Before connecting a virtual border router (VBR) from one Alibaba Cloud account to a Cloud Enterprise Network (CEN) instance in another, the VBR owner must first authorize the CEN instance.
Use cases
You can create cross-account intra-region or inter-region connections between a VBR and a CEN instance.
Intra-region VBR connection

Inter-region VBR connection

An enterprise uses Alibaba Cloud Account A to create a VBR in the China (Hangzhou) region. The enterprise uses Alibaba Cloud Account B to create a CEN instance and a transit router in the same China (Hangzhou) region. This topic shows how to use the VBR's cross-account authorization feature to connect the VBR from Account A to the CEN instance in Account B.
Limitations
For security and compliance reasons, the cross-account VBR connection feature is disabled by default. If your VBR needs to connect to a Cloud Enterprise Network (CEN) instance or a VPC that belongs to a different account, you must provide documentation to prove that the Alibaba Cloud accounts belong to the same company or entity. Contact your account manager to request this feature.
The following shows a sample of the documentation format:
VBR instances on the Alibaba Cloud China site (aliyun.com) can connect only to VPC instances on the China site. VBR instances on the Alibaba Cloud International site (alibabacloud.com) can connect only to VPC instances on the International site.
Prerequisites
A VBR instance is created in the China (Hangzhou) region under Account A. For more information, see Create and manage a virtual border router.
A CEN instance is created under Account B, and a transit router is created for the CEN instance in the China (Hangzhou) region. For more information, see Create a transit router instance.
You have the account IDs of both the VBR owner (Account A) and the CEN instance owner (Account B).
Procedure
Apply for the cross-account connection privilege
You can apply for the privilege in Quota Center or the Express Connect console. This topic describes how to apply in Quota Center. For information about how to apply in the Express Connect console, see Increase a quota.
Before applying for the privilege, contact your account manager and provide the required documentation. Then, submit an application in Quota Center. Your account manager reviews the application based on the documentation that you provide. For more information about the required documentation, see Limitations.
Log on to the Quota Center console.
In the left-side navigation pane, choose .
On the Products with Privileges page, click Express Connect in the Network area.
On the Privileges page, find the privilege with the name Allow VBR to load CEN or VPC across accounts and the Quota ID vbr_cross_account_conn/allow. In the Actions column, click Request.
In the Apply for Privileges dialog box, set the following parameters and click Confirm.
| Parameter | Description |
| --- | --- |
| Quota ID | The system automatically displays the quota ID. |
| Description | The system automatically displays the description of the quota ID. |
| Requested Value | Select the quota value: Effective or Invalid. In this example, select Effective. |
| Time | Set the start time and end time for the quota. Note: This parameter is required only when Requested Value is set to Effective. The granted privilege is valid for one day and takes effect on the day it is approved. |
| Application Reason | Enter the reason for the application. You can use the following example: "We are [Company Name] (Alibaba Cloud root account ID: [Account ID]) and require the privilege to connect a VBR to a cross-account CEN or VPC on Alibaba Cloud." Note: The Alibaba Cloud root accounts specified in the application reason must be owned by the same company or entity. |
| Notify Result | Select whether to be notified of the result: Yes or No. |
Grant cross-account authorization
You must use the VBR in Account A to grant cross-account authorization to the CEN instance in Account B. After you grant the authorization, a connection can be established between the VBR in Account A and the CEN instance in Account B.
If your VBR uses Border Gateway Protocol (BGP) to communicate with your data center and the console warns you of a potential route loop, you must read the warning and inform the administrator of the CEN instance in Account B about the risk.
Use Alibaba Cloud Account A to log on to the Express Connect console.
In the top navigation bar, select the region where the target VBR instance is deployed. This example uses China (Hangzhou).
In the left-side navigation pane, click Virtual Border Routers (VBRs).
On the Virtual Border Routers (VBRs) page, find the target VBR instance and click its ID.
On the details page of the VBR instance, click the CEN Authorization tab.
Click Authorize CEN of Another Account to Load Instance. In the Authorize CEN of Another Account to Load Instance panel, configure the parameters and click OK.
| Parameter | Description |
| --- | --- |
| Peer CEN Instance ID | Enter the ID of the target CEN instance in Account B. |
| Peer Account UID | Enter the account ID of Account B. |
| Payer | Select the party that pays the fees. CEN Owner (default): The transit router owner's account pays the connection and data transfer fees for the VBR instance. VBR Owner: The VBR owner's account pays the connection and data transfer fees for the VBR instance. Important: Choose the payer carefully. Changing the payer may affect your services. For more information, see Change the payer for a network instance. |
After you configure the settings, the system creates the authorization. You can view information about the authorization on the CEN Authorization tab.
Note: Take note of the account ID of Account B and the CEN instance ID for the following steps.
Create the cross-account VBR connection
You can connect the VBR instance to a transit router in the same region. After you establish the connection, the transit router enables private communication between your networks.
Log on to the Cloud Enterprise Network console by using Account B.
On the CEN Instance page, find the target CEN instance and click its ID.
On the instance details page, click the Transit Router tab. Find the target transit router and click Create Connection in the Actions column.
On the Connection with Peer Network Instance page, set the following parameters to create the VBR connection and click OK.
| Parameter | Description |
| --- | --- |
| Network Type | Select the type of network instance to connect. In this example, Virtual Border Router (VBR) is selected. |
| Region | Select the region where the network instance is deployed. This example uses China (Hangzhou). |
| Transit Router | The system automatically displays the transit router that is deployed in the current region. |
| Account | Select the account type of the network instance owner. In this example, Different Account is selected. After you select this option, enter the account ID of Account A. |
| Connection Name | Enter a name for the VBR connection. |
| Networks | Select the ID of the VBR instance to connect. In this example, the ID of the VBR instance in Account A is selected. |
| Advanced Settings | By default, the system enables several advanced features. See Configure automatic route table association and route propagation. In this example, the default settings are used. |
After the network instance connection is created, you can view information about the transit router and the VBR connection on the Intra-Region Connections tab. For more information, see View network instance connections.
(Optional) Revoke the CEN instance authorization
If you no longer need the cross-account VBR connection, you can revoke the authorization that you granted to the CEN instance. Revoking the authorization does not interrupt established network services.
Use Alibaba Cloud Account A to log on to the Express Connect Management Console.
In the top navigation bar, select the region where the target VBR instance is deployed. This example uses China (Hangzhou).
In the left-side navigation pane, click Virtual Border Routers (VBRs).
On the Virtual Border Routers (VBRs) page, find the target VBR instance and click its ID.
On the details page of the VBR instance, click the CEN Authorization tab. Find the target CEN instance and click Delete in the Actions column.
In the Revoke Authorization dialog box, confirm the account ID and CEN instance ID, and then click OK.
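Because a grant stays in place until it is revoked, and revoking it does not interrupt established services, standing grants are worth reviewing periodically. The following is an added example, not part of the original documentation or Alibaba Cloud's own code: it audits an inventory of VBR-to-CEN grants against the accounts approved as belonging to the same entity. The record fields, IDs, and account numbers are constructed and hypothetical; they are not an API response format.

```python
# Added example: audit cross-account VBR-to-CEN grants from a constructed inventory.
# Field names (vbr_id, cen_id, cen_owner_id) are hypothetical, not an API response format.

# Constructed: account IDs approved as belonging to the same entity (Account B).
TRUSTED_ACCOUNTS = {"1000000000000002"}

# Constructed sample: grants shown on each VBR's CEN Authorization tab (Account A side).
GRANTS = [
    {"vbr_id": "vbr-example1", "cen_id": "cen-example1", "cen_owner_id": "1000000000000002"},
    {"vbr_id": "vbr-example1", "cen_id": "cen-example9", "cen_owner_id": "1999999999999999"},
    {"vbr_id": "vbr-example2", "cen_id": "cen-example1", "cen_owner_id": "1000000000000002"},
]

# Constructed sample: VBR connections that exist on transit routers (Account B side).
ATTACHMENTS = [
    {"vbr_id": "vbr-example1", "cen_id": "cen-example1"},
]


def audit_grants(grants, attachments, trusted_accounts):
    """Return (vbr_id, cen_id, cen_owner_id, status) for every grant."""
    attached = {(a["vbr_id"], a["cen_id"]) for a in attachments}
    findings = []
    for g in grants:
        key = (g["vbr_id"], g["cen_id"])
        if g["cen_owner_id"] not in trusted_accounts:
            # Grant to an account outside the approved entity: revoke and investigate.
            status = "untrusted-account"
        elif key in attached:
            # Connection already exists; revoking the grant does not interrupt it,
            # so review whether the standing authorization is still needed.
            status = "connected-review"
        else:
            # Authorized but never connected: confirm the request is still valid.
            status = "pending-connection"
        findings.append((g["vbr_id"], g["cen_id"], g["cen_owner_id"], status))
    return findings


if __name__ == "__main__":
    for finding in audit_grants(GRANTS, ATTACHMENTS, TRUSTED_ACCOUNTS):
        print(*finding, sep="\t")
```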
Related topics
CEN
CreateTransitRouterVbrAttachment: Create a VBR connection for an Enterprise Edition transit router.
Express Connect
GrantInstanceToCen: Grant permissions to a CEN instance.
RevokeInstanceFromCen: Revoke the permissions granted to a CEN instance.
DescribeVirtualBorderRouters: Query created VBR instances.