Simple Application Server: Service interconnection

Last Updated: Oct 11, 2024

Simple application servers are automatically assigned to virtual private clouds (VPCs) for network isolation. By default, simple application servers are not interconnected with other Alibaba Cloud services that reside in VPCs, such as Elastic Compute Service (ECS) and ApsaraDB. The service interconnection feature allows simple application servers to interconnect with other Alibaba Cloud services over VPCs. This topic describes how to enable the service interconnection feature and then manage VPCs.

Note

The Simple Application Server console supports the service interconnection feature only for services that belong to the same Alibaba Cloud account and reside in the same region. In this case, the service interconnection feature is free of charge. If you want to enable the service interconnection feature for services across Alibaba Cloud accounts or regions, you must perform relevant operations in the Cloud Enterprise Network (CEN) console. In this case, you are charged for the service interconnection feature. For more information, see Billing rules, the "Grant Account B permissions on the VPC" section of the Grant a transit router permissions on a network instance that belongs to another Alibaba Cloud account topic, and Manage inter-region connections.

Scenarios

By default, all simple application servers that belong to the same Alibaba Cloud account and reside in the same region can communicate with each other. The service interconnection feature is mainly used in the following scenarios:

  • Simple application servers require access to ECS instances over VPCs.

  • Simple application servers require access to ApsaraDB databases over VPCs.

Note

By default, simple application servers and Object Storage Service (OSS) buckets that reside in the same region can communicate with each other over VPCs. In this case, you do not need to enable service interconnection. For more information, see Implement service interconnection over the internal endpoint of an OSS resource.

The following figure shows a sample scenario. An enterprise purchases two VPCs in the China (Hangzhou) region and deploys simple application servers in VPC 1 and ECS instances in VPC 2. The enterprise wants to build connections between the simple application servers and the ECS instances across the VPCs.

Limits

  • The following limits apply to simple application servers that belong to the same Alibaba Cloud account:

    • All simple application servers in the same region are automatically assigned to the same VPC. The VPC can be added to only one CEN instance.

    • Simple application servers in different regions are added to region-specific VPCs. You must separately enable service interconnection for each region in the Simple Application Server console.

  • Operations performed in the CEN console are not synchronized to the Simple Application Server console. After you enable the service interconnection feature, we recommend that you perform operations, such as managing VPCs, in the Simple Application Server console. For more information, see the Add or remove a VPC section of this topic.

Billing

The Simple Application Server console supports the service interconnection feature only for services that belong to the same Alibaba Cloud account and reside in the same region. In this case, the service interconnection feature is free of charge.

Enable service interconnection

Warning

The first time you configure the service interconnection feature in a region, the simple application servers in the region stop for approximately 1 minute, which may result in business interruptions. We recommend that you configure service interconnection during off-peak hours.

  1. Log on to the Simple Application Server console.

  2. In the left-side navigation pane, click Service Interconnection.

  3. In the top navigation bar, select the region and resource group to which the simple application server belongs.

  4. In the upper-left corner of the Service Interconnection page, click Service Interconnection.

    The first time you configure the service interconnection feature in an Alibaba Cloud account, you are prompted to confirm authorization. After you click OK in the message that appears, the system automatically creates a service-linked role for Simple Application Server. For more information, see the Create or delete the service-linked role section of this topic.

  5. In the Configure Service Interconnection dialog box, configure parameters based on your business requirements.

    The following table describes the parameters.

    Parameter: Region
    Description: The region that you selected in the top navigation bar is displayed. You cannot change the region. Example: China (Hangzhou).

    Parameter: CEN Instance
    Description: Select a CEN instance from the drop-down list. If no CEN instance is available in the drop-down list, click Automatic Creation to automatically create a CEN instance.

    Warning
    • Simple Application Server supports only CEN Basic Edition transit routers. If you select a CEN Enterprise Edition transit router that you created in the CEN console, the service interconnection feature of Simple Application Server is unavailable. For more information about CEN Basic Edition and CEN Enterprise Edition, see the Transit router editions section in the "What is CEN?" topic.

    • You can select only one CEN instance in a region. To change the CEN instance, you must remove all VPCs from the service interconnection list. For more information, see the Add or remove a VPC section of this topic.

    Parameter: VPC
    Description: Select the IDs of the VPCs for which you want to enable the service interconnection feature. You can add VPCs to or remove VPCs from the service interconnection list in a region based on your business requirements. For more information, see the Add or remove a VPC section of this topic.

  6. Click Confirm.

    On the Service Interconnection page, you can view the VPCs that you added.

    Note

    If a message appears indicating that a network conflict occurs and may disrupt service interconnection, we recommend that you test the interconnectivity of the VPCs. If the VPCs cannot be interconnected, resolve the issue as described in Question 1: What do I do if the "A network conflict occurs, which may cause discontinuity of service interconnection" message appears after I enable the service interconnection feature for VPCs in a region?

  7. Test interconnectivity.

    In this example, a simple application server in VPC 1 and an ECS instance in VPC 2 that belong to the same Alibaba Cloud account and reside in the same region are used. This example assumes that you selected VPC 2 for the VPC parameter in Step 5.

    Important

    If a simple application server and an ApsaraDB for Redis instance need to communicate with each other over VPCs, you must add the private IP address or CIDR block of the simple application server to the whitelist of the ApsaraDB for Redis instance. For more information, see Step 2: Configure whitelists.

    1. Connect to the simple application server.

      For more information, see Connect to a Linux server.

    2. Run the ping command to ping the IP address of the ECS instance in VPC 2 and check the connectivity between the simple application server and the ECS instance.

      The following figure shows a sample message, which indicates that the connection between the simple application server and the ECS instance is established.

Add or remove a VPC

After you enable the service interconnection feature for VPCs in a region, you can continue to add VPCs to or remove VPCs from the service interconnection list.

  • Add a VPC: After you add a VPC, the simple application servers in the region are interconnected with the cloud services in the VPC.

  • Remove a VPC: After you remove a VPC, the simple application servers in the region are disconnected from the cloud services in the VPC.

  1. Log on to the Simple Application Server console.

  2. In the left-side navigation pane, click Service Interconnection.

  3. Add a VPC to or remove a VPC from the service interconnection list.

    • Add a VPC

      On the Service Interconnection page, click Service Interconnection.

      In the Configure Service Interconnection dialog box, select the VPC that you want to add to the service interconnection list. For information about how to configure the VPC parameter, see the table in Step 5 of the "Enable service interconnection" section in this topic.

      Click Confirm.

    • Remove a VPC

      On the Service Interconnection page, find the VPC that you want to remove and click Remove in the Actions column.

      Note
      • After you remove a VPC, the simple application servers in the region are disconnected from the cloud services in the VPC.

      • If you deleted the AliyunServiceRoleForSwas service-linked role for Simple Application Server, a message appears after you click Remove in the Actions column that corresponds to a VPC. The message prompts you to re-authorize Simple Application Server to obtain the IDs of your VPCs and CEN instances. In the message, click OK. Then, you can remove the VPC.

      Click Confirm.

Create or delete the service-linked role

Service-linked role

AliyunServiceRoleForSwas is a service-linked role that is provided by Resource Access Management (RAM). The service-linked role allows Simple Application Server to access other Alibaba Cloud resources. Simple Application Server can obtain access to resources in CEN and VPC by using the AliyunServiceRoleForSwas role to enable service interconnection. For more information, see Service-linked roles.

Permissions

The following section describes the permissions of the service-linked role of Simple Application Server:

  • Role name: AliyunServiceRoleForSwas.

  • Policy: AliyunServiceRolePolicyForSwas.

  • Description: The first time you configure the service interconnection feature for a region, you must grant Simple Application Server the permissions to access resources of other Alibaba Cloud services such as CEN and VPC.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "vpc:DescribeVpcs",
                    "vpc:DescribeVSwitches"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "cen:CreateCen",
                    "cen:DescribeCens",
                    "cen:DescribeCenAttachedChildInstanceAttribute",
                    "cen:DescribeChildInstanceRegions",
                    "cen:DescribeGrantRulesToCen",
                    "cen:ModifyCenAttribute",
                    "cen:AttachCenChildInstance",
                    "cen:DetachCenChildInstance",
                    "cen:DeleteCen"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:DeleteServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "swas.aliyuncs.com"
                    }
                }
            }
        ]
    }
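As an added example (not part of this page or of Alibaba Cloud's tooling), the following Python audit loads a copy of the AliyunServiceRolePolicyForSwas policy shown above and reports which Allow actions it grants per service and which write actions apply to every resource without a Condition. The function names are assumptions made for this example.

```python
import copy
from typing import Dict, Iterable, List, Set

# Copy of the AliyunServiceRolePolicyForSwas policy shown above, as a Python dict so the
# audit functions below can run offline on it.
SWAS_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["vpc:DescribeVpcs", "vpc:DescribeVSwitches"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["cen:CreateCen", "cen:DescribeCens", "cen:DescribeCenAttachedChildInstanceAttribute",
                    "cen:DescribeChildInstanceRegions", "cen:DescribeGrantRulesToCen",
                    "cen:ModifyCenAttribute", "cen:AttachCenChildInstance",
                    "cen:DetachCenChildInstance", "cen:DeleteCen"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "swas.aliyuncs.com"}}},
    ],
}


def _as_list(value) -> List[str]:
    # RAM policies allow either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)


def allowed_actions_by_service(policy: dict) -> Dict[str, Set[str]]:
    """Group every Allow action by its service prefix (the part before ':')."""
    by_service: Dict[str, Set[str]] = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt["Action"]):
                by_service.setdefault(action.split(":", 1)[0], set()).add(action)
    return by_service


def unconditioned_actions(policy: dict, prefixes: Iterable[str]) -> List[str]:
    """Allow actions matching `prefixes` that apply to Resource '*' and carry no Condition."""
    prefixes = tuple(prefixes)
    findings: List[str] = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition") or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        findings.extend(a for a in _as_list(stmt["Action"]) if a.startswith(prefixes))
    return findings


def without_condition(policy: dict) -> dict:
    """Constructed negative case: the same policy with every Condition block dropped."""
    weakened = copy.deepcopy(policy)
    for stmt in weakened["Statement"]:
        stmt.pop("Condition", None)
    return weakened
```

Run against the policy above, the audit confirms that the RAM delete action is scoped to swas.aliyuncs.com while the CEN delete and detach actions are granted on every CEN instance in the account.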

Create the service-linked role

The first time you configure the service interconnection feature for a region, the system checks whether the AliyunServiceRoleForSwas service-linked role is created in your Alibaba Cloud account. If the service-linked role does not exist, you must grant Simple Application Server the permissions to access resources of other Alibaba Cloud services. Then, the system creates the service-linked role.

The AliyunServiceRolePolicyForSwas system policy is attached to the AliyunServiceRoleForSwas service-linked role. The policies that are attached to service-linked roles are defined and used by the linked Alibaba Cloud services. You cannot add, modify, or remove permissions for service-linked roles.

Delete the service-linked role

Before you delete the AliyunServiceRoleForSwas service-linked role, make sure that no simple application servers in your Alibaba Cloud account are assuming the role. For more information, see Delete a RAM role.

Note

If you want to continue to use the service interconnection feature after you delete the AliyunServiceRoleForSwas service-linked role, you can click Service Interconnection on the Service Interconnection page. After you follow the on-screen instructions to grant Simple Application Server the permissions to access resources of other Alibaba Cloud services, the system re-creates the AliyunServiceRoleForSwas service-linked role.

FAQ

Question 1: What do I do if the "A network conflict occurs, which may cause discontinuity of service interconnection" message appears after I enable the service interconnection feature for VPCs in a region?

Answer: If the CIDR blocks of simple application servers conflict with the CIDR blocks of other Alibaba Cloud services in the region, service interconnection may be disrupted. We recommend that you test the interconnectivity of the CIDR blocks. If the CIDR blocks cannot be interconnected, resolve the issue as described in What do I do if the CIDR blocks of vSwitches overlap with each other? or Change the VPC of an ECS instance.
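The network conflict warned about in Step 6 and in this answer is a CIDR overlap between VPCs that will share a CEN instance. The following Python check, added here as an example and not part of the page or of Alibaba Cloud's tooling, finds every overlapping pair of CIDR blocks across the VPCs you intend to interconnect, so the conflict can be caught before enabling the feature. The VPC names and CIDR blocks are constructed sample values.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed sample input (assumed values, not taken from the page): the CIDR blocks of the
# region's simple application server VPC and of two VPCs that are candidates for the service
# interconnection list. A VPC may list several blocks (primary CIDR, secondary CIDRs, or
# vSwitch CIDRs), so overlaps at vSwitch granularity are caught as well.
SAMPLE_VPCS: Dict[str, List[str]] = {
    "vpc-swas": ["172.16.0.0/12"],   # simple application servers
    "vpc-ecs-1": ["10.0.0.0/16"],    # ECS instances, no overlap with vpc-swas
    "vpc-ecs-2": ["172.20.0.0/16"],  # ECS instances, lies inside 172.16.0.0/12
}

Conflict = Tuple[str, str, str, str]


def find_cidr_conflicts(vpcs: Dict[str, List[str]]) -> List[Conflict]:
    """Return (vpc_a, cidr_a, vpc_b, cidr_b) for every overlapping pair of CIDR blocks that
    belong to two different VPCs. Every pair matters: once attached to the same CEN instance,
    all listed VPCs route to each other, not only to the simple application server VPC."""
    conflicts: List[Conflict] = []
    for (name_a, cidrs_a), (name_b, cidrs_b) in combinations(vpcs.items(), 2):
        for cidr_a in cidrs_a:
            net_a = ipaddress.ip_network(cidr_a, strict=False)
            for cidr_b in cidrs_b:
                net_b = ipaddress.ip_network(cidr_b, strict=False)
                # overlaps() raises on mixed IPv4/IPv6, so compare versions first
                if net_a.version == net_b.version and net_a.overlaps(net_b):
                    conflicts.append((name_a, cidr_a, name_b, cidr_b))
    return conflicts


def safe_to_add(existing: Dict[str, List[str]], candidate_cidrs: List[str]) -> bool:
    """True if the candidate VPC's blocks overlap no VPC already in the interconnection list."""
    return all(
        not find_cidr_conflicts({name: cidrs, "candidate": candidate_cidrs})
        for name, cidrs in existing.items()
    )
```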

Question 2: Why does the service interconnection feature fail to take effect after the feature is enabled for the VPCs in which simple application servers and ApsaraDB for Redis instances reside?

Answer: To ensure the security and stability of ApsaraDB for Redis instances, the system prohibits all IP addresses from accessing an ApsaraDB for Redis instance. After you enable the service interconnection feature for the VPCs, you must add the private IP addresses or CIDR blocks of the simple application servers to the whitelist of the ApsaraDB for Redis instances. For more information, see Step 2: Configure whitelists.

For information about how to log on to an ApsaraDB for Redis instance, see Logon methods.

Question 3: Can I enable service interconnection only for a specific simple application server and a specific ECS instance to allow them to communicate with each other over VPCs?

Answer: No, you cannot enable service interconnection only for a specific simple application server and a specific ECS instance. If you enable the service interconnection feature for the VPCs in which a simple application server and an ECS instance reside, the feature takes effect on all simple application servers and ECS instances that reside in the VPCs. By default, all simple application servers that belong to the same Alibaba Cloud account and reside in the same region are added to the same VPC. This way, all simple application servers that belong to the same Alibaba Cloud account and reside in the same region can communicate with all ECS instances in a VPC for which you enable the service interconnection feature.