
Express Connect: Grant permissions to an ECR across Alibaba Cloud accounts

Last Updated: Feb 27, 2024

If you associate a virtual private cloud (VPC) or virtual border router (VBR) with an Express Connect Router (ECR) across Alibaba Cloud accounts, you must use the VPC or VBR within one Alibaba Cloud account to grant permissions to the ECR within another Alibaba Cloud account.

Example scenario

An enterprise uses Alibaba Cloud account B to create a VPC or VBR and uses Alibaba Cloud account A to create an ECR in the China (Hangzhou) region. The enterprise wants to associate the VPC or VBR within Alibaba Cloud account B with the ECR within Alibaba Cloud account A.

Limits

  • The ECR feature is in public preview. To use this feature, contact your account manager to apply for a public preview qualification.

  • For the sake of security and compliance, the cross-account connection feature is disabled by default. If you want to associate a VBR with an ECR across Alibaba Cloud accounts, you must provide a certificate to prove that the Alibaba Cloud accounts belong to the same enterprise or entity. You can contact your customer manager and provide the certificate to enable the cross-account connection feature.

    The following figure shows an example of the certificate.

    [Figure: example of the certificate]

Grant permissions to the ECR by using the VPC

You must grant permissions to the ECR within Alibaba Cloud account A by using the VPC within Alibaba Cloud account B. After the ECR is granted permissions, the VPC within Alibaba Cloud account B can be associated with the ECR within Alibaba Cloud account A.

  1. Log on to the VPC console by using Alibaba Cloud account B.

  2. In the top navigation bar, select the region in which the VPC is deployed.

  3. In the left-side navigation pane, click VPC. On the VPC page, find the VPC that you want to manage and click its ID.

  4. On the details page of the VPC, click the Cross-account authorization tab, and click the ECR tab.

  5. On the ECR tab, click Cross-account Authorization on ECR.

  6. In the ECR Account Authorization dialog box, configure the parameters that are described in the following table and click OK.

    Parameter                Description
    Authorized Account UID   The ID of Alibaba Cloud account A to which the ECR belongs.
    Associated ECR ID        The ID of the ECR that belongs to Alibaba Cloud account A.

  7. After the ECR is granted permissions, you can view the account UID, ECR ID, and authorization time of the ECR on the ECR tab. If you want to revoke permissions from an ECR, perform the following operations:

    1. Find the ID of the Alibaba Cloud account within which you want to revoke permissions from the ECR, and click Revoke Permission in the Actions column.

    2. In the message that appears, click OK.

Grant permissions to the ECR by using the VBR

You must grant permissions to the ECR within Alibaba Cloud account A by using the VBR within Alibaba Cloud account B. After the ECR is granted permissions, the VBR within Alibaba Cloud account B can be associated with the ECR within Alibaba Cloud account A.

  1. Log on to the Express Connect console by using Alibaba Cloud account B.

  2. In the top navigation bar, select the region in which the VBR is deployed. In the left-side navigation pane, click Virtual Border Routers (VBRs).

  3. On the Virtual Border Routers (VBRs) page, find the VBR that you want to manage and click its ID.

  4. On the details page of the VBR, click the ECR Authorization tab. On the ECR Authorization tab, click ECR Account Authorization.

  5. In the ECR Account Authorization dialog box, configure the parameters that are described in the following table and click OK.

    Parameter                Description
    Authorized Account UID   The ID of Alibaba Cloud account A to which the ECR belongs.
    Associated ECR ID        The ID of the ECR that belongs to Alibaba Cloud account A.

  6. After the ECR is granted permissions, you can view the account UID, ECR ID, and authorization time of the ECR on the ECR Authorization tab. If you want to revoke permissions from an ECR, perform the following operations:

    1. Find the ID of the Alibaba Cloud account within which you want to revoke permissions from the ECR, and click Delete in the Actions column.

    2. In the message that appears, click OK.
