All Products
Search

This Product

    Smart Access Gateway:Grant cross-account permissions on an SAG instance

    Document Center

    Smart Access Gateway:Grant cross-account permissions on an SAG instance

    Last Updated:Nov 28, 2025

    You can grant permissions on a Smart Access Gateway (SAG) instance to another Alibaba Cloud account. This allows the account to attach your SAG instance to its Cloud Connect Network (CCN) instance or virtual border router (VBR) instance for network communication.

    Prerequisites

    You have the UID of the peer account and the ID of the peer CCN or VBR instance.

    Procedure

    1. Log on to the Smart Access Gateway console.

    2. In the top navigation bar, select the region.

    3. On the Smart Access Gateway page, locate the target SAG instance.

    4. Go to the Network Configuration page of the target SAG instance in one of the following ways:

      • Click the ID of the target SAG instance. On the instance details page, click Network Configuration.

      • Find the target SAG instance and click Network Configuration in the Actions column.

    5. Click the Network Instance Details tab.

    6. In the Authorized Cross-account Instances section, click Authorize CCN Instance.

    7. In the Authorize CCN Instance dialog box, configure the authorization details and click OK.

      Parameter

      Description

      Authorized Account UID

      The UID of the peer Alibaba Cloud account. Example: 168840159596****.

      Network Type

      The type of network to which you want to grant permissions. SAG supports the following network types:

      • Cloud Connect Network: If you select this network type, you must enter the ID of the peer CCN instance.

      • Virtual Border Router: If you select this network type, you must enter the ID of the peer VBR instance.

      Target CCN Instance ID

      Enter the ID of the peer CCN instance. Example: ccn-6dhj3m2fz7p6og****.

      Note

      This parameter is required when Network Type is set to Cloud Connect Network.

      Region

      If you attach a VBR, you must select the region where the VBR is deployed.

      Note

      This parameter is required when Network Type is set to Virtual Border Router.

      Peer VBR ID

      Enter the ID of the peer VBR instance. Example: vbr-o6w14e21pzziti4tp****.

      Note

      This parameter is required when Network Type is set to Virtual Border Router.

      Secure Draining

      Specifies whether to enable Secure Draining. This feature is disabled by default.

    References

    • GrantSagInstanceToVbr: Grants permissions on an SAG instance to a VBR instance that belongs to another Alibaba Cloud account.

    • GrantSagInstanceToCcn: Grants permissions on an SAG instance to a CCN instance that belongs to another Alibaba Cloud account.