To attach a virtual border router (VBR) to a Cloud Enterprise Network (CEN) instance, you must use the CEN authorization feature of the VBR that belongs to an Alibaba Cloud account to authorize the CEN instance that belongs to a different Alibaba Cloud account to access the VBR.
Scenarios
You can create an intra-region connection or an inter-region connection to attach a VBR to a CEN instance across accounts. The following figures show the scenarios in which an intra-region connection and an inter-region connection are used to attach the VBR. This topic describes how to create an intra-region connection to attach the VBR.
Figure: Intra-region connection
Figure: Inter-region connection
An enterprise uses Account A to create a VBR in the China (Hangzhou) region. The enterprise uses Account B to create a CEN instance and a transit router in the China (Hangzhou) region. The enterprise wants to use the CEN authorization feature of the VBR to attach the VBR to the CEN instance.
Limits
By default, you cannot connect VBRs to instances that belong to a different account due to security requirements. If you want to connect VBRs to Cloud Enterprise Network (CEN) instances or VPCs that belong to a different account, you must provide a Proof of Affiliation to prove that the two Alibaba Cloud accounts belong to the same enterprise or entity. Send the Proof of Affiliation to your account manager to apply for the permissions.
The following figure shows the format of the Proof of Affiliation:
VBRs that are created on the Alibaba Cloud China site (aliyun.com) can connect only to virtual private clouds (VPCs) that are created on the China site. VBRs that are created on the Alibaba Cloud international site (alibabacloud.com) can connect only to VPCs that are created on the International site.
Prerequisites
A VBR is created in the China (Hangzhou) region by using Account A. For more information, see Create and manage a VBR.
A CEN instance is created by using Account B and a transit router is created in the China (Hangzhou) region. For more information, see the Create a transit router section of the "Transit routers" topic.
The UID of Account B to which the CEN instance belongs and the UID of Account A to which the VBR belongs are obtained.
Procedures
Apply for the privilege to attach VBRs to CEN instances or VPCs across accounts
You can apply for the privilege to attach VBRs to CEN instances or VPCs across accounts in the Quota Center or Express Connect console. This topic describes how to apply for the privilege in the Quota Center console. For more information about how to apply for the privilege to attach VBRs to CEN instances or VPCs across accounts in the Express Connect console, see the Adjust quotas section of the "Manage Express Connect quotas" topic.
Before you apply for the privilege, you need to send the Proof of Affiliation to your account manager and submit an application in the Quota Center console. Alibaba Cloud reviews your application based on the Proof of Affiliation that you sent. For more information about the Proof of Affiliation, see the Limits section of this topic.
Log on to the Quota Center console.
In the left-side navigation pane, choose .
On the Products with Privileges page, click Express Connect in the Networking section.
On the Privileges page, find the privilege whose name is Allow VBR to load CEN or VPC across accounts and ID is vbr_cross_account_conn/allow, and click Apply in the Actions column.
In the Apply for Privileges dialog box, set the following parameters and click OK.
Parameter: Description
Quota ID: The ID of the privilege is automatically displayed.
Description: The description of the privilege is automatically displayed.
Quota Value: The value of the privilege. Valid values: Valid, Invalid. In this example, Valid is selected.
Time: Specify the validity period of the privilege.
    Note: This parameter is required only when the Quota Value parameter is set to Valid.
    Set the validity period to one day. The authorization takes effect immediately on the day when the application is approved.
Reason: Enter the reason why you apply for the privilege. Example:
    User XX: User YY with Alibaba Cloud account ZZ wants to apply for the privilege to attach a VBR to a CEN instance or VPC that belongs to a different account.
    Note: You need to provide the Proof of Affiliation to prove that both Alibaba Cloud accounts belong to the same enterprise or entity.
Notify Result: Specify whether to notify the application result: Yes or No.
Grant permissions to a CEN instance across accounts
You need to log on to the VBR that belongs to Account A and then grant permissions to the CEN instance that belongs to Account B. After the cross-authorization is complete, the VBR can be attached to the CEN instance.
If your VBR is connected to a data center based on Border Gateway Protocol (BGP) and the console prompts that loop risks may exist, read the prompt and notify the administrator of the CEN instance.
Log on to the Express Connect console with Account A.
In the top navigation bar, select the region in which the VBR is created. In this example, China (Hangzhou) is selected.
In the left-side navigation pane, click Virtual Border Routers (VBRs).
On the Virtual Border Routers (VBRs) page, find the VBR that you want to manage and click its ID.
On the VBR details page, click the CEN Authorization tab.
Click Authorize CEN of Another Account to Load Instance. In the Authorize CEN of Another Account to Load Instance panel, configure the parameters that are described in the following table and click OK.
Parameter: Description
Peer CEN Instance ID: The ID of the CEN instance that belongs to Account B.
Peer Account UID: The UID of Account B.
Payer: The account that pays the bills.
    CEN Instance Owner: The account to which the transit router belongs pays the connection fee and data transfer fee. This is the default value.
    VBR Owner: The account to which the VBR belongs pays the connection fee and data transfer fee.
    Important: Your services may be interrupted if you change the payment account. Proceed with caution. For more information, see Change the payment account.
After the configuration is complete, the permissions are granted to the CEN instance. You can view the information about the authorization on the CEN Authorization tab.
Note: You can record the UID of Account B and the ID of the CEN instance, which are required in subsequent steps.
Create a connection to connect the VBR and CEN instance
You can connect the VBR to the transit router in the same region. Then, the transit router can exchange data between the VBR and CEN instance over private connections.
Log on to the CEN console with Account B.
On the Instances page, find the CEN instance that you want to manage and click its ID.
On the instance details page, click the Transit Router tab. On the Transit Router tab, find the transit router that you want to manage and click Create Connection in the Actions column.
On the Connection with Peer Network Instance page, configure the parameters that are described in the following table to create a VBR connection and click OK.
Parameter: Description
Network Type: The type of network instance that you want to attach to the CEN instance. In this example, Virtual Border Router (VBR) is selected.
Region: The region in which the VBR is deployed. In this example, China (Hangzhou) is selected.
Transit Router: The system automatically displays the transit router in the selected region.
Resource Owner ID: The Alibaba Cloud account to which the CEN instance belongs. In this example, Different Account is selected. After you select Different Account, enter the UID of Account A.
Connection Name: The name for the VBR connection.
Networks: The ID of the VBR that you want to connect. In this example, the ID of the VBR that belongs to Account A is used.
Advanced Settings: By default, the advanced features are enabled. These include automatic route table association and route propagation. In this example, the default settings are used.
After the connection is created, you can view the information about the transit router and VBR connection on the Intra-region Connections tab. For more information, see View network instance connections.
(Optional) Revoke the CEN authorization
You can revoke the CEN authorization based on your business requirements. Revoking the CEN authorization does not disconnect the VBR that corresponds to the CEN instance.
Log on to the Express Connect console with Account A.
In the top navigation bar, select the region in which the VBR is created. In this example, China (Hangzhou) is selected.
In the left-side navigation pane, click Virtual Border Routers (VBRs).
On the Virtual Border Routers (VBRs) page, find the VBR that you want to manage and click its ID.
On the VBR details page, click the CEN Authorization tab. On the CEN Authorization tab, find the CEN instance that you want to manage and click Delete in the Actions column.
In the Revoke Authorization message, confirm the UID and CEN instance ID and click OK.
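Because revoking the CEN authorization does not disconnect the VBR, authorizations and live connections can drift apart. The following audit sketch is an added example, not part of the original documentation: it reconciles the two lists against the set of peers covered by the Proof of Affiliation. The record layout, field names, IDs and UIDs are constructed for illustration and assume that both inventories contain only cross-account entries.

```python
# Added example: reconcile CEN authorizations on VBRs with live VBR connections.
# All records and field names below are constructed for illustration; they are
# not the response format of any Alibaba Cloud API.

# Constructed: authorizations listed on the CEN Authorization tab (Account A).
GRANTS = [
    {"vbr_id": "vbr-example-1", "cen_id": "cen-example-b", "cen_owner_uid": "2000000000000002"},
    {"vbr_id": "vbr-example-2", "cen_id": "cen-example-x", "cen_owner_uid": "9000000000000009"},
]

# Constructed: VBR connections listed on the transit router (Account B).
ATTACHMENTS = [
    {"vbr_id": "vbr-example-1", "cen_id": "cen-example-b", "cen_owner_uid": "2000000000000002"},
    {"vbr_id": "vbr-example-3", "cen_id": "cen-example-b", "cen_owner_uid": "2000000000000002"},
]

# Constructed: (CEN instance ID, owner UID) pairs covered by the Proof of Affiliation.
APPROVED_PEERS = {("cen-example-b", "2000000000000002")}


def _keys(records):
    """Normalise records to (vbr_id, cen_id, cen_owner_uid) tuples."""
    return {(r["vbr_id"], r["cen_id"], r["cen_owner_uid"]) for r in records}


def audit(grants, attachments, approved_peers):
    """Return a list of (finding, vbr_id, cen_id, cen_owner_uid) tuples."""
    granted, attached = _keys(grants), _keys(attachments)
    findings = []
    # Authorization issued to a CEN instance or UID outside the approved set.
    for vbr, cen, uid in sorted(granted):
        if (cen, uid) not in approved_peers:
            findings.append(("unapproved_grant", vbr, cen, uid))
    # Connection that outlived its authorization: revoking does not detach the VBR.
    for key in sorted(attached - granted):
        findings.append(("attached_without_grant", *key))
    # Standing authorization with no connection: candidate for revocation.
    for key in sorted(granted - attached):
        findings.append(("unused_grant", *key))
    return findings


if __name__ == "__main__":
    for finding in audit(GRANTS, ATTACHMENTS, APPROVED_PEERS):
        print(*finding, sep="\t")
```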
References
CEN
CreateTransitRouterVbrAttachment: creates a VBR connection on an Enterprise Edition transit router.
Express Connect
GrantInstanceToCen: grants permissions to a CEN instance.
RevokeInstanceFromCen: revokes the permissions on a network instance that is attached to a CEN instance.
DescribeVirtualBorderRouters: queries VBRs.