Sharing Overview

What Is Sharing?

Integration with Resource Access Manager (RAM) allows you to share enterprise routers in your accounts with other accounts so that these accounts can attach their network instances to your enterprise router for network connectivity. This allows you to configure and maintain resources of multiple accounts in a unified manner, improving resource management and control efficiency and reducing O&M costs.

You are the owner of the enterprise router.
Other accounts are the principals of the enterprise router.

After you share your enterprise router with other accounts, these principals can attach their network instances to your enterprise router, so that their network instances can access your enterprise router.

After the owner shares the enterprise router in region A with the principals, they can only use the enterprise router in region A.

This allows VPCs in the same region but different accounts to be attached to the same enterprise router.

This example uses account A, account B, and account C to describe how you can build a network using one enterprise router. Table 1 describes the resources of each account.

If account A shares enterprise router (ER-A) with account B and account C, the VPCs of accounts B and C can be attached to ER-A. Figure 1 shows the networking.

**Table 1** Accounts and their resources
Account	Enterprise Router	VPC
A	ER-A	VPC-A-01 VPC-A-02
B	ER-B	VPC-B-01
C	ER-C	VPC-C-01

Figure 1 Attaching VPCs in different accounts to the same enterprise router

Allowed Operations by the Owner and Principals

The owner can perform all operations but the principals can perform only some of the operations. Table 2 lists the operations that other users can perform.

**Table 2** Allowed operations by principals
Role	Allowed Operation	Description
Principals	Viewing an Enterprise Router	Principals can view: The name of the shared enterprise router followed by Shared with me.
	Adding attachments to an enterprise router Creating a VPC Attachment	Principals: Can only create VPC attachments. Can create attachments to the shared enterprise router only after the owner account accepts the attachment requests. If Auto Accept Shared Attachments is enabled, a request from a principal for creating an attachment will be automatically accepted. Cannot add tags to their created attachments to the shared enterprise router. For details about the process for creating an attachment for an enterprise router in another account, see Creating Attachments to a Shared Enterprise Router.
	Viewing an Attachment	Principals: Cannot view the tags added of their attachments.
	Changing the Name of an Attachment	Principals can change the names of their attachments created for the shared enterprise router.
	Deleting a VPC Attachment	Principals can delete their attachments created for the shared enterprise router without the approval of the owner account.

Principals cannot view the Route tables, Sharing, Flow logs, and Tags tabs of the enterprise router.

Sharing an Enterprise Router with Principals

As the owner, you can share your enterprise router with other accounts. These other accounts are the principals and can use your enterprise after they accept the sharing request. Enterprise Router works with RAM to allow you to share your enterprise router with other accounts and provides two methods for you to share an enterprise router:

Method 1: Create a resource share, add the enterprise router to be shared, set the permissions of the principals who will use the shared enterprise router, and specify the users.
Method 2: If you already have an available resource share, add the enterprise router to the share and set the permission of the users who will use the shared enterprise router. You can reuse the users in the resource share or add other users as required.

Figure 2 shows the process of sharing an enterprise router.

Figure 2 Sharing an enterprise router with principals

You can share an enterprise router on the RAM or Enterprise Router console. Table 3 details the two methods of sharing an enterprise on the RAM console.

**Table 3** Sharing an enterprise router with principals
Method	Description	Reference
Method 1	Creating a resource share: The owner selects the enterprise router to be shared. On the Sharing tab, the owner can switch to the RAM console to create a resource share and share the enterprise router with the principals. Select the enterprise router that you want to share with the principals. Set the permissions of the principals on the enterprise router to be shared. Specify the users who can use the shared enterprise router. On the RAM console, the principals accept or reject the resource share. If the principals accept the sharing invitation, they can use the enterprise router. If the principals do not want to use the shared enterprise router, they can leave the resource share. If the principals reject the sharing invitation, the enterprise router will not be shared.	Owner: Creating a Sharing Principals: Responding to a Resource Sharing Invitation Principals: Leaving a Resource Share
Method 2	Adding an enterprise router to a resource share: The owner searches for the resource share on the RAM console. The owner adds the enterprise router to the resource share, for example, the resource share created in 1. Select the enterprise router that you want to share with the principals. Set the permissions of the principals on the enterprise router to be shared. Reuse the principals in the resource share or add new principals. On the RAM console, the principals accept or reject the resource share. If the principals accept the sharing invitation, they can use the enterprise router. If the principals do not want to use the shared enterprise router, they can leave the resource share. If the principals reject the sharing invitation, the enterprise router will not be shared.	Owner: Viewing a Resource Share Owner: Updating a Resource Share Principals: Responding to a Resource Sharing Invitation Principals: Leaving a Resource Share

Creating Attachments to a Shared Enterprise Router

As the owner, you can share your enterprise router with the principals. These principals can create attachments for your enterprise router.

If Auto Accept Shared Attachments is not enabled on your enterprise router, you must accept the attachment creation requests from the principals.

Figure 3 Accepting or rejecting attachment creation requests

**Table 4** Process description
No.	Step	Role	Description
1	Creating a Sharing	Owner	The owner creates a sharing to share an enterprise router with another user. This user can easily identify the shared enterprise router because its name is followed by Shared with me.
2	Creating a VPC Attachment	Principal	Auto Accept Shared Attachments is disabled on the enterprise router. After the principal creates an attachment to the shared enterprise router, the attachment will be in the Pending acceptance status and wait to be accepted by the owner.
3	Accepting an Attachment Request Rejecting an Attachment Request	Owner	The owner accepts the attachment request. The attachment status changes from Pending acceptance to Creating. When the attachment status changes to Normal, the attachment is successfully created. When the attachment status changes to Failed, the attachment fails to be created. Contact customer service. After an attachment is created, you can perform Follow-up Procedure. The owner can also reject the attachment request. If the owner rejects the request, the attachment status changes from Pending acceptance to Rejected, and the attachment fails to be created. If this happens, contact the owner.

If Auto Accept Shared Attachments is enabled on an enterprise router, the principals' requests to create attachments to this enterprise router will be automatically accepted without the approval from the owner.

Figure 4 Attachment requests automatically accepted

**Table 5** Process description
No.	Step	Role	Description
1	Creating a Sharing	Owner	The owner creates a sharing to share an enterprise router with another user. This user can easily identify the shared enterprise router because its name is followed by Shared with me.
2	Creating a VPC Attachment	Principal	Auto Accept Shared Attachments is enabled on the enterprise router. The principal creates an attachment to the shared enterprise router. The attachment will be in the Creating state. When the attachment status changes to Normal, the attachment is successfully created. When the attachment status changes to Failed, the attachment fails to be created. Contact customer service.