CCN authorization

Updated at:
Copy as MD

After you connect a Cloud Connect Network (CCN) instance to a transit router, the on-premises network can access the PrivateZone service through the transit router. To enable this access, you must authorize the CCN instance. This topic describes how to perform this authorization in different scenarios.

Scenario 1: All instances belong to the same account

云连接网-场景一-架构图

As shown in the preceding figure, the CCN instance, the VPC hosting the PrivateZone service, and the transit router instance all belong to the same Alibaba Cloud account. In this scenario, you can directly authorize the CCN instance in the Cloud Enterprise Network (CEN) console. The following table lists the example account IDs.

Resource

Account ID

transit router instance

253460731706911258

VPC instance

253460731706911258

CCN instance

253460731706911258

  1. Log on to the CEN console.

  2. On the CEN Instance page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Settings > Transit Router tab, find the transit router in the same region as the VPC hosting the PrivateZone service, and then click the transit router's ID.

  4. On the transit router instance details page, click the Access Private Zone tab, and then click Authorization. On the Resource Access Management (RAM) quick authorization page, click Authorize.

    Note

    You only need to authorize Smart Access Gateway (SAG) the first time you configure access to the PrivateZone service. Because CCN is an SAG component, this one-time authorization allows any CCN instance connected to the transit router to access the PrivateZone service.

    After authorization, the system automatically creates a RAM role named AliyunSmartAGAccessingPVTZRole in your account. To view the role, go to the RAM console, choose Identities > Roles, and then search for the role.

Scenario 2: The CCN instance belongs to a different account

云连接网授权-场景二-架构图

As shown in the preceding figure, the transit router instance and the VPC hosting the PrivateZone service belong to the same Alibaba Cloud account, but the CCN instance belongs to a different account. In this scenario, you must modify the trust policy in the VPC owner's account. The following table lists the example account IDs.

Resource

Account ID

transit router instance

253460731706911258

VPC instance

253460731706911258

CCN instance

271598332402530847

  1. Perform the initial authorization in the VPC owner's account.

    1. Use the account that owns the VPC to log on to the CEN console.

    2. On the CEN Instance page, find the target CEN instance and click its ID.

    3. On the Basic Settings > Transit Router tab, find the transit router in the same region as the VPC hosting the PrivateZone service, and then click the transit router's ID.

    4. On the transit router instance details page, click the Access Private Zone tab, and then click Authorization. On the Cloud Resource Access Authorization page, click Agree to Authorization.

      Note

      You only need to authorize Smart Access Gateway (SAG) the first time you configure access to the PrivateZone service. Because CCN is an SAG component, this one-time authorization allows any CCN instance connected to the transit router to access the PrivateZone service.

  2. In the VPC owner's account, modify the trust policy of the AliyunSmartAGAccessingPVTZRole role to grant access to the cross-account CCN instance.

    1. Use the account that owns the VPC to log on to the RAM console.

    2. In the navigation pane on the left, choose Identities > Roles.

    3. On the Roles page, enter AliyunSmartAGAccessingPVTZRole in the search box, find the role, and then click the role name.

    4. On the details page of the role, click the Trust Policy tab and then click Edit Trust Policy.

    5. In Service, add a record: "Cloud Connect Network instance's Alibaba Cloud account ID@smartag.aliyuncs.com", and then click OK.

      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "smartag.aliyuncs.com",
                          "271598332402530847@smartag.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }

Scenario 3: The transit router instance belongs to a different account

云连接网授权-场景三-架构图

As shown in the preceding figure, the CCN instance and the VPC hosting the PrivateZone service belong to the same Alibaba Cloud account, but the transit router instance belongs to a different account. In this scenario, you must create a RAM role and attach policies to it in the VPC owner's account. The following table lists the example account IDs.

Resource

Account ID

transit router instance

271598332402530847

VPC instance

253460731706911258

CCN instance

253460731706911258

  1. Use the account that owns the VPC to log on to the RAM console.

  2. In the navigation pane on the left, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. In the Create Role panel, create a role with the following settings:

    1. For Principal Type, select AnyTunnel.

    2. For Principal Name, select Smart Access Gateway.

    3. Click OK. Then, set the Role Name to AliyunSmartAGAccessingPVTZRole and click OK.

    4. Return to the Roles page.

  5. On the Roles page, search for and click the AliyunSmartAGAccessingPVTZRole role.

  6. On the Permissions tab, click Grant Permission to open the Grant Permission panel.

  7. In the search box under Policies, enter the keyword pvtz, select the AliyunPvtzReadOnlyAccess policy, and then click OK.

  8. In the Grant Permission panel, click Complete.

  9. On the details page of the role, click the Trust Policy tab to view the authorization information.

    The trust policy JSON shows that Action is set to sts:AssumeRole, Effect is set to Allow, Principal.Service is smartag.aliyuncs.com, and Version is 1.

Scenario 4: All instances belong to different accounts

云连接网授权-场景四-架构图

As shown in the preceding figure, the CCN instance, the VPC hosting the PrivateZone service, and the transit router instance all belong to different Alibaba Cloud accounts. In this scenario, you must perform two authorization tasks. The following table lists the example account IDs.

Resource

Account ID

transit router instance

253460731706911258

VPC instance

283117732402483989

CCN instance

271598332402530847

  1. Follow the steps in Scenario 3 to create a role and complete the authorization in the account that owns the VPC.

  2. Follow the steps in Scenario 2 to add permissions for the CCN instance in the account that owns the VPC.

If multiple CCN instances from different Alibaba Cloud accounts need to access the PrivateZone service, you must add all of them to the trust policy, as shown in the following example.

Resource

Account ID

transit router instance

253460731706911258

VPC instance

283117732402483989

CCN instance 1

271598332402530847

CCN instance 2

244831332402557259

CCN instance 3

287683832402436789

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "smartag.aliyuncs.com",
          "271598332402530847@smartag.aliyuncs.com",
          "244831332402557259@smartag.aliyuncs.com",
          "287683832402436789@smartag.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}

Next steps

Configure access to the PrivateZone service