Alibaba Cloud Smart Access Gateway (SAG) uses a Software-Defined Wide Area Network (SD-WAN) architecture to enable secure access to cloud resources. After installing the SAG app on an Alibaba Cloud terminal, you can access cloud services directly from the terminal. You can also remotely access cloud resources deployed in specific virtual private clouds (VPCs) from terminals including computers and mobile phones by using the SAG app. This topic describes how to connect an on-premises terminal to a secure office network of Elastic Desktop Service (EDS) Enterprise by using the SAG app. This setup allows terminals to access cloud computers over VPCs.
Background information
SAG is an SD-WAN solution offered by Alibaba Cloud, typically used in conjunction with Cloud Connect Network (CCN). For more information, see What is SAG?
SAG provides three service types: SAG customer-premises equipment (CPE), SAG vCPE, and SAG app. This topic guides you through the network configuration for connecting to cloud services by using the SAG CPE or SAG app.
Preparations
Before accessing a cloud computer over a VPC by using the SAG app, you must make the following preparations:
Create a Cloud Enterprise Network (CEN) instance. For more information, see Create a CEN instance.
Create a CCN instance. For more information, see Create a CCN instance.
Create an office network and attach its VPC to the CEN instance. For more information, see Create and manage convenience office networks and Create and manage an enterprise AD office network.
ImportantBefore you create an office network, you must plan the IPv4 CIDR block of the office network to prevent CIDR block conflicts between the office network and the CEN instance or between the office network and your data center. For more information, see Plan a CIDR block.
If you already created a office network, attach the convenience office network to the CEN instance.
If you deploy your Active Directory (AD) system on an Elastic Compute Service (ECS) instance, you must attach the VPC of the AD server to the CEN instance. If you deploy your AD system on an on-premises server, you must connect the on-premises network to the cloud network. You can create an enterprise AD office network and establish connectivity between the on-premises server and the cloud. Then, you can configure the AD domain.
Create a cloud computer and an account. Then, assign the cloud computer to the account.
For more information about how to create an account, see Create a convenience account or Create and manage enterprise AD accounts.
For more information about how to create and assign cloud computers, see Create cloud computers and Assign cloud computers to users.
Install the SAG app and Alibaba Cloud Workspace terminal on the same device.
NoteThe SAG solution is supported by the desktop and mobile clients of Alibaba Cloud Workspace. For information about how to install the SAG app, see Install the SAG app. For information about how to download an Alibaba Cloud Workspace client, visit Download Alibaba Cloud Workspace Client.
Step 1: Purchase and configure the SAG app
After you purchase an SAG app instance, you need to configure networks. For example, you can associate the app with a CCN instance, associate the CCN instance with a CEN instance, configure cloud services for the CEN instance, and create an account to log on to the SAG app. The following section describes how to complete these settings.
Purchase an SAG app instance. For more information, see Purchase an SAG app instance.
Associate the SAG app instance with a CCN instance. For more information, see Set up network connections.
NoteYou can configure Domain Name System (DNS) either when you connect the SAG app instance to a CCN instance or on your on-premise computer or mobile device. For more information, see Step 2: Configure an enterprise VPC IP address or a cloud service route.
After you associate the SAG app instance with the CCN instance, the client with which the SAG app instance is associated can connect to gateways in the CCN instance. For more information, see Introduction to CCN.
Associate the CCN instance with a CEN instance. For more information, see Associate a CCN instance with a CEN instance.
After the CCN instance is associated with the CEN instance, gateways in the CCN instance can access resources in the CEN instance.
ImportantMake sure that the VPC of the desired office network is attached to the same CEN instance.
Create an account for logging on to the SAG app. For more information, see Create a client account.
After you configure the network settings for the SAG app instance, you can create an account and assign the account to an end user to log on to the SAG app and use cloud services.
Step 2: Configure an enterprise VPC IP address or a cloud service route
You can select one of the following solutions based on your business requirements: Solution 1 and Solution 2 explain how to configure the IP address for an enterprise VPC. The main difference is that Solution 1 uses a static IP address, which makes the process easier for end users because they do not need to configure a custom IP address.
Solution 1: Configure a static IP address for an enterprise VPC
Obtain the private gateway address of the office network.
