If an endpoint service is connected to multiple endpoints, PrivateLink allows you to replace the service resources of the endpoint service to distribute traffic. This prevents business interruption caused by overload on the service resources.
Limits
By default, the features of replacing service resources and automatically allocating service resources are disabled. To use the features, log on to the Quota Center console, search for the quota ID privatelink_whitelist/svc_res_mgt_uat, and then submit an application.
You can replace service resources in the same zone only if Classic Load Balancer (CLB) instances and Application Load Balancer (ALB) instances serve as the service resources of endpoint services.
Endpoints, endpoint services, and service resources must be deployed in the same zone of the same region. If CLB instances serve as service resources, PrivateLink can be used to establish connections only within the primary zone of the CLB instances. If you want to implement cross-zone disaster recovery, you can specify ALB instances or Network Load Balancer (NLB) instances as service resources.
Example
The scenario in the following figure is used as an example in this topic. Company A creates VPC 1, VPC 2, and VPC 3 in Zone H of the China (Hangzhou) region. VPC 1 and VPC 2 can access the service resource CLB 1 in VPC 3 by using PrivateLink. Due to business growth, Company A needs to distribute some traffic from CLB 1 to CLB 2 to allow VPC 1 to access CLB 1 by using PrivateLink and VPC 2 to access CLB 2 by using PrivateLink. This prevents business interruption due to overload on CLB 1.
Prerequisites
VPC 1, VPC 2, and VPC 3 are created in the China (Hangzhou) region, and a vSwitch is created in each virtual private cloud (VPC). For more information, see the Step 1: Create a VPC and vSwitches section of the Create a VPC with an IPv4 CIDR block topic.
ECS 01 is created in VPC 1 and ECS 02 is created in VPC 2, which are used to send requests. ECS 03, ECS 04, ECS 05, and ECS 06 are created in VPC 3, which are used to receive and process requests. Different NGINX services are deployed on the Elastic Compute Service (ECS) instances in VPC 3. For more information, see Build an LNMP stack on an ECS instance that runs Alibaba Cloud Linux 2 or 3.
CLB 1 and CLB 2, which serve as service resources, are created in VPC 3. For more information about how to create a CLB instance that supports PrivateLink, see the Step 1: Create a CLB instance that supports PrivateLink section of the Access a CLB instance in another VPC by using PrivateLink topic.
Listeners and ECS instances are created for CLB 1 and CLB 2. For more information, see the Step 2: Configure the CLB instance section of the Access a CLB instance in another VPC by using PrivateLink topic.
An endpoint is created in VPC 1 and an endpoint is created in VPC 2. An endpoint service is created in VPC 3, and uses CLB 1 in Zone H as the service resource. For more information about how to create an endpoint and an endpoint service, see the Step 3: Create an endpoint service section and the Step 4: Create an endpoint section of the Access a CLB instance in another VPC by using PrivateLink topic.
The following table describes the network planning for VPC 1, VPC 2, and VPC 3.
Parameter | VPC 1 | VPC 2 | VPC 3 |
--- | --- | --- | --- |
Network instance region | China (Hangzhou) | China (Hangzhou) | China (Hangzhou) |
CIDR block | | | |
vSwitch zone | Zone H | Zone H | Zone H |
ECS instance IP address | ECS 01: 10.10.0.190 | ECS 02: 172.16.233.103 | |
Procedure
Step 1: Allocate a service resource in a zone and connect to the service resource
Before you allocate a service resource in a zone and connect to the service resource, make sure that the following requirements are met:
The endpoint connection is in the Disconnected state.
The zone of the endpoint is in the Pending to Be Connected or Disconnected state.
The service resource is available in Zone H.
1. On the Endpoint Connections tab, find the endpoint that you want to manage and click Allow in the Actions column.
2. In the Allow Connection dialog box, perform the following steps based on your business requirements:
   - If you want the system to automatically allocate service resources:
     1. Select Allow connections and automatically allocate service resources and click OK.
     2. Click the icon before the endpoint to show the zone details. Then, select the zone that you want to manage. In this example, Hangzhou Zone H is selected.
   - If you want to manually allocate service resources, clear the Allow connections and automatically allocate service resources check box, and then:
     1. Click the icon before the endpoint to show the zone details. Then, select the zone that you want to manage. In this example, Hangzhou Zone H is selected.
     2. Click Allocate Service Resource in the Actions column of the zone.
     3. In the Allocate Service Resource dialog box, select Manual Allocation, select CLB 1 from the drop-down list, and then click OK.
   Note: If a service resource already exists in the zone of the endpoint and you select Automatic Allocation, the existing service resource is cleared. The service resource can be automatically allocated if you select Allow connections and automatically allocate service resources for the endpoint connection.
3. Click Allow in the Actions column of the endpoint that you want to manage.
4. Remotely log on to ECS 01 and ECS 02 and run the curl command to test whether ECS 01 and ECS 02 can access the services deployed on ECS 03 in VPC 3. For more information about how to log on to an ECS instance, see Connection method overview.
   curl <Domain name or IP address of the zone of the endpoint>
   If the information shown in the following figure is displayed, ECS 01 and ECS 02 can access the services deployed on ECS 03.
Step 2: Create an alert rule
1. Log on to the CloudMonitor console.
2. In the left-side navigation pane, open the Cloud Service Monitoring page.
3. On the Cloud Service Monitoring page, click All cloud products and select PrivateLink-Endpoint services.
4. On the PrivateLink-Endpoint services page, click Create Alert Rule.
5. In the Create Alert Rule panel, specify the parameters and click Confirm. The following list describes the key parameters that are related to an endpoint service. For more information about the other parameters, see Create an alert rule.
   - Product: In this example, PrivateLink-Endpoint services is selected.
   - Resource Range: Specify the application scope of the alert rule. In this example, Instances is selected.
   - Associated Resources: In this example, the endpoint service that is created in VPC 2 is selected.
   - Rule Description: Specify the content of the alert rule. An alert is triggered if the specified metric meets the specified conditions. Click Add Rule. In the Configure Rule Description panel, configure the following parameters and click OK.

     Parameter | Description |
     --- | --- |
     Alert Rule | Enter a name for the rule. |
     Metric Type | Select the type of the metric that is used to trigger an alert. In this example, Single Metric is selected. |
     Metric | Select a metric from the drop-down list. In this example, Service Resource Inbound Bandwidth is selected. |
     Select Dimension | Select the zone ID and the service resource ID. In this example, cn-hangzhou-h is selected for the zoneId parameter and the ID of CLB 1 in VPC 2 is selected for the resourceId parameter. |
     Threshold and Alert Level | Specify the alert threshold and the alert level of the alert rule. In this example, Warning is selected as the alert level, and 1 Consecutive Cycles (1 Cycle = 1 Minutes) Average >= 20 Mibit/s is specified as the alert condition. This means that the inbound bandwidth of the service resource is checked once every minute, and an alert is triggered if the inbound bandwidth is greater than or equal to 20 Mbit/s. |
     Chart Preview | Displays the monitoring chart of the metric within a specified period of time. |

   - Mute For: Specify the interval after which an alert is resent if the alert is not cleared. In this example, 30 Minutes is selected.
   - Effective Period: Specify the time period during which the alert rule remains effective. CloudMonitor checks monitoring data and determines whether to generate alerts only during the specified period. In this example, 00:00 - 23:59 is specified.
   - Alert Contact Group: Specify the contact group to which alerts are sent. For more information about how to create a contact and a contact group, see Create an alert contact or alert contact group.
Step 3: Use wrk to perform a stress test
You can use wrk to perform a stress test on CLB 1 in VPC 3. If the inbound bandwidth of CLB 1 reaches the specified alert threshold, an alert is triggered in CloudMonitor.
In this example, ECS instances run the Alibaba Cloud Linux operating system. For more information about how to install and use wrk in other operating systems, see the user guide of the operating system that you use.
1. Remotely log on to ECS 01 in VPC 1.
2. Run the following commands on ECS 01 in sequence to install wrk:
   sudo yum -y install luajit
   sudo yum -y install wrk
   If the information shown in the following figure is displayed, wrk is installed.
3. After wrk is installed, run the following command to perform a stress test on CLB 1 by using wrk. The command keeps 100 connections open from one thread for 600 seconds:
   wrk -c 100 -d 600 -t 1 http://<Domain name or IP address of the zone of the endpoint>
   If wrk prints a result summary like the one shown in the following figure, the stress test is complete.
4. Return to the Alert Rules page. After a few minutes, Alert is displayed in orange in the Status column. This indicates that the inbound bandwidth of CLB 1 has reached the alert threshold. In this case, you must distribute some of the traffic on CLB 1 to CLB 2.
Step 4: Add a service resource in the zone
1. Log on to the endpoint service console.
2. In the top navigation bar, select the region where the endpoint service in VPC 3 is deployed. In this example, China (Hangzhou) is selected.
3. On the Endpoint Service page, find the endpoint service that you want to manage and click its ID.
4. In the Service Resource section, click Add Service Resource.
5. In the Add Service Resource dialog box, select the zone that is to receive traffic and the CLB instance that you want to associate with the endpoint service. In this example, Hangzhou Zone H and the ID of CLB 2 are selected.
6. Click OK.
Step 5: Replace the service resource in the zone
If you replace the service resource, the current connection will be closed for around 3 seconds. We recommend that you evaluate the risks before you replace the service resource.
Before you replace the service resource, make sure that the following requirements are met:
The endpoint connection is in the Connected state.
The zone of the endpoint is in the Connected or Disconnected state.
In addition to CLB 1, at least one service resource is available in Zone H.
Automatic allocation is disabled for CLB 2. For more information, see the Enable and disable automatic allocation for a service resource section of this topic.
1. Log on to the endpoint service console.
2. In the top navigation bar, select the region where the endpoint service is deployed. In this example, China (Hangzhou) is selected.
3. On the Endpoint Service page, find the endpoint service that you want to manage and click its ID.
4. On the endpoint service details page, click the Endpoint Connections tab, find the endpoint in VPC 2, and then click the icon before the endpoint to show the zone details.
5. Select the zone that you want to manage and click Replace Service Resource in the Actions column.
6. In the Replace Service Resource dialog box, select Smooth Migration or Forcible Migration, select CLB 2 from the drop-down list, and then click OK.
   Note: Smooth migration works in the following way:
   - The system automatically creates a new endpoint elastic network interface (ENI), connects the new endpoint ENI to CLB 2, records the IP address of the new endpoint ENI, and then adds that IP address to the Domain Name System (DNS) resolution list of the endpoint.
   - The system automatically removes the IP address of the original endpoint ENI from the DNS resolution list.
   - After you verify that all existing services are deleted, perform Step 7 and Step 8 to disconnect CLB 1 from the original endpoint ENI. After CLB 1 is disconnected from the original endpoint ENI, the original endpoint ENI is deleted.
7. Click Disconnect from Previous Service Resource in the Actions column of the zone.
8. In the Are you sure that you want to disconnect from the previous service resources? message, click Yes.
9. After CLB 1 is replaced, remotely log on to ECS 02 and run the curl command to test whether ECS 02 in VPC 2 can access the services deployed on ECS 05 in VPC 3.
   curl <Domain name or IP address of the zone of the endpoint>
   If the information shown in the following figure is displayed, ECS 02 can access the services deployed on ECS 05.
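The page states that a replacement closes the current connection for around 3 seconds and that smooth migration swaps the endpoint ENI address in DNS. The following script is an added example, not part of the Alibaba Cloud documentation or product: run from a client such as ECS 02 while Step 5 is performed, it polls the endpoint's zone domain name once per second and reports the longest run of failed requests and the tick at which DNS switched, so you can compare the observed interruption with that figure. The host name and addresses in it are placeholders, and `watch()` takes the resolver and fetcher as parameters so that `demo()` runs offline on a constructed sequence.

```python
# Added example, not from the Alibaba Cloud page: poll a PrivateLink endpoint's
# zone domain name while its service resource is replaced, recording the resolved
# address (smooth migration swaps the endpoint ENI in DNS) and whether an HTTP
# request succeeds, to compare the interruption with the ~3 s the page states.
import socket
import time
import urllib.request
from collections import namedtuple
from typing import List, Optional

# t: tick index; ip: resolved address or None; ok: whether the request succeeded
Tick = namedtuple("Tick", "t ip ok")

def resolve(host: str) -> Optional[str]:
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None

def http_ok(url: str, timeout: float = 1.0) -> bool:
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except Exception:
        return False

def watch(host: str, ticks: int, resolver=resolve, fetcher=http_ok,
          interval: float = 1.0, sleep=time.sleep) -> List[Tick]:
    """Sample the endpoint `ticks` times, `interval` seconds apart."""
    samples = []
    for i in range(ticks):
        samples.append(Tick(i, resolver(host), fetcher(f"http://{host}/")))
        if i < ticks - 1:
            sleep(interval)
    return samples

def longest_outage(samples: List[Tick]) -> int:
    """Longest run of consecutive failed requests, in ticks."""
    longest = run = 0
    for s in samples:
        run = 0 if s.ok else run + 1
        longest = max(longest, run)
    return longest

def dns_switch_tick(samples: List[Tick]) -> Optional[int]:
    """First tick whose resolved address differs from the initial one."""
    first = samples[0].ip if samples else None
    return next((s.t for s in samples if s.ip != first), None)

def demo() -> dict:
    """Offline run on constructed data: DNS switches at tick 3 and 3 requests fail."""
    ips = iter(["10.0.0.1"] * 3 + ["10.0.0.2"] * 4)
    oks = iter([True, True, False, False, False, True, True])
    samples = watch("ep.example", 7, resolver=lambda h: next(ips),
                    fetcher=lambda u: next(oks), sleep=lambda s: None)
    return {"longest_outage_ticks": longest_outage(samples),
            "dns_switch_tick": dns_switch_tick(samples)}
```

For a live measurement, call `watch("<Domain name of the zone of the endpoint>", 60)` from the client VPC and pass the result to `longest_outage()` and `dns_switch_tick()`.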
What to do next
Enable and disable automatic allocation for a service resource
Before you disable automatic allocation for a service resource, make sure that at least one service resource that can be automatically allocated is available in a zone.
1. Log on to the endpoint service console.
2. In the top navigation bar, select the region where the endpoint service is deployed.
3. On the Endpoint Service page, find the endpoint service that you want to manage and click its ID.
4. On the endpoint service details page, find the service resource that you want to manage in the Service Resource section and turn the switch in the Automatic Allocation column on or off based on your business requirements:
   - To enable automatic allocation, turn on Disabled. In the Do you want to enable automatic allocation? message, click Allow.
   - To disable automatic allocation, turn off Enabled. In the Are you sure that you want to disable automatic allocation? message, click Disable.
Disconnect from a service resource in a zone
Before you disconnect from a service resource in a zone, make sure that the following requirements are met:
The endpoint connection is in the Connected state.
The zone of the endpoint is in the Connected state.
The service resource is allocated to the zone of the endpoint.
1. Log on to the endpoint service console.
2. In the top navigation bar, select the region where the endpoint service is deployed.
3. On the Endpoint Service page, find the endpoint service that you want to manage and click its ID.
4. On the endpoint service details page, click the Endpoint Connections tab, find the endpoint that you want to manage, and then click the icon before the endpoint to show the zone details.
5. Select the zone that you want to manage and disconnect from the service resource in the Actions column based on the following scenarios:
   - In a smooth migration scenario, click Disconnect from Previous Service Resource. In the message that appears, click Yes. Then, click Disconnect from Service Resource.
   - In a scenario in which a forcible migration is performed or no migration is performed, click Disconnect from Service Resource.
   Note: In a smooth migration scenario, both the new endpoint ENI and the original endpoint ENI are displayed in the zone details.
6. In the Are you sure that you want to disconnect from the previous service resources? message, click Yes.
Delete a service resource
After you remove a service resource from the endpoint service, other VPCs will be unable to access the service resource of the endpoint service over PrivateLink connections. Exercise caution when you perform this operation.
1. Log on to the endpoint service console.
2. In the top navigation bar, select the region where the endpoint service is deployed.
3. On the Endpoint Service page, find the endpoint service that you want to manage and click its ID.
4. On the endpoint service details page, find the service resource that you want to manage in the Service Resource section and perform operations based on the following scenarios:
   - If the service resource is not allocated to a zone of an endpoint:
     1. Click Delete in the Actions column of the service resource.
     2. In the Remove Resource message, click OK.
   - If the service resource is allocated to a zone of an endpoint:
     1. Click Replace Resource in the Actions column of the service resource.
     2. In the Replace Service Resource dialog box, specify the parameters that are described in the following table and click OK.

        Parameter | Description |
        --- | --- |
        Migration Type | Select Smooth Migration or Forcible Migration based on your business requirements. If you select Smooth Migration, click Release Previous Endpoint Connections in the Actions column after the migration is complete. After the previous connections are released, delete the service resource. If you select Forcible Migration, you can directly delete the service resource after the migration is complete. |
        Select Destination Service Resource | Select the service resource that is used to replace the current service resource. |
        Select Source Endpoint Connection | Select the endpoint connection that is associated with the current service resource. |

     3. Click Delete in the Actions column of the service resource.
     4. In the Remove Resource message, click OK.
   Note: If the service resource that you want to delete is allocated to a zone of an endpoint, you must first turn off Enabled in the Automatic Allocation column of the service resource in the Service Resource section.
References
UpdateVpcEndpointZoneConnectionResourceAttribute: modifies the service resources in a zone to which an endpoint connection belongs.
EnableVpcEndpointZoneConnection: accepts connection requests from an endpoint in the associated zone.
DisableVpcEndpointZoneConnection: rejects connection requests from an endpoint in the associated zone.
UpdateVpcEndpointServiceResourceAttribute: modifies the attributes of a service resource that is added to an endpoint service.
DetachResourceFromVpcEndpointService: removes a service resource from an endpoint service.