This document provides instructions for AliCloud Virtual Edge deployment.

What to read next

AliCloud Virtual Edge Deployment Overview
More customers are moving workloads to public cloud infrastructure and expect to extend VMware SD-WAN™ from remote sites to the public cloud to guarantee SLA. VMware offers multiple options: leveraging distributed VMware SD-WAN Gateways to establish IPSec towards the public cloud private network, or deploying a virtual edge directly in AliCloud.

Topology A - Virtual Edge Deployment on AliCloud VPC
Describes the Virtual Edge deployment on the AliCloud Virtual Private Cloud (VPC) with three VSwitches, each for a subnet connected to the Edge as shown in the following topology diagram.

Topology B - Virtual Edge Deployment on AliCloud Single-Arm Topology
Describes the Virtual Edge deployment on the AliCloud Virtual Private Cloud (VPC) with three VSwitches, each for a subnet connected to the Edge as shown in the following Single-Arm topology diagram.

Create a Virtual Private Cloud
A Virtual Private Cloud (VPC) is a virtual private network in which you can deploy your cloud resources. Cloud resources cannot be deployed directly in a VPC. They must be deployed in a VSwitch (subnet) of the VPC.

Create a VSwitch
A VSwitch is a basic network device of a VPC and is used to connect different cloud product instances. After creating a VPC, you can further segment your virtual private network into one or more subnets by creating VSwitches. The VSwitches within a VPC are interconnected. Therefore, you can deploy different applications in different VSwitches of different zones to improve service availability.

Create a Security Group
A security group is a virtual firewall for an ECS instance. This topic describes how to create a security group in the ECS console.

Add Security Group Rules
You can use security group rules to control access to the public or internal networks of the ECS instances in a security group. To add security group rules, perform the steps in this procedure.

Create Custom Route Tables and Associate VSwitches
A route table is a list of route entries in a VPC. Network traffic is routed based on the configuration of the route entries in the route table. After a VPC is created, the system automatically creates a default route table and adds system routes to the route table for traffic management.

Provision an Edge on the SASE Orchestrator
To provision an SD-WAN Edge, perform the following steps:

Create an Elastic Network Interface
An Elastic Network Interface (ENI) is a virtual network interface that can be attached to an ECS instance in a VPC. This topic describes how to create an ENI in the ECS console.

Create Elastic IP and Assign it to Public Interface of the Edge
Elastic IP Addresses (EIPs) are public IP address resources that you can purchase and hold independently. You can create an EIP or reinstate a released EIP through the console. This topic describes how to create an EIP and bind it to the secondary (public) interface.

Bind an ENI to an Edge instance
To bind secondary Elastic Network Interfaces (ENIs) to an Edge instance, perform the steps in this procedure.

Create a LAN Instance
Describes how to create a LAN (Linux) instance on the ECS console.

Add a Custom Route Table Entry
Describes how to add a custom route entry in a custom route table.

Create a Jump Host Instance
Creating a Jump Host (JH) instance is an optional step for the Edge deployment. However, to locally manage the virtual Edge, you must deploy a JH and assign an Elastic IP to it. To SSH to an Edge over a private network using a JH, create a JH (Linux instance) in the VPC with one interface in the Public subnet (for Internet connectivity with EIP), and the other interface in the management subnet.

SSH Login to Edge using EIP
To use SSH to log in to an Edge using EIP and verify activation, enter the following command.

SSH to Private IP of the Edge from Jump Host
This is an optional step. To SSH to the Private IP of the Edge from the Jump Host (JH), enter the following command.

Activate the Edge Against the SASE Orchestrator