If you want to allow a Classic Load Balancer (CLB) instance in a virtual private cloud (VPC) to provide services for another VPC within the same Alibaba Cloud account, you can specify the CLB instance as a service resource in the VPC where the CLB instance is deployed and use PrivateLink to establish a network connection between the two VPCs.
Background information
VPCs are private networks that are isolated from each other in the cloud. You can use PrivateLink to establish a secure and stable private connection between a VPC and an Alibaba Cloud service. This simplifies the network architecture and prevents security risks over the Internet.
To establish a PrivateLink connection, you must create an endpoint service and an endpoint.
Endpoint service
An endpoint service can be accessed by using an endpoint in another VPC over a PrivateLink connection. Endpoint services are created and managed by service providers.
Endpoint
An endpoint can be associated with an endpoint service to establish a PrivateLink connection that allows a VPC to access external services. Endpoints are created and managed by service consumers.
| Entity | Description |
| --- | --- |
| Service provider | Creates and manages endpoint services. |
| Service consumer | Creates and manages endpoints. |
CLB distributes inbound network traffic across multiple Elastic Compute Service (ECS) instances that act as backend servers based on forwarding rules. You can specify CLB instances as the service resources of endpoint services to improve the performance and availability of your applications. For more information, see What is CLB?
Scenarios
The following scenario is used as an example. Company A creates two VPCs named VPC 1 and VPC 2 in the Germany (Frankfurt) region with Alibaba Cloud Account A and deploys application services on ECS instances named ECS 2 and ECS 3 in VPC 2. Due to business growth, resources in VPC 1 require access to the services in VPC 2 over a private connection.
You can create a CLB instance that supports PrivateLink in VPC 2, and specify ECS 2 and ECS 3 as the backend servers of the CLB instance. This allows the CLB instance to receive the traffic from clients and distribute the traffic to the backend servers based on the forwarding rules of a listener. Create an endpoint service and specify the CLB instance as the service resource of the endpoint service. Then, create an endpoint in VPC 1. After the endpoint is created and connected to the endpoint service as expected, ECS 1 in VPC 1 can access the services in VPC 2 over the private network.
Limits
To support PrivateLink, the CLB instance that serves as a service resource in VPC 2 must be a pay-as-you-go internal-facing CLB instance.
When you create an endpoint service, you must select a region that supports PrivateLink and CLB instances. For more information about the regions that support PrivateLink and CLB instances, see Regions and zones that support PrivateLink and Regions that support CLB.
The endpoint and endpoint service must be deployed in the same zone where the CLB instance is deployed.
Preparations
VPC 1 and VPC 2 are created in the Germany (Frankfurt) region, and a vSwitch is created for each VPC. For more information, see the Step 1: Create a VPC and vSwitches section of the Create a VPC with an IPv4 CIDR block topic.
ECS 1 is created in VPC 1, ECS 2 and ECS 3 are created in VPC 2, and different NGINX services are deployed on ECS 2 and ECS 3.
For more information about how to create an ECS instance, see Create an instance on the Custom Launch tab.
The following code blocks show how to deploy applications on ECS 2 and ECS 3:
A security group is created in VPC 1. You can configure security group rules based on your requirements for business and security.
We recommend that you configure the following security group rules:
An inbound rule that allows traffic on SSH port 22 and Remote Desktop Protocol (RDP) port 3389 to access the ECS instance.
An inbound rule that allows traffic on HTTP port 80 and HTTPS port 443. This rule allows the VPC of the endpoint to access the VPC of the endpoint service over HTTP or HTTPS.
For more information, see Create a security group.
Note: ECS 2 and ECS 3 in VPC 2 belong to the default security group, which is created by the system when the ECS instances are created.
The following table describes how networks of the VPCs are planned in this example. Your services are not adversely affected if the CIDR blocks of your VPCs overlap with each other.
| Item | VPC 1 | VPC 2 |
| --- | --- | --- |
| Region | Germany (Frankfurt) | Germany (Frankfurt) |
| CIDR block | | |
| vSwitch zone | Zone B | Zone B |
| ECS instance IP address | ECS 1: 10.10.2.1 | |
Procedure
Step 1: Create a CLB instance that supports PrivateLink
Log on to the CLB console.
On the Instances page, click Create CLB.
On the CLB (Pay-As-You-Go) International Site buy page, set the parameters of the CLB instance described in the following table, and click Buy Now to complete the payment.
Parameter
Description
Region
Select a region where you want to create the CLB instance.
In this example, Germany (Frankfurt) is selected.
Note: Make sure that the CLB instance and the ECS instances that you want to specify as backend servers belong to the same region.
Zone Type
Specify whether to deploy the CLB instance in one zone or across multiple zones. By default, Multi-zone is selected.
Primary Zone
Select a primary zone for the CLB instance to receive network traffic. In this example, Europe Central 1 Zone B is selected.
Backup Zone
Select a secondary zone for the CLB instance. The secondary zone receives network traffic only if the primary zone is unavailable.
In this example, Europe Central 1 Zone A is selected.
Instance Name
Enter a name for the CLB instance.
Instance Type
Select a type for the CLB instance. You can create an Internet-facing CLB instance or an internal-facing CLB instance based on your business requirements. The system allocates a public or private IP address to the CLB instance based on the specified instance type.
In this example, Intranet is selected.
Instance Billing Method
Select a billing method for the CLB instance. Valid values:
Pay-By-Specification
Pay-By-CLCU
In this example, Pay-By-Specification is selected.
Specification
Select a specification for the CLB instance. CLB instances of different specifications deliver different performances. In this example, Small I (slb.s1.small) is selected.
Network Type
Select a network type for the CLB instance.
In this example, VPC is selected.
IP Version
Select an IP version for the CLB instance. In this example, IPv4 is selected.
Feature
Select a feature type for the CLB instance. By default, Standard is selected.
VPCId
Select VPC 2.
VswitchId
Select a vSwitch in VPC 2.
Internet Data Transfer Fee
Select a metering method. Internet-facing CLB instances support the following metering methods:
By traffic: the pay-by-data-transfer metering method
By bandwidth: the pay-by-bandwidth metering method
By default, By traffic is selected.
Note: Internet-facing CLB instances use the pay-by-data-transfer metering method. In this example, the CLB instance that you want to create is internal-facing and does not generate traffic fees.
Resource Group
Select a resource group for the CLB instance. In this example, Default Resource Group is selected.
Quantity
Specify the number of CLB instances that you want to purchase. In this example, 1 is specified.
Step 2: Configure the CLB instance
After the CLB instance is created, you must add at least one listener and one group of backend servers to the CLB instance. This way, network traffic can be forwarded by the CLB instance.
On the Instances page, find the CLB instance that was created in Step 1 and click Configure Listener in the Actions column.
On the Protocol & Listener wizard page, set the following parameters, use the default values for other parameters, and then click Next:
Select Listener Protocol: In this example, TCP is selected.
Listener Port: specifies the port that the CLB instance uses to receive requests and forward the requests to the backend servers.
In this example, 80 is specified.
On the Backend Servers wizard page, select Default Server Group and click Add More to add backend servers.
In the Servers panel, select ECS 2 and ECS 3 that you created, and click Next.
Specify weights for the backend servers and click Add.
A backend server with a higher weight receives more requests. In this example, the default value 100 is used.
On the Default Server Group tab, specify a backend port and click Next. In this example, 80 is specified.
You can specify the same port for multiple backend servers of a CLB instance.
On the Health Check wizard page, configure the health check feature and click Next. In this example, the default values of the parameters are used.
On the Confirm wizard page, check the configurations and click Submit.
Click OK to return to the Instances page.
If the health check status of an ECS instance is Healthy, the ECS instance can process requests that are forwarded by the CLB instance.
Step 3: Create an endpoint service
Log on to the endpoint service console.
In the top navigation bar, select the region in which you want to create an endpoint service. In this example, Germany (Frankfurt) is selected.
On the Endpoint Service page, click Create Endpoint Service.
On the Create Endpoint Service page, set the parameters described in the following table and click OK.
The following table describes the parameters that are relevant to this topic. For more information about how to configure other parameters, see the Create an endpoint service section of the Create and manage endpoint services topic.
Parameter
Description
Service Resource Type
Select the type of the service resource that you want to add to the endpoint service. In this example, CLB is selected.
Select Service Resource
Select the zone in which you want to receive network traffic. Then, select the CLB instance that you want to associate with the endpoint service.
In this example, Frankfurt Zone B and the CLB instance created in Step 1 are selected.
Automatically Accept Endpoint Connections
Specify whether the endpoint service automatically accepts connection requests from endpoints. In this example, No is selected.
Yes: If you select this option, the endpoint service automatically accepts connection requests from endpoints. As a result, you can use endpoints to access the service resources of the endpoint service.
No: If you select this option, the endpoint connection of the endpoint service is in the Disconnected state by default. In this case, connection requests to the endpoint service must be manually accepted or denied by the service provider.
If the service provider accepts a connection request from an endpoint, the service resources of this endpoint service can be accessed by using the endpoint.
If the service provider denies a connection request from an endpoint, the service resources of this endpoint service cannot be accessed by using the endpoint.
Resource Group
Select the resource group to which the endpoint service belongs.
After the endpoint service is created, the account ID of the service provider is automatically added to the service whitelist.
You can view the instance ID and instance name on the details page of the endpoint service.
Step 4: Create an endpoint
Log on to the endpoint console.
In the top navigation bar, select the region in which you want to create an endpoint. In this example, Germany (Frankfurt) is selected.
On the Endpoints page, click Create Endpoint.
On the Create Endpoint page, set the parameters described in the following table and click OK.
The following table describes the parameters that are relevant to this topic. For more information about how to configure other parameters, see the Create an endpoint section of the Create and manage endpoints topic.
Parameter
Description
Endpoint Name
Enter a name for the endpoint.
Endpoint Type
Select a type for the endpoint. In this example, Interface Endpoint is selected.
Endpoint Service
In this example, the endpoint service that was created in Step 3 is selected.
VPC
Select the VPC where you want to create the endpoint. In this example, VPC 1 is selected.
Security Groups
Select the security group that you want to associate with the endpoint elastic network interface (ENI). The security group is used to control data transfer from the VPC to the endpoint ENI.
Note: Make sure that the rules in the security group allow access to the endpoint ENI from clients.
Zone and vSwitch
Select the zone of the endpoint service and select a vSwitch in the zone. The system automatically creates an endpoint ENI and attaches it to the vSwitch.
In this example, Frankfurt Zone B and a vSwitch created in VPC 1 are selected.
Resource Group
Select the resource group to which the endpoint belongs.
After you create the endpoint, you can view the domain name of the endpoint and the domain name and IP address of the selected zone on the details page of the endpoint.
Step 5: Accept connection requests from the endpoint
After you create an endpoint in VPC 1, you must configure the endpoint service to accept connection requests from the endpoint. This way, resources in VPC 1 can access the endpoint service in VPC 2 by using the endpoint.
Skip this step if you set the Automatically Accept Endpoint Connections parameter to Yes in Step 3.
In the left-side navigation pane, click Endpoint Service.
In the top navigation bar, select the region where the endpoint service is deployed. In this example, Germany (Frankfurt) is selected.
On the Endpoint Service page, find the endpoint service created in Step 3 and click its ID.
On the details page of the endpoint service, click the Endpoint Connections tab, find the endpoint that you want to manage, and then click Allow in the Actions column.
In the Allow Connection dialog box, click OK.
After you allow the endpoint service to accept connection requests from the endpoint, the state of the endpoint connection changes from Disconnected to Connected. Then, the endpoint service can process requests from the endpoint.
Step 6: Access services by using the endpoint
In this example, ECS instances run the Alibaba Cloud Linux operating system. For more information about how to test the network connectivity between VPC 1 and VPC 2 in other operating systems, see the user guide of the operating system that you use.
The following section describes how to test whether ECS 1 in VPC 1 can access the services that are deployed on ECS 2 and ECS 3 in VPC 2 by using the endpoint.
Log on to ECS 1 in VPC 1. For more information, see Connection method overview.
After you log on to ECS 1 in VPC 1, you can use one of the following methods to test the connectivity between VPCs:
Access the services deployed in VPC 2 by using the domain name displayed in the Domain Name of Endpoint Service section.
On the endpoint details page, view the generated domain name of the endpoint service.
Run the curl command to test the network connectivity.
Access the services deployed in VPC 2 by using the domain name or IP address of the zone where the endpoint is deployed.
On the details page of the endpoint, click the Zone and ENI tab to view the generated domain name and IP address of the zone.
Run the curl command to test the network connectivity.
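The connectivity test in Step 6 can be scripted so that it also verifies two properties the page relies on: that the endpoint domain resolves to a private address on the endpoint ENI in VPC 1 (traffic never leaves the private network), and that requests reach both ECS 2 and ECS 3 behind the CLB instance (the two backends serve different NGINX pages, so distinct response bodies identify them). This is an added example, not code from the page or from Alibaba Cloud; the endpoint domain and the VPC 1 vSwitch CIDR block are placeholders, because the page does not give them.

```python
import ipaddress
import socket
import urllib.request
from collections import Counter

# Placeholders: substitute the generated domain shown on your endpoint's
# details page and the CIDR block of the VPC 1 vSwitch that hosts the ENI.
ENDPOINT_DOMAIN = "ep-placeholder.privatelink.example.com"  # placeholder
ENDPOINT_VSWITCH_CIDR = "10.10.2.0/24"  # placeholder, VPC 1 Zone B vSwitch
REQUESTS = 20


def is_private_endpoint(ip: str, vswitch_cidr: str) -> bool:
    """True if the resolved address is a private address inside the
    endpoint ENI's vSwitch, i.e. the path stays inside VPC 1."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private and addr in ipaddress.ip_network(vswitch_cidr)


def tally_backends(bodies):
    """Count responses per distinct page body. ECS 2 and ECS 3 serve
    different NGINX pages, so two keys means both backends answered."""
    return Counter(body.strip() for body in bodies)


def fetch(url: str) -> str:
    # Plain HTTP, matching the port 80 TCP listener configured in Step 2.
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_endpoint(domain: str, vswitch_cidr: str, count: int):
    ip = socket.gethostbyname(domain)
    if not is_private_endpoint(ip, vswitch_cidr):
        raise SystemExit(f"{domain} resolved to {ip}, outside {vswitch_cidr}")
    tally = tally_backends(fetch(f"http://{domain}/") for _ in range(count))
    return ip, tally


if __name__ == "__main__":
    ip, tally = check_endpoint(ENDPOINT_DOMAIN, ENDPOINT_VSWITCH_CIDR, REQUESTS)
    print(f"{ENDPOINT_DOMAIN} -> {ip} (endpoint ENI, private address)")
    for body, n in tally.items():
        print(f"{n:3d} responses: {body[:60]!r}")
    if len(tally) < 2:
        print("Only one backend answered: check weights and health check status")
```

Run it from ECS 1; if the resolved address is not inside the vSwitch CIDR block, the request is not going through the endpoint ENI and the endpoint connection state in Step 5 should be rechecked.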