Attach a VBR to a CEN instance that belongs to a different account - Express Connect

When you attach a virtual border router (VBR) to a Cloud Enterprise Network (CEN) instance that belongs to a different account, you need to use the CEN authorization feature of the VBR to authorize the CEN instance.

Scenarios

You can create an intra-region connection or an inter-region connection to attach a VBR to a CEN instance that belongs to a different account. The following figures show the scenarios in which an intra-region connection and an inter-region connection are used to attach the VBR. This topic describes how to create an intra-region connection to attach the VBR.

Intra-region connection
Inter-region connection

An enterprise uses Account A to create a VBR in the China (Hangzhou) region. The enterprise uses Account B to create a CEN instance and a transit router in the China (Hangzhou) region. The enterprise wants to use the CEN authorization feature of the VBR to attach the VBR to the CEN instance.

Limits

VBRs that are created on the China site can connect only to virtual private clouds (VPCs) that are created on the China site. VBRs that are created on the International site can connect only to VPCs that are created on the International site.

Prerequisites

A VBR is created in the China (Hangzhou) region by using Account A. For more information, see Create and manage a VBR.
A CEN instance is created by using Account B and a transit router is created in the China (Hangzhou) region. For more information, see Create a transit router.
The UID of Account B to which the CEN instance belongs and the UID of Account A to which the VBR belongs are obtained.

Procedure

Apply for the privilege to attach VBRs to CEN instances or VPCs that belong to a different account
Cross-account CEN authorization
Create a connection to connect the VBR and CEN instance
(Optional) Revoke the CEN authorization

Apply for the privilege to attach VBRs to CEN instances or VPCs that belong to a different account

Note

You can apply for the privilege to attach VBRs to CEN instances or VPCs that belong to a different account in the Quota Center or Express Connect console. This topic describes how to apply for the privilege in the Quota Center console. For more information about how to apply for the privilege to attach VBRs to CEN instances or VPCs that belong to a different account in the Express Connect console, see Adjust quotas.
Before you apply for the privilege, you need to send the Proof of Affiliation to your account manager and submit an application in the Quota Center console. Alibaba Cloud reviews your application based on the Proof of Affiliation that you sent. For more information about the Proof of Affiliation, see Limits.

Log on to the Quota Center console.
In the left-side navigation pane, choose Products > Privileges.
On the Products with Privileges page, click Express Connect in the Networking section.
On the Privileges page, find the privilege whose name is Allow VBR to load CEN or VPC across accounts and ID is vbr_cross_account_conn/allow, and click Apply in the Actions column.

In the Apply for Privileges dialog box, set the following parameters and click OK.

Parameter	Description
Quota ID	The ID of the privilege is automatically displayed.
Description	The description of the privilege is automatically displayed.
Quota Value	The value of the privilege. Valid values: Valid Invalid In this example, Valid is selected.
Time	Specify the validity period of the privilege. Note This parameter is required only when the Quota Value parameter is set to Valid. Set the validity period to one day. The authorization takes effect immediately on the day when the application is approved.
Reason	Enter the reason why you apply for the privilege. Example: User XX: User YY with Alibaba Cloud account ZZ wants to apply for the privilege to attach a VBR to a CEN instance or VPC that belongs to a different account. Note You need to provide the Proof of Affiliation to prove that both Alibaba Cloud accounts belong to the same enterprise or entity.
Notify Result	Specify whether to notify the application result. Yes No

Cross-account CEN authorization

You need to log on to the VBR that belongs to Account A and then authorize the CEN instance that belongs to Account B. After the authorization is complete, the VBR can be attached to the CEN instance.

Note

If your VBR is connected to a data center through Border Gateway Protocol (BGP) and the console prompts that loop risks may exist, read the prompt and notify the administrator of the CEN instance.

Use Account A to log on to the Express Connect console .
In the top navigation bar, select the region where the VBR is created. In this example, China (Hangzhou) is selected.
In the left-side navigation pane, click Virtual Border Routers (VBRs).
On the Virtual Border Routers (VBRs) page, find the VBR that you want to manage and click its ID.
On the VBR details page, click the CEN Authorization tab.

Click Authorize CEN of Another Account to Load Instance. In the Authorize CEN of Another Account to Load Instance dialog box, set the following parameters and click OK.

Parameter	Description
Peer CEN Instance ID	Enter the ID of the CEN instance that belongs to Account B.
Peer Account UID	Enter the UID of Account B.
Payer	Select the account that pays the bills. Valid values: CEN Instance Owner: The account to which the transit router belongs pays the connection fee and data transfer fee. This is the default value. VBR Owner: The account to which the VBR belongs pays the connection fee and data transfer fee. Important Proceed with caution. Your services may be interrupted if you change the payment account. For more information, see Change the account that pays the bills.

After the configuration is complete, the permissions are granted to the CEN instance. You can view the information about the authorization on the CEN Authorization tab.

Note

You can record the UID of Account B and the ID of the CEN instance, which are required in subsequent steps.

Create a connection to connect the VBR and CEN instance

You can connect the VBR to the transit router in the same region. Then, the transit router can exchange data between the VBR and CEN instance over private connections.

Log on to the CEN console with Account B.
On the Instances page, find the CEN instance that you want to manage and click its ID.
On the instance details page, click the Transit Router tab, find the transit router that you want to manage, and then click Create Connection in the Actions column.

On the Connection with Peer Network Instance page, set the following parameters to create a VBR connection and click OK.

Parameter	Description
Network Type	Select the type of network instance that you want to attach to the CEN instance. In this example, Virtual Border Router (VBR) is selected.
Region	Select the region where the network instance is deployed. In this example, China (Hangzhou) is selected.
Transit Router	The system automatically displays the transit router in the selected region.
Resource Owner ID	Select the Alibaba Cloud account to which the network instance belongs. In this example, Different Account is selected. After you select Different Account, enter the UID of Account A.
Connection Name	Enter a name for the VBR connection.
Networks	Select the ID of the VBR that you want to connect. In this example, the ID of the VBR that belongs to Account A is entered.
Advanced Settings	By default, the following advanced features are enabled: Includes automatic route table association and route propagation configurations. In this example, the default settings are used.

After the connection is created, you can view the information about the transit router and VBR connection on the Intra-region Connections tab. For more information, see View network instance connections.

(Optional) Revoke the CEN authorization

You can revoke the CEN authorization based on your business requirement. Revoking the CEN authorization does not disconnect the VBR that corresponds to the CEN instance.

Use Account A to log on to the Express Connect console .
In the top navigation bar, select the region where the VBR is created. In this example, China (Hangzhou) is selected.
In the left-side navigation pane, click Virtual Border Routers (VBRs).
On the Virtual Border Routers (VBRs) page, find the VBR that you want to manage and click its ID.
On the VBR details page, click the CEN Authorization tab, find the CEN instance that you want to manage, and then click Delete in the Actions column.
In the Revoke Authorization message, confirm the UID and CEN instance ID and click OK.

References

CEN

CreateTransitRouterVbrAttachment: creates a VBR connection on an Enterprise Edition transit router.
View network instance connections

Express Connect

GrantInstanceToCen: grants permissions to a CEN instance.
RevokeInstanceFromCen: revokes the permissions on a network instance that is attached to a CEN instance.
DescribeVirtualBorderRouters: queries VBRs.