This topic describes how to connect Amazon Web Services (AWS) resources to Alibaba Cloud resources by using Smart Access Gateway (SAG) vCPE.
Prerequisites
- Cloud services are deployed on AWS. For more information, see AWS.
- A VPC is created and cloud services are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
- You understand the security group rules that apply to Alibaba Cloud virtual private clouds (VPCs), and the security group rules allow AWS resources to access the Alibaba Cloud VPC resources. For more information, see View security group rules and Add a security group rule.
- Elastic Compute Service (ECS) instances are deployed in an Alibaba Cloud VPC. For more information, see Create an instance by using the wizard.
Sample scenario
The following figure shows how to establish network communication between cloud resources deployed on Alibaba Cloud and on AWS. In this example, an enterprise has deployed cloud services on Alibaba Cloud in the Singapore region and on AWS, and wants the resources on the two clouds to communicate with each other.
You can deploy the SAG vCPE image on an instance in an AWS VPC. This way, the instance can serve as an SAG vCPE device to connect AWS resources to Alibaba Cloud. After you connect the SAG vCPE device to Alibaba Cloud, you can enable resources in AWS VPCs and in Alibaba Cloud VPCs to access each other by using Cloud Connect Network (CCN) and Cloud Enterprise Network (CEN).
Procedure
If the cloud resources on AWS and on Alibaba Cloud are deployed in the same region, you do not need to configure an inter-region connection on Alibaba Cloud (Step 5). In this topic, the resources are deployed in different regions.
Step 1: Create an SAG vCPE instance
You must create an SAG vCPE instance in the SAG console. Then, you can use the SAG vCPE instance to manage the SAG vCPE device.
- Log on to the SAG console.
- On the SAG page, choose .
On the SmartAG vCPE Software page, set the following parameters, click Buy Now, and then complete the payment.
- Area: Select the region where you want to deploy the SAG vCPE instance. Singapore (Singapore) is selected in this example.
- Instance Name: Enter a name for the SAG vCPE instance. The name must be 2 to 128 characters in length, and can contain letters, digits, periods (.), underscores (_), and hyphens (-). It must start with a letter.
- Instance Type: SAG-vCPE is selected by default.
- Edition: Basic Edition is selected by default.
- Deployment Mode: Select a deployment mode for the SAG vCPE instance. By default, Active-Active is selected. In Active-Standby mode, one SAG vCPE instance can be associated with two SAG vCPE devices by default. You can deploy two SAG vCPE devices in active-standby mode to connect on-premises networks to Alibaba Cloud, which improves network availability. In this example, only one device is used.
- Peak Bandwidth: Select the maximum bandwidth for network communication. Unit: Mbit/s.
- Quantity: Specify the number of SAG vCPE instances that you want to create. In this example, 1 is selected.
- Duration: Select a subscription duration.
Return to the SAG console. In the top navigation bar, select the region where the SAG vCPE instance is deployed.
In the left-side navigation pane, click Smart Access Gateway.
On the SAG page, click the ID of the SAG vCPE instance.
On the instance details page, click the Device Management tab, and then record the serial number and key of the active SAG vCPE device. The serial number and key are used to associate the SAG vCPE instance with the SAG vCPE device.
Step 2: Deploy the SAG vCPE image
To establish network communication between cloud resources deployed on Alibaba Cloud and on AWS, you must create an instance in the AWS VPC. Then, you can deploy the SAG vCPE image on the instance in the AWS VPC. After you deploy the SAG vCPE image, the AWS instance can serve as an SAG vCPE device and allows you to connect AWS resources to Alibaba Cloud resources.
Create an instance in the AWS VPC.
For more information about how to create an instance in the AWS VPC, see the relevant AWS documentation. Make sure that the AWS instance meets the following requirements:
- The operating system of the AWS instance is one of the following:
  - 64-bit CentOS 7.6 or later (recommended).
  - 64-bit Ubuntu 18.04 or later.
- The AWS instance runs kernel version 3.10.0-957.21.3.el7.x86_64 or later.
- The AWS instance has an independent network interface controller (NIC) through which it can connect to the Internet.
- The AWS instance supports remote logon.
- No other business system is running on the AWS instance.
- If the host is an ECS instance or an Edge Node Service (ENS) instance, it must have at least one vCPU core and at least 2 GB of memory.
We recommend that you select 2 vCPU cores and 4 GB of memory for the instance. In this case, the bandwidth of encrypted private connections can reach 350 Mbit/s or higher (the packet length in the performance test is 1,024 bytes).
Log on to the AWS instance and download the script to the /root directory of the instance. For more information, see the relevant AWS documentation.
Important: You can also download the script to a custom path. In this case, make sure that you specify the custom path when you run the script. After you download the script, do not modify its content or name.
If your host is deployed in the Chinese mainland, run the following command to download the script:
wget -O /root/sag_vcpe_v2.3.0_deployment.sh https://sdwan-oss-shanghai.oss-cn-shanghai.aliyuncs.com/vcpe_vm/sag_vcpe_v2.3.0_deployment.sh
If your host is deployed outside the Chinese mainland, run the following command to download the script:
wget -O /root/sag_vcpe_v2.3.0_deployment.sh https://sdwan-oss-shanghai.oss-accelerate.aliyuncs.com/vcpe_vm/sag_vcpe_v2.3.0_deployment.sh
Run the following command to make the script executable:
chmod +x /root/sag_vcpe_v2.3.0_deployment.sh
Run the script.
/root/sag_vcpe_v2.3.0_deployment.sh -n sage6nniq3**** -k **** -t aws -w eth0
The following list describes the parameters used in this command. For more information about the other parameters of the script, see Descriptions of the script parameters.
- -n: The serial number of the SAG vCPE device.
- -k: The key of the SAG vCPE device.
- -t: The service provider of the host on which you want to install the SAG vCPE image. Valid values:
  - aliyun (default): deploys the SAG vCPE image on an Alibaba Cloud Elastic Compute Service (ECS) instance.
  - aws: deploys the SAG vCPE image on an Amazon Elastic Compute Cloud (EC2) instance.
  - azure: deploys the SAG vCPE image on a Microsoft Azure virtual machine (VM).
  - To deploy the SAG vCPE image on an on-premises server, set the value to a string of letters other than aliyun, ens, aws, or azure.
- -w: The name of the NIC for the WAN port. You can view the NIC name of the host by running the ifconfig command.
When you run the script, the system automatically checks whether the deployment environment meets the requirements. If more components are required, the following prompt appears. Enter yes and the system installs the required components automatically.
If the deployment environment meets the requirements, the system automatically starts to deploy the SAG vCPE image. After the image is deployed, the following prompt appears.
Query the deployment result.
After you deploy the SAG vCPE image, run the docker ps command to check which containers are running. If the vsag-core container and the vsag-manager-base container are listed, the SAG vCPE image is deployed.
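The download, permission, run and docker ps steps of Step 2, as one script. This is an added example and not the deployment script that the page links to or any Alibaba Cloud code; it assumes the script name and URLs given on the page, and takes the device serial number, key and WAN NIC from the hypothetical environment variables SAG_SN, SAG_KEY and SAG_WAN_NIC. The docker ps output embedded in the script is a constructed sample.

```shell
#!/bin/sh
# Added example for Step 2; not Alibaba Cloud's deployment script but a
# wrapper around the commands on the page (download, chmod, run, docker ps).
# Assumptions: the script name and URLs are the ones the page gives; the
# device serial number, key and WAN NIC come from the hypothetical
# environment variables SAG_SN, SAG_KEY and SAG_WAN_NIC.
set -u

SCRIPT_NAME="sag_vcpe_v2.3.0_deployment.sh"
SCRIPT_PATH="/root/${SCRIPT_NAME}"

# Download URL by host location: "cn" for the Chinese mainland, "intl" otherwise.
script_url() {
  case "$1" in
    cn)   echo "https://sdwan-oss-shanghai.oss-cn-shanghai.aliyuncs.com/vcpe_vm/${SCRIPT_NAME}" ;;
    intl) echo "https://sdwan-oss-shanghai.oss-accelerate.aliyuncs.com/vcpe_vm/${SCRIPT_NAME}" ;;
    *)    echo "usage: script_url cn|intl" >&2; return 1 ;;
  esac
}

# Checks before a downloaded file is executed as root: it exists and is not
# empty, it starts with a shebang, and it still carries its original name
# (the page says not to modify the script's content or name).
check_script_file() {
  f="$1"
  [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
  head -c 2 "$f" | grep -q '^#!' || { echo "not a shell script: $f" >&2; return 1; }
  [ "$(basename "$f")" = "$SCRIPT_NAME" ] || { echo "script was renamed: $f" >&2; return 1; }
}

# Reads `docker ps` output (header line, then one line per container with
# NAMES as the last column) and succeeds only if both containers the page
# names are running.
check_sag_containers() {
  names=$(printf '%s\n' "$1" | awk 'NR > 1 { print $NF }')
  printf '%s\n' "$names" | grep -qx 'vsag-core' || return 1
  printf '%s\n' "$names" | grep -qx 'vsag-manager-base' || return 1
}

# Constructed sample of what `docker ps` prints after a successful deployment.
SAMPLE_DOCKER_PS='CONTAINER ID   IMAGE        COMMAND   CREATED        STATUS        PORTS   NAMES
0a1b2c3d4e5f   vsag-core    "/init"   2 minutes ago  Up 2 minutes          vsag-core
5f4e3d2c1b0a   vsag-mgr     "/init"   2 minutes ago  Up 2 minutes          vsag-manager-base'

deploy() {
  loc="${1:?usage: deploy cn|intl}"
  : "${SAG_SN:?set SAG_SN to the serial number recorded in Step 1}"
  : "${SAG_KEY:?set SAG_KEY to the key recorded in Step 1}"
  wan="${SAG_WAN_NIC:-eth0}"
  wget -O "$SCRIPT_PATH" "$(script_url "$loc")" || return 1
  check_script_file "$SCRIPT_PATH" || return 1
  chmod +x "$SCRIPT_PATH"
  # Same invocation as on the page. The key is visible in the process list
  # while the script runs, which is acceptable only because the page requires
  # a dedicated instance with nothing else running on it.
  "$SCRIPT_PATH" -n "$SAG_SN" -k "$SAG_KEY" -t aws -w "$wan" || return 1
  check_sag_containers "$(docker ps)" && echo "SAG vCPE image deployed"
}

# Deploy only when explicitly asked, so loading this file has no side effects.
if [ "${SAG_DEPLOY_RUN:-0}" = "1" ]; then
  deploy "${1:-intl}"
fi
```

On the AWS instance, run it as `SAG_DEPLOY_RUN=1 SAG_SN=... SAG_KEY=... sh deploy.sh intl` (or `cn` for a host in the Chinese mainland). The file check is deliberately minimal because the page publishes no checksum for the script: it catches an empty, truncated or renamed download, not a tampered one, so the download must go over the HTTPS URL the page gives.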
Step 3: Configure network settings on Alibaba Cloud
After the SAG vCPE image is deployed, you must configure network settings for the SAG vCPE device in the SAG console. This allows the SAG vCPE device to connect to Alibaba Cloud.
Select a method to advertise routes to Alibaba Cloud.
Log on to the SAG console.
In the top navigation bar, select the region where the SAG vCPE instance is deployed.
On the Smart Access Gateway page, find the SAG vCPE instance and click Network Configuration in the Actions column.
Choose and click Add Static Route.
In the Add Static Route dialog box, enter the private CIDR block of the AWS service and click OK.
Associate the SAG vCPE instance with a CCN instance.
CCN is an important component of SAG. SAG connects your on-premises networks to Alibaba Cloud through CCN.
Create a CCN instance. For more information, see Create a CCN instance.
The SAG vCPE instance and CCN instance must be deployed in the same region.
In the left-side navigation pane, click Smart Access Gateway.
On the Smart Access Gateway page, find the SAG vCPE instance and click Network Configuration in the Actions column.
On the instance details page, choose .
In the Associated Instances Under Current Account section, click Attach Network, select a CCN instance, and then click OK.
After you associate the CCN instance, click the Device Management tab. If the VPN Status and Controller Status of the SAG vCPE device are Normal, the SAG vCPE device is connected to Alibaba Cloud.
Create and configure a Cloud Enterprise Network (CEN) instance.
You must perform the following operations to connect the SAG vCPE instance to a CEN instance and attach the Alibaba Cloud VPC to the CEN instance. Then, the SAG vCPE instance and the Alibaba Cloud VPC can learn routes from each other, and the SAG vCPE device can communicate with the resources in the Alibaba Cloud VPC.
In the left-side navigation pane, click CCN.
On the CCN page, find the CCN instance and click Bind CEN Instance in the Actions column.
In the CEN Instance panel, select a CEN instance and click OK.
You can use one of the following methods to select a CEN instance. Create CEN is selected in this example.
- Existing CEN: If you have already created a CEN instance, select it from the drop-down list.
- Create CEN: If you have not created a CEN instance, enter an instance name. The system then creates a CEN instance and automatically associates it with the CCN instance. The instance name must be 2 to 100 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter.
Attach the Alibaba Cloud VPC to the CEN instance. For more information, see Create a VPC connection.
Step 4: Configure network settings on AWS
To enable communication between AWS resources and Alibaba Cloud resources, you must configure network settings for the AWS VPC. For the specific commands, see the AWS documentation.
Configure routes for the AWS service.
Add a route entry to the route table of the AWS VPC: the destination CIDR block is the CIDR block of the Alibaba Cloud VPC and the next hop is the AWS instance on which the SAG vCPE image is deployed. This instance forwards the traffic between AWS resources and Alibaba Cloud resources.
Configure the security group of the AWS service.
Allow the private CIDR blocks of the Alibaba Cloud VPC and the AWS VPC to communicate with each other.
Disable source/destination checks for the AWS instance so that it can forward packets that are not addressed to its own IP address.
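The three AWS settings of Step 4 as AWS CLI calls. This is an added example and not code from the page, AWS or Alibaba Cloud: the route table, security group and instance IDs are placeholders, the two CIDR blocks are constructed samples, and the environment variable names are assumptions. By default the script only prints the commands so they can be reviewed first.

```shell
#!/bin/sh
# Added example for Step 4; not from the page, AWS or Alibaba Cloud.
# Prints the AWS CLI calls that implement the route, the security group
# rules and the source/destination check, and applies them only when
# SAG_APPLY=1, so the default run is a reviewable dry run.
# Assumptions (placeholders constructed for the example): the route table of
# the AWS workload subnet, the security group of the AWS workloads, the
# security group and instance ID of the EC2 instance running SAG vCPE, and
# the two private CIDR blocks.
set -u

AWS_RTB="${AWS_RTB:-rtb-PLACEHOLDER}"
AWS_WORKLOAD_SG="${AWS_WORKLOAD_SG:-sg-WORKLOAD-PLACEHOLDER}"
SAG_SG="${SAG_SG:-sg-SAG-PLACEHOLDER}"
SAG_INSTANCE="${SAG_INSTANCE:-i-PLACEHOLDER}"
ALIYUN_VPC_CIDR="${ALIYUN_VPC_CIDR:-10.0.0.0/16}"   # constructed sample
AWS_VPC_CIDR="${AWS_VPC_CIDR:-172.16.0.0/16}"      # constructed sample

# The page says to open the security group only between the two private CIDR
# blocks, so refuse anything that is not an RFC 1918 prefix: a 0.0.0.0/0 rule
# would expose the workloads far beyond the Alibaba Cloud VPC.
is_private_cidr() {
  case "$1" in
    10.*/*|192.168.*/*|172.1[6-9].*/*|172.2[0-9].*/*|172.3[01].*/*) ;;
    *) return 1 ;;
  esac
  plen="${1##*/}"
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -ge 8 ] && [ "$plen" -le 32 ]
}

# Route: Alibaba Cloud VPC CIDR -> the EC2 instance that runs SAG vCPE.
cmd_route() {
  echo "aws ec2 create-route --route-table-id $AWS_RTB --destination-cidr-block $ALIYUN_VPC_CIDR --instance-id $SAG_INSTANCE"
}

# Security group ingress rule: all protocols from one private CIDR block.
# $1 = security group ID, $2 = source CIDR block.
cmd_sg_allow() {
  echo "aws ec2 authorize-security-group-ingress --group-id $1 --ip-permissions 'IpProtocol=-1,IpRanges=[{CidrIp=$2}]'"
}

# The SAG vCPE instance forwards packets that are neither from nor to its own
# address; EC2 drops such packets unless the source/destination check is off.
cmd_srcdst() {
  echo "aws ec2 modify-instance-attribute --instance-id $SAG_INSTANCE --no-source-dest-check"
}

# Full plan: the route, the workloads accept the Alibaba Cloud CIDR, the SAG
# instance accepts the AWS VPC CIDR it forwards, and the check is disabled.
plan() {
  is_private_cidr "$ALIYUN_VPC_CIDR" || { echo "not a private CIDR: $ALIYUN_VPC_CIDR" >&2; return 1; }
  is_private_cidr "$AWS_VPC_CIDR" || { echo "not a private CIDR: $AWS_VPC_CIDR" >&2; return 1; }
  cmd_route
  cmd_sg_allow "$AWS_WORKLOAD_SG" "$ALIYUN_VPC_CIDR"
  cmd_sg_allow "$SAG_SG" "$AWS_VPC_CIDR"
  cmd_srcdst
}

if [ "${SAG_APPLY:-0}" = "1" ]; then
  plan | while IFS= read -r c; do echo "+ $c"; sh -c "$c"; done
else
  plan
fi
```

Review the printed commands, then rerun with `SAG_APPLY=1` and the real IDs exported. The second security group rule targets the SAG vCPE instance's own group: traffic from AWS workloads bound for Alibaba Cloud arrives at that instance's network interface, so its group must accept the AWS VPC CIDR, while the workload group only needs to accept the Alibaba Cloud VPC CIDR.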
Step 5: Enable network communication between Alibaba Cloud and AWS
After you configure network settings on AWS, you must purchase a bandwidth plan that supports inter-region connections for the CEN instance. The bandwidth plan allows you to connect the Alibaba Cloud resources in the China (Hangzhou) region to the AWS resources in the Singapore (Singapore) region.
Skip this step if the AWS resources and the Alibaba Cloud resources are deployed in the same region.
Purchase a bandwidth plan.
Log on to the CEN console.
On the Instances page, find the CEN instance that you want to manage and click its ID.
On the details page of the CEN instance, choose , and click Purchase Bandwidth Plan (Subscription).
On the buy page, set the following parameters, click Buy Now, and then complete the payment.
- Product Type: Select the type of bandwidth plan that you want to purchase. Cross-border is selected in this example.
- Cloud Enterprise Network: Select the CEN instance for which you want to purchase a bandwidth plan. In this example, the CEN instance created in Step 3 is used.
- Area A: Select one of the areas where you want to enable inter-region communication. Mainland China is selected in this example.
- Area B: Select the other area where you want to enable inter-region communication. Asia Pacific is selected in this example.
- Metering Method: Select a metering method for the bandwidth plan. Pay-By-Bandwidth is selected by default.
- Bandwidth: Select the maximum bandwidth for the bandwidth plan. Unit: Mbit/s.
- Bandwidth Plan Name: Enter a name for the bandwidth plan.
- Subscription Duration: Select a subscription period for the bandwidth plan. 1 Month is selected by default. You can select Auto-renewal to enable auto-renewal for the bandwidth plan.
Create an inter-region connection.
On the Instances page, find the CEN instance that you want to manage and click its ID.
On the details page of the CEN instance, choose , and click Purchase Bandwidth Plan (Subscription).
On the Connection with Peer Network Instance page, set the following parameters and click OK.
- Network Type: Select a network type. Inter-region Connection is selected in this example.
- Region: Select one of the regions to be connected. China (Hangzhou) is selected in this example.
- Transit Router: The ID of the transit router in the selected region is displayed.
- Attachment Name: Enter a name for the inter-region connection.
- Peer Region: Select the other region to be connected. Singapore (Singapore) is selected in this example.
- Transit Router: The ID of the transit router in the peer region is displayed.
- Bandwidth Allocation Mode: Inter-region connections support the Allocate from Bandwidth Plan and Pay-By-Data-Transfer allocation modes. In this example, Allocate from Bandwidth Plan is selected.
- Bandwidth Plan: Select the bandwidth plan that is associated with the CEN instance. In this example, the bandwidth plan purchased in the preceding step is selected.
- Bandwidth: Specify a bandwidth value for the inter-region connection. Unit: Mbit/s.
- Advanced Settings: Keep the default values. All advanced features are enabled.
Step 6: Test network connectivity
After you complete the preceding steps, resources deployed in the Alibaba Cloud VPC can communicate with resources deployed in the AWS VPC. This step shows how to test the network connectivity between the Alibaba Cloud VPC and the AWS VPC.
In this example, the ECS instance in the Alibaba Cloud VPC runs the Alibaba Cloud Linux operating system. For more information about how to use the ping command in other operating systems, see the manual of the operating system that you use.
Log on to the ECS instance in the Alibaba Cloud VPC. For more information, see Connection methods.
Test the connectivity between the Alibaba Cloud VPC and AWS VPC by running the ping command to ping an instance in the AWS VPC.
The following figure shows that the resources in the Alibaba Cloud VPC can communicate with the resources in the AWS VPC.