All Products
Search
Document Center

Express Connect:Custom policies for Express Connect

Last Updated:Apr 01, 2026

When system policies don't provide the level of control your team needs, create custom RAM policies to enforce least-privilege access on Express Connect resources.

When to use custom policies

Resource Access Management (RAM) offers two types of policies:

  • System policies — predefined policies managed by Alibaba Cloud. Start here for common access patterns.

  • Custom policies — policies you write and maintain. Use these when system policies are too broad or don't map to your team's access boundaries.

Custom policies let you restrict access by resource type, region, or account ID — for example, allowing a RAM user to manage Virtual Border Routers (VBRs) in one region only, or granting read-only access to Express Connect circuits across all regions.

Policy structure

Each custom policy contains one or more statements. Every statement has three fields:

FieldPurposeExample
EffectAllow or deny the action"Allow"
ActionThe API operations to permit, using wildcards to match groups"vpc:*PhysicalConnection*"
ResourceThe ARN of the resources to target"acs:vpc:*:132193271328****:physicalconnection/*"

Resource ARN format

Express Connect resource ARNs follow this structure:

acs:vpc:<region-id>:<account-id>:<resource-type>/<resource-id>
Resource typeARN patternNotes
Express Connect circuitsacs:vpc:<region-id>:<account-id>:physicalconnection/<connection-id>Use * for region or connection ID to match all
Virtual Border Routersacs:vpc:<region-id>:<account-id>:virtualborderrouter/<vbr-id>Scope to a region by specifying the region ID
Router interfacesacs:vpc:<region-id>:<account-id>:routerinterface/<interface-id>Use a specific interface ID to restrict to one resource

Use * in place of any field to match all values. For example, acs:vpc:*:132193271328****:physicalconnection/* matches all Express Connect circuits in all regions under account 132193271328****.

Read/write separation

The vpc:*Describe* action is required for listing and viewing resources. In all three sample policies below, the Describe statement uses "Resource": "*". Include a Describe statement in any policy intended for console use so that resource lists and detail pages render correctly.

Sample custom policies

The following examples cover common access control scenarios. Copy and adapt the JSON to fit your requirements.

Example 1: Manage all Express Connect circuits in an account

This policy grants full management access to all Express Connect circuits (physical connections) belonging to account 132193271328****. Replace the account ID with your own.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "vpc:*PhysicalConnection*"
            ],
            "Resource": [
                "acs:vpc:*:132193271328****:physicalconnection/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "vpc:*Describe*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Example 2: Manage VBRs in a specific region

This policy grants permission to create, manage, and delete Virtual Border Routers (VBRs) in the China (Qingdao) region only.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "vpc:*Vbr*"
            ],
            "Resource": [
                "acs:vpc:cn-qingdao:*:virtualborderrouter/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "vpc:*Describe*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Example 3: Manage router interfaces in a specific region

This policy grants permission to create, manage, and delete router interfaces in the China (Qingdao) region. Replace ri-xxxx with the specific interface ID to restrict access to a single resource.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "vpc:*RouterInterface*"
            ],
            "Resource": [
                "acs:vpc:cn-qingdao:*:routerinterface/ri-xxxx"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "vpc:*Describe*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Managing custom policies

After creating a policy, attach it to a RAM user, user group, or RAM role for the permissions to take effect. You can delete a policy that is not attached to any principal. If the policy is attached, detach it from all principals before deleting.

Custom policies support version control. Use RAM's version management to track changes and roll back if needed.

For the full list of Express Connect API actions and authorization information for private connections, see RAM authorization.

What's next