If the business resources of an enterprise are deployed in virtual private clouds (VPCs) of Alibaba Cloud and the VPCs are connected to Cloud Enterprise Network (CEN) of Alibaba Cloud, you can use the Secure Access Service Edge (SASE) gateway to connect the on-premises network of the enterprise to the business resources in Alibaba Cloud. This way, the users of the enterprise can access the business resources over an internal network. This topic describes how to turn on and turn off Network Connection. This topic also describes how to change the back-to-origin address of the SASE gateway.
Manage VPCs across multiple Alibaba Cloud accounts
If you want to manage VPCs within a member of your resource directory, you must add the member first. After the member is added, you can view the VPCs within the management account and the added member on the Private Access page of the SASE console. If no member is added, you can view only the VPCs within the management account on the page. For more information, see Use the multi-account management feature.
Precautions
If CIDR blocks conflict, SASE cannot determine destination addresses. For example, if cross-region VPCs use the same CIDR block, a conflict occurs. If a VPC and a data center use the same CIDR block, a conflict occurs. Before you enable network connections, make sure that the CIDR blocks of your business resources do not conflict.
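A pre-flight check for the precaution above, added here as an example and not part of Alibaba Cloud's documentation or tooling: it lists every pair of business resources (VPCs in any region, or a VPC and a data center) whose CIDR blocks overlap, so the conflict is found before Network Connection is turned on. The resource names and CIDR blocks are constructed sample data.

```python
"""Find overlapping CIDR blocks before enabling SASE network connections."""
import ipaddress
from itertools import combinations

# Constructed inventory (not real resources): name -> (kind, region, CIDR block).
SAMPLE_INVENTORY = {
    "vpc-hangzhou-app": ("VPC", "cn-hangzhou", "10.0.0.0/16"),
    "vpc-shanghai-db": ("VPC", "cn-shanghai", "10.0.1.0/24"),      # nested in 10.0.0.0/16
    "vpc-beijing-test": ("VPC", "cn-beijing", "10.1.0.0/16"),
    "dc-headquarters": ("data center", "on-premises", "10.1.0.0/24"),  # overlaps the Beijing VPC
    "vpc-shenzhen-ops": ("VPC", "cn-shenzhen", "172.16.0.0/20"),
}


def find_cidr_conflicts(inventory):
    """Return (name_a, name_b, overlapping_block) for every overlapping pair.

    ipaddress.overlaps() reports both identical blocks and nested blocks, which
    are the two cases in which the SASE gateway cannot pick a destination.
    strict=True rejects blocks with host bits set, which would hide a typo.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, (_kind, _region, cidr) in inventory.items()}
    conflicts = []
    for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2):
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            # The more specific block is the range that is actually shared.
            shared = net_a if net_a.prefixlen >= net_b.prefixlen else net_b
            conflicts.append((a, b, str(shared)))
    return conflicts


def safe_to_connect(inventory):
    """True only when no two resources share address space."""
    return not find_cidr_conflicts(inventory)


if __name__ == "__main__":
    for a, b, shared in find_cidr_conflicts(SAMPLE_INVENTORY):
        print(f"conflict: {a} and {b} both cover {shared}")
    print("safe to enable network connections:", safe_to_connect(SAMPLE_INVENTORY))
```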
Network connection diagram
Turn on Network Connection
Log on to the SASE console.
In the left-side navigation pane, choose .
On the tab of the Network Settings page, view the business resources that are synchronized to SASE.
Parameter: CEN Instance ID/Name
Description: The ID and name of the CEN instance. CEN instances within the management account and the added member of your resource directory are displayed.
Parameter: Owner Account
Description: The account to which the CEN instance belongs. The account can be the management account or a member.
Parameter: Back-to-origin Address
Description: The back-to-origin address of the SASE gateway and CEN instance. If you connect a VPC to the CEN instance and use an Elastic Compute Service (ECS) instance in the VPC, the system automatically adds a security group rule that allows the back-to-origin address for the ECS instance. If you connect a virtual border router (VBR) or Smart Access Gateway (SAG) instance to the CEN instance and the VBR or SAG instance is configured with access control lists (ACLs), you must configure an ACL to allow the back-to-origin address.
Find the CEN instance that you want to manage or a VPC that is connected to the CEN instance and turn on the switch in the Network Connection column.
You can use one of the following methods to turn on the switch:
Turn on Network Connection for a CEN instance
A back-to-origin link is established between the SASE gateway and the network resources connected to the CEN instance. The SASE gateway verifies access traffic based on zero trust policies and then forwards traffic to destination addresses. If you use this method, all CEN-connected VPCs are connected to the network of the users of the SASE client.
When you turn on Network Connection, SASE requires you to select a VPC for back-to-origin traffic.
After you select a back-to-origin VPC, the SASE console displays the back-to-origin VPC and the back-to-origin address that is automatically assigned in the back-to-origin VPC.
The back-to-origin address is used by the SASE gateway and CEN instance. The system automatically adds a security group rule that allows the back-to-origin address for an ECS instance that you use and resides in a VPC connected to the CEN instance. After you select a back-to-origin VPC for a CEN instance, the back-to-origin addresses that are configured for your VPC, VBR, and SAG instance are automatically released.
Turn on Network Connection for a VPC that is connected to a CEN instance
If you use this method, only the specified VPC is connected to the network of the users of the SASE client. Other VPCs that are connected to the CEN instance are not connected to the user network.
After you turn on Network Connection, the SASE console displays the default back-to-origin address that is assigned in the VPC.
Enable network connections for other VPC-connected business resources
Assume that your business application is deployed in a VPC and is configured with other business resources that are connected to the VPC. If the business resources cannot be synchronized to SASE and you cannot view the resources on the Services on Alibaba Cloud or Services Outside Alibaba Cloud tab, you can manually add CIDR blocks of the resources to connect SASE to the business resources.
After you add a custom CIDR block for a VPC, the back-to-origin address of the VPC is also used as the back-to-origin address of the custom CIDR block. Make sure that access from the VPC to the applications that use the custom CIDR block is available.
Allow a back-to-origin address
SASE accesses origin servers in proxy mode. If access control policies are configured on an origin server, the server may identify the back-to-origin address as suspicious based on those policies. In this case, the traffic forwarded by the proxy server to the origin server is blocked, and your application or website cannot be accessed. To resolve this issue, you must allow the back-to-origin address in the access control policies on the origin server.
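An added example, not part of the original documentation, that models the ACL check described above and in the Back-to-origin Address parameter: a first-match ACL, as configured on a VBR, SAG instance or origin server, is evaluated against the back-to-origin address, with an ACL that blocks proxied SASE traffic shown beside the corrected one. The address, the rules and the default-deny behaviour are assumptions for illustration.

```python
"""Check whether a first-match ACL allows the SASE back-to-origin address."""
import ipaddress

# Constructed back-to-origin address, as if assigned in the back-to-origin VPC.
BACK_TO_ORIGIN_ADDRESS = "10.0.0.10"

# ACL that only trusts the office LAN: traffic proxied by SASE hits the catch-all deny.
ACL_BEFORE = [
    {"action": "allow", "cidr": "192.168.10.0/24"},  # office LAN
    {"action": "deny", "cidr": "0.0.0.0/0"},         # catch-all deny
]

# Corrected ACL: the back-to-origin address is allowed ahead of the catch-all deny.
ACL_AFTER = [
    {"action": "allow", "cidr": "10.0.0.10/32"},     # SASE back-to-origin address
    {"action": "allow", "cidr": "192.168.10.0/24"},
    {"action": "deny", "cidr": "0.0.0.0/0"},
]


def evaluate_acl(rules, address, default="deny"):
    """Return (action, index_of_matching_rule); the first matching rule wins.

    If nothing matches, the assumed implicit action is deny and the index is None.
    """
    ip = ipaddress.ip_address(address)
    for index, rule in enumerate(rules):
        if ip in ipaddress.ip_network(rule["cidr"], strict=False):
            return rule["action"], index
    return default, None


def back_to_origin_allowed(rules, address=BACK_TO_ORIGIN_ADDRESS):
    """True when proxied traffic from the back-to-origin address would pass the ACL."""
    return evaluate_acl(rules, address)[0] == "allow"


if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        action, index = evaluate_acl(acl, BACK_TO_ORIGIN_ADDRESS)
        print(f"{label}: {BACK_TO_ORIGIN_ADDRESS} -> {action} (rule {index})")
```

Rule order matters: an allow entry placed after the catch-all deny never matches, so the check reports deny for it as well.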
Change a back-to-origin VPC
If you want to change a back-to-origin VPC, you can click Select Back-to-origin VPC in the Actions column.
Turn off Network Connection
If you turn off Network Connection for a VPC or CEN instance, the back-to-origin link between the SASE gateway and resources in the VPC or resources connected to the CEN instance is terminated. The users can no longer access the resources from the SASE client.
If you turn off Network Connection, users can no longer use the SASE client to access office applications over an internal network. Proceed with caution.
What to do next
After you enable network connections, you must configure applications to allow users to access the applications. For more information, see Configure office applications and Configure zero trust policies.
References
If you want to allow traffic from specific IP addresses after you configure applications, you can configure an application whitelist. For more information, see Configure an office application whitelist.
You can connect SASE to business applications that are not deployed on Alibaba Cloud. For more information, see Enable network connections for services outside Alibaba Cloud.
You can connect SASE to applications in global offices. For more information, see Enable network connections for applications in global office scenarios.