All Products
Search

This Product

    Cloud Enterprise Network:CreateTransitRouterVbrAttachment

    Document Center

    Cloud Enterprise Network:CreateTransitRouterVbrAttachment

    Last Updated:Jul 17, 2025

    Connects a virtual border router (VBR) with a transit router in the same region.

    Operation description

    • For information about the regions and zones supported by Enterprise Edition transit routers, see What is CEN?

    • You can create a VBR connection with or without an Enterprise Edition transit router:

      • If you already have an Enterprise Edition transit router in the target region, specify the VbrId, RegionId, and TransitRouterId parameters.

      • If you do not have an Enterprise Edition transit router in the target region, specify the VbrId, CenId, and RegionId parameters, and the system will automatically create an Enterprise Edition transit router when executing the operation.

    • This operation is executed asynchronously. After receiving a request, the system returns a VBR connection ID before the VBR connection is fully ready, and it continues the creation task in the backend. You can call ListTransitRouterVbrAttachments to check whether the connection has been created.

      • If the VBR connection is in the Attaching state, it hasn't been created. In this case, you can query information about the connection but cannot perform other operations on it.

      • If the VBR connection is in the Attached state, the creation task has been completed.

    • The transit router and VBR can be in the same or different Alibaba Cloud accounts. In a cross-account scenario, both accounts must belong to the same enterprise, and you need to grant the required permissions on the VBR to the transit router.

    • A newly created VBR connection is not in route learning or associated forwarding correlations with any route table on the transit router.

    Try it now

    Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

    Test

    RAM authorization

    The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

    • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

    • API: The API that you can call to perform the action.

    • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

    • Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

      • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

      • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

    • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

    • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

    Action

    Access level

    Resource type

    Condition key

    Dependent action

    cen:CreateTransitRouterVbrAttachment

    create

    CenInstance

    acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}

    TransitRouter

    acs:cen:*:{#accountId}:centransitrouter/{#TransitRouterId}

    None

    None

    Request parameters

    Parameter

    Type

    Required

    Description

    Example

    ClientToken

    string

    No

    The unique, one-use client token that is used to ensure the idempotence of the request. It can contain only ASCII characters.

    Note

    If you leave this parameter empty, the system automatically uses the request ID as the client token.

    02fb3da4-130e-11e9-8e44-001****

    CenId

    string

    No

    The ID of the Cloud Enterprise Network (CEN) instance.

    cen-j3jzhw1zpau2km****

    TransitRouterId

    string

    No

    The ID of the Enterprise Edition transit router.

    tr-bp1su1ytdxtataupl****

    RegionId

    string

    No

    The region ID of the VBR.

    You can obtain the latest region list by calling the DescribeRegions operation.

    cn-hangzhou

    TransitRouterAttachmentName

    string

    No

    The name of the VBR connection.

    The name can be empty or 1 to 128 characters in length. It cannot start with http:// or https://.

    testname

    TransitRouterAttachmentDescription

    string

    No

    Description of the VBR connection.

    The description can be empty or 1 to 256 characters in length. It cannot start with http:// or https://.

    testdesc

    VbrId

    string

    Yes

    The ID of the VBR.

    vbr-bp1svadp4lq38janc****

    VbrOwnerId

    integer

    No

    The ID of the Alibaba Cloud account to which the VBR belongs. If you leave this parameter empty, the ID of the account calling this operation is used.

    Note

    For a cross-account connection, this parameter is required.

    1250123456123456

    AutoPublishRouteEnabled

    boolean

    No

    Specifies whether to enable the Enterprise Edition transit router to automatically advertise routes to the VBR. Valid values:

    • false (default)

    • true

    false

    DryRun

    boolean

    No

    Specifies whether to perform a dry run. Default values:

    • false (default): executes the request without performing a dry run.

    • true: performs a dry run without actually creating the VBR connection. The system checks the required parameters and request syntax. If the request fails the dry run, an error message is returned. If the request passes the dry run, the system returns the ID of the request.

    false

    Tag

    array

    No

    Tag information.

    You can specify up to 20 tags.

    object

    No

    Key

    string

    No

    The tag key.

    The tag key cannot be an empty string. The tag key can be up to 64 characters in length and cannot start with acs: or aliyun. It cannot contain http:// or https://.

    You can specify up to 20 tag keys.

    TagKey

    Value

    string

    No

    The tag value.

    The tag value can be 0 to 128 characters in length, and cannot start with aliyun or acs:. It cannot contain http:// or https://.

    Each tag key must have a unique tag value. You can specify up to 20 tag values.

    TagValue

    Response parameters

    Parameter

    Type

    Description

    Example

    object

    The response.

    TransitRouterAttachmentId

    string

    The ID of the VBR connection.

    tr-attach-ia340z7xis7t5s****

    RequestId

    string

    The ID of the request.

    C087A369-82B9-43EF-91F4-4B63A9C6E6B6

    Examples

    Success response

    JSON format

    {
  "TransitRouterAttachmentId": "tr-attach-ia340z7xis7t5s****",
  "RequestId": "C087A369-82B9-43EF-91F4-4B63A9C6E6B6"
}

    Error codes

    HTTP status code

    Error code

    Error message

    Description

    400

    NoPermission.AliyunServiceRolePolicyForCEN

    You are not authorized to create the service linked role. Role Name: AliyunServiceRolePolicyForCEN. Service Name: cen.aliyuncs.com. Make sure that the user has been granted the ram:CreateServiceLinkedRole permission.

