All Products
Search
Document Center

Cloud Enterprise Network:Grant a transit router permissions on a network instance that belongs to another Alibaba Cloud account

Last Updated:Jun 07, 2024

To connect a transit router of Account B to a network instance of Account A, such as virtual private clouds (VPCs), virtual border routers (VBRs), Cloud Connect Network (CCN) instances, Express Connect Routers (ECRs), and IPsec-VPN connections, you must use Account A to grant permissions to the transit router of Account B. This topic describes how to grant a transit router permissions on network instances that belong to another Alibaba Cloud account.

Billing

After you connect a VPC, VBR, ECR, or IPsec-VPN connection to an Enterprise Edition transit router, you are charged a connection fee and a data forwarding fee. When you grant a transit router permissions on a network instance, you can specify an Alibaba Cloud account to pay the fees. You can specify the Alibaba Cloud account to which the network instance belongs or the Alibaba Cloud account to which the transit router belongs as the payment account. For more information about the billing of Enterprise Edition transit routers, see Billing rules.

Limits

  • A transit router that is created by an Alibaba Cloud account on the China site can connect only to network instances that are created by Alibaba Cloud accounts on the China site. A transit router that is created by an Alibaba Cloud account on the International site can connect only to network instances that are created by Alibaba Cloud accounts on the International site.

  • You cannot change the payment account within 1 hour after you connect an Enterprise Edition transit router to a network instance that belongs to a different Alibaba Cloud account. If you want to change the payment account again, the time period from the last change of payment account must be at least 1 hour.

    For example, you connect an Enterprise Edition transit router of Account B to a VPC of Account A at 09:00:00 (UTC+8) on December 24, 2021. You specify Account A to pay the connection fee and data forwarding fee. In this case, you cannot change the payment account to Account B until 10:00:00 (UTC+8) on December 24, 2021.

  • You cannot directly change the payment account after you connect an Enterprises Edition transit router to a network instance that belongs to a different Alibaba Cloud account. You must close the connection between the Enterprises Edition transit router and the network instance before you can change the payment account. For more information, see Change the payment account.

Prerequisites

Before you grant a transit router permissions on a network instance, make sure that the following requirements are met:

  • The account to which the network instance belongs and the account to which the transit router belongs are of the same type.

    A transit router that is created by an Alibaba Cloud account on the China site can connect only to network instances that are created by Alibaba Cloud accounts on the China site. A transit router that is created by an Alibaba Cloud account on the International site can connect only to network instances that are created by Alibaba Cloud accounts on the International site.

  • The ID of the Alibaba Cloud account to which the transit router belongs is obtained.

  • The ID of the Cloud Enterprise Network (CEN) instance to which the transit router belongs is obtained.

  • If you want to grant a transit router permissions on a VBR, you are authorized to manage VBR permissions. For more information, see Attach a VBR to a CEN instance that belongs to a different account.

  • If you want to grant a transit router permissions on an IPsec-VPN connection, the IPsec-VPN connection is not associated with a resource.

    • If the IPsec-VPN connection is associated with a VPN gateway, you cannot associate the IPsec-VPN connection with a transit router of the same or a different Alibaba Cloud account.

    • If the IPsec-VPN connection is associated with a transit router, you must first disassociate the IPsec-VPN connection from the transit router. For more information, see Delete a network instance connection.

Example

The following figure shows an example on how to grant a transit router permissions on network instances. Alice wants to connect a transit router of Account B to a VPC, a VBR, a CCN instance, an ECR, and an IPsec-VPN connection of Account A. The following examples show how to grant permissions to the transit router of Account B.

image

Grant Account B permissions on network instances

Grant Account B permissions on the VPC

  1. Log on to the VPC console with Account A.

  2. In the top navigation bar, select the region in which the VPC is deployed.

  3. On the VPC page, click the ID of the VPC that you want to manage.

  4. Click the Cross-account Authorization tab. On the tab, click Authorize Cross Account Attach CEN.Authorize Cross Account Attach CEN

  5. In the Attach to CEN dialog box, set the following parameters and click OK.

    Parameter

    Description

    Peer Account UID

    Enter the ID of the Alibaba Cloud account to which the transit router belongs.

    Peer CEN Instance ID

    Enter the ID of the CEN instance to which the transit router belongs.

    Payer

    Select the account that pays the fees.

    • CEN Instance Owner: The account to which the transit router belongs pays the connection fee and data forwarding fee. This is the default value.

    • VPC Owner: The account to which the VPC belongs pays the connection fee and data forwarding fee.

    Important

    Your services may be interrupted if you change the payment account. Proceed with caution. For more information, see Change the payment account.

