This topic describes endpoints and how to configure and use endpoints in Identity as a Service (IDaaS).
Overview
Endpoints are used by IDaaS Employee Identity and Access Management (EIAM) instances to access networks. Endpoints in IDaaS are divided into dedicated endpoints and shared endpoints. You can use a shared endpoint free of charge. If you want to use a dedicated endpoint, you must purchase one. For more information, see Billing of dedicated endpoints.
Dedicated endpoint
A dedicated endpoint is an exclusive endpoint for an EIAM instance. The dedicated endpoint of an EIAM instance is an elastic network interface (ENI) of a virtual private cloud (VPC). You can configure security group rules or network settings for the ENI. This way, the EIAM instance can access a private network or access the Internet by using the dedicated endpoint.
Dedicated access to a private network
After an EIAM instance connects to your Alibaba Cloud VPC over a private network, you can synchronize the data of Active Directory (AD) domains, Lightweight Directory Access Protocol (LDAP) servers, and applications, and enable the AD authentication and LDAP authentication features, without the need to enable Internet-facing ports.
The following sections describe network access in different scenarios. In the following examples, an AD domain server is used.
The AD domain server and ENI belong to the same Alibaba Cloud VPC
If your AD domain server and the ENI of your EIAM instance belong to the same Alibaba Cloud VPC, you must implement access control by using the following method:
Configure the security group to which the AD domain server belongs to allow access from the IP address of the ENI.
The AD domain server and ENI belong to different Alibaba Cloud VPCs
If your AD domain server and the ENI of your EIAM instance belong to different Alibaba Cloud VPCs, you must implement access control by using the following methods:
Connect the two Alibaba Cloud VPCs by using a Cloud Enterprise Network (CEN) instance.
Configure the security group to which the AD domain server belongs to allow access from the IP address of the ENI.
The AD domain server belongs to a data center or a third-party cloud service provider
If the AD domain server belongs to a data center or a third-party cloud service platform, you must implement access control by using the following methods:
Connect the Alibaba Cloud VPC to the data center or cloud service platform to which the AD domain server belongs by using a dedicated connection, such as a leased line or a VPN gateway.
Configure the firewall of the AD domain server to allow access from the IP address of the ENI.
Dedicated access to the Internet
After an EIAM instance connects to your Alibaba Cloud VPC over a private network, you can associate an Elastic IP Address (EIP) with the ENI of the EIAM instance or associate an Internet NAT gateway with your Alibaba Cloud VPC. This way, the EIAM instance can use a public IP address to access the Internet. You can specify the public IP address as the trusted IP address in WeCom to meet your requirements for WeCom access.
Shared endpoint
A shared endpoint is the default endpoint that an EIAM instance uses to access the Internet. All EIAM instances can use the shared endpoint. You can use a shared endpoint to access only the Internet.
Comparison of the two endpoint types
The following table describes the two endpoint types.
Item | Dedicated endpoint | Shared endpoint |
Access to a private network over a dedicated IP address | Supported | Not supported |
Access to the Internet over a dedicated IP address | Supported | Not supported |
Access to the Internet over a shared IP address | Not supported | Supported |
Owner of the endpoint resources, such as ENIs and security groups | Your Alibaba Cloud account | The IDaaS team |
Available by default | No | Yes |
Free of charge | No | Yes |
Supported modules of endpoints
The following table describes the supported modules of endpoints. By default, each module uses a shared endpoint. You can switch to a dedicated endpoint based on your business requirements.
Module | Dedicated endpoint for access to a private network | Dedicated endpoint for access to the Internet | Shared endpoint for access to the Internet |
DingTalk inbound identity provider (IdP) | Not supported | Not supported | Supported |
DingTalk outbound IdP | Not supported | Not supported | Supported |
AD inbound IdP | Supported | Supported | Supported |
LDAP inbound IdP | Supported | Supported | Supported |
WeCom inbound IdP | Not supported | Supported | Not supported |
Marketplace application | Not supported | Not supported | Supported |
Security Assertion Markup Language (SAML) application | Not supported | Not supported | Supported |
OpenID Connect (OIDC) application | Not supported | Not supported | Supported |
Self-developed application | Not supported | Not supported | Supported |
Create a dedicated endpoint
In the left-side navigation pane of the EIAM page for an IDaaS EIAM instance, click Branding. On the Branding page, click the Network Access Endpoint tab.
Step 1: Create a service-linked role
Before you go to the Network Access Endpoint tab or create a dedicated endpoint, make sure that a service-linked role for IDaaS is created. For more information, see Service-linked role for IDaaS EIAM instances. Only Resource Access Management (RAM) users to which the AliyunIDaaSEiamFullAccess policy is attached or Alibaba Cloud accounts can create the service-linked role.
Step 2: Upgrade or scale up the EIAM instance
You can create a dedicated endpoint only if the remaining dedicated endpoint quota of the instance is sufficient. If the remaining dedicated endpoint quota is insufficient, you must purchase a quota to create a dedicated endpoint.
If your EIAM instance is a Free Edition or Trial Edition instance, upgrade the instance and increase the number of dedicated endpoints on the buy page.
If your EIAM instance is an Enterprise Edition instance, scale up the instance and increase the number of dedicated endpoints on the buy page. For more information, see Change the specification of an instance.
Each EIAM instance supports only one dedicated endpoint.
Step 3: Select resources
On the Network Access Endpoint tab, click Add Dedicated Endpoint.
In the Add Dedicated Endpoint dialog box, configure the following parameters.
After you create a dedicated endpoint, you cannot modify the settings of the dedicated endpoint, such as the region, VPC, and vSwitch. Proceed with caution.
Display Name: the display name of the dedicated endpoint. The name is displayed only in the IDaaS console.
Select Region: the region of the VPC to which you want to connect.
Select VPC: the VPC in the selected region. If you want to access a service, such as an AD domain, an LDAP server, or an application, over a private network, select a VPC in which the service resides or a VPC over which you can access the service.
Select vSwitch: the vSwitches that you want to use in the VPC. The number of available IP addresses for each selected vSwitch must be greater than two. You cannot use the 33 CIDR block. You can select up to two vSwitches.
We recommend that you select two vSwitches in different zones to improve the disaster recovery capability.
After you configure the parameters, click OK and wait until the dedicated endpoint is created.
You must configure one of the following features based on your business requirements before you can use the dedicated endpoint:
Dedicated access to a private network. For more information, see the Grant the private network access permissions section of this topic.
Dedicated access to the Internet. For more information, see the Configure a dedicated public outbound IP address section of this topic.
Grant the private network access permissions
On the
page, click the Network Access Endpoint tab. On the Network Access Endpoint tab, find the dedicated endpoint to which you want to grant the private network access permissions. Then, click Authorize Private Network Access.
Step 1: Obtain the access rules
In the Authorize Private Network Access dialog box, copy the value of the Authorization Object parameter. The value aggregates all dedicated private outbound IP addresses of the dedicated endpoint.
Step 2: Configure security group rules
Click Add to go to the Security Groups page of the
console. On the Security Groups page, find and click the security group to which your server belongs to go to the details page of the security group. In this example, an AD domain server is used. You must select the security group to which the AD domain server belongs, not the security group that is created by EIAM for the endpoint. For more information about the supported configuration methods, see the Dedicated access to a private network section of this topic.
On the details page of the security group, click the Inbound tab on the
tab and click Add Rule. Configure the following parameters and save the configurations.
Action: Allow.
Priority: 1.
Protocol Type: Custom TCP.
Port Range: the range of the ports that you want to use. If you want to connect to an AD domain or LDAP server, we recommend that you enter 389 or 636.
Authorization Object: the private IP addresses that you copied in the previous step.
Step 3: Switch to the created dedicated endpoint
In this example, an AD domain server is used. Go to the IdPs page. Find your AD domain server and click Modify to modify the basic configurations.
In the Basic Configurations dialog box, select Dedicated Network Access Endpoint for the Network Access Endpoint parameter in the Network Configurations section. Then, select the dedicated endpoint for which you configured security group rules from the drop-down list.
Click OK. The system verifies the IDaaS EIAM instance. The system connects to the AD domain server by using the dedicated private outbound IP addresses of the dedicated endpoint, which correspond to the primary private IP address of the ENI. A maximum of two ENIs are allowed. If both ENIs can access the AD domain server, the verification is successful, and the configured dedicated endpoint is used. If one of the ENIs fails to access the AD domain server, the verification fails, and an error message appears.
After the instance passes the verification, you can use the dedicated endpoint to access other servers. We recommend that you verify the instance in a test environment. After a paid instance is released upon expiration or unsubscription, the dedicated endpoint immediately becomes unavailable and is deleted the next day. If you want to use the shared endpoint or another dedicated endpoint, you must switch to the required endpoint. Before the dedicated endpoint is deleted, we recommend that you modify the network access whitelist of your service.
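The two checks a practitioner wants to automate in the steps above are the security group rules (Step 2: one narrow inbound rule per dedicated private outbound IP address, on the recommended port) and the verification rule (Step 3: the endpoint passes only if every ENI address can reach the AD domain server). The following Python is an added example written for this topic; it is not code from the IDaaS product or from Alibaba Cloud. The two private IP addresses in SAMPLE_AUTHORIZATION_OBJECT are constructed, and the rule dictionaries only mirror the parameter names of the ECS AuthorizeSecurityGroup API (Policy, Priority, IpProtocol, PortRange, SourceCidrIp); nothing here calls that API.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample of the "Authorization Object" value copied from the
# Authorize Private Network Access dialog. The real value aggregates the
# dedicated private outbound IP addresses of the endpoint (one per ENI);
# these two addresses are made up for the example.
SAMPLE_AUTHORIZATION_OBJECT = "192.168.10.11,192.168.20.12"

# Ports recommended in this topic for AD domain and LDAP servers.
LDAP_PORT = 389
LDAPS_PORT = 636


def parse_authorization_object(value: str) -> List[ipaddress.IPv4Address]:
    """Split the aggregated Authorization Object value into IPv4 addresses.

    Each address must parse as IPv4 and must be private, because the
    dedicated endpoint reaches the AD server over the VPC. Anything else is
    rejected so that a bad paste cannot open the security group to an
    unexpected source.
    """
    addrs = []
    for token in value.replace(";", ",").split(","):
        token = token.strip()
        if not token:
            continue
        addr = ipaddress.ip_address(token)
        if addr.version != 4 or not addr.is_private:
            raise ValueError(f"not a private IPv4 address: {token}")
        addrs.append(addr)
    if not addrs:
        raise ValueError("authorization object contains no addresses")
    return addrs


def build_inbound_rules(value: str, ports: Iterable[int] = (LDAPS_PORT,)) -> List[Dict]:
    """Produce one inbound rule per (ENI address, port), as in Step 2.

    Every source is a /32 so that only the endpoint's own addresses are
    allowed, and each port range covers a single port rather than a span.
    The keys follow the ECS AuthorizeSecurityGroup parameter names.
    """
    rules = []
    for addr in parse_authorization_object(value):
        for port in ports:
            rules.append({
                "Policy": "accept",
                "Priority": 1,
                "IpProtocol": "tcp",
                "PortRange": f"{port}/{port}",
                "SourceCidrIp": f"{addr}/32",
            })
    return rules


def make_tcp_probe(host: str, port: int, timeout: float = 3.0) -> Callable[[str], bool]:
    """Return a probe that opens a TCP connection to host:port from source_ip.

    Binding to an ENI address only works on a host that owns that address,
    so this is a pre-check for your own test environment, not a replacement
    for the verification the console performs when you click OK.
    """
    def probe(source_ip: str) -> bool:
        try:
            with socket.create_connection((host, port), timeout=timeout,
                                          source_address=(source_ip, 0)):
                return True
        except OSError:
            return False
    return probe


def verify_endpoint(value: str, probe: Callable[[str], bool]) -> Tuple[bool, List[str]]:
    """Apply the Step 3 rule: success only if every ENI address can connect.

    Returns (ok, failed_addresses). A single unreachable ENI fails the whole
    endpoint, which is exactly what the console reports as an error.
    """
    failed = [str(a) for a in parse_authorization_object(value) if not probe(str(a))]
    return (len(failed) == 0, failed)


if __name__ == "__main__":
    for rule in build_inbound_rules(SAMPLE_AUTHORIZATION_OBJECT, ports=(LDAP_PORT, LDAPS_PORT)):
        print(rule)
    # Placeholder AD server address; replace with your own when running the pre-check.
    ok, failed = verify_endpoint(SAMPLE_AUTHORIZATION_OBJECT, make_tcp_probe("ad.example.internal", LDAPS_PORT))
    print("verification passed" if ok else f"verification failed for {failed}")
```

The probe is injectable so the verification rule can be exercised without network access; in practice you would run the pre-check from a host in the selected vSwitch and then rely on the console verification, which connects from the ENIs themselves.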
Configure a dedicated public outbound IP address
You can configure an Internet NAT gateway for an EIAM instance. This way, the EIAM instance can access the Internet by using a specific IP address. You can specify the IP address as the trusted IP address in WeCom to complete the verification for WeCom.
Step 1: View the VPC region of the dedicated endpoint
On the
page, click the Network Access Endpoint tab. On the Network Access Endpoint tab, find the dedicated endpoint that you want to use to access the Internet and view the VPC region.
Step 2: Associate the NAT gateway with an EIP
Log on to the VPC console. On the Internet NAT Gateway page, select an Internet NAT gateway that resides in the same region as the dedicated endpoint. Click Associate Now to associate the Internet NAT gateway with an EIP. If no Internet NAT gateway is available, create one.
You can select an existing EIP or purchase an EIP and then associate the NAT gateway with the EIP.
After the association is successful, configure SNAT entries for the NAT gateway. Then, the dedicated endpoint can access the Internet. For more information, see Create and manage SNAT entries.
On the Network Access Endpoint tab of the Branding page, click View next to Dedicated Outbound Public IP Address to view the dedicated public IP address.
Switch to the created dedicated endpoint
In this example, an AD domain server is used. Go to the IdPs page. Find your AD domain server and click Modify to modify the basic configurations.
In the Basic Configurations dialog box, select Dedicated Network Endpoint for the Network Access Endpoint parameter in the Network Configurations section. Then, select the dedicated endpoint for which you configured a dedicated public outbound IP address from the drop-down list.
Click OK. The system verifies the IDaaS EIAM instance. The system connects to the AD domain server by using the dedicated public outbound IP addresses of the dedicated endpoint, which correspond to the public IP addresses of the ENI and Internet NAT gateway. A maximum of two ENIs are allowed. If both ENIs can access the AD domain server, the verification is successful, and the configured dedicated endpoint is used. If one of the ENIs fails to access the AD domain server, the verification fails, and an error message appears.
You can click View next to Dedicated Public Outbound IP Address to view the gateway IP address of the dedicated endpoint.
After the instance passes the verification, you can use the dedicated endpoint to access other servers. We recommend that you verify the instance in a test environment. After a paid instance is released upon expiration or unsubscription, the dedicated endpoint immediately becomes unavailable and is deleted the next day. If you want to use the shared endpoint or another dedicated endpoint, you must switch to the required endpoint. Before the dedicated endpoint is deleted, we recommend that you modify the network access whitelist of your service.
Modify a dedicated endpoint
You can modify only the display name of a dedicated endpoint. If you want to modify other settings, you must delete the dedicated endpoint and create a dedicated endpoint based on your business requirements.
Delete a dedicated endpoint
A dedicated endpoint can be deleted in one of the following ways:
If no modules such as IdPs and applications in an instance use the dedicated endpoint, an administrator can manually delete the dedicated endpoint.
If a paid instance is released upon expiration or unsubscription, IDaaS automatically deletes the dedicated endpoint.
After a dedicated endpoint is deleted, IDaaS releases the following resources created by IDaaS within your account:
ENIs
Managed security groups
After a dedicated endpoint is deleted, the resources and data of the dedicated endpoint cannot be restored. The dedicated endpoint becomes unavailable after it is deleted. If you want to delete the AliyunServiceRoleForEiam service-linked role, you must delete all IDaaS EIAM instances.
If you want to use a shared endpoint or another dedicated endpoint after you delete a dedicated endpoint, you must switch to the required endpoint on the IdPs or Applications page. Before the dedicated endpoint is deleted, we recommend that you modify the network access whitelist of your service.