If an on-premises network connected via a Cloud Connect Network (CCN) instance needs to access PrivateZone through a Cloud Enterprise Network (CEN) instance, you must grant authorization. The CCN instance must be attached to the CEN instance.
Scenario 1: Same-account authorization
As shown in the following table, if the CCN instance, the VPC that uses PrivateZone, and the CEN instance belong to the same account, you can go to the Access Private Zone tab, click Authorization, and then follow the on-screen instructions to complete the authorization.
You only need to authorize Smart Access Gateway (SAG) when you first configure access to PrivateZone.
| Resource | Account (UID) |
| --- | --- |
| Cloud Enterprise Network (CEN) | 111111 |
| Virtual Private Cloud (VPC) | 111111 |
| Cloud Connect Network (CCN) | 111111 |
After authorization, the system automatically creates a RAM role named AliyunSmartAGAccessingPVTZRole. You can view this role on the Role page in the RAM console.
Scenario 2: Cross-account CCN instance
As shown in the following table, if the CEN instance and the VPC that uses PrivateZone belong to the same account, but the CCN instance belongs to a different account, you must modify the trust policy.
| Resource | Account (UID) |
| --- | --- |
| Cloud Enterprise Network (CEN) | 111111 |
| Virtual Private Cloud (VPC) | 111111 |
| Cloud Connect Network (CCN) | 333333 |
The account that owns the VPC must perform the following steps.
- Log on to the CEN console.
- Click the ID of the target CEN instance.
- On the tab, find the transit router in the target region and click its instance ID.
- Click the Access Private Zone tab and then click Authorization. Follow the on-screen instructions to complete the authorization.
  Note: You only need to authorize SAG when you first configure access to PrivateZone.
- Log on to the RAM console.
- In the left-side navigation pane, choose Role.
- In the search box, enter AliyunSmartAGAccessingPVTZRole to find the role, and then click the role name.
- Click the Trust Policy tab and then click Edit Trust Policy.
  The trust policy sets the Action parameter to sts:AssumeRole, the Effect parameter to Allow, and the Principal.Service parameter to smartag.aliyuncs.com.
- In the Service field, add a "CCN owner account ID@smartag.aliyuncs.com" record, and then click Save trust policy document.
Scenario 3: Cross-account CEN instance
As shown in the following table, if the CCN instance and the VPC that uses PrivateZone belong to the same account, but the CEN instance belongs to a different account, you must use the account that owns the VPC to create a RAM role and grant permissions.
| Resource | Account (UID) |
| --- | --- |
| Cloud Enterprise Network (CEN) | 333333 |
| Virtual Private Cloud (VPC) | 111111 |
| Cloud Connect Network (CCN) | 111111 |
- Use the account that owns the VPC to log on to the RAM console.
- In the left-side navigation pane, choose Role.
- Create a RAM role with the following settings, and then click OK. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
  - Select Trusted Entity: Select Alibaba Cloud Service.
  - Role Type: Select Normal Service Role.
  - RAM Role Name: Enter AliyunSmartAGAccessingPVTZRole.
  - Select Trusted Service: Select Smart Access Gateway.
- After the role is created, click Roles in the left-side navigation pane, and then click the name of the RAM role in the Role Name column.
- On the Permissions tab, click Grant Permission.
- In the System Policy section, enter pvtz in the search box, select the AliyunPvtzReadOnlyAccess policy to grant read-only access to PrivateZone, and then click OK. For more information, see Grant permissions to a RAM role.
- After the permissions are granted, click the Trust Policy tab to view the authorization information.
  The trust policy sets the Action parameter to sts:AssumeRole, the Effect parameter to Allow, the Principal.Service parameter to smartag.aliyuncs.com, and the Version parameter to 1.
Scenario 4: All resources are in different accounts
As shown in the following table, if the CCN instance, the VPC that uses PrivateZone, and the CEN instance all belong to different accounts, you must complete the following two authorization tasks:
| Resource | Account (UID) |
| --- | --- |
| Cloud Enterprise Network (CEN) | 111111 |
| Virtual Private Cloud (VPC) | 222222 |
| Cloud Connect Network (CCN) | 333333 |
- Refer to the procedure in Scenario 3. Use the account that owns the VPC to create a RAM role and grant the required permissions.
  For more information, see Scenario 3: Cross-account CEN instance. Create the AliyunSmartAGAccessingPVTZRole RAM role and configure its Trust Policy. The policy sets Action to sts:AssumeRole, Effect to Allow, Principal.Service to smartag.aliyuncs.com, and Version to 1. This policy allows the SAG service to assume this role to access PrivateZone.
- Follow the procedure in Scenario 2 to add the CCN service to the trust policy by using the account that owns the VPC. The entry must be in the format "<CCN_account_UID>@smartag.aliyuncs.com". For more information, see Scenario 2: Cross-account CCN instance.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "smartag.aliyuncs.com",
          "333333@smartag.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
If multiple CCN instances from different accounts require access to PrivateZone, you must add all their services to the trust policy, as shown in the following example.
| Resource | Account (UID) |
| --- | --- |
| Cloud Enterprise Network (CEN) | 111111 |
| Virtual Private Cloud (VPC) | 222222 |
| Cloud Connect Network (CCN) | 333333 |
| Cloud Connect Network (CCN) | 444444 |
| Cloud Connect Network (CCN) | 555555 |
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "smartag.aliyuncs.com",
          "333333@smartag.aliyuncs.com",
          "444444@smartag.aliyuncs.com",
          "555555@smartag.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
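The trust-policy edits in Scenario 2 and Scenario 4 are easy to get wrong by hand: a mistyped UID, a missing "@smartag.aliyuncs.com" suffix, or a stray principal left in the document widens who can assume AliyunSmartAGAccessingPVTZRole. The following Python script is an added example, not Alibaba Cloud code or anything from the page above. It takes the trust policy document as a Python dict (the same JSON shape shown in the examples), adds one "<UID>@smartag.aliyuncs.com" entry per CCN owner account without duplicating existing ones, and audits the result so that only sts:AssumeRole for the SAG service and correctly formed CCN-account entries remain. The sample policies at the bottom are constructed for illustration; the UIDs are the placeholder values from the tables on this page.

```python
import json
import re

# The only first-party service principal this role should trust (from the page).
SAG_SERVICE = "smartag.aliyuncs.com"
_UID_RE = re.compile(r"^\d+$")


def ccn_principal(account_uid: str) -> str:
    """Build the Principal.Service entry for a CCN owned by another account."""
    if not _UID_RE.match(account_uid):
        raise ValueError(f"account UID must be numeric: {account_uid!r}")
    return f"{account_uid}@{SAG_SERVICE}"


def add_ccn_accounts(policy: dict, account_uids) -> dict:
    """Return a copy of the trust policy with one entry per CCN owner account.

    Idempotent: entries that already exist are not added a second time, and
    the input dict is left untouched so it can be diffed against the result.
    """
    updated = json.loads(json.dumps(policy))  # deep copy via JSON round trip
    statements = [
        s for s in updated.get("Statement", [])
        if s.get("Action") == "sts:AssumeRole" and s.get("Effect") == "Allow"
    ]
    if not statements:
        raise ValueError("trust policy has no Allow sts:AssumeRole statement")
    stmt = statements[0]
    services = stmt.setdefault("Principal", {}).setdefault("Service", [])
    if isinstance(services, str):  # console may store a single entry as a string
        services = [services]
        stmt["Principal"]["Service"] = services
    for uid in account_uids:
        entry = ccn_principal(uid)
        if entry not in services:
            services.append(entry)
    return updated


def audit_trust_policy(policy: dict) -> list:
    """Return findings for anything that does not belong in this role's trust policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action")
        if isinstance(actions, str):
            actions = [actions]
        if actions != ["sts:AssumeRole"]:
            findings.append(f"unexpected Action: {actions}")
        principal = stmt.get("Principal", {})
        for key in principal:
            if key != "Service":  # e.g. a RAM user/account principal
                findings.append(f"unexpected principal type: {key}")
        services = principal.get("Service", [])
        if isinstance(services, str):
            services = [services]
        for svc in services:
            if svc == SAG_SERVICE:
                continue
            uid, sep, domain = svc.partition("@")
            if not sep or domain != SAG_SERVICE or not _UID_RE.match(uid):
                findings.append(f"unexpected service principal: {svc}")
    return findings


# Constructed sample: the trust policy as created in Scenario 3, before any CCN entries.
BASE_POLICY = {
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": SAG_SERVICE}}
    ],
    "Version": "1",
}

# Constructed sample with two entries that should not be there: a different
# Alibaba Cloud service and a malformed CCN entry with a non-numeric UID.
BAD_POLICY = {
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": [SAG_SERVICE, "ecs.aliyuncs.com",
                                   "abc@smartag.aliyuncs.com"]}}
    ],
    "Version": "1",
}

if __name__ == "__main__":
    merged = add_ccn_accounts(BASE_POLICY, ["333333", "444444", "555555"])
    print(json.dumps(merged, indent=2))
    print("findings (merged):", audit_trust_policy(merged))
    print("findings (bad):", audit_trust_policy(BAD_POLICY))
```

Run the audit against the policy document pasted from the Edit Trust Policy page before saving it; an empty findings list means the role trusts only the SAG service and the CCN accounts you intended.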