Smart Access Gateway (SAG) vCPE provides an image that can be deployed on your host. After you deploy the SAG vCPE image on your host, the host serves as a virtual customer-premise equipment (CPE) device. SAG vCPE allows you to connect private networks to Alibaba Cloud in a more flexible way.
You can deploy the SAG vCPE image in various types of networks. This allows you to connect private networks to Alibaba Cloud in a more flexible way.
- You can deploy the SAG vCPE image on an on-premises server. This enables you to connect on-premises networks to Alibaba Cloud.
- You can also deploy the SAG vCPE image on an instance provided by a cloud service provider. This allows you to enable multi-cloud communication. For example, you can deploy the SAG vCPE image on an Alibaba Cloud Elastic Compute Service (ECS) instance, an Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instance, a Microsoft Azure virtual machine (VM), or a Google Cloud VM.
- The host runs one of the following operating systems:
- 64-bit CentOS 7.6 or later (recommended).
- Ubuntu 18.04 64-bit or later.
- The host uses the 3.10.0-957.21.3.el7.x86_64 kernel or a later kernel version.
- The host has an independent network interface controller (NIC) that allows the instance to connect to the Internet.
- The host supports remote logons.
- No service system is deployed on the host.
- The host allows requests from the following ports over the given protocols.
Protocol Port UDP 53, 500, 4500, 789, 801, 12345, 27890, 33336, 43337, 56543, 62345, and 10000 to 10100 TCP 53, 80, 443, 8443, and 10000 to 10100 ICMP N/A
- If your host has traffic throttling, UDP flood attack check, or ICMP flood attack check configured, we recommend that you disable the preceding features to ensure network connectivity.
- If the host is an ECS instance or an Edge Node Service (ENS) instance, the number
of vCPU cores must be one or more and the memory must be 2 GB or more. The following
table describes the performance of different specifications.
Instance type Performance 1 vCPU- 2 GB The bandwidth of the private network for encrypted connections can reach 200 Mbit/s and higher (the packet length in the performance test is 1,024 bytes). 2 vCPUs - 4 GB (recommended) The encrypted private bandwidth can reach 350 Mbit/s and higher (the packet length in the performance test is 1,024 bytes).
- Create an SAG vCPE instance.
After you create an SAG vCPE instance in the SAG console, one SAG vCPE instance can be associated with two SAG vCPE devices by default. The system assigns a serial number and a key to each SAG vCPE device. A serial number and a key are used to associate an SAG vCPE instance with an SAG vCPE device.
- Deploy the SAG vCPE image.
After you deploy the SAG vCPE image on the host, the host can serve as an SAG vCPE device. You must register the serial number and key of the SAG vCPE device to the host. The serial number and key are used to associate the SAG vCPE device with an SAG vCPE instance. Alibaba Cloud checks the validity of the serial number and key for an SAG vCPE device. If the serial number and key are invalid, the SAG vCPE device cannot be connected to Alibaba Cloud. This ensures network security.
- Configure networks on the Alibaba Cloud side.
After you deploy the SAG vCPE image, you must advertise routes to Alibaba Cloud and associate the SAG vCPE instance with a Cloud Connect Network (CCN) instance. Then, you can connect the SAG vCPE device to Alibaba Cloud.
- Configure networks on the user side.
You must configure routes for your on-premises networks to route traffic from on-premises networks to the SAG vCPE device, and then to Alibaba Cloud.
- Test network connectivity.