If you want to access Alibaba Cloud DNS PrivateZone (PrivateZone) from your on-premises
network, you must grant the required permissions to the accounts involved. Make sure that the on-premises
network is associated with a Cloud Connect Network (CCN) instance that is attached
to a Cloud Enterprise Network (CEN) instance. Which steps are required depends on whether the CCN instance, the CEN instance, and the VPC for which PrivateZone is enabled belong to the same account.
Scenario 1: All under the same account
If the CCN instance, CEN instance, and VPC for which PrivateZone is enabled are under
the same account, click Authorization on the Private Zone tab of the CEN instance to complete authorization.
Note You need to confirm the authorization only when it is your first time configuring
PrivateZone.
Item | User ID (UID) of the account
CEN  | 111111
VPC  | 111111
CCN  | 111111
After authorization is completed, the system automatically creates a Resource Access
Management (RAM) role named AliyunSmartAGAccessingPVTZRole. You can view this role on the
RAM Roles page of the RAM console.
Scenario 2: CCN instance under a different account
If the CEN instance and VPC are under the same account but the CCN instance is under
a different account, you must modify the trust policy of the RAM role so that the Smart Access Gateway service of the CCN account is allowed to assume the role.
Item | UID of the account
CEN  | 111111
VPC  | 111111
CCN  | 333333
Notice You must perform the following operations with the account to which the VPC belongs (in this scenario, the account that also owns the CEN instance).
- Log on to the CEN console.
- Click the ID of the CEN instance.
- Click Private Zone, and then click Authorization to complete authorization.
Note You need to confirm the authorization only when it is your first time configuring
PrivateZone.
- Log on to the RAM console.
- In the left-side navigation pane, click RAM Roles.
- Enter AliyunSmartAGAccessingPVTZRole in the search box and click the name of the RAM role that appears.
- Click the Trust Policy Management tab, and then click Edit Trust Policy.
- Add UID of the CCN account@smartag.aliyuncs.com (for example, 333333@smartag.aliyuncs.com) to the Service field, and then click OK. Add only the CCN accounts that need to access PrivateZone: every entry in the Service field is an account whose Smart Access Gateway service can assume this role.
Scenario 3: CEN instance under a different account
If the CCN instance and VPC are under the same account but the CEN instance is under
a different account, the role is not created automatically. You must create the RAM role and grant it permissions with the account to which
the VPC belongs.
Item | UID of the account
CEN  | 333333
VPC  | 111111
CCN  | 111111
- Log on to the RAM console with the account to which the VPC belongs.
- In the left-side navigation pane, click RAM Roles.
- Click Create RAM Role, set the following parameters, and then click OK. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
- Trusted entity type: Select Alibaba Cloud Service.
- Role Type: Select Normal Service Role.
- RAM Role Name: Enter AliyunSmartAGAccessingPVTZRole.
- Select Trusted Service: Select Smart Access Gateway.
- Click the name of the newly created RAM role.
- On the Permissions tab, click Add Permissions.
- Enter pvtz in the search box below System Policy, and then click AliyunPvtzReadOnlyAccess to grant read-only permissions on PrivateZone. Read-only access is sufficient; do not attach a policy that allows changes to zones or records. For more information, see Grant permissions to a RAM role.
- After the authorization is completed, click Trust Policy Management to verify that the role trusts only the Smart Access Gateway service.
Scenario 4: All under different accounts
If the CCN instance, CEN instance, and VPC are under different accounts, you must
perform the following operations:
Item | UID of the account
CEN  | 111111
VPC  | 222222
CCN  | 333333
- Refer to Scenario 3 and create the RAM role AliyunSmartAGAccessingPVTZRole with the account to which the VPC belongs, and grant it AliyunPvtzReadOnlyAccess.
- Refer to Scenario 2 and add UID of the CCN account@smartag.aliyuncs.com to the Service field of the trust policy of that RAM role, again with the account to which the VPC belongs.
If you have multiple CCN instances and each CCN instance is under a different account,
add only the accounts of the CCN instances that require access to PrivateZone to the Service field. Each UID you add lets that account's Smart Access Gateway service read the private zones of the VPC account.
Item | UID of the account
CEN  | 111111
VPC  | 222222
CCN  | 333333
CCN  | 444444
CCN  | 555555
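The trust-policy edits in Scenario 2 and Scenario 4 come down to maintaining the Service list of one RAM role. The following Python script is an added example, not code from the original page or from Alibaba Cloud: it builds the trust policy for a set of CCN accounts, adds a single CCN account to an existing policy without duplicating entries, and audits a policy so that it trusts nothing beyond the Smart Access Gateway service of the accounts you expect. It assumes the documented shape of a RAM trust policy (an sts:AssumeRole statement with a Principal.Service list) and that a bare smartag.aliyuncs.com entry, as created by the Scenario 1 authorization, refers to the role owner's own account; the UIDs are the placeholders used in the tables above and the sample policy is constructed here.

```python
import json

# Trusted service for AliyunSmartAGAccessingPVTZRole (Smart Access Gateway).
SERVICE_SUFFIX = "smartag.aliyuncs.com"

# Constructed sample: the trust policy the console creates in Scenario 1.
# Assumption: a bare service name means the role owner's own account.
SAME_ACCOUNT_POLICY = {
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [SERVICE_SUFFIX]},
        }
    ],
    "Version": "1",
}


def service_principal(uid: str) -> str:
    """Principal string for the Smart Access Gateway service of account `uid`."""
    if not uid.isdigit():
        raise ValueError(f"account UID must be numeric: {uid!r}")
    return f"{uid}@{SERVICE_SUFFIX}"


def build_trust_policy(ccn_uids):
    """Trust policy that lets the Smart Access Gateway service of each listed
    CCN account assume the role (Scenario 4 with several CCN accounts)."""
    principals = sorted({service_principal(u) for u in ccn_uids})
    return {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {"Service": principals},
            }
        ],
        "Version": "1",
    }


def add_ccn_account(policy, uid):
    """Scenario 2: append one CCN account to the Service field of an existing
    trust policy. Returns a new policy; the input is not modified."""
    updated = json.loads(json.dumps(policy))  # deep copy
    wanted = service_principal(uid)
    for stmt in updated.get("Statement", []):
        if stmt.get("Action") == "sts:AssumeRole" and stmt.get("Effect") == "Allow":
            principal = stmt.setdefault("Principal", {})
            services = principal.get("Service", [])
            if isinstance(services, str):  # RAM accepts a single string here
                services = [services]
            if wanted not in services:
                services.append(wanted)
            principal["Service"] = services
            return updated
    # No matching statement: add a fresh one rather than widening another.
    updated.setdefault("Statement", []).append(
        build_trust_policy([uid])["Statement"][0]
    )
    return updated


def audit_trust_policy(policy, allowed_ccn_uids):
    """Return every Allow principal that is not the Smart Access Gateway service
    of the role owner or of an allowed CCN account. An empty list means the
    role trusts exactly what the scenario requires; check this after editing
    the trust policy in the console."""
    allowed = {SERVICE_SUFFIX} | {service_principal(u) for u in allowed_ccn_uids}
    unexpected = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for kind, values in stmt.get("Principal", {}).items():
            if isinstance(values, str):
                values = [values]
            for value in values:
                if kind != "Service" or value not in allowed:
                    unexpected.append(f"{kind}:{value}")
    return unexpected


if __name__ == "__main__":
    # Scenario 2: VPC/CEN account 111111 trusts the CCN account 333333.
    scenario2 = add_ccn_account(SAME_ACCOUNT_POLICY, "333333")
    print(json.dumps(scenario2, indent=2))
    print("unexpected principals:", audit_trust_policy(scenario2, ["333333"]))
    # Scenario 4 with three CCN accounts.
    print(json.dumps(build_trust_policy(["333333", "444444", "555555"]), indent=2))
```

Paste the printed JSON into Edit Trust Policy, or run audit_trust_policy over the policy you copy out of Trust Policy Management after saving; any line it returns is an account or principal type that can assume the role but is not in your list of CCN accounts.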