After you create a Cloud Enterprise Network (CEN) instance, you can connect the CEN instance to virtual private clouds (VPCs), virtual border routers (VBRs), and Cloud Connect Network (CCN) instances to enable network communication. After you attach network instances to a CEN instance, the CEN instance automatically learns routes of the attached network instances. Then, the network instances can communicate with each other.

Background information

  • You can use CEN to connect network instances that belong to the same Alibaba Cloud account or different Alibaba Cloud accounts.

    As shown in the following figure, Account B created a CEN instance. You can attach VPC 1 that belongs to Account A and VPC 2 that belongs to Account B to the same CEN instance to enable network communication between VPC 1 and VPC 2.

    Network instance connections in the previous console version
  • You can use one of the following methods to attach a network instance to a CEN instance:
  • If the CEN instance and the network instance that you want to attach to the CEN instance belong to different Alibaba Cloud accounts, you must log on to the network instance and grant the required permissions to the CEN instance. For more information, see Grant permissions on a network instance that belongs to another account.
    Notice After the CEN instance acquires the required permissions, Account B can attach the network instance that belongs to Account A to the CEN instance. Then, the network instance that belongs to Account B and the network instance that belongs to Account A can communicate with each other.

Prerequisites

  • A CEN instance is created. For more information, see Create a CEN instance.
  • The network instance is not attached to other CEN instances.

Attach a network instance

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click Manage in the Actions column.
  3. Click the Networks tab and then click Attach Network.
  4. In the Attach Network panel, click the Your Account or Different Account tab, set the following parameters, and then click OK.
    • Attach a network instance that is created by the current account
      • Network Type: Select the type of network instance.
      • Region: Select the region where the network instance is created.
      • Networks: Select the network instance that you want to attach.
    • Attach a network instance that is created by a different account
      • Owner Account: Enter the ID of the account to which the network instance belongs.
      • Network Type: Select the type of network instance.
      • Region: Select the region where the network instance is created.
      • Networks: Select the network instance that you want to attach.

Attach a network instance to a CEN instance

  1. Log on to the VPC console.
  2. In the top navigation bar, select the region where the VPC is deployed.
  3. On the VPCs page, find the VPC that you want to attach and click the ID of the VPC.
  4. On the details page of the VPC, click Attach to CEN.
  5. In the Attach to CEN panel, select the CEN instance to which you want to attach the VPC and click OK.
  1. Log on to the Express Connect console.
  2. In the top navigation bar, select the region where the VBR is created.
  3. In the left-side navigation pane, click Virtual Border Routers (VBRs).
  4. On the details page of the VBR, click the Basic Information tab, and then click Join CEN.
  5. In the Join CEN panel, select the CEN instance to which you want to attach the VBR and click OK.
  1. Log on to the SAG console.
  2. In the top navigation bar, select the region where the CCN instance is deployed.
  3. In the left-side navigation pane, click CCN.
  4. On the CCN page, find the CCN instance that you want to attach and click Bind CEN Instance in the Actions column.
  5. In the Bind CEN Instance panel, select the CEN instance you want to attach and click OK.

    You can use one of the following methods to specify a CEN instance:

    • Existing CEN: If you have created CEN instances, you can select an existing CEN instance from the drop-down list.
    • Create CEN: If you have not created a CEN instance, enter an instance name. The system then creates a CEN instance and automatically associates it with the CCN instance.

      The name must be 2 to 128 characters in length, and can contain letters, digits, hyphens (-), and underscores (_). It must start with a letter.

Grant permissions on a network instance that belongs to another account

If the CEN instance and the network instance that you want to attach to the CEN instance belong to different Alibaba Cloud accounts, you must log on to the network instance and grant the required permissions to the CEN instance. Before you grant permissions to the CEN instance, obtain the Alibaba Cloud account ID to which the network instance belongs and the Alibaba Cloud account ID to which the CEN instance belongs.

Grant permissions on a VPC

The following steps show how to attach a VPC that belongs to Account A to a CEN instance that belongs to Account B. The CEN instance must first acquire the required permissions from the VPC.

