When you attach a virtual border router (VBR) that belongs to Account A to a virtual private cloud (VPC) that belongs to Account B through a peering connection, you need to use the VBR cross-account authorization feature of the VPC to grant the VBR permissions on the VPC.
Scenarios
You can attach a VBR to a VPC in the same region or in a different region. This topic describes how to attach a VBR to a VPC in the same region.
An enterprise creates a VBR by using Alibaba Cloud Account A and a VPC by using Alibaba Cloud Account B in the China (Hangzhou) region. The enterprise wants to use the VBR cross-account authorization feature of the VPC to attach the VBR to the VPC through a private connection.
Limits
By default, you cannot connect VBRs to instances that belong to a different account due to security requirements. If you want to connect VBRs to Cloud Enterprise Network (CEN) instances or VPCs that belong to a different account, you must provide a Proof of Affiliation to prove that the two Alibaba Cloud accounts belong to the same enterprise or entity. Send the Proof of Affiliation to your account manager to apply for the permissions.
The following figure shows the format of the Proof of Affiliation:
VBRs that are created on the China site can connect only to VPCs that are created on the China site. VBRs that are created on the International site can connect only to VPCs that are created on the International site.
Prerequisites
A VBR is created in the China (Hangzhou) region by using Alibaba Cloud account A. For more information, see Create and manage a VBR.
A VPC is created in the China (Hangzhou) region by using Alibaba Cloud account B. For more information, see Create and manage a VPC.
The UID of Account B to which the VPC belongs and the UID of Account A to which the VBR belongs are obtained.
Procedures
Apply for the privilege to attach a VBR to a CEN instance or VPC that belongs to a different account
You can log on to the Quota Center or Express Connect console and apply for the privilege to attach a VBR to a CEN instance or VPC that belongs to a different account. This topic describes how to apply for the privilege in the Quota Center console. For more information about how to apply for the privilege to attach a VBR to a CEN instance or VPC that belongs to a different account in the Express Connect console, see Adjust quotas.
Before you apply for the required privilege, you need to send the Proof of Affiliation to your account manager and submit an application in the Quota Center console. Alibaba Cloud will review your application based on the Proof of Affiliation that you sent to your account manager. For more information about the Proof of Affiliation, see Limits.
Log on to the Quota Center console.
In the left-side navigation pane, choose .
On the Products with Privileges page, click Express Connect in the Networking section.
On the Privileges page, find the privilege whose name is Allow VBR to load CEN or VPC across accounts and ID is vbr_cross_account_conn/allow, and click Apply in the Actions column.
In the Apply for Privileges dialog box, set the following parameters and click OK.
Parameter | Description
Quota ID | The ID of the privilege is automatically displayed.
Description | The description of the privilege is automatically displayed.
Quota Value | The value of the privilege. Valid values: Valid, Invalid. In this example, Valid is selected.
Time | Specify the validity period of the privilege. Note: This parameter is required only when the Quota Value parameter is set to Valid. Set the validity period to one day. The authorization takes effect immediately on the day when the application is approved.
Reason | Enter the reason why you apply for the privilege. Example: User XX: User YY with Alibaba Cloud account ZZ wants to apply for the privilege to attach a VBR to a CEN instance or VPC that belongs to a different account. Note: You need to provide the Proof of Affiliation to prove that both Alibaba Cloud accounts belong to the same enterprise or entity.
Notify Result | Specify whether to notify the application result: Yes or No.
Grant permissions to the VBR
You must grant the VBR permissions on the VPC by using the cross-account VBR authorization feature. The VBR belongs to Alibaba Cloud account A and the VPC belongs to Alibaba Cloud account B. After the cross-account authorization is complete, a peering connection between the VPC and the VBR can be created.
Log on to the VPC console by using Alibaba Cloud account B.
In the top navigation bar, select the region where the VPC is deployed. China (Hangzhou) is selected in this example.
On the VPCs page, find the VPC on which you want to grant permissions, and click the ID of the VPC.
On the VPC details page, click the Cross-Account VBR Authorization tab, and then click Cross-Account VBR Authorization.
In the Cross-Account VBR Authorization dialog box, set the following parameters and click OK.
Parameter | Description
Peer Account UID | Enter the ID of Alibaba Cloud account A to which the VBR belongs.
Region | Select the region where the VBR is deployed. China (Hangzhou) is selected in this example.
VBR ID | Specify the IDs of VBRs to which you want to grant permissions. The VBRs belong to Alibaba Cloud account A. Options:
  Grant Permissions to Specified VBRs: You grant specified VBRs permissions on the VPC. The VBRs are deployed in the destination region of Alibaba Cloud account A. If you select Grant Permissions to Specified VBRs, enter the ID of the specified VBR. If you want to grant multiple VBRs permissions on the VPC, you can click + Add to enter the IDs of multiple VBRs. Note: If the IDs of multiple VBRs are added, the IDs must be different.
  Grant Permissions to All VBRs: You grant all VBRs permissions on the VPC. The VBRs are deployed in the destination region of Alibaba Cloud account A.
After the settings are complete, the permissions are granted to VBRs. You can view the information about the authorization on the Cross-Account VBR Authorization tab.
Note: You can record the ID of Alibaba Cloud account B and the ID of the VPC for later creation of VBR-to-VPC connections.
Create a VBR-to-VPC connection across accounts
After you create a VBR-to-VPC connection, the VBR can communicate with the VPC that belongs to a different account through the private connection.
Log on to the Express Connect console by using Alibaba Cloud account A.
In the left-side navigation pane, choose .
On the VBR-to-VPC page, click Create Peering Connection.
On the Establish VBR-VPC Interconnection page, configure the parameters described in the following table.
Parameter | Description
Initiator Region | Select the region where the VBR is deployed. In this example, China (Hangzhou) is selected.
Initiator VBR | Select the VBR from the drop-down list as the initiator.
Acceptor Region Type | Specify whether the initiator and acceptor belong to the same region. In this example, Intra-Region is selected.
Acceptor Account Type | Specify whether the initiator and acceptor belong to the same Alibaba Cloud account. In this example, Another Account is selected.
Acceptor Account ID | When Acceptor Account Type is set to Another Account, you need to specify the UID of the account to which the acceptor belongs. Select the UID of the account to which the acceptor belongs from the drop-down list. In this example, the UID of Account B is selected.
Acceptor VPC | Select the ID of the VPC on which the VBR is granted permissions.
Fee Details | The bandwidth fee is automatically displayed in the Bandwidth Fee field.
Read and select the Terms of Service and click OK.
Note: If the initiator or acceptor is deployed outside the Chinese mainland and the acceptor is deployed in the Chinese mainland or vice versa, the VBR-to-VPC connection is a cross-border connection. In this case, you must select the agreement for cross-border connections before you can create the VBR-to-VPC connection.
After the VBR-to-VPC connection is established, the status of the initiator and the acceptor changes to Activated.
(Optional) Cancel the VBR cross-account authorization
If you no longer use the cross-account VBR-to-VPC connection service, you can revoke permissions on the VPC. This operation does not interrupt established cross-account VBR-to-VPC connections.
Log on to the VPC console by using Alibaba Cloud account B.
In the top navigation bar, select the region where the VPC is deployed. China (Hangzhou) is selected in this example.
On the VPCs page, find the VPC on which you want to grant permissions, and click the ID of the VPC.
On the VPC details page, click the Cross-Account VBR Authorization tab, and then click Revoke Permission in the Actions column.
In the message that appears, click OK.
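Because revoking the authorization does not interrupt established connections, and because Grant Permissions to All VBRs is broader than a specified list, Account B may want to reconcile its grants against live connections. The following Python sketch is an added example, not part of the original topic and not Alibaba Cloud code. The record shapes, field names, UIDs and resource IDs are constructed placeholders that model what the Cross-Account VBR Authorization tab and the VBR-to-VPC page show.

```python
from dataclasses import dataclass
# Constructed record shapes; field names are hypothetical, not an Alibaba Cloud schema.
@dataclass(frozen=True)
class Grant:
    vpc_id: str
    peer_uid: str   # account that owns the VBR (Account A)
    region: str
    vbr_ids: tuple  # () models "Grant Permissions to All VBRs"

@dataclass(frozen=True)
class Connection:
    vbr_id: str
    vbr_owner_uid: str
    region: str
    vpc_id: str
    status: str

def audit(grants, connections, approved_uids):
    """Return (finding, vpc_id, subject) tuples for Account B to review."""
    findings = []
    for g in grants:
        if g.peer_uid not in approved_uids:
            findings.append(("unapproved-peer-account", g.vpc_id, g.peer_uid))
        if not g.vbr_ids:
            findings.append(("grant-covers-all-vbrs", g.vpc_id, g.peer_uid))
    for c in connections:
        if c.status != "Activated":
            continue
        covered = any(
            g.vpc_id == c.vpc_id and g.peer_uid == c.vbr_owner_uid
            and g.region == c.region and (not g.vbr_ids or c.vbr_id in g.vbr_ids)
            for g in grants)
        if not covered:  # revocation leaves established connections up
            findings.append(("connection-without-grant", c.vpc_id, c.vbr_id))
    return findings

# Constructed sample data (placeholder UIDs and IDs).
R, APPROVED = "China (Hangzhou)", {"UID-ACCOUNT-A"}
GRANTS = [
    Grant("vpc-example-b1", "UID-ACCOUNT-A", R, ("vbr-example-1",)),
    Grant("vpc-example-b2", "UID-ACCOUNT-A", R, ()),
    Grant("vpc-example-b3", "UID-UNKNOWN", R, ("vbr-example-9",)),
]
CONNECTIONS = [
    Connection("vbr-example-1", "UID-ACCOUNT-A", R, "vpc-example-b1", "Activated"),
    Connection("vbr-example-2", "UID-ACCOUNT-A", R, "vpc-example-b1", "Activated"),
]
if __name__ == "__main__":
    print(*audit(GRANTS, CONNECTIONS, APPROVED), sep="\n")
```

A connection-without-grant finding marks a connection that is still Activated although no current authorization covers it, which is the state left behind after a revocation.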
References
GrantInstanceToVbr: grants a VBR permissions to connect to a VPC that belongs to a different account.
RevokeInstanceFromVbr: revokes the permissions that a VBR has on a VPC.
DescribeEcGrantRelation: queries whether permissions on a VPC are granted to a VBR.