All Products
Search
Document Center

PrivateLink:Access services in a VPC that belongs to another account by using PrivateLink

最終更新日:Aug 22, 2024

If you want to allow a Server Load Balancer (SLB) instance in a virtual private cloud (VPC) to provide services for a VPC that belongs to another account, you can use PrivateLink to establish a network connection between the two VPCs. This topic describes how to use PrivateLink to access a Classic Load Balancer (CLB) instance in a VPC that belongs to another account.

Background information

VPCs are private networks that are isolated from each other in the cloud. You can use PrivateLink to establish a secure and stable private connection between a VPC and an Alibaba Cloud service. This simplifies the network architecture and prevents security risks over the Internet.

To establish a PrivateLink connection, you must create an endpoint service and an endpoint.

  • Endpoint service

    An endpoint service can be accessed by using an endpoint in another VPC over a PrivateLink connection. Endpoint services are created and managed by service providers.

  • Endpoint

    An endpoint can be associated with an endpoint service to establish a PrivateLink connection that allows a VPC to access external services. Endpoints are created and managed by service consumers.

Entity

Description

Service provider

Creates and manages endpoint services.

Service consumer

Creates and manages endpoints.

Scenarios

The following scenario is used as an example. Company A creates two VPCs in the Germany (Frankfurt) region with Alibaba Cloud accounts: VPC 1 and VPC 2. VPC 1 is created by using Account A and VPC 2 is created by using Account B. Two Elastic Compute Service (ECS) instances are created in VPC 2: ECS 2 and ECS 3. Application services are deployed on the ECS instances in VPC 2. Due to business growth, VPC 1 needs to access services in VPC 2. To prevent security risks over the Internet, a private connection needs to be established between the two VPCs.

In this scenario, you can create a CLB instance that supports PrivateLink in VPC 2 and specify the ECS instances as the backend servers of the CLB instance. As a result, the CLB instance can receive client traffic and distribute the traffic to the corresponding ECS instances based on the forwarding rules of a listener. Create an endpoint service, specify the CLB instance as the service resource of the endpoint service, and then add the ID of Account A to the whitelist of the endpoint service. Then, create an endpoint in VPC 1. After the endpoint is created and connected to the endpoint service in VPC 2 as expected, VPC 1 can access the services in VPC 2.

image

Limits

  • To support PrivateLink, the CLB instance that serves as a service resource in VPC 2 must be a pay-as-you-go internal-facing CLB instance.

  • When you create an endpoint service, you must select a region that supports PrivateLink and CLB instances. For more information about the regions that support PrivateLink and CLB instances, see Regions and zones that support PrivateLink and Regions that support CLB.

  • The endpoint and endpoint service must be deployed in the same zone where the CLB instance is deployed.

Prerequisites

  • If this is the first time that you use PrivateLink, go to the PrivateLink activation page to activate PrivateLink as instructed.

  • VPC 1 is created by using Account A and VPC 2 is created by using Account B in the Germany (Frankfurt) region. A vSwitch is created for each VPC. For more information, see the Step 1: Create a VPC and vSwitches section of the Create a VPC with an IPv4 CIDR block topic.

  • ECS 1 is created in VPC 1 that belongs to Account A. ECS 2 and ECS 3 are created in VPC 2 that belongs to Account B. Different NGINX services are deployed on ECS 2 and ECS 3.

    • For more information about how to create an ECS instance, see Create an instance on the Custom Launch tab.

    • The following code blocks show how to deploy applications on ECS 2 and ECS 3:

      Commands to deploy the application on ECS 2

      yum install -y nginx
      systemctl start nginx.service
      cd /usr/share/nginx/html/
      echo "Hello World ! This is ECS2." > index.html

      Commands to deploy the application on ECS 3

      yum install -y nginx
      systemctl start nginx.service
      cd /usr/share/nginx/html/
      echo "Hello World ! This is ECS3." > index.html
  • A security group is created in VPC 1. You can configure security group rules based on your requirements for business and security.

    For more information, see Create a security group.

    Note

    ECS 2 and ECS 3 in VPC 2 belong to the default security group, which is created by the system when the ECS instances are created.

The following table describes how networks of the VPCs are planned in this example. Your services are not adversely affected if the CIDR blocks of your VPCs overlap with each other.

Item

VPC 1

VPC 2

Region

Germany (Frankfurt)

Germany (Frankfurt)

CIDR block

  • VPC: 10.10.0.0/16

  • vSwitch: 10.10.2.0/24

  • VPC: 192.168.0.0/16

  • vSwitch: 192.168.24.0/24

vSwitch zone

Zone B

Zone B

ECS instance IP address

ECS 1: 10.10.2.1

  • ECS 2: 192.168.24.200

  • ECS 3: 192.168.24.12

Procedure

image

Step 1: Create a CLB instance that supports PrivateLink

  1. Log on to the CLB console with Account B.

  2. On the Instances page, click Create CLB.

  3. On the CLB (Pay-As-You-Go) International Site buy page, set the parameters of the CLB instance described in the following table, and click Buy Now to complete the payment.

