This topic describes how to deploy a Smart Access Gateway (SAG) device in one-arm mode and use the SAG device to connect on-premises networks to Alibaba Cloud.

Prerequisites

  • A virtual private cloud (VPC) is created. For more information, see Create and manage a VPC.
  • A Cloud Enterprise Network (CEN) instance is created and the VPC is attached to the CEN instance. For more information, see Create a CEN instance.

Background information

In this example, an enterprise has created a VPC in the China (Beijing) region and deployed services in the VPC. The enterprise needs to connect its on-premises network to Alibaba Cloud to access resources on Alibaba Cloud. In this case, the enterprise can deploy an SAG-1000 device in one-arm mode to meet the business requirements. This deployment mode does not change the existing network topology of the enterprise and allows the enterprise to access resources on Alibaba Cloud by using the SAG device.

Architecture

Network planning

The following CIDR blocks are used in this example. When you allocate CIDR blocks based on your requirements, make sure that the CIDR blocks do not overlap with each other.

Node CIDR block
Enterprise network CIDR block for business: 172.16.0.0/12
WAN port (port 5) of the SAG device: 192.168.100.1/30. Gateway: 192.168.100.2
Port G11 of the Layer 3 switch: 192.168.100.2/30
  • Port G1 of the egress router: 192.168.80.1/30
  • Port G2 of the Layer 3 switch: 192.168.80.2/30
VPC in the China (Beijing) region 10.0.0.0/16

Procedure

Procedure

Step 1: Purchase an SAG device

After you place an order in the SAG console, Alibaba Cloud delivers the SAG device to the specified address and creates an SAG instance to facilitate the management of the device.

Note If the area where the SAG device is used is outside the Chinese mainland, you must purchase the device from a third-party vendor that is authorized by Alibaba Cloud. For more information, see Purchase SAG devices.
  1. Log on to the SAG console.
  2. On the Smart Access Gateway page, click Purchase SAG.
  3. Select Create SAG (CPE).
  4. Set the following parameters and click Buy Now:
    • Area: Select the area where the SAG devices will be deployed. Mainland China is selected in this example.
    • Device Spec: Select the model of the SAG device. SAG-1000 is selected in this example.
    • Have SAG Devices Already: Select whether you already have an SAG device. No is selected in this example.
    • Edition: Select the edition of the SAG device. Standard is selected in this example by default.
    • Quantity: Select the number of SAG devices that you want to purchase. 1 is selected in this example.
    • Area: Select the area where the bandwidth will be used. The area is the same as that of the SAG device and cannot be changed.
    • Name: Specify a name for the SAG instance.

      The name must be 2 to 128 characters in length, and can contain digits, periods (.), hyphens (-), and underscores (_). It must start with a letter or a Chinese character.

    • Peak Bandwidth: Specify the maximum bandwidth value. 50 Mbps is specified in this example.
    • Subscription Duration: Specify the subscription duration of the bandwidth resources.
  5. Confirm the order information and click Confirm Purchase.
  6. In the Shipping Address dialog box, enter the recipient address and click Buy Now.
  7. On the Pay page, select a payment method and complete the payment.

You can check whether the order has been placed on the Smart Access Gateway page. After the order is placed, it will be shipped within two business days. If your order is not shipped as expected, you can submit a ticket to query the shipping status.

The order status

Step 2: Activate the SAG devices

After you receive the SAG device, check whether you have received all the accessories. For more information, see Descriptions of SAG-1000.

  1. Log on to the SAG console.
  2. In the top navigation bar, select the area of the SAG device.
  3. On the Smart Access Gateway page, find the SAG instance created for the SAG device.
  4. In the Actions column, click Activate.
  5. In the Activate dialog box, click OK.
  6. After the SAG device is activated, connect it to the private network based on the preceding network topology.
    Use a network cable to connect the WAN port (port 5) of the SAG device to port G11 of the Layer 3 switch.
  7. Optional:If the SAG device was purchased from a third-party vendor, you must manually associate the SAG device with the SAG instance. For more information, see Add a device.

Step 3: Configure the SAG device

After the SAG device is connected to the on-premises network, you can configure the device ports in the SAG console.

Before you begin, make sure that the SAG device is started, the 4G network works as expected, and the SAG device is connected to Alibaba Cloud.

