
Cloud Enterprise Network: Grant a transit router permissions on a network instance that belongs to another Alibaba Cloud account

Last Updated: Dec 29, 2023

To connect a transit router of Account B to a network instance of Account A, you must use Account A to grant permissions to the transit router of Account B. This topic describes how to grant a transit router permissions on network instances that belong to another Alibaba Cloud account.

Billing overview

After you connect an Enterprise Edition transit router to a virtual private cloud (VPC), a virtual border router (VBR), or an IPsec-VPN connection, you are charged for the network instance connection and data transfer. When you grant a transit router permissions on a network instance, you can specify an Alibaba Cloud account to pay the bills. You can specify the Alibaba Cloud account to which the network instance belongs or the account to which the transit router belongs as the payment account. For more information about the billing of Enterprise Edition transit routers, see Billing rules.

Limits

  • A transit router that is created by an Alibaba Cloud account on the China site can connect only to network instances that are created by Alibaba Cloud accounts on the China site. A transit router that is created by an Alibaba Cloud account on the International site can connect only to network instances that are created by Alibaba Cloud accounts on the International site.

  • You cannot change the payment account within 1 hour after you connect an Enterprise Edition transit router to a network instance that belongs to a different Alibaba Cloud account. To change the payment account again, at least 1 hour must have passed since the last change of payment account.

    For example, you connect an Enterprise Edition transit router of Account B to a VPC of Account A at 09:00:00 (UTC+8) on December 24, 2021, and you specify Account A to pay the connection fee and data transfer fee. You cannot change the payment account to Account B until 10:00:00 (UTC+8) on December 24, 2021.

  • You cannot directly change the payment account after you connect an Enterprise Edition transit router to a network instance that belongs to a different Alibaba Cloud account. You must close the connection between the Enterprise Edition transit router and the network instance before you change the payment account. For more information, see Change the account that pays the bills.

Prerequisites

Before you grant a transit router permissions on a network instance, make sure that the following requirements are met:

  • The account to which the network instance belongs and the account to which the transit router belongs are of the same type.

  • The ID of the Alibaba Cloud account to which the transit router belongs is obtained.

  • The ID of the Cloud Enterprise Network (CEN) instance to which the transit router belongs is obtained.

  • You are authorized by your account manager to manage permissions on VBRs.

  • Before you grant a transit router permissions on an IPsec-VPN connection, make sure that the IPsec-VPN connection is not associated with a resource.

    • If the IPsec-VPN connection is already associated with a VPN gateway, you cannot associate the IPsec-VPN connection with a transit router of the same or a different Alibaba Cloud account.

    • If the IPsec-VPN connection is already associated with a transit router, you must first disassociate the IPsec-VPN connection from the transit router. For more information, see Delete a network instance connection.

Configuration examples

The example in the following figure shows how to grant a transit router permissions on network instances. Alice wants to connect a transit router of Account B to a VPC, a VBR, a Cloud Connect Network (CCN) instance, and an IPsec-VPN connection of Account A. The following example shows how to grant permissions to the transit router of Account B.

[Figure: Cross-account network instance connectivity, August 2022]

Grant Account B permissions on a VPC

  1. Log on to the VPC console with Account A.

  2. In the top navigation bar, select the region in which the VPC is deployed.

  3. On the VPC page, click the ID of the VPC that you want to manage.

  4. Click the Cross-account Authorization tab. On the tab, click Authorize Cross Account Attach CEN.

  5. In the Attach to CEN dialog box, set the following parameters and click OK.

    | Parameter | Description |
    | --- | --- |
    | Peer Account UID | Enter the ID of the Alibaba Cloud account to which the transit router belongs. |
    | Peer CEN Instance ID | Enter the ID of the CEN instance to which the transit router belongs. |
    | Payer | Select the account that pays the bills. CEN Instance Owner: The account to which the transit router belongs pays the connection fee and data transfer fee. This is the default value. VPC Owner: The account to which the VPC belongs pays the connection fee and data transfer fee. |

    Important

    Proceed with caution. Your services may be interrupted if you change the payment account. For more information, see Change the account that pays the bills.

    After you complete the configuration, click OK to grant the permissions. You can view the information about the authorization on the Cross-account Authorization tab.

  6. Record the VPC ID and the ID of Account A, which are required when you use Account B to create a VPC connection. For more information, see Connect VPCs.

    You can view the account ID on the Account Center page.

Grant Account B permissions on a VBR

  1. Log on to the Express Connect console with Account A.

  2. In the top navigation bar, select the region in which the VBR is deployed.

  3. In the left-side navigation pane, click Virtual Border Routers (VBRs).

  4. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.

  5. Click the CEN Authorization tab. On the tab, click Authorize CEN of Another Account to Load Instance.

  6. In the Authorize CEN of Another Account to Load Instance panel, set the following parameters and click OK.

    | Parameter | Description |
    | --- | --- |
    | Peer Account CEN ID | Enter the ID of the CEN instance to which the transit router belongs. |
    | Peer Account UID | Enter the ID of the Alibaba Cloud account to which the transit router belongs. |
    | Payer | Select the account that pays the bills. Valid values: CEN Owner: The account to which the transit router belongs pays the connection fee and data transfer fee. This is the default value. VBR Owner: The account to which the VBR belongs pays the connection fee and data transfer fee. |

    Important

    Proceed with caution. Your services may be interrupted if you change the payment account. For more information, see Change the account that pays the bills.

    After you complete the configuration, click OK to grant the permissions. You can view the permission information on the CEN Authorization tab.

  7. Record the VBR ID and the ID of Account A, which are required when you use Account B to create a VBR connection. For more information, see Connect VBRs.

    You can view the account ID on the Account Center page.

Grant Account B permissions on a CCN instance

  1. Log on to the Smart Access Gateway (SAG) console with Account A.

  2. In the top navigation bar, select the region in which the CCN instance is deployed.

  3. In the left-side navigation pane, click CCN.

  4. On the CCN page, click the ID of the CCN instance that you want to manage.

  5. On the details page of the CCN instance, click the CEN Cross Account Authorization Information tab. On the tab, click CEN Cross Account Authorization.

  6. In the Attach to CEN dialog box, enter the ID of Account B and the ID of the CEN instance of Account B, and click OK.

    After you complete the configuration, click OK to grant the permissions. You can view the information about the authorization on the CEN Cross Account Authorization Information tab.

  7. Record the CCN ID and the ID of Account A, which are required when you use Account B to create a CCN connection. For more information, see Associate a CCN instance with a transit router.

    You can view the account ID on the Account Center page.

Grant Account B permissions on an IPsec-VPN connection

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.

  4. On the IPsec Connections page, click the ID of the IPsec-VPN connection that you want to manage.

  5. On the details page, click the Authorize Cross Account Attach CEN tab, and then click Authorize Cross Account Attach CEN.

  6. In the Attach to CEN dialog box, set the following parameters and click OK.

    | Parameter | Description |
    | --- | --- |
    | Peer Account UID | Enter the ID of the Alibaba Cloud account to which the transit router belongs. |
    | Peer CEN Instance ID | Enter the ID of the CEN instance to which the transit router belongs. |
    | Payer | Select the account that pays the bills. CEN Instance Owner (default): After the IPsec-VPN connection is associated with a transit router, the owner of the transit router pays the connection fee and data transfer fee of the transit router. VPN Owner: After the IPsec-VPN connection is associated with a transit router, the owner of the IPsec-VPN connection pays the connection fee and data transfer fee of the transit router. |

    Important
    • Proceed with caution. Your services may be interrupted if you change the payment account. For more information, see Change the account that pays the bills.

    • After the IPsec-VPN connection is associated with a transit router, the owner account of the IPsec-VPN connection pays the instance fee and data transfer fee of the IPsec-VPN connection.

    After you complete the configuration, click OK to grant the permissions. You can view the information about the authorization on the Authorize Cross Account Attach CEN tab.

  7. We recommend that you record the ID of the IPsec-VPN connection and the ID of the Alibaba Cloud account to which the IPsec-VPN connection belongs. This facilitates the creation of VPN connections. For more information, see Attach an IPsec-VPN connection to a transit router.

    You can view the account ID on the Account Center page.

Change the account that pays the bills

  • If you want to change the account that pays the bills before you connect an Enterprise Edition transit router to a network instance of another Alibaba Cloud account, you must revoke the permissions that the transit router has on the network instance and regrant the transit router permissions on the network instance.

  • If you want to change the payment account after you connect an Enterprise Edition transit router to a network instance of another Alibaba Cloud account, perform the following steps:

  1. Delete the network instance connections on the Enterprise Edition transit router. For more information, see Delete a network instance connection.

    Warning

    Before you delete a network instance connection from an Enterprise Edition transit router, switch service traffic to prevent network interruptions.

  2. Revoke the permissions that the Enterprise Edition transit router has on the network instance. For more information, see Delete a network instance connection.

  3. Grant permissions on the network instance to the Enterprise Edition transit router. For more information, see Grant Account B permissions on a VPC, Grant Account B permissions on a VBR, and Grant Account B permissions on an IPsec-VPN connection.

    Change the account that pays the bills when you grant the permissions.

  4. Connect the Enterprise Edition transit router to the network instance. For more information, see Use an Enterprise Edition transit router to connect VPCs, Connect a VBR to an Enterprise Edition transit router, and Attach an IPsec-VPN connection to a transit router.
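The 1-hour limit and the payer-change procedure above can be checked before anyone touches the console. The following Python is an added example, not Alibaba Cloud code: the `Attachment` record, the payer labels, and the step strings are hypothetical, and it assumes the 1-hour limit is counted from the connection time or the last payer change, whichever is later.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

LOCK = timedelta(hours=1)  # minimum interval stated under Limits


@dataclass
class Attachment:
    """Hypothetical local record of one cross-account grant (not an API type)."""
    instance_id: str
    payer: str                        # "CEN_OWNER" or "INSTANCE_OWNER" (labels made up here)
    connected: bool                   # is the transit router connected to the instance?
    last_event: Optional[datetime]    # connection time or last payer change, tz-aware


def earliest_change(att):
    """Earliest moment the payer may change, or None if no lock applies."""
    return None if att.last_event is None else att.last_event + LOCK


def plan_payer_change(att, new_payer, now):
    """Return the ordered steps for a payer change; raise if it is still locked."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    if new_payer == att.payer:
        return []
    unlock = earliest_change(att)
    if unlock is not None and now < unlock:
        raise PermissionError(f"payer locked until {unlock.isoformat()}")
    steps = ["revoke the transit router's permissions on the instance",
             f"grant permissions again with payer={new_payer}"]
    if att.connected:
        # A connected instance must be detached first and reattached last.
        steps = (["switch service traffic away from the connection",
                  "delete the network instance connection"] + steps
                 + ["connect the transit router to the instance again"])
    return steps


if __name__ == "__main__":
    cst = timezone(timedelta(hours=8))
    # The page's example: connected at 09:00:00 (UTC+8) on December 24, 2021.
    vpc = Attachment("vpc-example", "INSTANCE_OWNER", True,
                     datetime(2021, 12, 24, 9, 0, tzinfo=cst))
    print(earliest_change(vpc).isoformat())
    for step in plan_payer_change(vpc, "CEN_OWNER", datetime(2021, 12, 24, 10, 0, tzinfo=cst)):
        print(step)
```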

Revoke permissions on network instances

Before you revoke the permissions that the transit router has on a network instance, close the connections between the network instance and the transit router. For more information, see Delete a network instance connection.

Revoke permission on a VPC

  1. Log on to the VPC console with Account A.

  2. In the top navigation bar, select the region in which the VPC is deployed.

  3. On the VPC page, click the ID of the VPC that you want to manage.

  4. Click the Cross-account Authorization tab. On this tab, find the authorization record that you want to manage and click Revoke Permissions in the Actions column.

  5. In the Revoke Permissions message, confirm the information and click OK.

Revoke permissions on a VBR

  1. Log on to the Express Connect console with Account A.

  2. In the top navigation bar, select the region where the VBR is created.

  3. In the left-side navigation pane, click Virtual Border Routers (VBRs).

  4. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.

  5. Click the CEN Authorization tab. On this tab, find the authorization record that you want to manage and click Delete in the Actions column.

  6. In the Revoke Authorization message, confirm the information and click OK.

Revoke permissions on a CCN instance

  1. Log on to the SAG console with Account A.

  2. In the top navigation bar, select the region where the CCN instance is deployed.

  3. In the left-side navigation pane, click CCN.

  4. On the CCN page, click the ID of the CCN instance that you want to manage.

  5. Click the CEN Cross Account Authorization Information tab. On this tab, find the authorization record that you want to manage and click Revoke Authorization in the Actions column.

  6. In the Note message, confirm the information and click OK.

Revoke permission on an IPsec-VPN connection

  1. Log on to the VPN Gateway console by using Account A.

  2. In the top navigation bar, select the region where the IPsec-VPN connection is created.

  3. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  4. On the IPsec Connections page, find the IPsec-VPN connection and click its ID.

  5. On the Authorize Cross Account Attach CEN tab, find the authorization record and click Revoke Permissions in the Actions column.

  6. In the Revoke Permissions message, confirm the information and click OK.
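
Account A can periodically reconcile the authorization records shown on each instance's authorization tab against the peers it has approved, and apply the revoke order described above to anything that does not match. The following Python is an added example, not Alibaba Cloud code: the record layout, the payer labels, and every ID are constructed placeholders.

```python
# Approved peers: (peer account UID, peer CEN instance ID) -> agreed payer.
# Every ID in this block is a constructed placeholder.
APPROVED = {("1000000000000001", "cen-approved0001"): "CEN_OWNER"}

# Constructed records, as copied from Account A's authorization tabs.
# CCN grants carry no payer setting, so payer is None for them.
RECORDS = [
    {"instance": "vpc-example01", "peer_uid": "1000000000000001",
     "peer_cen": "cen-approved0001", "payer": "CEN_OWNER", "connected": True},
    {"instance": "vbr-example01", "peer_uid": "1000000000000001",
     "peer_cen": "cen-approved0001", "payer": "INSTANCE_OWNER", "connected": True},
    {"instance": "ccn-example01", "peer_uid": "1000000000000001",
     "peer_cen": "cen-other000002", "payer": None, "connected": False},
    {"instance": "ipsec-example01", "peer_uid": "2000000000000002",
     "peer_cen": "cen-unknown0003", "payer": "CEN_OWNER", "connected": True},
]


def audit(records, approved):
    """Return (instance, finding, next action) for each record that needs attention."""
    approved_uids = {uid for uid, _ in approved}
    findings = []
    for rec in records:
        key = (rec["peer_uid"], rec["peer_cen"])
        if key in approved:
            agreed = approved[key]
            if rec["payer"] is not None and rec["payer"] != agreed:
                findings.append((rec["instance"], "payer differs from agreement",
                                 "follow the payer-change procedure"))
            continue
        # A grant names one CEN instance, so a known account with an
        # unlisted CEN instance is still an unapproved grant.
        reason = ("unapproved CEN instance of a known account"
                  if rec["peer_uid"] in approved_uids else "unapproved peer account")
        # Connections must be closed before the permissions can be revoked.
        action = ("delete the connection, then revoke" if rec["connected"]
                  else "revoke")
        findings.append((rec["instance"], reason, action))
    return findings


if __name__ == "__main__":
    for finding in audit(RECORDS, APPROVED):
        print(finding)
```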