    Parameter

    Description

    Region

    Select a region where you want to create the CLB instance.

    In this example, Germany (Frankfurt) is selected.

    Note

    Make sure that the CLB instance and the ECS instances that you want to specify as backend servers belong to the same region.

    Zone Type

    Specify whether to deploy the CLB instance in one zone or across multiple zones. By default, Multi-zone is selected.

    Primary Zone

    Select a primary zone for the CLB instance to receive network traffic. In this example, Europe Central 1 Zone B is selected.

    Backup Zone

    Select a secondary zone for the CLB instance. The secondary zone receives network traffic only if the primary zone is unavailable.

    In this example, Europe Central 1 Zone A is selected.

    Instance Name

    Enter a name for the CLB instance.

    Instance Type

    Select a type for the CLB instance. You can create an Internet-facing CLB instance or an internal-facing CLB instance based on your business requirements. The system allocates a public or private IP address to the CLB instance based on the specified instance type.

    In this example, Intranet is selected.

    Instance Billing Method

    Select a billing method for the CLB instance. Valid values:

    • Pay-By-Specification

    • Pay-By-CLCU

    In this example, Pay-By-Specification is selected.

    Specification

    Select a specification for the CLB instance. CLB instances of different specifications deliver different performances. In this example, Small I (slb.s1.small) is selected.

    Network Type

    Select a network type for the CLB instance.

    In this example, VPC is selected.

    IP Version

    Select an IP version for the CLB instance. In this example, IPv4 is selected.

    Feature

    Select a feature type for the CLB instance. By default, Standard is selected.

    VPCId

    Select VPC 2.

    VswitchId

    Select a vSwitch in VPC 2.

    Internet Data Transfer Fee

    Select a metering method for Internet traffic. Internet-facing CLB instances support the following metering methods:

    • By traffic: the pay-by-data-transfer metering method

    • By bandwidth: the pay-by-bandwidth metering method

    By default, By traffic is selected.

    Note

    Internet-facing CLB instances use the pay-by-data-transfer metering method. In this example, the CLB instance that you want to create is internal-facing and does not generate traffic fees.

    Resource Group

    Select a resource group for the CLB instance. In this example, Default Resource Group is selected.

    Quantity

    Specify the number of CLB instances that you want to purchase. In this example, 1 is specified.

Step 2: Configure the CLB instance

After the CLB instance is created, you must add at least one listener and one group of backend servers to the CLB instance. This way, network traffic can be forwarded by the CLB instance.

  1. Log on to the CLB console with Account B.

  2. On the Instances page, find the CLB instance that was created in Step 1 and click Configure Listener in the Actions column.

  3. On the Protocol & Listener wizard page, set the following parameters, use the default values for other parameters, and then click Next:

    • Select Listener Protocol: In this example, TCP is selected.

    • Listener Port: specifies the port that the CLB instance uses to receive requests and forward the requests to the backend servers.

      In this example, 80 is specified.

  4. On the Backend Servers wizard page, select Default Server Group and click Add More to add backend servers.

    1. In the Servers panel, select ECS 2 and ECS 3 that you created, and click Next.

    2. Specify weights for the backend servers and click Add.

      A backend server with a higher weight receives more requests. In this example, the default value 100 is used.

    3. On the Default Server Group tab, specify a backend port and click Next. In this example, 80 is specified.

      You can specify the same port for multiple backend servers of a CLB instance.

  5. On the Health Check wizard page, configure the health check feature and click Next. In this example, the default values of the parameters are used.

  6. On the Confirm wizard page, check the configurations and click Submit.

  7. Click OK to return to the Instances page.

    If the health check status of an ECS instance is Healthy, the ECS instance can process requests that are forwarded by the CLB instance.

Step 3: Create an endpoint service

After you create an endpoint service in a VPC, you can use an endpoint that is deployed in another VPC to access the endpoint service by using PrivateLink.

  1. Log on to the endpoint service console with Account B.

  2. In the top navigation bar, select the region in which you want to create an endpoint service. In this example, Germany (Frankfurt) is selected.

  3. On the Endpoint Service page, click Create Endpoint Service.

  4. On the Create Endpoint Service page, set the parameters described in the following table and click OK.

    The following table describes the parameters that are relevant to this topic. For more information about how to configure other parameters, see the Create an endpoint service section of the Create and manage endpoint services topic.

    Parameter

    Description

    Select Service Resource

    Select a zone that you want to receive network traffic. Then, select the CLB instance that you want to associate with the endpoint service.

    In this example, Frankfurt Zone B and the CLB instance created in Step 1 are selected.

    Automatically Accept Endpoint Connections

    Specify whether the endpoint service automatically accepts connection requests from endpoints. In this example, No is selected.

    • Yes: If you select this option, the endpoint service automatically accepts connection requests from endpoints. As a result, you can use endpoints to access the service resources of the endpoint service.

    • No: If you select this option, the endpoint connection of the endpoint service is in the Disconnected state by default. In this case, connection requests to the endpoint service must be manually accepted or denied by the service provider.

      • If the service provider accepts a connection request from an endpoint, the service resources of this endpoint service can be accessed by using the endpoint.

