After you attach a Cloud Connect Network (CCN) instance to a Cloud Enterprise Network (CEN) instance, if the on-premises network associated with the CCN instance needs to access Alibaba Cloud DNS PrivateZone (PrivateZone), you must first grant permissions to CCN.

Scenario 1: All instances belong to the same Alibaba Cloud account

The following table shows a scenario where the CCN instance, the virtual private cloud (VPC) where PrivateZone is deployed, and the CEN instance all belong to the same Alibaba Cloud account. In this scenario, you can grant permissions to CCN in the CEN console.

Resource       Owner account ID
CEN instance   111100000000****
VPC            111100000000****
CCN instance   111100000000****
  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click Manage in the Actions column.
  3. On the details page of the CEN instance, click the Private Zone tab and click Authorization.
  4. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.
    Note You must grant permissions to Smart Access Gateway (SAG) only if this is the first time that you configure access to PrivateZone. After you grant permissions to SAG, the CCN instance (a component of SAG) that is attached to the CEN instance can access PrivateZone.
    After you grant the permissions, the system automatically creates the AliyunSmartAGAccessingPVTZRole Resource Access Management (RAM) role for the current Alibaba Cloud account. You can view this role on the Roles page of the RAM console.

Scenario 2: The CCN instance belongs to another Alibaba Cloud account

The following table shows a scenario where the CEN instance and the VPC where PrivateZone is deployed belong to the same Alibaba Cloud account, and the CCN instance belongs to another Alibaba Cloud account. In this scenario, you must modify the permission policy of the Alibaba Cloud account to which the VPC belongs.

Resource       Owner account ID
CEN instance   111100000000****
VPC            111100000000****
CCN instance   333300000000****
  1. Log on to the CEN console with the Alibaba Cloud account to which the VPC belongs.
  2. On the Instances page, find the CEN instance that you want to manage and click Manage in the Actions column.
  3. On the details page of the CEN instance, click the Private Zone tab and click Authorization.
  4. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.
    Note You must grant permissions to SAG only if this is the first time that you configure access to PrivateZone. After you grant permissions to SAG, the CCN instance (a component of SAG) that is attached to the CEN instance can access PrivateZone.
  5. Log on to the RAM console with the Alibaba Cloud account to which the VPC belongs.
  6. In the left-side navigation pane, choose Identities > Roles.
  7. In the search bar of the Roles page, enter AliyunSmartAGAccessingPVTZRole to search for the role, and then click the role name.
  8. On the details page, click the Trust Policy Management tab, and then click Edit Trust Policy.
  9. In the Edit Trust Policy panel, add the following record to the Service parameter, where the account ID is the ID of the Alibaba Cloud account to which the CCN instance belongs (333300000000**** in this example), and then click OK: "CCN instance account ID@smartag.aliyuncs.com"

Scenario 3: The CEN instance belongs to another Alibaba Cloud account

The following table shows a scenario where the CCN instance and the VPC where PrivateZone is deployed belong to the same Alibaba Cloud account, and the CEN instance belongs to another Alibaba Cloud account. In this scenario, you must create a permission policy for the Alibaba Cloud account to which the VPC belongs.

Resource       Owner account ID
CEN instance   333300000000****
VPC            111100000000****
CCN instance   111100000000****
  1. Log on to the RAM console with the Alibaba Cloud account to which the VPC belongs.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, click Create Role.
  4. In the Create Role panel, set the following parameters.
    1. In the Select Role Type step, select Alibaba Cloud Service and click Next.
    2. In the Configure Role step, set the following parameters and click OK.
      • Role Type: Select Normal Service Role.
      • RAM Role Name: Enter AliyunSmartAGAccessingPVTZRole.
      • Select Trusted Service: Select Smart Access Gateway.
    3. In the Create Role panel, click Close to return to the Roles page.
  5. In the search bar of the Roles page, enter AliyunSmartAGAccessingPVTZRole to search for the role and click the role name.
  6. On the Permissions tab, click Add Permissions to go to the Add Permissions panel.
  7. In the search bar below System Policy, enter AliyunPvtzReadOnlyAccess to search for the permission policy and click the policy name. Then, add the read-only permissions on PrivateZone and click OK.
  8. In the Add Permissions panel, click OK to return to the role details page.
  9. On the details page, click the Trust Policy Management tab to view authorization information.

Scenario 4: All instances belong to different Alibaba Cloud accounts

The following table shows a scenario where the CCN instance, the CEN instance, and the VPC where PrivateZone is deployed belong to different Alibaba Cloud accounts. In this scenario, you must perform two authorization operations.

Resource       Owner account ID
CEN instance   111100000000****
VPC            222200000000****
CCN instance   333300000000****
  1. Refer to Scenario 3 and create a role for the Alibaba Cloud account to which the VPC belongs, and then attach the permission policy to the role.
  2. Refer to Scenario 2 and grant permissions to the CCN instance with the Alibaba Cloud account to which the VPC belongs.
To allow multiple CCN instances that belong to different Alibaba Cloud accounts to access PrivateZone, add each CCN instance's account to the trust policy of the role, as shown in the following table (figure: Scenario 4).

Resource         Owner account ID
CEN instance     111100000000****
VPC              222200000000****
CCN instance 1   333300000000****
CCN instance 2   444400000000****
CCN instance 3   555500000000****
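The trust policy that Scenarios 2 and 4 end up with, together with a check that the role trusts only the intended CCN owner accounts, as an added example (not from the Alibaba Cloud documentation). The trust policy shape (Statement, sts:AssumeRole, Principal.Service) is the standard RAM format; the account IDs are the masked sample values from the tables above, and the audit function and its allow list are this example's own construction.

```python
import json

SAG_SERVICE = "smartag.aliyuncs.com"


def build_trust_policy(ccn_account_ids):
    """Return the RAM trust policy document for AliyunSmartAGAccessingPVTZRole.

    The bare service principal covers CCN instances in the role's own account;
    every other account that owns a CCN instance (Scenario 2 / Scenario 4) is
    added as "<account ID>@smartag.aliyuncs.com", exactly as step 9 describes.
    """
    services = [SAG_SERVICE] + [f"{acct}@{SAG_SERVICE}" for acct in ccn_account_ids]
    return {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {"Service": services},
            }
        ],
        "Version": "1",
    }


def audit_trust_policy(policy, allowed_ccn_accounts):
    """Return every Service principal allowed to assume the role that is NOT expected.

    Expected: SAG itself, or SAG acting for one of the allow-listed CCN owner
    accounts. Anything else widens who can reach PrivateZone through this role.
    """
    expected = {SAG_SERVICE} | {f"{a}@{SAG_SERVICE}" for a in allowed_ccn_accounts}
    unexpected = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in stmt.get("Action", []):
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        if isinstance(services, str):  # RAM accepts a single string or a list
            services = [services]
        unexpected.extend(s for s in services if s not in expected)
    return unexpected


if __name__ == "__main__":
    # Masked owner account IDs of CCN instances 1-3 from the Scenario 4 table.
    ccn_owners = ["333300000000****", "444400000000****", "555500000000****"]
    policy = build_trust_policy(ccn_owners)
    print(json.dumps(policy, indent=2))
    print("unexpected principals:", audit_trust_policy(policy, ccn_owners))  # []
```

Run the audit against the trust policy exported from the RAM console whenever a CCN owner account is added or removed, so the role never trusts an account that is no longer supposed to reach PrivateZone.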

What to do next

Access PrivateZone