Alibaba Cloud Smart Access Gateway (SAG) provides a solution based on the Software-defined Wide Area Network (SD-WAN) architecture. The SAG app installed on terminals is suitable to access cloud resources. After you configure the SAG app, you can remotely access services in virtual private clouds (VPCs) from terminals, such as computers and mobile phones. This topic describes how to connect the SAG app installed on your local device to the office network in which a cloud computer resides. This way, the app can access the cloud computer over a private network.
Background information
SAG is an SD-WAN solution provided by Alibaba Cloud. In most cases, SAG takes effect together with Cloud Connect Network (CCN). For more information, see What is SAG? SAG provides the following service types: SAG customer-premises equipment (CPE), SAG vCPE, and SAG app. If you use the SAG CPE or SAG app to connect cloud services, you can refer to this topic to configure network settings.
Preparations
Before you access a cloud computer over a private network from the SAG app, make sure that you complete the following preparations:
Create a Cloud Enterprise Network (CEN) instance. For more information, see Create a CEN instance.
Make sure that a CCN instance is available. If you do not have a CCN instance, create one. For more information, see Create a CCN instance.
Create an office network and attach its VPC to the CEN instance. For more information, see Create and manage a convenience office network and Create and manage an enterprise AD office network.
ImportantBefore you create an office network, you must plan the IPv4 CIDR block of the office network to prevent CIDR block conflicts between the office network and the CEN instance or between the office network and your data center. For more information, see Plan a CIDR block.
If you create a convenience office network, attach the convenience office network to the CEN instance.
If you deploy your AD system on an Elastic Compute Service (ECS) instance, you must attach the VPC of the AD server to the CEN instance. If you deploy your AD system on a local server, you must connect the local network to the cloud network. You can create an enterprise AD office network and implement connectivity between the local server and the cloud, and then configure the AD domain.
Create a cloud computer and an account. Then, assign the cloud computer to the account.
For more information about how to create an account, see Create a convenience account or Create and manage an enterprise AD office network.
For more information about how to create and assign cloud computers, see Create cloud computers and Assign cloud computers to users.
Install the SAG app and Alibaba Cloud Workspace client on the same device.
NoteTo apply the solution in actual practice for accessing cloud computers by using the SAG app, the Windows client or macOS client of Alibaba Cloud Workspace is supported. If you need to obtain the SAG app, see Install the SAG app. If you need to obtain the Alibaba Cloud Workspace client, visit Download Alibaba Cloud Workspace Client.
Step 1: Purchase and configure the SAG app
After you purchase an SAG app instance, you need to configure networks. For example, you can associate the app with a CCN instance, associate the CCN instance with a Cloud Enterprise Network (CEN) instance, configure cloud services for the CEN instance, and create an account to log on to the SAG app. The following section describes how to configure these settings.
Purchase an SAG app instance. For more information, see Purchase an SAG app.
Associate the SAG app instance to a CCN instance. For more information, see Set up network connections.
NoteYou can configure Domain Name System (DNS) either when you connect the SAG app instance to a CCN instance or on your local computer or mobile device. For more information, see Step 2: Configure network settings on your local device and connect to a private network.
After you associate the SAG app instance to the CCN instance, the client with which the SAG app instance is associated can connect to gateways in the CCN instance. For more information, see Introduction to CCN.
Associate the CCN instance with a CEN instance. For more information, see Associate a CCN instance with a CEN instance.
After the CCN instance is associated with the CEN instance, gateways in the CCN instance can access resources in the CEN instance.
ImportantMake sure that the VPC of the desired office network is attached to the same CEN instance.
Configure access to cloud services for the CEN instance. In this topic, EDS is used as an example. For more information, see Manage access to cloud services.
You can manage the access to EDS by using a Basic Edition or Enterprise Edition transit router to allow the CCN instance can access EDS.
NoteIf you want to use cloud computers in multiple regions, specify 100.96.0.0/11 as the CIDR block of EDS. If you need more specific network settings, refer to Port overview to configure the CIDR block of EDS and use the IP address of the domain name for managing cloud computers over a private network.
Create an account for logging on to the SAG app. For more information, see Create a client account.
After you configure the network settings for the SAG app instance, you can create an account and assign the account to an end user to log on to the SAG app and use cloud services.
Step 2: Configure network settings on your local device and connect to a private network
On your local computer or mobile device, you must install the SAG app and connect to a private network. You can connect to the private network with a few clicks after you configure DNS. This section uses the SAG app V2.5.0 as an example.
Download and install the SAG app on your computer. Then, click Connect to Intranet.
NoteBefore you perform this operation, obtain the logon information from the email sent to you. If you do not receive the relevant email, check whether the email address that you entered when you create account is correct.
(Optional) Before you configure Domain Name System (DNS), run the following command to test whether the domain name can be resolved:
nslookup ecd-vpc.cn-hangzhou.aliyuncs.comIf an IP address is returned, the domain name can be resolved. In this case, you can skip the next step. If no IP address is returned, perform the following step to configure DNS.
(Optional) Configure DNS.
To access cloud computers over a private network, DNS is required to resolve the domain names involved in the EDS API and streaming gateways that reside in the private network. In this example, use the following IP addresses for your DNS server:
100.100.2.136
100.100.2.138
You can use one of the following methods to configure DNS addresses:
Add the preceding DNS addresses to the Dynamic Host Configuration Protocol (DHCP) service of the data center.
Configure transit routers on the DNS server of the data center to route domain name resolution requests that end with
aliyuncs.comto 100.100.2.136 or 100.100.2.138.
Step 3: Verify whether a cloud computer can be connected over a private network
Launch the Windows client.
In the lower part of the logon page, choose and select Alibaba Cloud VPC.
Enter the logon credentials, including an office network ID or organization ID, username, and password, sent to your email address. Then, click the Next icon to proceed.
Find the cloud computer from the resource list. Then, start and connect to it.
NoteIf errors such as network request timeout occur, network connectivity is not established. Check whether the preceding network settings are correctly configured. Then, re-log on to the client and connect to the cloud computer.