    After you complete the configurations, click OK to grant the permissions to the transit router. You can view the authorization information on the Cross-account Authorization tab.VPC授权

  6. Record the VPC ID and the ID of Account A, which are required when you use Account B to create a VPC connection. For more information, see Create a VPC connection.

    You can view the account ID on the Account Center page.账号查看

Grant Account B permissions on the VBR

  1. Log on to the Express Connect console with Account A.

  2. In the top navigation bar, select the region in which the VBR is deployed.

  3. In the left-side navigation pane, click Virtual Border Routers (VBRs).

  4. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.

  5. Click the CEN Authorization tab. On the tab, click Authorize CEN of Another Account to Load Instance.

  6. In the Authorize CEN of Another Account to Load Instance panel, set the following parameters and click OK.

    Parameter

    Description

    Peer Account CEN ID

    Enter the ID of the CEN instance to which the transit router belongs.

    Peer Account UID

    Enter the ID of the Alibaba Cloud account to which the transit router belongs.

    Payer

    Select the account that pays the fees.

    • CEN Owner: The account to which the transit router belongs pays the connection fee and data forwarding fee. This is the default value.

    • VBR Owner: The account to which the VBR belongs pays the connection fee and data forwarding fee.

    Important

    Your services may be interrupted if you change the payment account. Proceed with caution. For more information, see Change the payment account.

    After you complete the configurations, click OK to grant the permissions to the transit router. You can view the authorization information on the CEN Authorization tab.VBR授权

  7. Record the VBR ID and the ID of Account A, which are required when you use Account B to create a VBR connection. For more information, see Connect VBRs.

    You can view the account ID on the Account Center page.账号查看

Grant Account B permissions on the CCN instance

  1. Log on to the Smart Access Gateway (SAG) console with Account A.

  2. In the top navigation bar, select the region in which the CCN instance is deployed.

  3. In the left-side navigation pane, click CCN.

  4. On the CCN page, click the ID of the CCN instance that you want to manage.

  5. On the details page of the CCN instance, click the CEN Cross Account Authorization Information tab. On this tab, click CEN Cross Account Authorization.

  6. In the Attach to CEN dialog box, enter the ID of Account B and the ID of the CEN instance of Account B, and click OK.

    After you complete the configurations, click OK to grant the permissions to the transit router. You can view the authorization information on the CEN Cross Account Authorization Information tab.CCN授权

  7. Record the CCN ID and the ID of Account A, which are required when you use Account B to create a CCN connection. For more information, see Associate a CCN instance with a transit router.

    You can view the account ID on the Account Center page.账号查看

Grant Account B permissions on the IPsec-VPN connection

  1. Log on to the VPN Gateway console.

  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, click the ID of the IPsec-VPN connection that you want to manage.

  5. On the details page, click the Authorize Cross Account Attach CEN tab, and then click Authorize Cross Account Attach CEN.

  6. In the Attach to CEN dialog box, set the following parameters and click OK.

    Parameter

    Description

    Peer Account UID

    Enter the ID of the Alibaba Cloud account to which the transit router belongs.

    Peer CEN Instance ID

    Enter the ID of the CEN instance to which the transit router belongs.

    Payer

    Select the account that pays the fees.

    • CEN Instance Owner: After the IPsec-VPN connection is associated with the transit router, the account to which the transit router belongs pays the connection fee and data forwarding fee. This is the default value.

    • VPN Owner: After the IPsec-VPN connection is associated with the transit router, the account to which the IPsec-VPN connection belongs pays the connection fee and data forwarding fee.

    Important
    • Your services may be interrupted if you change the payment account. Proceed with caution. For more information, see Change the payment account.

    • After an IPsec-VPN connection is associated with a transit router, the owner account of the IPsec-VPN connection pays the instance fee and data transfer fee of the IPsec-VPN connection.

    After you complete the configurations, click OK to grant the permissions to the transit router. You can view the authorization information on the Authorize Cross Account Attach CEN tab.IPsec连接授权

  7. Record the ID of the IPsec-VPN connection and the ID of the Alibaba Cloud account to which the IPsec-VPN connection belongs, which are required when you use Account B to create a VPN attachment. For more information, see Attach an IPsec-VPN connection to a transit router.

    You can view the account ID on the Account Center page.账号查看

Grant Account B permissions on the ECR

  1. Log on to the Express Connect console with Account A.

  2. In the left-side navigation pane, click Express Connect Router (ECR).

  3. On the Express Connect Router (ECR) page, click the ID of the ECR that you want to manage.

  4. Click the CEN Authorization tab. On the CEN Authorization tab, click Authorize CEN of Another Account to Load Instance.

