Describes the Virtual Edge deployment on the AliCloud Virtual Private Cloud (VPC) with three VSwitches, each for a subnet connected to the Edge as shown in the following topology diagram.

High-Level Workflow

To deploy a Virtual SD-WAN Edge on Alibaba Cloud ECS, perform the following steps:

  1. Create a Virtual Private Cloud (VPC). For steps, see Create a VPC.
  2. Create three VSwitches, each for a subnet connected to the Edge as shown in the topology diagram. For steps, see Create a VSwitch.
    • Management Subnet/VSwitch for console/management access to the Edge through Management Interface GE1.
    • Public Subnet/VSwitch for Internet access from the Edge through WAN-side Interface GE2.
    • Private Subnet/VSwitch for LAN-side device access through LAN-side Interface GE3.
  3. Create a Security Group (velo_vVCE_SG) and add inbound rules. For steps, see Create a Security Group.
  4. Create two custom (secondary) route tables (Velo_vVCE_Public_RT and Velo_vVCE_Private_RT) and associate it with the respective VSwitches (Public and Private). For steps, see Create Custom Route Tables and Associate VSwitches.
  5. Provision a SD-WAN Edge on the SASE Orchestrator as follows:
    1. Create an edge of type Virtual Edge.
    2. Change GE2 interface to Routed from Switched.
    3. Deactivate WAN Overlay for GE3 interface and NAT Direct Traffic, which will be the next hop for devices connected to Private Subnets (LAN devices).
    4. Add JH IP in firewall SSH access list.

      For more information, see Provision an Edge on the VCO.

  6. Create and launch a virtual SD-WAN Edge (vVCE) instance with Management Interface (GE1). For steps, see Create a vVCE Instance on the ECS Console.
  7. Create two Elastic Network Interfaces (ENIs): one Private LAN-side interface (GE3) and another Public WAN-side interface (GE2). For steps, see Create an Elastic Network Interface.
  8. Create an Elastic IP and assign it to the Public Interface (GE2) of the Edge. For steps, see Create Elastic IP and Assign it to Public Interface of the Edge.
  9. Bind the Public (GE2) and Private (GE3) interfaces to the Edge instance (vVCE) and then restart the Edge instance to make sure the interfaces are connected to the Edge. For steps, see Bind an ENI to an Edge instance.

    The Edge instance will be activated against the SASE Orchestrator and the Edge will be able to establish the VCMP tunnel to the Gateway.

  10. (Optional) Within the VPC, if you want to access your Edge from a Private subnet, not over the Internet, then you have to create a Jump Host (JH) instance (Linux instance) with one interface in Public subnet for Internet connectivity with EIP and the other interface in Management subnet, over which the Edge will be accessed. For steps, see Create a Jump Host Instance.
    1. Create a Jump Host.
    2. Create an EIP and bind it to the Jump Host Instance.
      Note: VCAdmin users will be able to access the Edge over Management subnet interface from JH.
    3. Login to the virtual Edge (vVCE) from Jump Host.
    4. Activate the Edge Against the SASE Orchestrator from Shell.
      Note: After the Edge activation starts, if you want to SSH to the Edge from a Private subnet then you must ensure to add the JH IP in the firewall SSH access list.
  11. Create a LAN instance with the Primary interface connected to Private subnet. For steps, see Create a LAN Instance.
    1. In the Private routing table (Velo_vVCE_Private_RT), create a new route entry that points to GE3 interface of edge for default route. For steps, see Add a Custom Route Table Entry.
  12. Verify if the virtual Edge is up in the SASE Orchestrator.