  1. Log on to the VPC console with Account A.
  2. In the top navigation bar, select the region where the VPC is deployed.
  3. On the VPCs page, find the VPC that you want to attach and click the ID of the VPC.
  4. On the Authorize Cross Account Attach CEN tab, click Authorize Cross Account Attach CEN.
  5. In the Attach to CEN dialog box, set the following parameters and click OK.
    Parameter Description
    Peer Account UID Enter the ID of the Alibaba Cloud account to which the CEN instance belongs. In this example, the ID of Account B is used.
    Peer Account CEN ID Enter the ID of the CEN instance.
    Payer Select the account that pays the fees.
    • CEN Instance Owner: The account to which the CEN instance belongs pays the connection fee and data transfer fee. This is the default value.
    • VPC Owner: The account to which the VPC belongs pays the connection fee and data transfer fee.
    Note This parameter takes effect only if you use an Enterprise Edition transit router to connect the VPC to the CEN instance in the latest console version.
    After you complete the configuration, click OK to grant the permissions. You can view the permission information on the Authorize Cross Account Attach CEN tab.
  6. Record the ID of Account A and the ID of the network instance for further operations.
    You canview the account ID on the Account Center page. View the account ID

Grant permissions on a VBR

The following steps show how to attach a VBR that belongs to Account A to a CEN instance that belongs to Account B. The CEN instance must first acquire the required permissions from the VBR.
Notice By default, VBRs cannot grant permissions to CEN instances that belong to another Alibaba Cloud account. You must submit a ticket.
  1. Log on to the Express Connect console with Account A.
  2. In the top navigation bar, select the region where the VBR is created.
  3. In the left-side navigation pane, click Virtual Border Routers (VBRs).
  4. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to attach.
  5. Click the CEN Authorization tab, and then click Authorize CEN of Another Account to Load Instance.
  6. In the Authorize CEN of Another Account to Load Instance panel, set the following parameters and click OK.
    Parameter Description
    Peer Account UID Enter the ID of the Alibaba Cloud account to which the CEN instance belongs. In this example, the ID of Account B is used.
    Peer Account CEN ID Enter the ID of the CEN instance.
    Payer Select the account that pays the fees.
    • CEN Instance Owner: The account to which the CEN instance belongs pays the connection fee and data transfer fee. This is the default value.
    • VBR Owner: The account to which the VBR belongs pays the connection fee and data transfer fee.
    Note This parameter takes effect only if you use an Enterprise Edition transit router to connect the VBR to the CEN instance in the latest console version.
    After you complete the configuration, click OK to grant the permissions. You can view the permission information on the CEN Authorization tab.
  7. Record the ID of Account A and the ID of the network instance for further operations.
    You canview the account ID on the Account Center page. View the account ID

Grant permissions on a CCN instance

The following steps show how to attach a CCN instance that belongs to Account A to a CEN instance that belongs to Account B. The CEN instance must first acquire the required permissions from the CCN instance.

  1. Log on to the SAG console with Account A.
  2. In the top navigation bar, select the region where the CCN instance is deployed.
  3. In the left-side navigation pane, click CCN.
  4. On the CCN page, click the ID of the CCN instance that you want to attach.
  5. On the details page of the CCN instance, click the CEN Cross Account Authorization Information tab. On the tab, click CEN Cross Account Authorization.
  6. In the Attach to CEN dialog box, enter the ID of Account B and the ID of the CEN instance and click OK.
    After you complete the configuration, click OK to grant the permissions. You can view the permission information on the CEN Cross Account Authorization Information tab.
  7. Record the ID of Account A and the ID of the network instance for further operations.
    You canview the account ID on the Account Center page. View the account ID

Detach a network instance

You can detach a network instance from a CEN instance. After the network instance is detached, it cannot communicate with other network instances that are attached to the CEN instance.

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click Manage in the Actions column.
  3. On the Networks tab, find the network instance that you want to detach and click Detach in the Actions column.
  4. In the Detach Network message, click OK.

References

  • For more information about how to attach a network instance to a CEN instance, see AttachCenChildInstance.
  • For more information about how to query network instances that are attached to a CEN instance, see DescribeCenAttachedChildInstances.
  • For more information about how to query regions that allow you to attach network instances to CEN instances, see DescribeChildInstanceRegions.
  • For more information about how to query network instances of other Alibaba Cloud accounts that have granted permissions to a CEN instance, see DescribeGrantRulesToCen.
  • For more information about how to grant a CEN instance permissions on a VPC, see GrantInstanceToCen.
  • For more information about how to grant a CEN instance permissions on a VPC that belongs to another Alibaba Cloud account, see GrantInstanceToCbn.
  • For more information about how to detaches a network instance from a CEN instance, see DetachCenChildInstance.