  5. In the Join CEN dialog box, set the following parameters and click OK.

    Parameter

    Description

    CEN Instance ID

    Enter the ID of the CEN instance to which the transit router belongs.

    CEN Account

    Enter the ID of the Alibaba Cloud account to which the transit router belongs.

    Payer

    Select the account that pays the fees.

    • CEN Owner: The account to which the transit router belongs pays the connection fee and data forwarding fee. This is the default value.

    • ECR Owner: The account to which the ECR belongs pays the connection fee and data forwarding fee.

    Important

    Your services may be interrupted if you change the payment account. Proceed with caution. For more information, see Change the payment account.

    After you complete the configurations, click OK to grant the permissions to the transit router. You can view the authorization information on the CEN Authorization tab.ECR授权.png

  6. Record the ID of the ECR and the ID of Account A, which are required when you use Account B to create an ECR connection. For more information, see Create an ECR connection.

    You can view the account ID on the Account Center page.账号查看

Change the payment account

  • If you want to change the payment account before you connect an Enterprise Edition transit router to a network instance of another Alibaba Cloud account, you must revoke the permissions of the transit router on the network instance. Then, regrant the transit router permissions on the network instance.

  • If you want to change the payment account after you connect an Enterprise Edition transit router to a network instance of another Alibaba Cloud account, perform the following steps:

  1. Delete the network instance connections from the Enterprise Edition transit router. For more information, see Delete a network instance connection.

    Warning

    Before you delete a network instance connection from an Enterprise Edition transit router, switch service traffic to prevent network interruptions.

  2. Revoke the permissions of the Enterprise Edition transit router on the network instance. For more information, see Delete a network instance connection.

  3. Grant permissions on the network instance to the Enterprise Edition transit router. For more information, see Grant Account B permissions on the VPC, Grant Account B permissions on the VBR, Grant Account B permissions on the IPsec-VPN connection, and Grant Account B permissions on the ECR.

    Change the payment account when you grant the permissions.

  4. Connect the Enterprise Edition transit router to the network instance. For more information, see Use an Enterprise Edition transit router to connect VPCs, Connect a VBR to an Enterprise Edition transit router, Attach an IPsec-VPN connection to a transit router, and Create an ECR connection.

Revoke permissions on network instances

Before you revoke the permissions of a transit router on a network instance, close the connections between the network instance and the transit router. For more information, see Delete a network instance connection.

Revoke permission on a VPC

  1. Log on to the VPC console with Account A.

  2. In the top navigation bar, select the region in which the VPC is deployed.

  3. On the VPC page, click the ID of the VPC that you want to manage.

  4. Click the Cross-account Authorization tab. On the Cloud Enterprise Network, find the CEN instance that you want to manage and click Revoke Permissions in the Actions column.

  5. In the Revoke Permissions message, review the information and click OK.

Revoke permissions on a VBR

  1. Log on to the Express Connect console with Account A.

  2. In the top navigation bar, select the region in which the VBR is created.

  3. In the left-side navigation pane, click Virtual Border Routers (VBRs).

  4. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.

  5. Click the CEN Authorization tab. On this tab, find the authorization record that you want to manage and click Delete in the Actions column.

  6. In the Revoke Authorization message, confirm the information and click OK.

Revoke permissions on a CCN instance

  1. Log on to the SAG console with account A.

  2. In the top navigation bar, select the region in which the CCN instance is deployed.

  3. In the left-side navigation pane, click CCN.

  4. On the CCN page, click the ID of the CCN instance that you want to manage.

  5. Click the CEN Cross Account Authorization Information tab. On this tab, find the authorization record that you want to manage and click Revoke Authorization in the Actions column.

  6. In the Note message, review the information and click OK.

Revoke permission on an IPsec-VPN connection

  1. Log on to the VPN Gateway console with Account A.

  2. In the top navigation bar, select the region in which the IPsec-VPN connection is created.

  3. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  4. On the IPsec Connections page, click the ID the IPsec-VPN connection that you want to manage.

  5. On the Authorize Cross Account Attach CEN tab, find the authorization record and click Revoke Permissions in the Actions column.

  6. In the Revoke Permissions message, confirm the information and click OK.

Revoke permissions on an ECR

  1. Log on to the Express Connect console with Account A.

  2. In the left-side navigation pane, click Express Connect Router (ECR).

  3. On the Express Connect Router (ECR) page, click the ID of the ECR that you want to manage.

  4. Click the CEN Authorization tab. On this tab, find the authorization record that you want to manage and click Delete in the Actions column.

  5. In the Revoke Authorization message, review the information and click OK.