Cloud Enterprise Network: Grant permissions on a network instance that belongs to another account

Last Updated: Aug 30, 2023

To connect a transit router of Account B to a network instance of Account A, you must use Account A to grant permissions to the transit router of Account B. This topic describes how to grant permissions to another Alibaba Cloud account.

Billing rules

After you connect an Enterprise Edition transit router to a virtual private cloud (VPC), a virtual border router (VBR), or an IPsec-VPN connection, you are charged for the network instance connection and data transfer. When you grant permissions on a network instance, you can specify the Alibaba Cloud account (payment account) that pays the bills. You can specify the Alibaba Cloud account to which the network instance belongs or the account to which the transit router belongs. For more information about the billing of Enterprise Edition transit routers, see Billing rules.

Limits

  • A transit router that is created by an Alibaba Cloud account on the China site can connect only to a network instance that is created by an Alibaba Cloud account on the China site. A transit router that is created by an Alibaba Cloud account on the International site can connect only to a network instance that is created by an Alibaba Cloud account on the International site.

  • You cannot change the payment account within 1 hour after you connect an Enterprise Edition transit router to a network instance that belongs to a different Alibaba Cloud account. The interval at which you change the payment account must be at least 1 hour.

    For example, you connect an Enterprise Edition transit router of Account B to a VPC of Account A at 09:00:00 (UTC+8) on December 24, 2021. You specify Account A to pay the connection fee and data transfer fee. You cannot change the payment account to Account B to pay the bills until 10:00:00 (UTC+8) on December 24, 2021.

  • You cannot directly change the payment account after you connect an Enterprise Edition transit router to a network instance that belongs to a different Alibaba Cloud account. You must close the connection before you change the payment account. For more information, see Change the account that pays the bills.

Prerequisites

Before you grant permissions on a network instance, make sure that the following requirements are met:

  • The account to which the network instance belongs and the account to which the transit router belongs are of the same type.

  • The ID of the Alibaba Cloud account to which the transit router belongs is obtained.

  • The ID of the Cloud Enterprise Network (CEN) instance to which the transit router belongs is obtained.

  • You are authorized by your account manager to manage permissions on VBRs.

  • Before you grant permissions on an IPsec-VPN connection, make sure that the IPsec-VPN connection is not associated with a resource.

    • If the IPsec-VPN connection is already associated with a VPN gateway, you cannot associate the IPsec-VPN connection with a transit router of the same or a different Alibaba Cloud account.

    • If the IPsec-VPN connection is already associated with a transit router, you must first disassociate the IPsec-VPN connection from the transit router. For more information, see Delete a network instance connection.

Configuration examples

The example in the following figure shows how to grant permissions on network instances. Alice wants to connect a transit router of Account B to a VPC, a VBR, a CCN instance, and an IPsec-VPN connection of Account A. The following example shows how to grant permissions to the transit router of Account B.

[Figure: Grant permissions on a network instance that belongs to another account - August 2022]

Grant Account B permissions on the VPC

  1. Log on to the VPC console by using Account A.

  2. In the top navigation bar, select the region where the VPC is deployed.

  3. On the VPCs page, click the ID of the VPC that you want to manage.

  4. Click the Authorize Cross Account Attach CEN tab. Then, click Authorize Cross Account Attach CEN.

  5. In the Attach to CEN dialog box, set the following parameters and click OK.

    • Peer Account UID: Enter the ID of the Alibaba Cloud account to which the transit router belongs.

    • Peer Account CEN ID: Enter the ID of the CEN instance to which the transit router belongs.

    • Payer: Select the account that pays the bills.

      • CEN Instance Owner: The account to which the transit router belongs pays the connection fee and data transfer fee. This is the default value.

      • VPC Owner: The account to which the VPC belongs pays the connection fee and data transfer fee.

    Important: Proceed with caution. Your services may be interrupted if you change the payment account. For more information, see Change the account that pays the bills.

    After you complete the configuration, click OK to grant the permissions. You can view the authorization information on the Authorize Cross Account Attach CEN tab.

  6. Record the VPC ID and the ID of Account A, which are required when you use Account B to create a VPC connection. For more information, see Connect VPCs.

    You can go to the Account Center page to view the account ID.

Grant Account B permissions on the VBR

  1. Log on to the Express Connect console by using Account A.

  2. In the top navigation bar, select the region where the VBR is created.

  3. In the left-side navigation pane, click Virtual Border Routers (VBRs).

  4. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.

  5. Click the CEN Authorization tab. Then, click Authorize CEN of Another Account to Load Instance.

  6. In the Authorize CEN of Another Account to Load Instance panel, set the following parameters and click OK.

    • Peer Account CEN ID: Enter the ID of the CEN instance to which the transit router belongs.

    • Peer Account UID: Enter the ID of the Alibaba Cloud account to which the transit router belongs.

    • Payer: Select the account that pays the bills.

      • CEN Owner: The account to which the transit router belongs pays the connection fee and data transfer fee. This is the default value.

      • VBR Owner: The account to which the VBR belongs pays the connection fee and data transfer fee.

    Important: Proceed with caution. Your services may be interrupted if you change the payment account. For more information, see Change the account that pays the bills.

    After you complete the configuration, click OK to grant the permissions. You can view the authorization information on the CEN Authorization tab.

  7. Record the VBR ID and the ID of Account A, which are used when you use Account B to create a VBR connection. For more information, see Connect VBRs.

    You can go to the Account Center page to view the account ID.

Grant Account B permissions on the CCN instance

  1. Log on to the Smart Access Gateway (SAG) console by using Account A.

  2. In the top navigation bar, select the region where the CCN instance is deployed.

  3. In the left-side navigation pane, click CCN.

  4. On the CCN page, click the ID of the CCN instance that you want to manage.

  5. On the details page of the CCN instance, click the CEN Cross Account Authorization Information tab. Then, click CEN Cross Account Authorization.

  6. In the Attach to CEN dialog box, enter the ID of Account B and the ID of the CEN instance of Account B, and click OK.

    After you complete the configuration, click OK to grant the permissions. You can view the authorization information on the CEN Cross Account Authorization Information tab.

  7. Record the CCN ID and the ID of Account A, which are used when you use Account B to create a CCN connection. For more information, see Associate a CCN instance with a transit router.

    You can go to the Account Center page to view the account ID.

Grant Account B permissions on the IPsec-VPN connection

  1. Log on to the VPN Gateway console.
  2. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.
  3. In the top navigation bar, select the region of the IPsec-VPN connection.
  4. On the IPsec Connections page, click the ID of the IPsec-VPN connection that you want to manage.

  5. On the details page of the IPsec-VPN connection, click the Authorize Cross Account Attach CEN tab. Then, click Authorize Cross Account Attach CEN.

  6. In the Attach to CEN dialog box, set the following parameters and click OK.

    • Peer Account UID: Enter the ID of the Alibaba Cloud account to which the transit router belongs.

    • Peer Account CEN ID: Enter the ID of the CEN instance to which the transit router belongs.

    • Payer: Select the account that pays the bills.

      • CEN Instance Owner (default): After the IPsec-VPN connection is associated with a transit router, the owner of the transit router pays the connection fee and data transfer fee of the transit router.

      • VPN Owner: After the IPsec-VPN connection is associated with a transit router, the owner of the IPsec-VPN connection pays the connection fee and data transfer fee of the transit router.

    Important

      • Proceed with caution. Your services may be interrupted if you change the payment account. For more information, see Change the account that pays the bills.

      • After the IPsec-VPN connection is associated with a transit router, the owner of the IPsec-VPN connection pays the instance fee and data transfer fee of the IPsec-VPN connection.

    After you complete the configuration, click OK to grant the permissions. You can view the authorization information on the Authorize Cross Account Attach CEN tab.

  7. We recommend that you record the ID of the IPsec-VPN connection and the ID of the Alibaba Cloud account to which the IPsec-VPN connection belongs, which are used when you use Account B to connect the IPsec-VPN connection to the transit router. For more information, see Attach an IPsec-VPN connection to a transit router.

    You can go to the Account Center page to view the account ID.
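
Each authorization record created in the procedures above names a peer account UID, a peer CEN ID and (except for CCN) a payer, so the records can be checked against what was approved. The following Python code is an added example, not Alibaba Cloud code: the record layout, the `audit` function and every ID in it are hypothetical and constructed for illustration.

```python
# Added example: audit cross-account CEN grants against an approved list.
# The record layout is hypothetical; all IDs below are constructed.
from dataclasses import dataclass
from typing import Optional

# Payer choices as the page describes them; CCN grants have no Payer field.
CEN_OWNER, RESOURCE_OWNER = "cen_owner", "resource_owner"

@dataclass(frozen=True)
class Grant:
    instance_type: str      # "VPC", "VBR", "CCN" or "IPSEC-VPN"
    instance_id: str
    peer_uid: str           # Peer Account UID (owner of the transit router)
    peer_cen_id: str        # Peer Account CEN ID
    payer: Optional[str]    # None for CCN

# Approved (peer UID, peer CEN ID) pairs and the payer each is expected to use.
APPROVED = {
    ("1000000000000002", "cen-exampleb0001"): CEN_OWNER,
}

def audit(grants, approved=APPROVED):
    """Return (instance_id, finding) for every grant that needs review."""
    findings = []
    for g in grants:
        key = (g.peer_uid, g.peer_cen_id)
        if key not in approved:
            # Distinguish a wrong CEN in a known account from an unknown account.
            known_uid = any(uid == g.peer_uid for uid, _ in approved)
            why = ("unapproved CEN ID for known peer account" if known_uid
                   else "unapproved peer account")
            findings.append((g.instance_id, why))
        elif g.payer is not None and g.payer != approved[key]:
            findings.append((g.instance_id, "unexpected payer: " + g.payer))
    return findings

SAMPLE = [  # constructed records, one per instance type covered on this page
    Grant("VPC", "vpc-example0001", "1000000000000002", "cen-exampleb0001", CEN_OWNER),
    Grant("VBR", "vbr-example0001", "1000000000000002", "cen-exampleb0001", RESOURCE_OWNER),
    Grant("CCN", "ccn-example0001", "1000000000000002", "cen-exampleb9999", None),
    Grant("IPSEC-VPN", "vco-example0001", "1000000000000009", "cen-examplec0001", CEN_OWNER),
]

if __name__ == "__main__":
    for instance_id, finding in audit(SAMPLE):
        print(instance_id, "->", finding)
```

Records that the audit flags are candidates for the procedures under Revoke permissions on network instances.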

Change the account that pays the bills

  • If you want to change the account that pays the bills before you connect an Enterprise Edition transit router to a network instance of another account, you must revoke permissions on the network instance and regrant permissions on the network instance.

  • If you want to change the payment account after you connect an Enterprise Edition transit router to a network instance of another account, perform the following steps:

  1. Close the network instance connections on the Enterprise Edition transit router. For more information, see Delete a network instance connection.

    Warning

    Before you close a network instance connection on an Enterprise Edition transit router, switch service traffic to prevent network interruptions.

  2. Revoke permissions on the network instance from the Enterprise Edition transit router. For more information, see Revoke permissions on network instances.

  3. Grant permissions on the network instance to the Enterprise Edition transit router. For more information, see Grant Account B permissions on the VPC, Grant Account B permissions on the VBR, and Grant Account B permissions on the IPsec-VPN connection.

    Change the account that pays the bills when you grant the permissions.

  4. Connect the Enterprise Edition transit router to the network instance. For more information, see Use an Enterprise Edition transit router to connect VPCs, Connect a VBR to an Enterprise Edition transit router, and Attach an IPsec-VPN connection to a transit router.

Revoke permissions on network instances

Before you revoke permissions on a network instance, close the connections between the network instance and the transit router. For more information, see Delete a network instance connection.

Revoke permission on a VPC

  1. Log on to the VPC console by using Account A.

  2. In the top navigation bar, select the region where the VPC is deployed.

  3. On the VPCs page, click the ID of the VPC that you want to manage.

  4. Click the Authorize Cross Account Attach CEN tab. Find the authorization record and click Unauthorize in the Actions column.

  5. In the Unauthorize message, confirm the information and click OK.

Revoke permissions on a VBR

  1. Log on to the Express Connect console by using Account A.

  2. In the top navigation bar, select the region where the VBR is created.

  3. In the left-side navigation pane, click Virtual Border Routers (VBRs).

  4. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.

  5. Click the CEN Authorization tab. Find the authorization record and click Delete in the Actions column.

  6. In the Revoke Authorization message, confirm the information and click OK.

Revoke permissions on a CCN instance

  1. Log on to the SAG console by using Account A.

  2. In the top navigation bar, select the region where the CCN instance is deployed.

  3. In the left-side navigation pane, click CCN.

  4. On the CCN page, click the ID of the CCN instance that you want to manage.

  5. Click the CEN Cross Account Authorization Information tab. Find the authorization record and click Revoke Authorization in the Actions column.

  6. In the Note message, confirm the information and click OK.

Revoke permission on an IPsec-VPN connection

  1. Log on to the VPN Gateway console by using Account A.

  2. In the top navigation bar, select the region where the IPsec-VPN connection is created.

  3. In the left-side navigation pane, choose Interconnections > VPN > IPsec Connections.

  4. On the IPsec Connections page, click the ID of the IPsec-VPN connection that you want to manage.

  5. Click the Authorize Cross Account Attach CEN tab, find the authorization record, and then click Unauthorize in the Actions column.

  6. In the Unauthorize message, confirm the information and click OK.