All Products
Search
Document Center

PrivateLink:Access an ALB instance in another VPC by using PrivateLink

最終更新日:Aug 21, 2024

If you want to allow an Application Load Balancer (ALB) instance in a virtual private cloud (VPC) to provide services for another VPC within the same Alibaba Cloud account, you can specify the ALB instance as a service resource in the VPC where the ALB instance is deployed and use PrivateLink to establish a network connection between the two VPCs.

Background information

VPCs are private networks that are isolated from each other in the cloud. You can use PrivateLink to establish a secure and stable private connection between a VPC and an Alibaba Cloud service. This simplifies the network architecture and prevents security risks over the Internet.

To establish a PrivateLink connection, you must create an endpoint service and an endpoint.

  • Endpoint service

    An endpoint service can be accessed by using an endpoint in another VPC over a PrivateLink connection. Endpoint services are created and managed by service providers.

  • Endpoint

    An endpoint can be associated with an endpoint service to establish a PrivateLink connection that allows a VPC to access external services. Endpoints are created and managed by service consumers.

Entity

Description

Service provider

Creates and manages endpoint services.

Service consumer

Creates and manages endpoints.

An ALB instance can serve as a service resource across multiple zones. ALB is a highly scalable service that can process large amounts of traffic at the application layer. In addition, ALB supports the advanced content-based routing feature. After you specify an ALB instance as a service resource of an endpoint service, the ALB instance can provide services across multiple zones. You do not need to configure an ALB instance for each zone. For more information, see What is ALB?

Scenarios

The following scenario is used as an example. Company A uses Alibaba Cloud Account A to create two VPCs in the China (Hangzhou) region. The VPCs are referred to as VPC 1 and VPC 2. In addition, the company creates two Elastic Compute Service (ECS) instances in each VPC. The ECS instances in VPC 1 are referred to as ECS 01 and ECS 02. The ECS instances in VPC 2 are referred to as ECS 03 and ECS 04. Different NGINX services are deployed on the ECS instances in VPC 2. Due to business growth, the ECS instances in VPC 1 require access to the services that are deployed on the ECS instances in VPC 2 over a private network.

In this scenario, you need to create an ALB instance that supports PrivateLink in VPC 2. Make sure that the instance is deployed across Hangzhou Zone H and Hangzhou Zone I. Then, create a backend server group (RS 1) for the instance and add ECS 03 and ECS 04 to the backend server group of the ALB instance. Create an endpoint service and specify the ALB instance as a service resource of the endpoint service. Create an endpoint in VPC 1 and connect the endpoint to the endpoint service. If the status of the connection is normal, the ECS instances in VPC 1 can access the services that are deployed on the ECS instances in VPC 2.

image

Limits

  • When you create an ALB instance that supports PrivateLink, you must set the network type of the ALB instance to internal-facing and set the IP address type to static.

  • When you create an endpoint service, select a region that supports both PrivateLink and ALB instances. For more information about the regions that support PrivateLink and the regions that support ALB instances, see Regions and zones that support PrivateLink and Regions and zones in which ALB is available.

  • The endpoint and the endpoint service must be deployed in the same zone. In addition, the zone must be one of the zones where the ALB instance is deployed.

Prerequisites

  • VPC 1 and VPC 2 are created in the China (Hangzhou) region. Two vSwitches are created in VPC 1: one in Zone H and the other in Zone I. Another two vSwitches are created in VPC 2: one in Zone H and the other in Zone I. For more information, see the Step 1: Create a VPC and vSwitches section of the Create a VPC with an IPv4 CIDR block topic.

  • Two ECS instances (ECS 01 and ECS 02) are created in VPC 1 to send connection requests. ECS 01 is deployed in Zone H and ECS 02 is deployed in Zone I. Two ECS instances (ECS 03 and ECS 04) are created in VPC 2 to receive and process requests. ECS 03 is deployed in Zone H and ECS 04 is deployed in Zone I. Different NGINX services are deployed on ECS 03 and ECS 04.

