IBM Cloud Docs
Approving and rejecting cross-account redundant GRE requests

As the network owner, you can approve or reject a cross-account connection request. For redundant GRE requests, approval or rejection is done at the redundant GRE level: you cannot approve or reject individual redundant GRE tunnels. Supply the redundant GRE ID as the connection ID.

Approving cross-account redundant GRE requests in the UI

When a connection request to a network in another account is created, the network owner's account receives a notification of the request.

To approve a cross-account redundant GRE request from another account in the UI, follow these steps:

  1. From your browser, open the IBM Cloud console and log in to your account.
  2. Select the Navigation Menu icon from the upper left, then click Interconnectivity > Transit Gateway.
  3. Click the name of the transit gateway in the table.
  4. In the Connections section, see Active required to view the incoming network connection request.
  5. Click Approve to approve the request.
  6. Click Approve to confirm. The status of the network connection indicates Attaching.

When you change back to the original account, the status of the connection changes to Attached, indicating that the network request was approved.

Rejecting cross-account redundant GRE requests in the UI

To reject a redundant GRE request from another account in the UI, follow these steps:

  1. From your browser, open the IBM Cloud console and log in to your account.
  2. Select the Navigation Menu icon from the upper left, then click Interconnectivity > Transit Gateway.
  3. Click the name of the transit gateway in the table.
  4. In the Connections section, see Active required to view the incoming network connection request.
  5. Click Reject to reject the request.
  6. Click Reject to confirm.

The status of the network connection indicates Rejected. The gateway owner's account (or the network owner's account) can now delete the connection. If the network owner deletes the connection, the gateway owner sees the connection status as Detached. If the cross-account connection is not explicitly approved, it expires after 72 hours.

Approving cross-account redundant GRE requests from the CLI

As the network owner, to approve a redundant GRE request from another account, run the following command:

ibmcloud tg connection-approve|ca GATEWAY_ID CONNECTION_ID [-h, --help]

Where:

GATEWAY_ID: ID of the gateway the connection is on.
CONNECTION_ID: ID of the connection you are approving.
--help | -h: Optional: Get help on this command.

Rejecting cross-account redundant GRE requests from the CLI

As the network owner, to reject a redundant GRE request from another account, run the following command:

ibmcloud tg connection-reject|cr GATEWAY_ID CONNECTION_ID [-h, --help]

Where:

GATEWAY_ID: ID of the gateway the connection is on.
CONNECTION_ID: ID of the connection you are rejecting.
--help | -h: Optional: Get help on this command.
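
The following is an added example, not part of the IBM documentation or tooling: a small triage step a network owner could run before approving, which accepts requests only from allowlisted accounts, skips requests past the 72-hour expiry, and builds the connection-approve or connection-reject command with the redundant GRE ID as CONNECTION_ID. The record field names, account names, and IDs are constructed for illustration and are not the Transit Gateway API schema.

```python
# Added example: triage of pending cross-account redundant GRE requests.
# Field names and values in SAMPLE are constructed, not an IBM Cloud schema.
import shlex
from datetime import datetime, timedelta, timezone

EXPIRY = timedelta(hours=72)                 # unapproved requests expire after 72 hours
TRUSTED_ACCOUNTS = {"acct-network-team-a"}   # hypothetical allowlist of requesting accounts

NOW = datetime(2024, 5, 4, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample
SAMPLE = [
    {"gateway_id": "gw-0001", "redundant_gre_id": "rgre-0001",
     "requester_account": "acct-network-team-a",
     "created_at": "2024-05-03T09:00:00+00:00"},
    {"gateway_id": "gw-0001", "redundant_gre_id": "rgre-0002",
     "requester_account": "acct-unknown",
     "created_at": "2024-05-04T08:00:00+00:00"},
    {"gateway_id": "gw-0002", "redundant_gre_id": "rgre-0003",
     "requester_account": "acct-network-team-a",
     "created_at": "2024-05-01T11:00:00+00:00"},
]


def triage(request, now):
    """Return (decision, argv) for one pending request record."""
    created = datetime.fromisoformat(request["created_at"])
    if now - created >= EXPIRY:
        return "expired", None               # request has lapsed; nothing to run
    trusted = request["requester_account"] in TRUSTED_ACCOUNTS
    action = "approve" if trusted else "reject"
    # Approval is per redundant GRE: pass its ID as CONNECTION_ID, never a tunnel ID.
    argv = ["ibmcloud", "tg", "connection-" + action,
            request["gateway_id"], request["redundant_gre_id"]]
    return action, argv


def plan(requests, now):
    """Triage every request and keep the decisions in input order."""
    return [triage(r, now) for r in requests]


if __name__ == "__main__":
    for decision, argv in plan(SAMPLE, NOW):
        print(decision, shlex.join(argv) if argv else "(no command)")
```

The script only prints the commands; review the output and run them yourself as the network owner.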

Approving cross-account redundant GRE requests with the API

A network owner can approve a redundant GRE request across accounts.

Example Request

curl -X POST "https://$TS_ENDPOINT/v1/transit_gateways/$GATEWAY_ID/connections/$CONNECTION_ID/tunnels/$TUNNEL_ID?version=2020-03-31" \
  --header "Authorization: Bearer {iam_token}" \
  --header "Content-Type: application/json" \
  --data '{ "action": "approve" }'

For more information, see Performs actions on a connection for a Transit Gateway.

Rejecting cross-account redundant GRE requests with the API

A network owner can reject a redundant GRE request across accounts.

Example Request

curl -X POST "https://$TS_ENDPOINT/v1/transit_gateways/$GATEWAY_ID/connections/$CONNECTION_ID/tunnels/$TUNNEL_ID?version=2020-03-31" \
  --location \
  --header "Authorization: Bearer {iam_token}" \
  --header "Content-Type: application/json" \
  --data '{ "action": "reject" }'

For more information, see Performs actions on a connection for a Transit Gateway.

Approving cross-account redundant GRE requests using Terraform

To use Terraform, download the Terraform CLI and configure the IBM Cloud Provider plug-in. For more information, see Getting started with Terraform.

The following example illustrates approving a redundant GRE across accounts:

resource "ibm_tg_connection_action" "test_tg_cross_connection_approval" {
    provider = ibm.account2
    gateway = ibm_tg_gateway.new_tg_gw.id
    connection_id = ibm_tg_connection.test_ibm_tg_connection.connection_id
    action = "approve"
}

For more information, see the Terraform registry.

Tunnel-level approval is not allowed.

Rejecting cross-account redundant GRE requests using Terraform

The following example illustrates rejecting a redundant GRE across accounts:

resource "ibm_tg_connection_action" "test_tg_cross_connection_approval" {
    provider = ibm.account2
    gateway = ibm_tg_gateway.new_tg_gw.id
    connection_id = ibm_tg_connection.test_ibm_tg_connection.connection_id
    action = "reject"
}

For more information, see the Terraform registry.

Tunnel-level rejection is not allowed.