To associate a virtual private cloud (VPC) or virtual border router (VBR) with an Express Connect Router (ECR) that belongs to a different Alibaba Cloud account, the account that owns the VPC or VBR must grant the ECR permission to accept the association.
This topic uses the following scenario: account B owns a VPC or VBR in the China (Hangzhou) region, and account A owns an ECR. Account B grants account A's ECR the permission to associate, so that account B's VPC or VBR can be linked to account A's ECR.
Two roles are involved:
| Role | Description |
|---|---|
| ECR owner account (account A) | Creates and owns the ECR. Provides its account UID and ECR ID to account B before authorization begins. |
| Authorizing account (account B) | Owns the VPC or VBR. Performs all authorization steps in this topic. |
Limitations
Cross-account connection between a VBR and an ECR is disabled by default. To enable it, provide a certificate proving that both Alibaba Cloud accounts belong to the same enterprise or entity, then contact your customer manager to submit the certificate.
The following figure shows an example of the certificate.

Prerequisites
Before you begin, make sure that you have:
An ECR created under account A (the ECR owner account)
The account UID of account A
The ECR ID of the ECR under account A
The VPC or VBR under account B that you want to associate with the ECR
Grant permissions using a VPC
Perform the following steps using account B (the authorizing account).
Log on to the VPC console.
In the top navigation bar, select the region where the VPC is deployed.
In the left-side navigation pane, click VPC. On the VPC page, find the VPC and click its ID.
On the VPC details page, click the Cross-account authorization tab, then click the ECR tab.
On the ECR tab, click Cross-account Authorization on ECR.
In the ECR Account Authorization dialog box, configure the following parameters and click OK.
Parameter Description Authorized Account UID The account UID of account A, which owns the ECR. Associated ECR ID The ID of the ECR under account A.
After authorization succeeds, the ECR tab displays the authorized account UID, ECR ID, and authorization time. Account B's VPC can now be associated with account A's ECR.
Revoke permissions
On the ECR tab, find the account whose permissions you want to revoke and click Revoke Permission in the Actions column.
In the confirmation dialog box, click OK.
Grant permissions using a VBR
Perform the following steps using account B (the authorizing account).
Before starting, confirm that the cross-account connection feature for VBR and ECR has been enabled for your account. If not, contact your customer manager with the required certificate.
Log on to the Express Connect console.
In the top navigation bar, select the region where the VBR is deployed. In the left-side navigation pane, click Virtual Border Routers (VBRs).
On the Virtual Border Routers (VBRs) page, find the VBR and click its ID.
On the VBR details page, click the ECR Authorization tab, then click ECR Account Authorization.
In the ECR Account Authorization dialog box, configure the following parameters and click OK.
Parameter Description Authorized Account UID The account UID of account A, which owns the ECR. Associated ECR ID The ID of the ECR under account A.
After authorization succeeds, the ECR Authorization tab displays the authorized account UID, ECR ID, and authorization time. Account B's VBR can now be associated with account A's ECR.
Revoke permissions
On the ECR Authorization tab, find the account whose permissions you want to revoke and click Delete in the Actions column.
In the confirmation dialog box, click OK.
What's next
After authorization is complete, associate the VPC or VBR with the ECR. For instructions on managing ECRs, see Create and manage ECRs.