    • For more information about how to create an ECS instance, see Create an instance on the Custom Launch tab.

    • The following example shows how to deploy and test services on ECS 03 and ECS 04:

      Service deployment on ECS 03

      yum install -y nginx
      systemctl start nginx.service
      cd /usr/share/nginx/html/
      echo "Hello World ! This is ECS03." > index.html

      Service deployment on ECS 04

      yum install -y nginx
      systemctl start nginx.service
      cd /usr/share/nginx/html/
      echo "Hello World ! This is ECS04." > index.html
  • A security group is created in VPC 1. You can configure security group rules based on your requirements for business and security.

    For more information, see Create a security group.

    Note

    ECS 03 and ECS 04 in VPC 2 use the default security group, which is created by the system when the ECS instances are created.

The following table describes how networks of the VPCs are planned in this example. Your services are not adversely affected if the CIDR blocks of your VPCs overlap with each other.

Item

VPC 1

VPC 2

Region

China (Hangzhou)

China (Hangzhou)

CIDR block

  • VPC: 10.0.0.0/8

  • vSwitch 1: 10.0.10.0/24

  • vSwitch 2: 10.10.0.0/24

  • VPC: 192.168.0.0/16

  • vSwitch 1: 192.168.3.0/24

  • vSwitch 2: 192.168.5.0/24

vSwitch zone

  • vSwitch 1: Zone H

  • vSwitch 2: Zone I

  • vSwitch 1: Zone H

  • vSwitch 2: Zone I

ECS instance IP address

  • ECS 01 in Zone H: 10.0.10.3

  • ECS 02 in Zone I: 10.10.0.27

  • ECS 03 in Zone H: 192.168.3.190

  • ECS 04 in Zone I: 192.168.5.20

Procedure

image

Step 1: Create an ALB instance that supports PrivateLink

  1. Log on to the ALB console.

  2. On the Instances page, click Create ALB.

  3. On the Application Load Balancer buy page, set the parameters described in the following table for the ALB instance and click Buy Now.

    Parameter

    Description

    Region

    Select the region where you want to create an ALB instance. In this example, China (Hangzhou) is selected.

    Network Type

    Select a network type for the ALB instance. In this example, Intranet is selected.

    VPC

    Select a VPC where you want to deploy the ALB instance. In this example, VPC 2 is selected.

    Zone

    Select the zones where you want to deploy the ALB instance. You must select at least two zones. In this example, Hangzhou Zone H, Hangzhou Zone I, and a vSwitch in each zone are selected.

    IP Mode

    Select the type of the IP address that is used by the ALB instance. In this example, Static IP is selected.

    IP Version

    Select an IP version for the ALB instance. In this example, IPv4 is selected.

    • IPv4: If you select this option, the ALB instance can be accessed only by IPv4 clients.

    • Dual-stack: If you select this option, the ALB instance can be accessed by both IPv4 and IPv6 clients.

    Edition

    Select an edition for the ALB instance. In this example, Basic is selected.

    Instance Name

    Enter a name for the ALB instance.

    Resource Group

    Select the resource group to which the ALB instance belongs. In this example, Default Resource Group is selected.

Step 2: Create a backend server group for the ALB instance

  1. In the left-side navigation pane, choose ALB > Server Groups.

  2. On the Server Groups page, click Create Server Group.

  3. In the Create Server Group dialog box, set the parameters described in the following table and click Create.

    The following table describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see Create and manage server groups.

    Parameter

    Description

    Server Group Type

    Select the type of the server group that you want to create. In this example, Server is selected.

    Server Group Name

    Enter a name for the server group. In this example, RS 1 is entered.

    VPC

    Select the VPC to which the backend server group belongs. In this example, VPC 2 is selected.

    Backend Server Protocol

    Select a backend protocol. In this example, HTTP is selected.

    Scheduling Algorithm

    Select a scheduling algorithm. In this example, Weighted Round-robin is selected.