    The error message returned because you do not have the permissions to create the service-linked role whose role name is AliyunServiceRolePolicyForCEN and service name is cen.aliyuncs.com. You must acquire the ram:CreateServiceLinkedRole permission before you can create the service-linked role.

    400

    OperationUnsupported.TransitRouterRegionId

    The specified TransitRouterRegion does not support the operation.

    400

    InvalidCenId.NotFound

    CenId is not found.

    The error message returned because the specified CEN instance does not exist.

    400

    InvalidStatus.ResourceStatus

    The resource is not in a valid state for the attachment operation.

    The error message returned because the status of the specified resource does not support this operation. Try again later.

    400

    InvalidTransitRouterId.NotFound

    TransitRouterId is not found.

    The error message returned because the ID of the transit router does not exist.

    400

    Forbbiden.TransitRouterServiceNotOpen

    The user has not open transit router service.

    The error message returned because the transit router is disabled. Enable the transit router and try again.

    400

    OperationUnsupported.TransitRouterType

    The specified TransitRouterType does not support the operation.

    The error message returned because this operation is not supported by the specified type of transit router.

    400

    MissingParam.CenIdOrRegionId

    Either CenId or RegionId must be specified.

    The error message returned because the CenId or RegionId parameter is not set.

    400

    IncorrectStatus.Vpc

    The resource is not in a valid state for the attachment operation.

    The error message returned because the status of the VPC does not support this operation. Try again later.

    400

    Forbidden.VbrDeviceModel

    Attach VBR on some access device models are forbidden.

    The error message returned because the mode of the VBR does not support this operation.

    400

    IllegalParam.AssociateRouteTableId

    The specified AssociateRouteTableId is illegal.

    The error message returned because the specified route table ID (AssociateRouteTableId) is invalid.

    400

    Forbbiden.AttachChildInstanceAcrossBid

    Operation is invalid, please apply for cross-bid attaching.

    400

    IllegalParam.RegionId

    RegionId is illegal.

    The error message returned because the specified region is invalid.

    400

    OperationUnsupported.CenFullLevel

    CEN full level does not support TransitRouter

    The error message returned because CEN instances of the Full type do not support Enterprise Edition transit routers.

    400

    OperationUnsupported.VbrAttachment

    This region not support vbr attachment.

    The error message returned because VBR attachments are not supported in the specified region.

    400

    InvalidOperation.CenInstanceStatus

    The CEN instance is not in a valid state for the operation.

    400

    OperationUnsupported.CloudBoxVbrNotSupport

    Cloud Box Vbr does not support.

    The error message returned because the instance cannot be connected to a CloudBox.

    400

    IncorrectStatus.VbrResource

    The resource is not in a valid state for the attachment operation.

    The error message returned because this operation is not supported when the specified VBR is in an unstable state. Wait until all operations related to the VBR are completed.

    400

    IncorrectStatus.TransitRouter

    The status of TransitRouter is incorrect.

    The error message returned because the status of the transit router does not support this operation. Try again later.

    400

    QuotaExceeded.CenQuotaVbrAttachPerTransitRouter

    The maximum number of VBR attachment per Transit Router is exceeded.

    The error message returned because specified number of VBRs to be attache to the transit router exceeds the upper limit. You can submit a ticket to request a quota increase.

    400

    QuotaFull.ChildInstanceRelatedCen

    The childinstance has exceed the quota of the times that a childinstance can be attached as an attachment.

    The error message returned because the number of CEN instances to which the instance is attached has reached the upper limit. You cannot attach the instance to more CEN instances.

    400

    Forbidden.ResourceOwnerTransitRouterServiceNotOpen

    The resource owner user has not opened transit router service.

    The transit router service for the resource owner's account is not currently opened. Please inform them to open the transit router service and then try again.

    400

    InvalidOperation.VbrAttachedToEcr

    VBR has alreay attached to ECR.

    VBR has alreay attached to ECR.

    400

    Forbidden.ResourceOwnerTransitRouterServiceExpired

    The transit router service of the account to which the resource belongs has been suspended due to arrears. Please notify the other party to renew the service and try again.

    The transit router service of the account to which the resource belongs has been suspended. Please notify the other party to renew the service and try again.

    400

    Forbidden.TransitRouterServiceExpired

    The transit router service is out of service.

    The transit router service has been suspended due for payment. Please renew the service and try again.

    400

    InvalidParameter

    Invalid parameter.

    The error message returned because the parameter is set to an invalid value.

    400

    Unauthorized

    The AccessKeyId is unauthorized.

    The error message returned because you do not have the permissions to perform this operation.

    400

    InvalidParameter.ResourceType

    The specified parameter ResourceType is invalid.

    403

    Forbidden.VbrDeviceModel

    The attached VBR on some access device models are not supported. Please submit a ticket to continue using this VBR on CEN.

    The error message returned because the mode of the VBR does not support this operation.

    See Error Codes for a complete list.

    Release notes

    See Release Notes for a complete list.