Log on to the EDS Enterprise console.
In the left-side navigation pane, choose .
On the Office Networks page, find the desired office network and click the network ID.
In the Network Information section of the office network details page, find the Private Gateway Address parameter and copy the parameter value. The private gateway address is required in subsequent steps.
Configure a CNAME record on the enterprise DNS server and point the
private.wuying.comdomain name to the private gateway address.Configure the network access mode on an Alibaba Cloud Workspace client as an end user.
Open a Windows client.
In the upper-right corner of the logon page, click the icon and then click Connection Configuration.
In the Connection Configuration dialog box, configure the following parameters:
ImportantMake sure that the version of your Windows client is 7.7 or later. Otherwise, you cannot configure an enterprise VPC IP address.
Connection Type: Set the value to Alibaba Cloud VPC.
Alibaba Cloud VPC Address: Set the value to Default Address.
Click Confirm.
Solution 2: Configure a custom IP address for an enterprise VPC
Obtain the private gateway address of the office network.
Log on to the EDS Enterprise console.
In the left-side navigation pane, choose .
On the Office Networks page, find the desired office network and click the network ID.
In the Network Information section of the office network details page, find the Private Gateway Address parameter and copy the parameter value. The private gateway address is required in subsequent steps.
Configure the network access mode on an Alibaba Cloud Workspace client as an end user.
Open a Windows client.
In the upper-right corner of the logon page, click the icon and then click Connection Configuration.
In the Connection Configuration dialog box, configure the following parameters:
ImportantMake sure that the version of your Windows client is 7.7 or later. Otherwise, you cannot configure an enterprise VPC IP address.
Connection Type: Set the value to Alibaba Cloud VPC.
Alibaba Cloud VPC Address: Set the value to Custom Address.
Custom Address: Enter the obtained private gateway address of the office network.
Click Confirm.
Solution 3: Configure routing and DNS for cloud services
Configure cloud services for the CEN instance. For more information, see Manage access to cloud services.
You can manage the access to EDS Enterprise by using a Basic Edition or Enterprise Edition transit router to allow the CCN instance can access EDS Enterprise.
NoteIf you want to use cloud computers in multiple regions, specify
100.96.0.0/11as the CIDR block of EDS Enterprise. If you want to configure more detailed network settings, specify CIDR blocks by referring to Port overview. Note that the IP address of a domain name associated with a VPC service matches the IP address of the cloud service.(Optional) Before you configure DNS, run the following command to test whether the domain name can be resolved:
nslookup ecd-vpc.cn-hangzhou.aliyuncs.comIf an IP address is returned, the domain name can be resolved. In this case, you can skip the next step. If no IP address is returned, perform the following steps to configure DNS.
Configure DNS on your on-premises computer.
a. Add 100.100.2.136 or 100.100.2.138 to the DNS server list.
In this example, an on-premises computer that runs Windows 10 is used.
i. Open the Start menu and search for Control Panel.
ii. In the Control Panel window, click Network and Sharing Center under the Network and Internet category.
iii. In the left-side navigation pane, click Change adapter settings.
iv. Right-click the network adapter that corresponds to OpenVPN and select Properties.
v. In the This connection uses the following items section, double-click Internet Protocol Version 4 (TCP/IPv4).
vi. In the panel that appears, enter the specified DNS server address.
You can set the IP address of your preferred DNS server to 100.100.2.136 and the IP address of your alternative DNS server to 100.100.2.138.
b. Run the following command to check whether the DNS server settings take effect:
nslookup ecd-vpc.cn-hangzhou.aliyuncs.comStep 3: Verify whether a cloud computer can be connected over the VPC
Open a Windows client.
In the upper-right corner of the logon page, click the icon and then click Connection Configuration.
In the Connection Configuration dialog box, set the Connection Type parameter to Alibaba Cloud VPC.
Enter the logon credentials sent to your email address, which includes an office network ID or organization ID, username, and password. Then, click the Next icon to proceed.
Find the cloud computer from the resource list. Then, start and connect to the cloud computer.
NoteIf errors such as network request timeout occur, network connectivity is not established. Check whether the preceding network settings are correctly configured. Then, re-log on to the client and connect to the cloud computer.