      • If the service provider denies a connection request from an endpoint, the service resources of this endpoint service cannot be accessed by using the endpoint.

    Enable Zone Affinity

    In this example, Yes is selected. This indicates that the domain name of the nearest endpoint is first resolved among all the endpoints that are associated with the endpoint service.

After the endpoint service is created, you can view the instance ID and name of the endpoint service.

Step 4: Add a whitelist for the endpoint service

You can add a whitelist for an endpoint service. If the ID of your account is in the whitelist, you can use your account to create an endpoint and connect the endpoint to the endpoint service.

To add the ID of Account A to the whitelist for the endpoint service that you created by using Account B, perform the following steps:

  1. Log on to the endpoint service console with Account B.

  2. In the left-side navigation pane, click Endpoint Service.

  3. On the Endpoint Service page, find the endpoint service that you created in Step 3, and click its ID.

  4. Click the Service Whitelist tab and click Add to Whitelist.

  5. In the Add to Whitelist dialog box, enter the account ID that you want to add to the whitelist, and click OK.

    In this example, the ID of Account A is entered. The following figure shows an example.

    创建终端节点服务-创建服务

Step 5: Create an endpoint

An endpoint can be associated with an endpoint service to establish a PrivateLink connection that allows a VPC to access external services.

  1. Log on to the endpoint console with Account A.

  2. In the top navigation bar, select the region in which you want to create an endpoint. In this example, Germany (Frankfurt) is selected.

  3. On the Endpoints page, click Create Endpoint.

  4. On the Create Endpoint page, set the parameters described in the following table and click OK.

    The following table describes the parameters that are relevant to this topic. For more information about how to configure other parameters, see the Create an endpoint section of the Create and manage endpoints topic.

    Parameter

    Description

    Endpoint Name

    Enter a name for the endpoint.

    Endpoint Type

    Select a type for the endpoint. In this example, Interface Endpoint is selected.

    Endpoint Service

    Select the endpoint service that you want to associate.

    In this example, Select Service is clicked, and the endpoint service created in Step 3 is selected.

    VPC

    Select the VPC where you want to create the endpoint. In this example, VPC 1 is selected.

    Security Groups

    Select the security group that you want to associate with the endpoint elastic network interface (ENI). The security group is used to control data transfer from the VPC to the endpoint ENI.

    Note

    Make sure that the rules in the security group allow clients to access the endpoint ENI.

    By default, you can add an endpoint to up to five security groups.

    Zone and vSwitch

    Select the zone of the endpoint service and select a vSwitch in the zone. The system automatically creates an endpoint ENI and attaches it to the vSwitch.

    In this example, Frankfurt Zone B and a vSwitch created in VPC 1 are selected.

After you create the endpoint, you can view the domain name of the endpoint and the domain name and IP address of the selected zone on the details page of the endpoint.

Step 6: Accept connection requests from the endpoint

After you create an endpoint in VPC 1, you must configure the endpoint service to accept connection requests from the endpoint. This way, resources in VPC 1 can access the endpoint service in VPC 2 by using the endpoint.

Note

Skip this step if you set the Automatically Accept Endpoint Connections parameter to Yes in Step 3.

To allow the endpoint service within Account B to accept connection requests from the endpoint within Account A, perform the following steps:

  1. Log on to the endpoint service console with Account B.

  2. In the top navigation bar, select the region where the endpoint service is deployed. In this example, Germany (Frankfurt) is selected.

  3. On the Endpoint Service page, find the endpoint service that you created in Step 3, and click its ID.

  4. On the details page of the endpoint service, click the Endpoint Connections tab, find the endpoint that you want to manage, and then click Allow in the Actions column.

  5. In the Allow Connection dialog box, click OK.

After you allow the endpoint service to accept connection requests from the endpoint, the state of the endpoint connection changes from Disconnected to Connected. Then, the endpoint service can process requests from the endpoint.

Step 7: Access services by using the endpoint

To test whether ECS 1 in VPC 1 can access the services that are deployed on ECS 2 and ECS 3 in VPC 2 by using the endpoint, perform the following steps:

Note

In this example, ECS instances run the Alibaba Cloud Linux operating system. For more information about how to test the network connectivity between VPC 1 and VPC 2 in other operating systems, see the user guide of the operating system that you use.

  1. Log on to ECS 1 in VPC 1 with Account A. For more information, see Connection method overview.

  2. Open a browser on ECS 1 by using Account A.

  3. After you log on to ECS 1 in VPC 1, you can use one of the following methods to test the connectivity between VPCs:

    • Access the services deployed in VPC 2 by using the domain name displayed in the Domain Name of Endpoint Service section.

      1. On the endpoint details page, view the generated domain name of the endpoint service.

        image

      2. Run the curl command to test the network connectivity.

        image

    • Access the services deployed in VPC 2 by using the domain name or IP address of the zone where the endpoint is deployed.

      1. On the details page of the endpoint, click the Zone and ENI tab to view the generated domain name and IP address of the zone.

      2. Run the curl command to test the network connectivity.

        image.pngimage.png