastic Compute Service (ECS) instances | In the Singapore (Singapore) region | 2 |

Prerequisites

  • A VPC is deployed in the Singapore (Singapore) region. For more information, see Create and manage a VPC.

  • A Cloud Enterprise Network (CEN) instance is created and associated with the VPC. For more information, see Create a VPC connection.

  • An SAG device is prepared.

    You cannot purchase SAG devices in the SAG console in areas outside the Chinese mainland. If you need to purchase SAG devices in areas outside the Chinese mainland, contact your account manager.

Procedure

[Figure: Procedure flowchart]

Step 1: Purchase bandwidth for the SAG device

After you purchase an SAG device, you can purchase bandwidth for the SAG device in the SAG console. After you purchase bandwidth, Alibaba Cloud creates an SAG instance to facilitate device management.

  1. Log on to the SAG console.
  2. In the top navigation bar, select the region.
  3. On the Smart Access Gateway page, choose Purchase SAG > Create SAG (CPE).
  4. On the buy page, set the following parameters and click Buy Now.

    | Section | Parameter | Description |
    |---|---|---|
    | SAG Device | Area | Select the area where you want to use the SAG device. Singapore (Singapore) is selected in this example. Note: If the area that you want to select is not listed on the buy page, we recommend that you select the nearest area. For example, if you want to use SAG devices in Thailand, which is not listed on the buy page, you can select China (Hong Kong). |
    | SAG Device | Device Spec | Select the model of the SAG device that you want to purchase. SAG-100WM is selected in this example. |
    | SAG Device | Have SAG Devices Already | Yes is selected in this example. |
    | SAG Device | Quantity | Skip this parameter. The default value is used in this example. |
    | Peak Bandwidth | Area | Select the area where you want to use the bandwidth resources. This area is the same as the Area that you specify for the SAG device. |
    | Peak Bandwidth | Instance Name | Specify a name for the SAG instance. test123 is used in this example. The name must be 2 to 128 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_). It must start with a letter. |
    | Peak Bandwidth | Peak Bandwidth | Specify the maximum bandwidth that the SAG device can reach. Unit: Mbit/s. The default value is used in this example. |
    | Peak Bandwidth | Subscription Duration | Select a subscription duration. The default value is used in this example. |

  5. On the Confirm Order page, confirm the information and click Confirm Purchase.

  6. In the Shipping Address dialog box, enter the recipient address and then click Buy Now.

    Note

    You must provide the address of the recipient before you can complete the payment. The console does not record this information.

  7. On the Pay page, select a payment method and complete the payment.

Step 2: Configure the SAG device

After you purchase an SAG device, you must configure the device and connect it to your private network.

  1. Connect the SAG device to your private network.

    1. After you receive the SAG device, check whether you have received all the accessories in the purchase order.

    2. After you start the SAG device, connect the wide area network (WAN) port to the modem and connect the local area network (LAN) port to the client.

      In this example, a client in the Singapore (Singapore) region is directly connected to the SAG device and the default CIDR block is used. For more information about how to configure WAN and LAN ports, see Configure SAG-100WM in the web console.

  2. Log on to the SAG console.
  3. In the top navigation bar, select the Singapore (Singapore) region. In the left-side navigation pane, click Smart Access Gateway.

  4. Activate the SAG device.

    1. On the Smart Access Gateway page, find the SAG instance and choose More > Activate in the Actions column.

    2. In the Activate dialog box, click OK.

  5. Associate the SAG device with the SAG instance.

    You can associate SAG devices with SAG instances to facilitate device management and configurations.

    1. Use one of the following methods to open the Device Management tab.

      • On the Smart Access Gateway page, find and click the ID of the SAG instance that you want to manage. On the details page, click the Device Management tab.

      • On the Smart Access Gateway page, find the SAG instance and choose More > Device Management in the Actions column.

    2. On the Device Management tab, enter the serial number of the device and click Add Device.

  6. Add routes.

    1. On the Smart Access Gateway page, find the SAG instance and click Network Configuration in the Actions column.

    2. On the Method to Synchronize with On-premises Routes tab, select Static Routing and click Add Static Route.

    3. Enter the CIDR block of the office and click OK.

      192.168.10.0/24 is used in this example. Therefore, the IP addresses of clients are allocated from 192.168.10.0/24.

Step 3: Enable network communication

After you configure the SAG device, you must create network connections to enable the clients in the office to communicate with the VPC.

  1. Log on to the SAG console.
  2. In the top navigation bar, select Singapore (Singapore).

  3. Attach the SAG instance to a CCN instance.

    Note

    If you have already created a CCN instance in the area, skip to sub-step 4 of this step (step 3.d).

    1. In the left-side navigation pane, click CCN.

    2. On the CCN page, click Create CCN Instance.

    3. In the Create CCN Instance panel, specify a name for the CCN instance and click OK.

      The name must be 2 to 100 characters in length and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter. test123 is used in this example.

    4. In the left-side navigation pane, click Smart Access Gateway.

    5. On the Smart Access Gateway page, find the SAG instance and click Network Configuration in the Actions column.

    6. Click the Network Instance Details tab and click Attach Network.

    7. Set the parameters and click OK.

      • Network Type: Cloud Connect Network is selected in this example.

      • Resource Group: Default Resource Group is selected in this example.

      • Network Instance: The CCN instance created in the preceding step is selected in this example.

  4. Attach the CCN instance to a CEN instance.

    1. In the left-side navigation pane, click CCN.

    2. Find the CCN instance and click Bind CEN Instance in the Actions column.

    3. In the Bind CEN Instance pane that appears, select the CEN instance that you want to attach and click OK.

      After the CCN instance is attached to the CEN instance, SAG devices associated with the CCN instance can communicate with VPCs that are attached to the CEN.

  5. Configure an ECS security group.

    1. Log on to the ECS console.

    2. In the top navigation bar, select the resource group and the Singapore (Singapore) region. In the left-side navigation pane, click Instances.

    3. Find the ECS instance that you want to manage and choose More > Network and Security Group > Configure Security Group in the Actions column.

    4. Find the security group that you want to manage and click Add Rules in the Actions column.

      Note

      If you do not create a security group when you create an ECS instance, a default security group is created. If you want to add an ECS instance to a custom security group, you can create a custom security group. For more information, see Create a security group.

    5. Create a security group rule that allows access from the private network of the office to the VPC. For more information, see Add a security group rule.

      Set Authorization Object to the CIDR block of the private network. 192.168.10.0/24 is used in this example.

Step 4: Test network connectivity

After you complete the preceding steps, you can run the ping command to test the network connectivity between the office and the ECS instance. If an echo reply packet is returned, it indicates that the private network of the office is connected to Alibaba Cloud.

ping <IP address of the ECS instance>
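
The security group rule from Step 3 decides both who can reach the ECS instances and whether the ping test in Step 4 can succeed. The following check is an added example, not part of the original topic or of any Alibaba Cloud tool: it compares each inbound rule's source range with the office CIDR block 192.168.10.0/24 and reports whether ICMP from an office client would be admitted. The rule list is constructed sample data and its field names (protocol, ports, source) are hypothetical.

```python
import ipaddress

# CIDR block of the office, as entered for the static route and the
# security group Authorization Object on this page.
OFFICE_CIDR = ipaddress.ip_network("192.168.10.0/24")

# Constructed sample inbound rules; field names are hypothetical.
RULES = [
    {"protocol": "icmp", "ports": "-1/-1", "source": "192.168.10.0/24"},
    {"protocol": "tcp", "ports": "22/22", "source": "192.168.0.0/16"},
    {"protocol": "tcp", "ports": "443/443", "source": "0.0.0.0/0"},
    {"protocol": "tcp", "ports": "3306/3306", "source": "10.0.0.0/8"},
]


def classify(rule, office=OFFICE_CIDR):
    """Compare a rule's source range with the office CIDR block."""
    src = ipaddress.ip_network(rule["source"], strict=False)
    if src.version != office.version:
        return "unrelated"
    if src.subnet_of(office):
        return "scoped"      # the office range or a slice of it
    if office.subnet_of(src):
        return "too_broad"   # admits the office plus other networks
    return "unrelated"       # does not cover the office range


def ping_allowed(rules, client_ip):
    """True if an ICMP or all-protocol rule admits the client address."""
    client = ipaddress.ip_address(client_ip)
    for rule in rules:
        src = ipaddress.ip_network(rule["source"], strict=False)
        if rule["protocol"] in ("icmp", "all") and client in src:
            return True
    return False


if __name__ == "__main__":
    for rule in RULES:
        print(f'{rule["protocol"]:5} {rule["ports"]:10} '
              f'{rule["source"]:16} {classify(rule)}')
    print("ping from 192.168.10.25 allowed:",
          ping_allowed(RULES, "192.168.10.25"))
```

A rule reported as too_broad still lets the office through, so connectivity tests pass while the instance is reachable from more networks than intended; a security group with only TCP rules makes the Step 4 ping fail even though the SAG, CCN and CEN path is working.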