Updated on 2024-10-17 GMT+08:00

Sharing a Private Zone

Overview

DNS can work with Resource Access Manager (RAM) to allow you to share your private zones with other accounts if you are the owner of these private zones. When a resource owner shares resources with your account and you accept the resource sharing invitation, you can access and use the shared resources as if they were your own resources in your own account. Resource owners can select different permissions based on the principle of least privilege (PoLP) and service requirements, and principals can only access resources within their permissions. This improves resource security. For more information about RAM, see What Is Resource Access Manager?

If your account is managed by Huawei Cloud Organizations, you can enable sharing with Organizations to share resources more easily. If your account is in an organization, you can share resources either with individual accounts or with all accounts in the organization or in an organizational unit (OU) without the need to enumerate each account. For details, see Enabling Sharing with Organizations.

Resource and Region Availability

Table 1 lists the resources that can be shared and regions where resource sharing is supported.

Table 1 Resources that can be shared and regions where resource sharing is supported

| Cloud Service | Resource Type | Regions |
|---|---|---|
| DNS | Private zones | CN South-Guangzhou, CN-Hong Kong, AP-Singapore, AP-Bangkok, AP-Jakarta, TR-Istanbul, AF-Johannesburg |

Constraints

  • You cannot share a private zone that is shared with your account. Only resource owners can share the resources in their accounts with other accounts.
  • If you share a private zone with your organization or an OU, you must enable sharing with Organizations. For details, see Enabling Sharing with Organizations.
  • A principal can accept up to 50 private zones from resource owners.

Creating a Share

  1. Go to the Private Zones page.
  2. Go to the Created by Me tab, locate the private zone you want to share, and click Share in the Operation column.
  3. On the Create Resource Share page, specify the resource to be shared, configure permissions, and specify users as prompted.

    For details, see Creating a Resource Share.

    After an owner shares a private zone with a principal, the principal needs to accept the sharing within a specified period. For details, see Responding to a Resource Sharing Invitation.

Viewing Share Details

  1. Go to the Private Zones page.
  2. Go to the Shared with Me tab and view the private zones that are shared with your account.
    • If you are the owner of a shared private zone, you can view the shared private zone, permissions, and principals on the RAM management console. For details, see Viewing a Resource Share.
    • If you are a principal of a shared private zone, you can view the shared private zone, permissions, and resource owner on the RAM management console. For details, see Viewing Resources Shared with You.

Stopping a Share

  • If a share is no longer needed, you can delete it at any time as the owner. Deleting a share does not delete the shared resources. After a share is deleted, the principals can no longer use the shared resources. For details, see Deleting a Resource Share.
  • If you are a principal and you do not need to access the shared resources, you can leave a resource share at any time. After you leave a resource share, you lose access to the shared resources.

    You can leave a resource share only if the resources were shared with you as an individual Huawei Cloud account and not as part of an organization. You cannot leave a resource share if you were added to it by an account inside your organization and sharing with Organizations is enabled. For details, see Leaving a Resource Share.

Operation Permissions on Shared Private Zones

The owner and principals of a shared private zone have different operation permissions on the private zone and associated resources. For details, see Table 2.

Table 2 Operation permissions on shared private zones and associated resources

| Resource | Owner | Principal |
|---|---|---|
| Private zone | Has all operation permissions on the shared private zones. | Can only view the VPCs that are associated with the shared private zones, but cannot perform any operations on the VPCs. |

Billing

N/A