After a Cloud Connect Network (CCN) instance is connected to a transit router, the on-premises networks that are attached to the CCN instance can access the PrivateZone service through the transit router. Before the on-premises networks can access PrivateZone, you must grant the required permissions to the CCN instance. This topic describes how to grant permissions to a CCN instance in different scenarios.

Scenario 1: All instances belong to the same Alibaba Cloud account

[Figure: CCN - scenario 1 - diagram]
The preceding figure shows a scenario where the following instances belong to the same Alibaba Cloud account: the CCN instance, the virtual private cloud (VPC) where PrivateZone is deployed, and the transit router. In this scenario, you can grant permissions to CCN in the CEN console. The following table lists the accounts to which the instances belong.
Resource         Owner account ID
Transit router   253460731706911258
VPC              253460731706911258
CCN instance     253460731706911258
  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click the instance ID.
  3. On the Basic Settings > Transit Router tab, click the ID of the transit router in the region where the VPC that is associated with PrivateZone is deployed.
  4. On the details page of the transit router, click the Private Zone tab and click Authorization. On the Cloud Resource Access Authorization page, click Agree to Authorization.
    [Figure: Authorize CCN instances to use the PrivateZone service]
    Note You must grant permissions to Smart Access Gateway (SAG) only if this is the first time that you configure access to PrivateZone. After you grant permissions to SAG, the CCN instance (a component of SAG) that is attached to the CEN instance can access PrivateZone.
    After you grant the permissions, the system automatically creates the Resource Access Management (RAM) role AliyunSmartAGAccessingPVTZRole for the current Alibaba Cloud account. You can log on to the RAM console and go to the Identities > Roles page to search for and view the role.
    [Figure: View the role AliyunSmartAGAccessingPVTZRole]

Scenario 2: The CCN instance belongs to another Alibaba Cloud account

[Figure: CCN authorization - scenario 2 - diagram]
The preceding figure shows a scenario where the transit router and the VPC where PrivateZone is deployed belong to the same Alibaba Cloud account, but the CCN instance belongs to another Alibaba Cloud account. In this scenario, you must modify the policy that is attached to the Alibaba Cloud account to which the VPC belongs. The following table lists the accounts to which the instances belong.
Resource         Owner account ID
Transit router   253460731706911258
VPC              253460731706911258
CCN instance     271598332402530847
  1. Use the Alibaba Cloud account to which the VPC belongs to authorize the CCN instance to access PrivateZone.
    1. Log on to the CEN console with the Alibaba Cloud account to which the VPC belongs.
    2. On the Instances page, find and click the CEN instance that you want to manage.
    3. On the Basic Settings > Transit Router tab, click the ID of the transit router in the region where the VPC that is associated with PrivateZone is deployed.
    4. On the details page of the transit router, click the Private Zone tab and click Authorization. On the Cloud Resource Access Authorization page, click Agree to Authorization.
      Note You must grant permissions to Smart Access Gateway (SAG) only if this is the first time that you configure access to PrivateZone. After you grant permissions to SAG, the CCN instance (a component of SAG) that is attached to the CEN instance can access PrivateZone.
  2. Modify the policy attached to the role AliyunSmartAGAccessingPVTZRole to allow the CCN instance to access PrivateZone.
    1. Log on to the RAM console with the Alibaba Cloud account to which the VPC belongs.
    2. In the left-side navigation pane, choose Identities > Roles.
    3. In the search bar of the Roles page, enter AliyunSmartAGAccessingPVTZRole to search for the role, and then click the role name.
    4. On the details page, click the Trust Policy Management tab, and then click Edit Trust Policy.
    5. In the Edit Trust Policy panel, add the following record to the Service parameter, where CCN instance account ID is the ID of the Alibaba Cloud account that owns the CCN instance: "CCN instance account ID@smartag.aliyuncs.com". Then, click OK.
      [Figure: CCN authorization - scenario 2]

Scenario 3: The transit router belongs to another Alibaba Cloud account

[Figure: CCN authorization - scenario 3 - diagram]
The preceding figure shows a scenario where the CCN instance and the VPC where PrivateZone is deployed belong to the same Alibaba Cloud account, but the transit router belongs to another Alibaba Cloud account. In this scenario, you must create a policy for the Alibaba Cloud account to which the VPC belongs. The following table lists the accounts to which the instances belong.
Resource         Owner account ID
Transit router   271598332402530847
VPC              253460731706911258
CCN instance     253460731706911258
  1. Log on to the RAM console with the Alibaba Cloud account to which the VPC belongs.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, click Create Role.
  4. In the Create Role panel, set the following parameters.
    1. In the Select Role Type step, select Alibaba Cloud Service and click Next.
    2. In the Configure Role step, set the following parameters and click OK.
      [Figure: Scenario 3]
      • Role Type: Select Normal Service Role.
      • RAM Role Name: Enter AliyunSmartAGAccessingPVTZRole.
      • Select Trusted Service: Select Smart Access Gateway.
      For more information, see Create a RAM role for a trusted Alibaba Cloud service.
    3. In the Create Role panel, click Close to return to the Roles page.
  5. In the search bar of the Roles page, enter AliyunSmartAGAccessingPVTZRole to search for the role and click the role name.
  6. On the Permissions tab, click Add Permissions to go to the Add Permissions panel.
  7. In the search bar below System Policy, enter pvtz to search for the policy AliyunPvtzReadOnlyAccess and click the policy name. This adds the read-only permission on PrivateZone to the role. Then, click OK.
    [Figure: Add the read-only permission on PrivateZone]
  8. In the Add Permissions panel, click OK to return to the role details page.
  9. On the details page, click the Trust Policy Management tab to view authorization information.
    [Figure: Scenario 3: View the policy]

Scenario 4: All instances belong to different Alibaba Cloud accounts

[Figure: CCN authorization - scenario 4 - diagram]
The preceding figure shows a scenario where the CCN instance, the transit router, and the VPC where PrivateZone is deployed belong to different Alibaba Cloud accounts. In this scenario, you must perform two authorization operations. The following table lists the accounts to which the instances belong.
Resource         Owner account ID
Transit router   253460731706911258
VPC              283117732402483989
CCN instance     271598332402530847
  1. Refer to Scenario 3 and create a role for the Alibaba Cloud account to which the VPC belongs, and then attach the policy to the role.
  2. Refer to Scenario 2 and grant permissions to the CCN instance with the Alibaba Cloud account to which the VPC belongs.
To allow multiple CCN instances that belong to different Alibaba Cloud accounts to access PrivateZone, add the CCN instances to the policy, as shown in the following figure.
Resource         Owner account ID
Transit router   253460731706911258
VPC              283117732402483989
CCN instance 1   271598332402530847
CCN instance 2   244831332402557259
CCN instance 3   287683832402436789
[Figure: CCN authorization - scenario 4]
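The trust-policy edit from Scenario 2 (one CCN owner account) and the multi-account variant described just above amount to the same change: one "account ID@smartag.aliyuncs.com" entry per CCN owner in the Service list of the role's trust policy. The following Python is an added example, not code from the Alibaba Cloud documentation. It assumes the trust policy that RAM generates for AliyunSmartAGAccessingPVTZRole has the usual shape (Version "1", an Allow statement for sts:AssumeRole with a Principal.Service list); the helper names are hypothetical, and the account IDs are the ones from the Scenario 4 table.

```python
import json
import re

# Trusted-service identifier for Smart Access Gateway (SAG), as used on the page.
SAG_SERVICE = "smartag.aliyuncs.com"

# Assumed shape of the trust policy RAM attaches to AliyunSmartAGAccessingPVTZRole
# when the role trusts the Smart Access Gateway service (constructed for this example).
BASE_TRUST_POLICY = {
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [SAG_SERVICE]},
        }
    ],
    "Version": "1",
}

_ACCOUNT_ID = re.compile(r"\d+")


def ccn_principal(account_id):
    """Build the '<CCN owner account ID>@smartag.aliyuncs.com' entry the page says to add."""
    if not _ACCOUNT_ID.fullmatch(account_id):
        raise ValueError("not a numeric Alibaba Cloud account ID: %r" % (account_id,))
    return "%s@%s" % (account_id, SAG_SERVICE)


def _assume_role_statements(policy):
    """Yield the Allow statements that grant sts:AssumeRole (the only ones that matter here)."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            yield stmt


def add_ccn_accounts(policy, account_ids):
    """Return a copy of the trust policy with one Service entry per CCN owner account.

    Idempotent: entries that are already present are not duplicated, and the input
    policy is left unchanged so the caller can diff before and after.
    """
    updated = json.loads(json.dumps(policy))  # deep copy
    for stmt in _assume_role_statements(updated):
        principal = stmt.setdefault("Principal", {})
        services = principal.get("Service", [])
        if isinstance(services, str):
            services = [services]
        for account_id in account_ids:
            entry = ccn_principal(account_id)
            if entry not in services:
                services.append(entry)
        principal["Service"] = services
    return updated


def trusted_ccn_accounts(policy):
    """Return the set of foreign account IDs whose CCN instances may assume this role.

    The bare 'smartag.aliyuncs.com' entry covers the role's own account and is not
    reported, so the result is exactly the cross-account trust worth reviewing.
    """
    accounts = set()
    suffix = "@" + SAG_SERVICE
    for stmt in _assume_role_statements(policy):
        services = stmt.get("Principal", {}).get("Service", [])
        if isinstance(services, str):
            services = [services]
        for service in services:
            if service.endswith(suffix):
                accounts.add(service[: -len(suffix)])
    return accounts


def render(policy):
    """Serialize the policy the way you would paste it into the Edit Trust Policy panel."""
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    # The three CCN owner accounts from the Scenario 4 table.
    ccn_owners = ["271598332402530847", "244831332402557259", "287683832402436789"]
    policy = add_ccn_accounts(BASE_TRUST_POLICY, ccn_owners)
    print(render(policy))
    print("cross-account trust:", sorted(trusted_ccn_accounts(policy)))
```

Each entry names exactly one account, so the trust policy never widens beyond the CCN owners you listed; running trusted_ccn_accounts against the role's current policy is a quick way to confirm that only the expected accounts appear after the edit, and to spot any that no longer belong when a CCN instance is detached.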

What to do next

Configure PrivateZone