
ApsaraMQ for RabbitMQ: PrivateLink endpoints

Last Updated: Sep 03, 2024

After a PrivateLink endpoint is created, you can use PrivateLink to access ApsaraMQ for RabbitMQ resources from the virtual private cloud (VPC) that you specified and send and receive messages.

Common scenarios

You can use the PrivateLink endpoint to access an ApsaraMQ for RabbitMQ instance in a specific VPC in the following scenarios:

  • You want to isolate network links when instances access networks.

  • You want to implement cloud networking and inter-region networking by using Cloud Enterprise Network (CEN).

  • You are unable to use routing rules to access cloud services when you build a network by using CEN.

After a PrivateLink endpoint is created, you can continue using the original VPC endpoint to access an ApsaraMQ for RabbitMQ instance.

Billing rules

ApsaraMQ for RabbitMQ automatically creates PrivateLink endpoints. If you use PrivateLink endpoints in ApsaraMQ for RabbitMQ, fees are charged only by PrivateLink and are deducted from the Alibaba Cloud account that you use to activate PrivateLink. After you activate PrivateLink, you are charged on a pay-as-you-go basis, and bills are generated on an hourly basis. You are charged instance fees and data transfer fees. For more information, see Billing.

The lifecycle of a PrivateLink endpoint is the same as the lifecycle of the ApsaraMQ for RabbitMQ instance with which the endpoint is associated. You cannot manually delete the endpoint in the PrivateLink console. After the ApsaraMQ for RabbitMQ instance is released or deleted, the PrivateLink endpoint is automatically deleted by ApsaraMQ for RabbitMQ.

Regions

PrivateLink endpoints are available in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Shenzhen), China (Guangzhou), China (Chengdu), China (Ulanqab), Singapore, Germany (Frankfurt), US (Silicon Valley), Indonesia (Jakarta), Malaysia (Kuala Lumpur), China (Hong Kong), SAU (Riyadh - Partner Region), Philippines (Manila), and Thailand (Bangkok). After a PrivateLink endpoint is added to the IP address whitelist in the preceding regions, you can use the endpoint. If you want to use a PrivateLink endpoint in another region, submit a ticket.

Prerequisites

A ticket is submitted to apply for the addition of a PrivateLink endpoint to the IP address whitelist. When you submit the ticket, you must include the UID of the Alibaba Cloud account used to purchase the instance and the region where the instance resides.

Procedure

  1. Log on to the ApsaraMQ for RabbitMQ console. In the left-side navigation pane, click Instances.

  2. In the top navigation bar of the Instances page, select the region where the instance that you want to manage resides. Then, in the instance list, click the name of the instance that you want to manage.

  3. On the Endpoint Information tab of the Instances page, click Activate in the Endpoint column corresponding to Terminal Endpoint.

    Note

    The entry point to the terminal endpoint is displayed only after the PrivateLink endpoint is added to the IP address whitelist.

  4. In the Create PrivateLink Endpoint panel, perform the following operations:

    1. Carefully read the instructions at the top of the panel.

    2. Create a service-linked role. For more information, see Service-linked role.

    3. Activate PrivateLink.

    4. Configure the parameters that are described in the following table. Then, click OK.

      Important

      After a PrivateLink endpoint is created, you cannot modify its configurations or delete it. Make sure that the parameters are correctly configured.

      | Parameter | Description | Example |
      |---|---|---|
      | VPC ID | The VPC ID. The VPC must be in the Available state. | vpc-degu45gufksifgiuf**** |
      | VSwitch ID | The vSwitch ID. To ensure high availability, select vSwitches from at least two zones. Note: Make sure that Network Load Balancer (NLB) can be created in the zones that you select. You can call the DescribeZones operation to query the supported zones or view the supported zones in the NLB console. The vSwitch must be in the Available state and the number of available IP addresses must be greater than 20. | vsw-bewhf9uiagudie****, vsw-feuo8evyidochhe**** |
      | Security group | The security group. Make sure that the security group that you select meets the following conditions: the protocol type of the access policy is TCP and the destination port ranges are 5672 and 5671; managed security groups are not supported. | sg-uoefguo8fvyeif**** |

      After the PrivateLink endpoint is created, you can view the details of the endpoint on the Endpoint Information tab of the Instance Details page.

  5. Obtain the information about the PrivateLink endpoint and specify the information in the SDK code to send and receive messages by using PrivateLink. For more information, see Step 3: Use SDKs to send and receive messages.
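
Because the endpoint cannot be modified or deleted after creation, the requirements in the step 4 parameter table are worth checking before you click OK. The following Python check is an added example, not Alibaba Cloud code. The dictionary layout, zone names, and resource IDs are constructed, and treating a TCP rule whose port range covers 5671 or 5672 as sufficient is an assumption.

```python
# Added example; the dict layout is hypothetical, not an Alibaba Cloud API shape.
REQUIRED_TCP_PORTS = (5671, 5672)  # AMQP over TLS and plain AMQP
MIN_FREE_IPS = 20                  # available IPs must be greater than this


def port_allowed(port, rules):
    """Assumed reading: a TCP rule whose destination range covers the port."""
    return any(
        r["protocol"].lower() == "tcp" and r["port_from"] <= port <= r["port_to"]
        for r in rules
    )


def preflight(cfg):
    """Return a list of problems; an empty list means the inputs match the table."""
    problems = []
    if cfg["vpc"]["status"] != "Available":
        problems.append(f"{cfg['vpc']['id']}: VPC is not in the Available state")
    if len({v["zone"] for v in cfg["vswitches"]}) < 2:
        problems.append("vSwitches cover fewer than two zones")
    for v in cfg["vswitches"]:
        if v["status"] != "Available":
            problems.append(f"{v['id']}: vSwitch is not in the Available state")
        if v["free_ips"] <= MIN_FREE_IPS:
            problems.append(f"{v['id']}: only {v['free_ips']} available IP addresses")
        if v["zone"] not in cfg["nlb_zones"]:
            problems.append(f"{v['id']}: NLB cannot be created in zone {v['zone']}")
    sg = cfg["security_group"]
    if sg["managed"]:
        problems.append(f"{sg['id']}: managed security groups are not supported")
    for port in REQUIRED_TCP_PORTS:
        if not port_allowed(port, sg["rules"]):
            problems.append(f"{sg['id']}: no TCP rule covers destination port {port}")
    return problems


# Constructed sample: one zone, a vSwitch with exactly 20 free IPs, 5671 not opened.
SAMPLE = {
    "vpc": {"id": "vpc-example", "status": "Available"},
    "nlb_zones": {"zone-a", "zone-b"},
    "vswitches": [
        {"id": "vsw-example-1", "zone": "zone-a", "status": "Available", "free_ips": 120},
        {"id": "vsw-example-2", "zone": "zone-a", "status": "Available", "free_ips": 20},
    ],
    "security_group": {
        "id": "sg-example", "managed": False,
        "rules": [{"protocol": "TCP", "port_from": 5672, "port_to": 5672}],
    },
}
```

Calling `preflight(SAMPLE)` reports the single-zone selection, the vSwitch that has only 20 available addresses, and the missing rule for port 5671.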

Service-linked role

  • The first time you use a PrivateLink endpoint, you must create the AliyunServiceRoleForAmqpNetwork service-linked role. Before you create the service-linked role, make sure that your Alibaba Cloud account has the permissions to create service-linked roles. You can attach the AliyunAMQPFullAccess system policy to your Alibaba Cloud account. You can also attach the following custom policy to your Alibaba Cloud account. Replace ${accountid} in the following code with the ID of your Alibaba Cloud account.

    {
        "Statement": [
            {
                "Action": [
                    "ram:CreateServiceLinkedRole"
                ],
                "Resource": "acs:ram:*:${accountid}:role/*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "network.amqp.aliyuncs.com"
                        ]
                    }
                }
            }
        ],
        "Version": "1"
    }

  • Policy name: AliyunServiceRolePolicyForAmqpNetwork

  • Description: ApsaraMQ for RabbitMQ can assume this role to access PrivateLink and implement features related to VPCs.

  • For more information, see Service-linked roles.
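
The custom policy above stays narrow only while its ram:ServiceName condition and account-scoped Resource are kept intact. The following Python lint is an added example, not Alibaba Cloud code, that flags Allow statements able to create service-linked roles without those limits. The account ID and both sample policies are constructed, and matching the `*` and `ram:*` wildcard actions by exact string is a simplification.

```python
import json

# Added example: lint a custom RAM policy that grants ram:CreateServiceLinkedRole.
EXPECTED_SERVICE = "network.amqp.aliyuncs.com"  # service name in the page's policy
SLR_ACTIONS = ("*", "ram:*", "ram:createservicelinkedrole")


def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def lint_slr_policy(policy_text, account_id):
    """Return findings for Allow statements that can create service-linked roles."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_text)["Statement"])):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(a in SLR_ACTIONS for a in actions):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        services = as_list(cond.get("ram:ServiceName", []))
        if not services:
            findings.append(f"statement {i}: role creation is not limited by ram:ServiceName")
        elif set(services) != {EXPECTED_SERVICE}:
            findings.append(f"statement {i}: unexpected service names {sorted(services)}")
        for res in as_list(stmt.get("Resource", [])):
            if "${accountid}" in res:
                findings.append(f"statement {i}: ${{accountid}} placeholder was not replaced")
            elif f":{account_id}:role/" not in res:
                findings.append(f"statement {i}: {res} is not scoped to account {account_id}")
    return findings


# Constructed inputs: the page's policy with a made-up account ID, and a variant
# that drops the Condition block and widens the Resource.
ACCOUNT = "1234567890123456"
GOOD = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["ram:CreateServiceLinkedRole"],
    "Resource": f"acs:ram:*:{ACCOUNT}:role/*",
    "Condition": {"StringEquals": {"ram:ServiceName": [EXPECTED_SERVICE]}},
}]})
LOOSE = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "ram:*", "Resource": "*",
}]})
```

`lint_slr_policy(GOOD, ACCOUNT)` returns no findings, while `lint_slr_policy(LOOSE, ACCOUNT)` reports both the missing service-name condition and the unscoped resource.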

References

For information about PrivateLink, see What is PrivateLink?