Get started with SASE


Learn how to purchase, configure, and use Secure Access Service Edge (SASE). This guide helps you get started with SASE.

Intended users

First-time users of SASE.

Learn about SASE

What is SASE

Secure Access Service Edge (SASE) leverages Alibaba Cloud's nationwide edge nodes and leased line networks to extend zero trust security to the network edge. It provides remote zero trust access, private access behavior auditing, data loss prevention (DLP), network access control, and office application acceleration for enterprises with distributed branches, retail stores, or remote workforces. For more information, see What is Secure Access Service Edge?

Capabilities supported by different SASE editions

SASE supports only subscription (prepaid) billing. Select an edition from the following table. Billing methods and billable items are covered in Billing Overview of SASE.

Edition and description:

  • Private Access (VPN): SASE Private Access (VPN) provides a zero trust VPN for employees to remotely access enterprise applications on the cloud or on-premises. This edition is suitable for enterprises with fewer than 100 employees and an office bandwidth of no more than 10 Mbps.

  • Private Access (Basic): SASE Private Access (Basic) provides a zero trust VPN for employees to remotely access enterprise applications on the cloud or on-premises. This edition is suitable for enterprises with more than 100 employees. You must purchase office bandwidth as needed.

  • Private Access (Advanced): SASE Private Access (Advanced) provides a zero trust VPN for employees to remotely access enterprise applications on the cloud or on-premises. It also supports office network access control and global office access.

  • Internet Access (DLP): Internet Access (DLP) is built on the Cloud Data Loss Prevention (DLP) service architecture. It helps enterprises instantly detect, monitor, and protect office data.

  • Endpoint Protection (Antivirus): Endpoint Protection (Antivirus) integrates with the Alibaba Cloud malicious file detection platform. It provides real-time defense against file viruses and real-time detection of endpoint security alert events.

Configure SASE

Prerequisites

Before you connect to SASE, configure your enterprise identity provider (IdP) and user groups. For more information, see Connect to an LDAP IdP and Manage user groups.

SASE supports both third-party and self-managed identity systems. Employees use their assigned credentials to log in to the SASE App. Supported third-party IdPs include LDAP, DingTalk, WeCom, Lark, and IDaaS. You can also use the custom IdP to manage your organization.

Configure private access

Built on software-defined perimeter (SDP) technology, this feature provides SaaS-based zero trust network access. Control access to private applications without exposing public IPs or modifying your network architecture.

Step 1: Configure private business applications

Private business applications are internal resources such as web applications, servers, or databases that do not require public IPs. Employees must use a company device with the SASE App installed. After passing identity and security checks, they can access private applications. Configure office applications.

Step 2: Connect the application network

Choose a network connectivity solution based on your business deployment.

Service deployment environment 1: Enterprise services and resources are deployed on Alibaba Cloud

Solution: Use the network configuration feature to establish network connections between specified Alibaba Cloud VPC resources and SASE end users. On the Network Configuration > Alibaba Cloud Services page, enable the network connection for the VPC where the target service server is located.

Environment requirements for office computers:

  • Windows (64-bit, 32-bit, .msi 64-bit, .msi 32-bit): Windows 7 or later

  • macOS: macOS 10.10 or later

  • Linux: Ubuntu 18.04 or later, UOS

Service deployment environment 2: Enterprise services and resources are deployed in a non-Alibaba Cloud environment, such as AWS or Tencent Cloud, and an Alibaba Cloud Virtual Border Router (VBR), Cloud Connect Network (CCN), or VPN Gateway is already used for network connectivity.

Solution: Use Alibaba Cloud network channels, such as Leased Lines, SAG, or IPsec-VPN, to allow SASE clients to access service resources in non-Alibaba Cloud environments. On the Network Configuration > Non-Alibaba Cloud Services > Cloud Network Instance tab, configure the origin fetch VPC and enable the network connection.

Environment requirements for office computers:

  • Windows (64-bit, 32-bit, .msi 64-bit, .msi 32-bit): Windows 7 or later

  • macOS: macOS 10.10 or later

  • Linux: Ubuntu 18.04 or later, UOS

Service deployment environment 3: Enterprise services and resources are deployed in a non-Alibaba Cloud environment, and no Alibaba Cloud network product is used for connectivity.

Solution: SASE provides a connector feature that you can use to connect to your non-Alibaba Cloud network. This lets you use the SASE App to access services in the non-Alibaba Cloud environment. This method does not depend on other network products for network access. On the Network Configuration > Non-Alibaba Cloud Services > Connector List tab, manually add a SASE connector. Then, run the provided commands to deploy the connector and ensure that the connector instance is enabled.

Environment requirements for office computers:

  • Windows (64-bit, 32-bit, .msi 64-bit, .msi 32-bit): Windows 7 or later

  • macOS: macOS 10.10 or later

  • Linux: Ubuntu 18.04 or later, UOS

Server requirements for deploying the connector:

  • Virtual machine or server configuration:

    • CPU: 4 cores

    • Memory: 8 GB

    • Disk: 40 GB

    • Operating system: CentOS 7 or later

  • Network configuration: The server must be able to access the Internet. If a firewall is configured, you must allow outbound traffic on ports 443 and 8000 for the server or virtual machine on which the connector is deployed.

  • Specification limit: 200 MB of traffic forwarding.

  • Port requirements: Ensure that ports 9000 to 9010 are not occupied.
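Before running the deployment commands for the connector, it helps to verify the host against the requirements above in one pass. The following preflight script is an added example, not Alibaba Cloud tooling; it checks the core, memory and disk minimums, confirms that nothing already listens on ports 9000 to 9010 (parsing `ss -lntu` output), and probes outbound TCP 443 and 8000. The endpoint hostname is a placeholder; use the address the SASE console gives you for your connector.

```shell
#!/bin/bash
# Preflight check for a host that will run the SASE connector.
# Added example, not Alibaba Cloud tooling. Thresholds are the ones listed
# above: 4 cores, 8 GB RAM, 40 GB disk, outbound 443 and 8000 reachable,
# local ports 9000-9010 not in use. The endpoint hostname is a PLACEHOLDER;
# substitute the address the SASE console shows for your connector.
SASE_ENDPOINT="${SASE_ENDPOINT:-sase-endpoint.placeholder.example}"
MIN_CORES=4
MIN_MEM_KB=$((8 * 1024 * 1024))
MIN_DISK_KB=$((40 * 1024 * 1024))

cores_ok() { [ "$1" -ge "$MIN_CORES" ]; }     # $1: core count
mem_ok()   { [ "$1" -ge "$MIN_MEM_KB" ]; }    # $1: MemTotal in kB
disk_ok()  { [ "$1" -ge "$MIN_DISK_KB" ]; }   # $1: size of / in kB

# Returns 0 when nothing in an `ss -lntu` listing (passed as $1) uses a port
# in 9000-9010. Column 5 is "Local Address:Port"; the port is the text after
# the last colon, which also covers IPv6 forms such as [::]:9001 and *:9005.
ports_9000_9010_free() {
  printf '%s\n' "$1" | awk '
    { n = split($5, a, ":"); p = a[n]
      if (p ~ /^[0-9]+$/ && p + 0 >= 9000 && p + 0 <= 9010) busy = busy " " p }
    END { if (busy != "") { print "ports in use:" busy; exit 1 } }'
}

# Returns 0 when a TCP connection to $1:$2 opens within 5 s (bash /dev/tcp,
# so no nc or curl is needed on a minimal CentOS image).
outbound_ok() { timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }

run_preflight() {
  rc=0
  cores_ok "$(nproc)"                                     || { echo "FAIL: need $MIN_CORES cores"; rc=1; }
  mem_ok "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)" || { echo "FAIL: need 8 GB RAM"; rc=1; }
  disk_ok "$(df -Pk / | awk 'NR==2 {print $2}')"          || { echo "FAIL: need a 40 GB disk"; rc=1; }
  ports_9000_9010_free "$(ss -lntu)"                      || { echo "FAIL: free ports 9000-9010"; rc=1; }
  for port in 443 8000; do
    outbound_ok "$SASE_ENDPOINT" "$port" || { echo "FAIL: outbound TCP $port blocked"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "preflight OK"
  return "$rc"
}

# Live checks run only when requested, so the functions can be sourced on their own.
if [ "${SASE_PREFLIGHT_RUN:-0}" = "1" ]; then run_preflight; fi
```

Run it on the connector host with `SASE_PREFLIGHT_RUN=1 SASE_ENDPOINT=<your endpoint> bash preflight.sh`; a non-zero exit lists every failed requirement.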

Step 3: Zero trust access policy

Zero trust policies control employee and partner access to applications by linking user groups to business applications. By default, all access is denied. Configure allow policies to grant resources to specific user groups. Configure zero trust policies.

Step 4: Log in to the SASE app

Users log in to the SASE App with their credentials to connect to the private network. Access is governed by your configured policies. Install and log on to the SASE App and Enable or disable private access security.

Network access control

Network access control uses EAP-TLS certificate authentication to connect to the corporate office network without a username or password. When users connect to the office network by using SASE, SASE App access is determined by your configured IP allowlist.

Step 1: Create wireless network instance

Create a corporate wireless network instance in SASE and use EAP-TLS certificate-based authentication to connect to your enterprise office network.

Step 2: Get SASE server information

Configure the region, IP address, UDP port, and secret key of the SASE RADIUS server on your network access controller (NAC) to establish a connection between the SASE RADIUS server and the NAC.

  • To isolate and manage office network access, configure network access permissions. Use VLAN IDs to create granular access rights for different users and devices.

  • If the default certificate does not fit your scenario, modify its scope and validity period, or replace it with your enterprise certificate.

Configure data loss prevention (DLP)

DLP includes sensitive file detection, peripheral device management, and watermark management. Choose the appropriate solution, or enable all three for strict data control requirements.

Outbound file detection

Use sensitive file detection to check whether employees transfer sensitive files through channels such as instant messaging or email. Define a data dictionary, build data templates, and create detection policies to track outbound data. Detect files transferred outbound to ensure data security.

Step 1: Configure detection policy

The SASE sensitive file detection uses custom keywords to identify sensitive content. Keywords, data types, and sensitivity levels form a data template. The template plus handling actions create a detection policy to identify sensitive files.

To configure a detection policy:

  1. Create a sensitive data dictionary to define the characteristics of sensitive content.

  2. Build a data template based on the sensitive data dictionary.

  3. Create a detection policy and associate it with the appropriate data template, which includes specifying the policy's target users, detection channels, and handling actions.

Step 2: View detection statistics

After configuration, DLP automatically detects transferred files and analyzes outbound behaviors and abnormal events over the last 30 days, 7 days, and 24 hours.

  • Sensitive file detection scans outbound files up to 30 MB and reports the top 5 triggered sensitive file types.

  • Abnormal events log actions such as sending files larger than 30 MB, copying to external devices, or a user sending over 1 GB cumulative. File content is not inspected for these events, so review abnormal events manually for sensitive information.

Peripheral device management

Use peripheral device management to create policies that disable USB drives, printers, or optical drives to prevent sensitive data transfers. Manage peripherals for data security.

Step 1: Configure device policy

Set the target user group and configure control policies for peripheral devices on Windows and macOS.

Step 2: View peripheral device statistics

If you configure USB Drive with Read/Write permissions, sensitive behavior detection triggers when an employee transfers files via USB drive or storage. The system analyzes detection results from the last 30 days, 7 days, and 24 hours.

Watermark management

Use watermark management to add watermarks to screens and printed documents for specified users. Manage watermarks.

Step 1: Configure watermark policy

Specify the target user group and configure screen and printer watermarks.

Step 2: View print activity results

When an employee prints a file, DLP inspects the content and analyzes detection results from the last 30 days, 7 days, and 24 hours.

Developer tools

Use APIs to manage your cloud resources and build custom applications. API overview.

OpenAPI Explorer dynamically generates SDK code to simplify usage.

Feedback and suggestions

Use the following channels to provide feedback or get technical support for SASE.

  • Online Help: Ask questions and get online assistance.

  • Submit a ticket: Contact technical support.

  • Documentation Feedback: To report broken links, content errors, or API errors, click Feedback in the right-side floating menu, or select the problematic content to submit feedback.