
Cloud Enterprise Network: Grant a CCN instance permissions on PrivateZone

Last Updated: Feb 07, 2024

After a Cloud Connect Network (CCN) instance is connected to a transit router, you can enable the on-premises networks that are attached to the CCN instance to access the PrivateZone service through the transit router by granting the CCN instance the required permissions on PrivateZone. This topic describes how to grant permissions to a CCN instance in different scenarios.

Scenario 1: All instances belong to the same Alibaba Cloud account

[Figure: Scenario 1 architecture diagram of CCN access to PrivateZone]

The preceding figure shows a scenario in which the following instances belong to the same Alibaba Cloud account: the CCN instance, the virtual private cloud (VPC) where PrivateZone is deployed, and the transit router. In this scenario, you can grant permissions to CCN in the CEN console. The following table lists the accounts to which the instances belong.

Resource          Owner account ID
Transit router    253460731706911258
VPC               253460731706911258
CCN instance      253460731706911258

  1. Log on to the CEN console.

  2. On the Instances page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Settings > Transit Router tab, click the ID of the transit router in the region of the VPC that is associated with PrivateZone.

  4. On the details page of the transit router, click the PrivateZone tab and click Authorize Now. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.

    [Figure: CCN authorization page]

    Note

    You must grant permissions to Smart Access Gateway (SAG) only if this is the first time that you configure access to PrivateZone. After you grant permissions to SAG, the CCN instance (a component of SAG) that is attached to the CEN instance can access PrivateZone.

    After you grant the permissions, the system automatically creates the AliyunSmartAGAccessingPVTZRole Resource Access Management (RAM) role for the current Alibaba Cloud account. To search for and view the details of RAM roles, log on to the RAM console and go to the Identities > Roles page.

    [Figure: Viewing the AliyunSmartAGAccessingPVTZRole role]

Scenario 2: The CCN instance belongs to another Alibaba Cloud account

[Figure: Scenario 2 architecture diagram of CCN access to PrivateZone]

The preceding figure shows a scenario in which the transit router and the VPC where PrivateZone is deployed belong to the same Alibaba Cloud account, but the CCN instance belongs to another Alibaba Cloud account. In this scenario, you must modify the trust policy of the AliyunSmartAGAccessingPVTZRole role in the Alibaba Cloud account to which the VPC belongs. The following table lists the accounts to which the instances belong.

Resource          Owner account ID
Transit router    253460731706911258
VPC               253460731706911258
CCN instance      271598332402530847

  1. Use the Alibaba Cloud account of the VPC to authorize the CCN instance to access PrivateZone.

    1. Log on to the CEN console with the Alibaba Cloud account to which the VPC belongs.

    2. On the Instances page, click the ID of the CEN instance that you want to manage.

    3. On the Basic Settings > Transit Router tab, click the ID of the transit router in the region of the VPC in which the PrivateZone service is deployed.

    4. On the details page of the transit router, click the PrivateZone tab and click Authorize Now. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.

      Note

      You must grant permissions to Smart Access Gateway (SAG) only if this is the first time that you configure access to PrivateZone. After you grant permissions to SAG, the CCN instance (a component of SAG) that is attached to the CEN instance can access PrivateZone.

  2. Modify the trust policy of the AliyunSmartAGAccessingPVTZRole role to allow the CCN instance that belongs to another Alibaba Cloud account to access PrivateZone.

    1. Log on to the RAM console with the Alibaba Cloud account to which the VPC belongs.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. On the Roles page, enter AliyunSmartAGAccessingPVTZRole in the search box to search for the RAM role, and click the role name.

    4. On the details page of the RAM role, click the Trust Policy tab, and click Edit Trust Policy.

    5. Add the following record to the Service parameter, replacing the placeholder with the ID of the Alibaba Cloud account to which the CCN instance belongs: "<ID of the Alibaba Cloud account to which the CCN instance belongs>@smartag.aliyuncs.com". Then, click Save trust policy document.

      [Figure: Scenario 2 trust policy with the CCN owner account added]

Scenario 3: The transit router belongs to another Alibaba Cloud account

[Figure: Scenario 3 architecture diagram of CCN access to PrivateZone]

The preceding figure shows a scenario in which the CCN instance and the VPC where PrivateZone is deployed belong to the same Alibaba Cloud account, but the transit router belongs to another Alibaba Cloud account. In this scenario, you must create the AliyunSmartAGAccessingPVTZRole RAM role in the Alibaba Cloud account to which the VPC belongs and grant the role read-only permissions on PrivateZone. The following table lists the accounts to which the instances belong.

Resource          Owner account ID
Transit router    271598332402530847
VPC               253460731706911258
CCN instance      253460731706911258

  1. Log on to the RAM console with the Alibaba Cloud account to which the VPC belongs.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. In the Create Role panel, set the following parameters.

    1. In the Select Role Type step, select Alibaba Cloud Service and click Next.

    2. In the Configure Role step, set the following parameters and click OK.

      [Figure: Scenario 3 role configuration]

      • Role Type: Select Normal Service Role.

      • RAM Role Name: Enter AliyunSmartAGAccessingPVTZRole.

      • Select Trusted Service: Select Smart Access Gateway.

      For more information, see Create a RAM role for a trusted Alibaba Cloud service.

    3. In the Create Role panel, click Close to return to the Roles page.

  5. On the Roles page, enter AliyunSmartAGAccessingPVTZRole in the search box to search for the role, and click the role name.

  6. On the Permissions tab, click Grant Permission. The Grant Permission panel appears.

  7. Enter the keyword pvtz in the search box below System Policy to search for the AliyunPvtzReadOnlyAccess policy. Click the policy name to add the read-only permission on PrivateZone, and then click OK.

    [Figure: Adding the read-only permission on PrivateZone]

  8. In the Grant Permission panel, click OK to return to the details page of the RAM role.

  9. On the details page, click the Trust Policy tab to view authorization information.

    [Figure: Scenario 3, viewing the trust policy]

Scenario 4: All instances belong to different Alibaba Cloud accounts

[Figure: Scenario 4 architecture diagram of CCN access to PrivateZone]

The preceding figure shows a scenario in which the CCN instance, the transit router, and the VPC where PrivateZone is deployed belong to different Alibaba Cloud accounts. In this scenario, you must perform two authorization operations. The following table lists the accounts to which the instances belong.

Resource          Owner account ID
Transit router    253460731706911258
VPC               283117732402483989
CCN instance      271598332402530847

  1. Refer to Scenario 3 to create the role in the Alibaba Cloud account to which the VPC belongs, and then attach the policy to the role.

  2. Refer to Scenario 2 to grant the CCN instance permissions on PrivateZone.

To allow multiple CCN instances that belong to different Alibaba Cloud accounts to access PrivateZone, add the ID of each account to which a CCN instance belongs to the trust policy, as shown in the following table and figure.

Resource          Owner account ID
Transit router    253460731706911258
VPC               283117732402483989
CCN Instance 1    271598332402530847
CCN Instance 2    244831332402557259
CCN Instance 3    287683832402436789

[Figure: Scenario 4 trust policy with several CCN owner accounts added]
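The trust-policy edit in Scenario 2 (step 2.5) and the multi-account list above both come down to which SAG service principals may assume AliyunSmartAGAccessingPVTZRole, and therefore which accounts' CCN instances can read PrivateZone through the VPC owner's role. The following Python is an added example, not Alibaba Cloud code: it assumes the console-generated trust policy has the standard RAM service-role shape shown in BASE_TRUST_POLICY (a constructed sample), uses the account IDs from the tables above, builds the cross-account Service entries, and audits an existing policy against the list of CCN owner accounts that are expected to be trusted.

```python
import json
import re

# Principal format from the page: "<CCN owner account ID>@smartag.aliyuncs.com"; bare name = role owner's SAG.
SAG_SERVICE = "smartag.aliyuncs.com"
_SAG_PRINCIPAL = re.compile(r"^(?:(\d+)@)?" + re.escape(SAG_SERVICE) + r"$")

# Constructed sample (assumed standard RAM service-role shape): the console-created trust policy.
BASE_TRUST_POLICY = {"Version": "1", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Service": [SAG_SERVICE]}}]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _assume_role_statements(policy):
    """Yield the Allow sts:AssumeRole statements of a trust policy."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action")):
            yield stmt

def trusted_ccn_accounts(policy, owner_account_id):
    """Account IDs whose SAG service (and so their CCN instances) may assume the role."""
    accounts = set()
    for stmt in _assume_role_statements(policy):
        for svc in _as_list(stmt.get("Principal", {}).get("Service")):
            match = _SAG_PRINCIPAL.match(svc)
            if match:
                accounts.add(match.group(1) or owner_account_id)
    return accounts

def grant_ccn_accounts(policy, ccn_account_ids):
    """Copy of the policy with one SAG principal per CCN owner account (Scenario 2 step 2.5, Scenario 4)."""
    updated = json.loads(json.dumps(policy))  # deep copy; the input is left unchanged
    for stmt in _assume_role_statements(updated):
        services = _as_list(stmt.get("Principal", {}).get("Service"))
        if SAG_SERVICE not in services:
            continue  # only extend the statement that already trusts SAG
        for acct in ccn_account_ids:
            if f"{acct}@{SAG_SERVICE}" not in services:
                services.append(f"{acct}@{SAG_SERVICE}")
        stmt["Principal"]["Service"] = services
        return updated
    raise ValueError("trust policy has no SAG sts:AssumeRole statement")

def audit_trust_policy(policy, owner_account_id, expected_ccn_accounts):
    """(unexpected, missing): trusted accounts not on the allowlist, expected owners not yet trusted."""
    trusted = trusted_ccn_accounts(policy, owner_account_id)
    expected = set(expected_ccn_accounts) | {owner_account_id}
    return sorted(trusted - expected), sorted(expected - trusted)
```

Running audit_trust_policy periodically against the role's current trust policy shows any CCN owner account that was added outside this procedure, which is the entry point to review first when the role's read-only PrivateZone access is audited.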

What to do next

Manage access to PrivateZone