To connect a transit router of Account B to a network instance of Account A, you must use Account A to grant permissions to the transit router of Account B. This topic describes how to grant permissions to another Alibaba Cloud account.

Billing

After you connect an Enterprise Edition transit router to a VPC or a VBR, you are charged for the network instance connection and data transfer. When you grant permissions on a network instance, you can specify the Alibaba Cloud account that pays the bills. You can specify the Alibaba Cloud account to which the network instance belongs or the account to which the transit router belongs. For more information about the billing of Enterprise Edition transit routers, see Billing rules.

Limits

  • A transit router that is created by using an Alibaba Cloud account on the China site can connect only to a network instance that is created by using an Alibaba Cloud account on the China site. A transit router that is created by using an Alibaba Cloud account on the International site can connect only to a network instance that is created by using an Alibaba Cloud account on the International site.
  • You cannot change the Alibaba Cloud account that pays the bills within 1 hour after you connect an Enterprise Edition transit router to a network instance that belongs to a different Alibaba Cloud account. The interval at which you change the account that pays the bills must be at least 1 hour.

    For example, you connect an Enterprise Edition transit router of Account B to a VPC of Account A at 09:00:00 (UTC+8) on December 24, 2021. You specify Account A to pay the connection fee and data transfer fee. You cannot specify Account B to pay the bills until 10:00:00 (UTC+8) on December 24, 2021.

  • You cannot directly change the Alibaba Cloud account that pays the bills after you connect an Enterprise Edition transit router to a network instance that belongs to a different Alibaba Cloud account. You must close the connection before you change the account that pays the bills. For more information, see Change the account that pays the bills.

Prerequisites

Before you grant permissions to an account on a network instance, make sure that the following requirements are met:
  • The account to which the network instance belongs and the account to which the transit router belongs are of the same type.
  • The ID of the Alibaba Cloud account to which the transit router belongs is obtained.
  • The ID of the Cloud Enterprise Network (CEN) instance to which the transit router belongs is obtained.
  • If you want to grant permissions on a VBR, submit a ticket to enable the feature used to grant permissions on VBRs.

Scenarios

The example in the following figure shows how to grant permissions on network instances. In this example, you want to connect a transit router of Account B to a VPC, a VBR, and a CCN instance of Account A. The following sections describe how to use Account A to grant the permissions on the instances to Account B.

Grant permissions on the network instances of another account

Grant permissions on a VPC

  1. Log on to the VPC console by using Account A.
  2. In the top navigation bar, select the region where the VPC is deployed.
  3. On the VPCs page, find the VPC that you want to manage, and click the ID of the VPC.
  4. Click the Authorize Cross Account Attach CEN tab. On the tab, click Authorize Cross Account Attach CEN.
  5. In the Attach to CEN dialog box, configure the following parameters and click OK.
    Parameter            Description
    Peer Account UID     Enter the ID of the Alibaba Cloud account to which the transit router belongs.
    Peer Account CEN ID  Enter the ID of the CEN instance to which the transit router belongs.
    Payer                Select the account that pays the bills.
                         • CEN Instance Owner: The account to which the transit router belongs pays the connection fee and data transfer fee. This is the default value.
                         • VPC Owner: The account to which the VPC belongs pays the connection fee and data transfer fee.
                         Notice: Proceed with caution. Your services may be interrupted if you change the account that pays the bills. For more information, see Change the account that pays the bills.
    After you complete the configuration, click OK to grant the permissions. You can view the information about the authorization on the Authorize Cross Account Attach CEN tab.
  6. Record the VPC ID and the ID of Account A, which are used when you use Account B to create a VPC connection. For more information, see Create a VPC connection.
    You can go to the Account Center page to view the account ID.

Grant permissions on a VBR

  1. Log on to the Express Connect console by using Account A.
  2. In the top navigation bar, select the region where the VBR is created.
  3. In the left-side navigation pane, click Virtual Border Routers (VBRs).
  4. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
  5. Click the CEN Authorization tab. On the CEN Authorization tab, click Authorize CEN of Another Account to Load Instance.
  6. In the Authorize CEN of Another Account to Load Instance panel, set the following parameters and click OK.
    Parameter        Description
    CEN Instance ID  Enter the ID of the CEN instance to which the transit router belongs.
    CEN Account      Enter the ID of the Alibaba Cloud account to which the transit router belongs.
    Payer            Select the account that pays the bills.
                     • CEN Owner: The account to which the transit router belongs pays the connection fee and data transfer fee. This is the default value.
                     • VBR Owner: The account to which the VBR belongs pays the connection fee and data transfer fee.
                     Notice: Proceed with caution. Your services may be interrupted if you change the account that pays the bills. For more information, see Change the account that pays the bills.
    After you complete the configuration, click OK to grant the permissions. You can view the information about the authorization on the CEN Authorization tab.
  7. Record the VBR ID and the ID of Account A, which are used when you use Account B to create a VBR connection. For more information, see Create a VBR connection.
    You can go to the Account Center page to view the account ID.

Grant permissions on a CCN instance

  1. Log on to the Smart Access Gateway (SAG) console by using Account A.
  2. In the top navigation bar, select the region where the CCN instance is deployed.
  3. In the left-side navigation pane, click CCN.
  4. On the CCN page, click the ID of the CCN instance that you want to manage.
  5. On the details page of the CCN instance, click the CEN Cross Account Authorization Information tab. On the tab, click CEN Cross Account Authorization.
  6. In the Attach to CEN dialog box, enter the ID of Account B and the ID of the CEN instance of Account B, and click OK.
    After you complete the configuration, click OK to grant the permissions. You can view the information about the authorization on the CEN Cross Account Authorization Information tab.
  7. Record the CCN ID and the ID of Account A, which are used when you use Account B to create a CCN connection. For more information, see Associate a CCN instance with a transit router.
    You can go to the Account Center page to view the account ID.
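
The grants created by the three procedures above can be checked against an approved list. The following is an added example, not part of the original documentation. The record layout, the payer labels `cen_owner` and `instance_owner`, and every ID are constructed for illustration; the observed records would be transcribed from the authorization tabs that each procedure mentions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """One cross-account authorization as shown on an authorization tab."""
    instance_id: str       # VPC, VBR or CCN instance owned by Account A
    peer_uid: str          # account that owns the transit router (Account B)
    cen_id: str            # CEN instance the transit router belongs to
    payer: Optional[str]   # "cen_owner", "instance_owner", or None (CCN dialog has no payer)


def audit_grants(observed, approved):
    """Compare observed grants with the approved set.

    approved maps (instance_id, peer_uid, cen_id) -> expected payer.
    Returns a sorted list of (finding, key) tuples.
    """
    findings = []
    seen = set()
    for g in observed:
        key = (g.instance_id, g.peer_uid, g.cen_id)
        seen.add(key)
        if key not in approved:
            # Grant to an account or CEN instance nobody signed off on: revoke it.
            findings.append(("UNAPPROVED", key))
        elif approved[key] != g.payer:
            # Right peer, but the bill goes to a different account than agreed.
            findings.append(("PAYER_MISMATCH", key))
    for key in approved.keys() - seen:
        # Approved but not present: the connection from Account B will fail.
        findings.append(("MISSING", key))
    return sorted(findings)


# Constructed sample data (placeholder IDs, not real resources).
B_UID, B_CEN = "1111111111111111", "cen-example-b"
APPROVED = {
    ("vpc-example-0001", B_UID, B_CEN): "cen_owner",
    ("vbr-example-0001", B_UID, B_CEN): "cen_owner",
    ("ccn-example-0001", B_UID, B_CEN): None,
}
OBSERVED = [
    Grant("vpc-example-0001", B_UID, B_CEN, "instance_owner"),
    Grant("vbr-example-0001", B_UID, B_CEN, "cen_owner"),
    Grant("vbr-example-0001", "2222222222222222", "cen-example-x", "cen_owner"),
]

if __name__ == "__main__":
    for finding, key in audit_grants(OBSERVED, APPROVED):
        print(finding, *key)
```
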

Change the account that pays the bills

  • If you want to change the account that pays the bills before you connect an Enterprise Edition transit router to a network instance of another account, you must revoke permissions on the network instance and then grant permissions on the network instance.
  • If you want to change the account that pays the bills after you connect an Enterprise Edition transit router to a network instance of another account, perform the following operations:
    Notice: Before you close a network instance connection on an Enterprise Edition transit router, switch service traffic to prevent network interruptions.
  1. Close the network instance connection on the Enterprise Edition transit router. For more information, see Delete a network instance connection.
  2. Revoke permissions on the network instance from the Enterprise Edition transit router. For more information, see Revoke permissions on network instances.
  3. Grant permissions on the network instance to the Enterprise Edition transit router. For more information, see Grant permissions on a VPC and Grant permissions on a VBR.
    Change the account that pays the bills when you grant the permissions.
  4. Re-connect the Enterprise Edition transit router to the network instance. For more information, see Use an Enterprise Edition transit router to create VPC connections and Connect a VBR to an Enterprise Edition transit router.

Revoke permissions on network instances

Before you revoke permissions on a network instance, close the connection between the network instance and the transit router. For more information, see Delete a network instance connection.

Revoke permissions on a VPC

  1. Log on to the VPC console by using Account A.
  2. In the top navigation bar, select the region where the VPC is deployed.
  3. On the VPCs page, find the VPC that you want to manage, and click the ID of the VPC.
  4. Click the Authorize Cross Account Attach CEN tab. On the tab, find the CEN instance that you want to manage and click Unauthorize in the Actions column.
  5. In the Unauthorize message, confirm the information and click OK.

Revoke permissions on a VBR

  1. Log on to the Express Connect console by using Account A.
  2. In the top navigation bar, select the region where the VBR is created.
  3. In the left-side navigation pane, click Virtual Border Routers (VBRs).
  4. On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
  5. Click the CEN Authorization tab. On the CEN Authorization tab, find the CEN instance that you want to manage and click Delete in the Actions column.
  6. In the Revoke Authorization message, confirm the information and click OK.

Revoke permissions on a CCN instance

  1. Log on to the SAG console by using Account A.
  2. In the top navigation bar, select the region where the CCN instance is deployed.
  3. In the left-side navigation pane, click CCN.
  4. On the CCN page, click the ID of the CCN instance that you want to manage.
  5. Click the CEN Cross Account Authorization Information tab. On the tab, find the CEN instance that you want to manage and click Revoke Authorization in the Actions column.
  6. In the Note message, confirm the information and click OK.