This topic describes how to authorize a Cloud Connect Network (CCN) instance to use the Alibaba Cloud DNS PrivateZone service after you attach the CCN instance to a Cloud Enterprise Network (CEN) instance.

Scenario 1: The CEN instance, virtual private cloud (VPC), and CCN instance are under the same Alibaba Cloud account

If the CCN instance, CEN instance, and virtual private cloud (VPC) for which PrivateZone is enabled are under the same Alibaba Cloud account, you can click Authorization on the Private Zone tab to authorize the CCN instance to use the PrivateZone service.
Note You must authorize the Smart Access Gateway (SAG) instance only if this is the first time that you enable the PrivateZone service.
Service   Account (UID)
CEN       111111
VPC       111111
CCN       111111
After you grant the permissions, the system automatically creates the AliyunSmartAGAccessingPVTZRole Resource Access Management (RAM) role. You can view this role on the RAM Roles page of the RAM console.

Scenario 2: The CCN instance belongs to a different Alibaba Cloud account

If the CEN instance and VPC for which PrivateZone is enabled are under the same Alibaba Cloud account but the CCN instance is under a different Alibaba Cloud account, you must modify the trust policy.
Service   Account (UID)
CEN       111111
VPC       111111
CCN       333333
Perform the following steps to grant the permissions:
Notice You must perform the following steps by using the Alibaba Cloud account to which the VPC belongs.
  1. Log on to the CEN console.
  2. Click the ID of the CEN instance that you want to manage.
  3. On the Instances page, find the CEN instance that you want to manage and click the ID of the instance.
  4. On the instance details page, click the ID of the transit router that is deployed in the same region as the cloud service.
  5. Click the PrivateZone tab and then click Authorization to complete the authorization.
    Note You must authorize the SAG instance only if this is the first time that you enable the PrivateZone service.
  6. Log on to the RAM console.
  7. In the left-side navigation pane, click RAM Roles.
  8. Enter AliyunSmartAGAccessingPVTZRole in the search box to search for the RAM role and click the name of the role.
  9. Click the Trust Policy Management tab and then click Edit Trust Policy.
  10. Add the following record to the Service parameter: <ID of the Alibaba Cloud account to which the CCN instance belongs>@smartag.aliyuncs.com, for example, 333333@smartag.aliyuncs.com. Click OK.

Scenario 3: The CEN instance belongs to a different Alibaba Cloud account

If the CCN instance and VPC for which PrivateZone is enabled are under the same Alibaba Cloud account but the CEN instance is under a different Alibaba Cloud account, you must create a permission policy by using the Alibaba Cloud account to which the VPC belongs.
Service   Account (UID)
CEN       333333
VPC       111111
CCN       111111

Perform the following steps to grant the permissions:

  1. Log on to the RAM console with the Alibaba Cloud account to which the VPC belongs.
  2. In the left-side navigation pane, click RAM Roles.
  3. Set the following parameters and click OK to create a RAM role:
    • Trusted entity type: Select Alibaba Cloud Service.
    • RAM Role Name: Enter AliyunSmartAGAccessingPVTZRole.
    • Select Trusted Service: Select Smart Access Gateway.
  4. Click the name of the RAM role that you have created.
  5. On the Permissions tab, click Add Permissions.
  6. Enter pvtz in the search box below System Policy, and then click AliyunPvtzReadOnlyAccess to add read-only permissions on PrivateZone.
  7. After you add the permissions, click the Trust Policy Management tab to view information about the permissions.

Scenario 4: The CEN instance, the VPC, and the CCN instance are all under different Alibaba Cloud accounts

If the CCN instance, CEN instance, and VPC are under different Alibaba Cloud accounts, perform the following steps to grant the permissions:
Service   Account (UID)
CEN       111111
VPC       222222
CCN       333333
  1. Create a RAM role by using the Alibaba Cloud account to which the VPC belongs, as described in Scenario 3.
  2. Add the CCN instance to the trust policy under the Alibaba Cloud account to which the VPC belongs, as described in Scenario 2. The format is <ID of the account to which the CCN instance belongs>@smartag.aliyuncs.com.
To allow multiple CCN instances created under different Alibaba Cloud accounts to use the PrivateZone service, add all CCN instances to the trust policy, as described in the following table.
Service   Account (UID)
CEN       111111
VPC       222222
CCN       333333
CCN       444444
CCN       555555
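The trust-policy edit from Scenario 2 (step 10) and its multi-CCN form in Scenario 4 can be checked and applied programmatically. The following Python is an added example, not Alibaba Cloud's own code or API: it assumes the standard RAM trust policy JSON layout (an Allow statement for sts:AssumeRole whose Principal.Service list carries <ID>@smartag.aliyuncs.com entries), uses this page's placeholder account IDs as constructed sample data, and reports both missing CCN accounts and accounts trusted beyond the intended list.

```python
import json

SAG_SERVICE = "smartag.aliyuncs.com"

# Constructed sample: the trust policy of AliyunSmartAGAccessingPVTZRole in the VPC
# owner's account (111111) after Scenario 2 has been applied once for the CCN owned
# by account 333333. Layout assumed to be the standard RAM trust policy document.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"Service": [SAG_SERVICE, "333333@" + SAG_SERVICE]},
    }],
})

def _as_list(value):
    # RAM accepts either a single string or a list for Action and Principal.Service.
    return [value] if isinstance(value, str) else list(value or [])

def _assume_role_statements(policy):
    # Only Allow statements for sts:AssumeRole decide who may assume the role.
    return [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))]

def trusted_sag_accounts(policy_json):
    """Account IDs whose SAG instances may assume the role (<ID>@smartag.aliyuncs.com)."""
    accounts = set()
    for stmt in _assume_role_statements(json.loads(policy_json)):
        for svc in _as_list(stmt.get("Principal", {}).get("Service")):
            if svc.endswith("@" + SAG_SERVICE):
                accounts.add(svc.split("@", 1)[0])
    return accounts

def review_trust_policy(policy_json, expected_ccn_accounts):
    """Return (missing, unexpected): CCN owner accounts still to add (Scenario 2, step 10)
    and accounts trusted beyond the expected list, which should be questioned, not kept."""
    trusted, expected = trusted_sag_accounts(policy_json), set(expected_ccn_accounts)
    return sorted(expected - trusted), sorted(trusted - expected)

def add_ccn_accounts(policy_json, ccn_accounts):
    """New trust policy JSON with <ID>@smartag.aliyuncs.com appended for every CCN
    owner account not trusted yet (the Scenario 4 case with several CCN instances)."""
    policy = json.loads(policy_json)
    missing, _ = review_trust_policy(policy_json, ccn_accounts)
    if missing:
        stmt = _assume_role_statements(policy)[0]
        stmt["Principal"]["Service"] = _as_list(stmt["Principal"].get("Service")) + \
            [acct + "@" + SAG_SERVICE for acct in missing]
    return json.dumps(policy)
```

Run review_trust_policy against the policy exported from the RAM console with the list of CCN owner accounts you intend to trust; any ID in the "unexpected" result is a cross-account AssumeRole grant that nobody on the list asked for.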