  1. Configure the ports.
    1. On the Smart Access Gateway page, click the ID of the SAG instance.
    2. On the instance details page, click the Device Management tab.
    3. In the left-side section, click Manage WAN Ports.
    4. In the WAN (Port 5) section, click Edit.
    5. In the Configure WAN (Port 5) dialog box, set the following parameters and click OK.
      WAN (Port 3)
      Parameter Description
      Connection Type Select Static IP.
      Priority Use the default value 1.
      IP Address The IP address of the WAN port. In this example, 192.168.100.1 is used.
      Subnet Mask The subnet mask of the IP address of the WAN port. In this example, 255.255.255.252 is used.
      Gateway The IP address of the gateway. In this example, 192.168.100.2 is used.
      Note After the gateway is configured, the SAG device automatically adds a default route.
  2. Select a method to advertise routes to Alibaba Cloud.
    You must specify how routes are advertised to Alibaba Cloud. These routes are used for network communication between the on-premises network and cloud resources.
    1. On the SAG instance details page, click the Network Configuration tab.
    2. In the left-side navigation tree, click Methods to Synchronize with On-premises Routes.
    3. Select Static Routing, click Add Static Route to add a static route, and then click OK.

      Enter the CIDR block used to connect the on-premises network to Alibaba Cloud. 172.16.0.0/12 is used in this example.

      On-premises route 2
  3. Configure static routes
    You must add a route that points to the WAN port for the on-premise network. This way, the backup feature is enabled for the 4G network.
    1. On the Smart Access Gateway page, click the ID of the SAG instance.
    2. On the instance details page, click the Device Management tab.
    3. On the Device Management tab, click Manage Routes.
    4. On the Manage Routes page, click Add Static Route.
    5. On the Add Static Route page, set the following parameters and use the default values for the other parameters, and then click OK.
      Example
      Parameter Description
      Destination CIDR Block Enter the destination CIDR block for which network traffic is destined. In this example, 172.16.0.0/12 is used.
      Next Hop Enter the IP address of the next hop. In this example, 192.168.100.2 is used, which is the peer IP address of the WAN port.
      Port Select the egress port of the destination CIDR block. In this example, the WAN port configured in Step1 is selected.

Step 4: Configure switches and egress routers

You must configure the peer switch and egress router for the SAG device. The switch and router used in this example may be different from yours. For more information, refer to the manuals issued by the providers of your devices.

  1. Configure routes for the Layer 3 switch. 
    
interface GigabitEthernet 0/11
no switchport
ip address 192.168.100.2 255.255.255.252 #The IP address of the peer switch of the SAG device  


ip route 10.0.0.0 255.255.0.0 192.168.100.1 #The route that points to the VPC in the China (Beijing) region
 
ip route 0.0.0.0 0.0.0.0 192.168.80.1 #The route that points to the Internet
  2. Configure routes for the egress router. The following example provides sample configurations. 
    
ip route 192.168.100.0 255.255.255.252 192.168.80.2 #The route that points to the SAG device

Step 5: Set up network connections

After you configure the SAG device, you must set up network connections to connect the private network to Alibaba Cloud.

  1. Create a Cloud Connect Network (CCN) instance.
    1. Log on to the SAG console.
    2. In the top navigation bar, select Mainland China.
      The area of the CCN instance must be the same as that of the SAG device.
    3. In the left-side navigation pane, click CCN.
    4. On the CCN page, click Create CCN Instance.
    5. In the Create CCN Instance pane, specify a name for the CCN instance and click OK.
      The name must be 2 to 100 characters in length, and can contain digits, underscores (_), and hyphens (-). It must start with a letter or a Chinese character.Create a CCN instance
  2. Associate the SAG instance with the CCN instance.
    1. In the left-side navigation pane, click Smart Access Gateway.
    2. On the Smart Access Gateway page, find the SAG instance that you want to manage and click Network Configuration in the Actions column.
    3. In the left-side navigation tree, click Network Instance Details.
    4. On the Network Instance Details tab, click Attach Network, select the CCN instance, and then click OK.
      Attach a network
  3. Associate the CCN instance with a CEN instance.
    After the CCN instance is associated with a CEN instance, SAG devices associated with the CCN instance can communicate with VPC networks associated with the CEN instance.
    1. In the left-side navigation pane, click CCN.
    2. Find the CCN instance and click Bind CEN Instance in the Actions column.
    3. In the Bind CEN Instance pane, select Existing CEN, select the CEN instance that you want to associate with the CCN instance, and then click OK.
      Associate with a CEN instance
  4. Create a security group rule.
    You must create a security group rule for the Elastic Compute Service (ECS) instance in the VPC network to allow clients in the CIDR block 172.16.0.0/12 of the private network to access resources deployed on the ECS instance. For more information, see Add a security group rule.

Step 6: Test the network connectivity

After you complete the preceding steps, check whether you can access cloud resources deployed in the VPC from a client in the on-premises network.