CCN authorization
After you connect a Cloud Connect Network (CCN) instance to a transit router, the on-premises network can access the PrivateZone service through the transit router. To enable this access, you must authorize the CCN instance. This topic describes how to perform this authorization in different scenarios.
Scenario 1: All instances belong to the same account

As shown in the preceding figure, the CCN instance, the VPC hosting the PrivateZone service, and the transit router instance all belong to the same Alibaba Cloud account. In this scenario, you can directly authorize the CCN instance in the Cloud Enterprise Network (CEN) console. The following table lists the example account IDs.
|
Resource |
Account ID |
|
transit router instance |
253460731706911258 |
|
VPC instance |
253460731706911258 |
|
CCN instance |
253460731706911258 |
Log on to the CEN console.
On the CEN Instance page, click the ID of the CEN instance that you want to manage.
-
On the tab, find the transit router in the same region as the VPC hosting the PrivateZone service, and then click the transit router's ID.
-
On the transit router instance details page, click the Access Private Zone tab, and then click Authorization. On the Resource Access Management (RAM) quick authorization page, click Authorize.
NoteYou only need to authorize Smart Access Gateway (SAG) the first time you configure access to the PrivateZone service. Because CCN is an SAG component, this one-time authorization allows any CCN instance connected to the transit router to access the PrivateZone service.
After authorization, the system automatically creates a RAM role named AliyunSmartAGAccessingPVTZRole in your account. To view the role, go to the RAM console, choose , and then search for the role.
Scenario 2: The CCN instance belongs to a different account

As shown in the preceding figure, the transit router instance and the VPC hosting the PrivateZone service belong to the same Alibaba Cloud account, but the CCN instance belongs to a different account. In this scenario, you must modify the trust policy in the VPC owner's account. The following table lists the example account IDs.
|
Resource |
Account ID |
|
transit router instance |
253460731706911258 |
|
VPC instance |
253460731706911258 |
|
CCN instance |
271598332402530847 |
-
Perform the initial authorization in the VPC owner's account.
-
Use the account that owns the VPC to log on to the CEN console.
-
On the CEN Instance page, find the target CEN instance and click its ID.
-
On the tab, find the transit router in the same region as the VPC hosting the PrivateZone service, and then click the transit router's ID.
-
On the transit router instance details page, click the Access Private Zone tab, and then click Authorization. On the Cloud Resource Access Authorization page, click Agree to Authorization.
NoteYou only need to authorize Smart Access Gateway (SAG) the first time you configure access to the PrivateZone service. Because CCN is an SAG component, this one-time authorization allows any CCN instance connected to the transit router to access the PrivateZone service.
-
-
In the VPC owner's account, modify the trust policy of the AliyunSmartAGAccessingPVTZRole role to grant access to the cross-account CCN instance.
-
Use the account that owns the VPC to log on to the RAM console.
-
In the navigation pane on the left, choose .
-
On the Roles page, enter AliyunSmartAGAccessingPVTZRole in the search box, find the role, and then click the role name.
-
On the details page of the role, click the Trust Policy tab and then click Edit Trust Policy.
-
In Service, add a record:
"Cloud Connect Network instance's Alibaba Cloud account ID@smartag.aliyuncs.com", and then click OK.{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "smartag.aliyuncs.com", "271598332402530847@smartag.aliyuncs.com" ] } } ], "Version": "1" }
-
Scenario 3: The transit router instance belongs to a different account

As shown in the preceding figure, the CCN instance and the VPC hosting the PrivateZone service belong to the same Alibaba Cloud account, but the transit router instance belongs to a different account. In this scenario, you must create a RAM role and attach policies to it in the VPC owner's account. The following table lists the example account IDs.
|
Resource |
Account ID |
|
transit router instance |
271598332402530847 |
|
VPC instance |
253460731706911258 |
|
CCN instance |
253460731706911258 |
-
Use the account that owns the VPC to log on to the RAM console.
-
In the navigation pane on the left, choose .
-
On the Roles page, click Create Role.
-
In the Create Role panel, create a role with the following settings:
-
For Principal Type, select AnyTunnel.
-
For Principal Name, select Smart Access Gateway.
-
Click OK. Then, set the Role Name to
AliyunSmartAGAccessingPVTZRoleand click OK. -
Return to the Roles page.
-
-
On the Roles page, search for and click the
AliyunSmartAGAccessingPVTZRolerole. -
On the Permissions tab, click Grant Permission to open the Grant Permission panel.
-
In the search box under Policies, enter the keyword pvtz, select the AliyunPvtzReadOnlyAccess policy, and then click OK.
-
In the Grant Permission panel, click Complete.
-
On the details page of the role, click the Trust Policy tab to view the authorization information.
The trust policy JSON shows that
Actionis set tosts:AssumeRole,Effectis set toAllow,Principal.Serviceissmartag.aliyuncs.com, andVersionis1.
Scenario 4: All instances belong to different accounts

As shown in the preceding figure, the CCN instance, the VPC hosting the PrivateZone service, and the transit router instance all belong to different Alibaba Cloud accounts. In this scenario, you must perform two authorization tasks. The following table lists the example account IDs.
|
Resource |
Account ID |
|
transit router instance |
253460731706911258 |
|
VPC instance |
283117732402483989 |
|
CCN instance |
271598332402530847 |
-
Follow the steps in Scenario 3 to create a role and complete the authorization in the account that owns the VPC.
-
Follow the steps in Scenario 2 to add permissions for the CCN instance in the account that owns the VPC.
If multiple CCN instances from different Alibaba Cloud accounts need to access the PrivateZone service, you must add all of them to the trust policy, as shown in the following example.
|
Resource |
Account ID |
|
transit router instance |
253460731706911258 |
|
VPC instance |
283117732402483989 |
|
CCN instance 1 |
271598332402530847 |
|
CCN instance 2 |
244831332402557259 |
|
CCN instance 3 |
287683832402436789 |
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"smartag.aliyuncs.com",
"271598332402530847@smartag.aliyuncs.com",
"244831332402557259@smartag.aliyuncs.com",
"287683832402436789@smartag.aliyuncs.com"
]
}
}
],
"Version": "1"
}