Alibaba Cloud DNS PrivateZone (PrivateZone) is an Alibaba Cloud private domain name resolution and management service based on Virtual Private Cloud (VPC). Smart Access Gateway (SAG) can access PrivateZone through Cloud Enterprise Network (CEN). This topic describes how to enable access to PrivateZone in the CEN console.

Background information

PrivateZone is a VPC-based resolution and management service for private domain names. You can use PrivateZone to map private domain names to IP addresses in one or more VPCs.

PrivateZone allows you to use private domain names to record and manage Elastic Compute Service (ECS) hostnames, Server Load Balancer instances, Object Storage Service (OSS) buckets, and other Alibaba Cloud services. Private domain names are accessible only within their VPCs. You can connect your on-premise network to a VPC through SAG and CEN and configure PrivateZone in the CEN console to allow the on-premises network and VPC to access each other through private domain names.

Access to PrivateZone - 1.1.0


  • PrivateZone is activated. For more information, see Quick start.
  • A CEN instance is created. For more information, see Create a CEN instance.
  • The VPC associated with PrivateZone and the Cloud Connect Network (CCN) instance associated with the on-premises network are connected to transit routers. For more information, see Create a VPC connection and Associate a CCN instance with a transit router.
  • An inter-region connection is established between the transit router connected to the VPC and the transit router connected to the CCN instance. For more information, see Manage inter-region connections.
    Note If both the CCN instance and the VPC are deployed in the Chinese mainland, the system automatically creates an inter-region connection between the transit routers after you connect the VPC and the CCN instance to the transit routers. By default, associated forwarding and route learning are enabled between inter-region connections and the default route table of the transit router where the inter-region connections are created.

Enable access to PrivateZone

  1. Log on to the CEN console.
  2. On the Instances page, find the CEN instance that you want to manage and click the instance ID.
  3. On the Basic Settings > Transit Router tab, click the ID of the transit router in the region where the VPC that is associated with PrivateZone is deployed.
  4. If this is the first time that you configure PrivateZone, click the Private Zone tab on the transit router details page, and then click Authorization. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.

    After you grant permissions to the Smart Access Gateway (SAG) service associated with the on-premises network, the CCN instance that belongs to the SAG service can access the PrivateZone service.

  5. Return to the Private Zone tab and click Configure PrivateZone. In the Configure PrivateZone dialog box, set the following parameters and click OK.
    • Host Region: Select the region where PrivateZone is deployed.
    • Host VPC: Select the VPC associated with PrivateZone.
    • Access Region: Select the region where the CCN instance that needs to access PrivateZone is deployed.