This topic describes how to deploy a Smart Access Gateway (SAG) device in one-arm
mode and use the SAG device to connect on-premises networks to Alibaba Cloud.
Prerequisites
- A virtual private cloud (VPC) is created. For more information, see Create and manage a VPC.
- A Cloud Enterprise Network (CEN) instance is created and the VPC is attached to the
CEN instance. For more information, see Create a CEN instance.
Background information
In this example, an enterprise has created a VPC in the China (Beijing) region and
deployed services in the VPC. The enterprise needs to connect its on-premises network
to Alibaba Cloud to access resources on Alibaba Cloud. In this case, the enterprise
can deploy an SAG-1000 device in one-arm mode to meet the business requirements. This
deployment mode does not change the existing network topology of the enterprise and
allows the enterprise to access resources on Alibaba Cloud by using the SAG device.
Network planning
The following CIDR blocks are used in this example. When you allocate CIDR blocks
based on your requirements, make sure that the CIDR blocks do not overlap with each
other.
| Node | CIDR block |
| --- | --- |
| Enterprise network | CIDR block for business: 172.16.0.0/12; WAN port (port 5) of the SAG device: 192.168.100.1/30, gateway: 192.168.100.2; Port G11 of the Layer 3 switch: 192.168.100.2/30; Port G1 of the egress router: 192.168.80.1/30; Port G2 of the Layer 3 switch: 192.168.80.2/30 |
| VPC in the China (Beijing) region | 10.0.0.0/16 |
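The non-overlap requirement can be checked before any device is configured. The following Python sketch is an added example, not part of the original documentation: it loads the addresses from the planning table and reports overlapping segments and inconsistent point-to-point links. The dictionary keys and the `check_plan` function are assumptions of this example.

```python
import ipaddress
from itertools import combinations

# Addresses from the network planning table (dictionary keys are this example's own).
PLAN = {
    "business": "172.16.0.0/12",
    "sag_wan": "192.168.100.1/30",      # WAN port (port 5) of the SAG device
    "switch_g11": "192.168.100.2/30",   # Layer 3 switch, faces the SAG device
    "router_g1": "192.168.80.1/30",     # egress router
    "switch_g2": "192.168.80.2/30",     # Layer 3 switch, faces the egress router
    "vpc": "10.0.0.0/16",               # VPC in the China (Beijing) region
}
# Point-to-point links: both ends must be distinct hosts in the same subnet.
LINKS = [("sag_wan", "switch_g11"), ("router_g1", "switch_g2")]


def check_plan(plan, links):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    ifaces = {name: ipaddress.ip_interface(cidr) for name, cidr in plan.items()}
    segments, linked = {}, set()
    for a, b in links:
        ia, ib = ifaces[a], ifaces[b]
        linked |= {a, b}
        segments[f"{a}<->{b}"] = ia.network
        if ia.network != ib.network:
            problems.append(f"{a} and {b} are not in the same subnet")
        elif ia.ip == ib.ip:
            problems.append(f"{a} and {b} use the same address {ia.ip}")
        for name, iface in ((a, ia), (b, ib)):
            net = iface.network
            if iface.ip in (net.network_address, net.broadcast_address):
                problems.append(f"{name} uses a non-host address in {net}")
    for name, iface in ifaces.items():
        if name not in linked:
            segments[name] = iface.network
    # Every routed segment must be disjoint from every other one.
    for (n1, s1), (n2, s2) in combinations(segments.items(), 2):
        if s1.overlaps(s2):
            problems.append(f"{n1} ({s1}) overlaps {n2} ({s2})")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN, LINKS) or ["plan is consistent"]:
        print(line)
```

Replace the values in `PLAN` with your own allocation and rerun the check whenever a CIDR block is added or changed.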
Procedure
Step 1: Purchase an SAG device
After you place an order in the SAG console, Alibaba Cloud delivers the SAG device
to the specified address and creates an SAG instance to facilitate the management
of the device.
Note: If the area where the SAG device is used is outside the Chinese mainland, you must
purchase the device from a third-party vendor that is authorized by Alibaba Cloud.
For more information, see Purchase SAG devices.
- Log on to the SAG console.
- On the Smart Access Gateway page, click Purchase SAG.
- Select Create SAG (CPE).
- Set the following parameters and click Buy Now:
  - Area: Select the area where the SAG devices will be deployed. Mainland China is selected in this example.
  - Device Spec: Select the model of the SAG device. SAG-1000 is selected in this example.
  - Have SAG Devices Already: Select whether you already have an SAG device. No is selected in this example.
  - Edition: Select the edition of the SAG device. Standard is selected in this example by default.
  - Quantity: Select the number of SAG devices that you want to purchase. 1 is selected in this example.
  - Area: Select the area where the bandwidth will be used. The area is the same as that of
    the SAG device and cannot be changed.
  - Name: Specify a name for the SAG instance.
    The name must be 2 to 128 characters in length, and can contain digits, periods (.),
    hyphens (-), and underscores (_). It must start with a letter or a Chinese character.
  - Peak Bandwidth: Specify the maximum bandwidth value. 50 Mbps is specified in this example.
  - Subscription Duration: Specify the subscription duration of the bandwidth resources.
- Confirm the order information and click Confirm Purchase.
- In the Shipping Address dialog box, enter the recipient address and click Buy Now.
- On the Pay page, select a payment method and complete the payment.
You can check whether the order has been placed on the Smart Access Gateway page.
After the order is placed, it will be shipped within two business days. If your order
is not shipped as expected, you can submit a ticket to query the shipping status.
Step 2: Activate the SAG device
After you receive the SAG device, check whether you have received all the accessories.
For more information, see Descriptions of SAG-1000.
- Log on to the SAG console.
- In the top navigation bar, select the area of the SAG device.
- On the Smart Access Gateway page, find the SAG instance created for the SAG device.
- In the Actions column, click Activate.
- In the Activate dialog box, click OK.
- After the SAG device is activated, connect it to the private network based on the
preceding network topology.
Use a network cable to connect the WAN port (port 5) of the SAG device to port G11
of the Layer 3 switch.
- Optional: If the SAG device was purchased from a third-party vendor, you must manually associate
the SAG device with the SAG instance. For more information, see Add a device.
Step 3: Configure the SAG device
After the SAG device is connected to the on-premises network, you can configure the
device ports in the SAG console.
Before you begin, make sure that the SAG device is started, the 4G network works as
expected, and the SAG device is connected to Alibaba Cloud.
- Configure the ports.
  - On the Smart Access Gateway page, click the ID of the SAG instance.
  - On the instance details page, click the Device Management tab.
  - In the left-side section, click Manage WAN Ports.
  - In the WAN (Port 5) section, click Edit.
  - In the Configure WAN (Port 5) dialog box, set the following parameters and click OK.

  | Parameter | Description |
  | --- | --- |
  | Connection Type | Select Static IP. |
  | Priority | Use the default value 1. |
  | IP Address | The IP address of the WAN port. In this example, 192.168.100.1 is used. |
  | Subnet Mask | The subnet mask of the IP address of the WAN port. In this example, 255.255.255.252 is used. |
  | Gateway | The IP address of the gateway. In this example, 192.168.100.2 is used. Note: After the gateway is configured, the SAG device automatically adds a default route. |

- Select a method to advertise routes to Alibaba Cloud.
  You must specify how routes are advertised to Alibaba Cloud. These routes are used
  for network communication between the on-premises network and cloud resources.
  - On the SAG instance details page, click the Network Configuration tab.
  - In the left-side navigation tree, click Methods to Synchronize with On-premises Routes.
  - Select Static Routing, click Add Static Route to add a static route, and then click OK.
    Enter the CIDR block used to connect the on-premises network to Alibaba Cloud. 172.16.0.0/12
    is used in this example.
- Configure static routes.
  You must add a route for the on-premises network that points to the WAN port. This
  way, the backup feature is enabled for the 4G network.
  - On the Smart Access Gateway page, click the ID of the SAG instance.
  - On the instance details page, click the Device Management tab.
  - On the Device Management tab, click Manage Routes.
  - On the Manage Routes page, click Add Static Route.
  - On the Add Static Route page, set the following parameters, use the default values for the other parameters,
    and then click OK.

  | Parameter | Description |
  | --- | --- |
  | Destination CIDR Block | Enter the destination CIDR block for which network traffic is destined. In this example, 172.16.0.0/12 is used. |
  | Next Hop | Enter the IP address of the next hop. In this example, 192.168.100.2 is used, which is the peer IP address of the WAN port. |
  | Port | Select the egress port for the destination CIDR block. In this example, the WAN port configured in step 1 (Configure the ports) is selected. |

Step 4: Configure switches and egress routers
You must configure the peer switch and egress router for the SAG device. The switch
and router used in this example may be different from yours. For more information,
refer to the manuals issued by the providers of your devices.
- Configure routes for the Layer 3 switch. The following example provides sample configurations.

    interface GigabitEthernet 0/11
     no switchport
     ! The IP address of the peer switch of the SAG device
     ip address 192.168.100.2 255.255.255.252
    ! The route that points to the VPC in the China (Beijing) region
    ip route 10.0.0.0 255.255.0.0 192.168.100.1
    ! The route that points to the Internet
    ip route 0.0.0.0 0.0.0.0 192.168.80.1

- Configure routes for the egress router. The following example provides sample configurations.

    ! The route that points to the SAG device
    ip route 192.168.100.0 255.255.255.252 192.168.80.2

Step 5: Set up network connections
After you configure the SAG device, you must set up network connections to connect
the private network to Alibaba Cloud.
- Create a Cloud Connect Network (CCN) instance.
  - Log on to the SAG console.
  - In the top navigation bar, select Mainland China.
    The area of the CCN instance must be the same as that of the SAG device.
  - In the left-side navigation pane, click CCN.
  - On the CCN page, click Create CCN Instance.
  - In the Create CCN Instance pane, specify a name for the CCN instance and click OK.
    The name must be 2 to 100 characters in length, and can contain digits, underscores
    (_), and hyphens (-). It must start with a letter or a Chinese character.
- Associate the SAG instance with the CCN instance.
  - In the left-side navigation pane, click Smart Access Gateway.
  - On the Smart Access Gateway page, find the SAG instance that you want to manage and click Network Configuration in the Actions column.
  - In the left-side navigation tree, click Network Instance Details.
  - On the Network Instance Details tab, click Attach Network, select the CCN instance, and then click OK.
- Associate the CCN instance with a CEN instance.
  After the CCN instance is associated with a CEN instance, SAG devices associated with
  the CCN instance can communicate with VPC networks associated with the CEN instance.
  - In the left-side navigation pane, click CCN.
  - Find the CCN instance and click Bind CEN Instance in the Actions column.
  - In the Bind CEN Instance pane, select Existing CEN, select the CEN instance that you want to associate with the CCN instance, and then
    click OK.
- Create a security group rule.
  You must create a security group rule for the Elastic Compute Service (ECS) instance
  in the VPC network to allow clients in the CIDR block 172.16.0.0/12 of the private
  network to access resources deployed on the ECS instance. For more information, see
  Add a security group rule.
Step 6: Test the network connectivity
After you complete the preceding steps, check whether you can access cloud resources
deployed in the VPC from a client in the on-premises network.