    Resource Group

    Select the resource group to which the ALB instance belongs.

  4. After you create the server group, find RS 1 on the Server Groups page and click its ID.

  5. Click the Backend Servers tab and click Add Backend Server.

  6. In the Add Backend Server panel, select ECS 03 and ECS 04 and click Next.

  7. Set the ports and weights of ECS 03 and ECS 04. In this example, port 80 and the default weight 100 are set for the instances. Then, click OK.

Step 3: Configure a listener

  1. In the left-side navigation pane, choose ALB > Instance. On the page that appears, find the ALB instance that you want to manage and click its ID.

  2. Click the Listener tab and then click Create Listener.

  3. On the Configure Listener wizard page, set the parameters described in the following table and click Next.

    The following table describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see Add an HTTP listener.

    Parameter

    Description

    Listener Protocol

    Select a listening protocol. In this example, HTTP is selected.

    Listener Port

    Specify the listening port that is used to receive and process requests. In this example, 80 is entered.

    Listener Name

    Enter a name for the listener.

    Advanced Settings

    You can click Modify to modify the advanced settings. In this example, the default advanced settings are used.

  4. On the Select Server Group wizard page, select RS 1 that you created in Step 2 and click Next.

  5. On the Configuration Review wizard page, confirm the configurations and click Submit.

  6. In the ALB Configuration Wizard message, click OK to return to the Instances page.

    If the health check status of the listener is Healthy, ECS 03 and ECS 04 can process the requests forwarded by the ALB instance.ALB

Step 4: Create an endpoint service

  1. Log on to the endpoint service console.

  2. In the top navigation bar, select the region where you want to create an endpoint service. In this example, China (Hangzhou) is selected.

  3. On the Endpoint Service page, click Create Endpoint Service.

  4. On the Create Endpoint Service page, set the parameters described in the following table and click OK.

    The following table describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see the Create an endpoint service section of the Create and manage endpoint services topic.

    Parameter

    Description

    Service Resource Type

    Select the type of the service resource that you want to add to the endpoint service. In this example, ALB is selected.

    Select Service Resource

    Select the zones where the service resource is deployed and then select the service resource.

    In this example, Hangzhou Zone H and Hangzhou Zone I are selected, and the ALB instance created in Step 1 is selected as the service resource.

    Automatically Accept Endpoint Connections

    Specify whether the endpoint service automatically accepts connection requests from endpoints. In this example, No is selected.

    Enable Zone Affinity

    In this example, No is selected. This indicates that among all endpoints that are associated with the endpoint service, the domain name of the nearest endpoint is not resolved first.

    Resource Group

    Select the resource group to which the endpoint service belongs.

    After you create the endpoint service, you can view the endpoint service whose Service Resource Type is ALB.终端节点服务

Step 5: Create an endpoint

  1. Log on to the endpoint console.

  2. In the top navigation bar, select the region where you want to create an endpoint. In this example, China (Hangzhou) is selected.

  3. On the Endpoints page, click the Interface Endpoint tab, and click Create Endpoint.

  4. On the Create Endpoint page, set the parameters described in the following table and click OK.

    The following table describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see the Create an endpoint section of the Create and manage endpoints topic.

    Parameter

    Description

    Endpoint Name

    Enter a name for the endpoint.

    Endpoint Type

    Select a type for the endpoint. In this example, Interface Endpoint is selected.

    Endpoint Service

    Select the endpoint service that you want to associate.

    In this example, Select Service is clicked, and the endpoint service that is created in Step 4 is selected.

    VPC

    Select the VPC to which the endpoint belongs. In this example, VPC 1 is selected.

    Security Groups

    Select the security group that you want to associate with the elastic network interface (ENI) of the endpoint. The security group is used to control data transfer from VPC 1 to the endpoint ENI.

    Note

    Make sure that the rules in the security group allow clients to access the endpoint ENI.

    By default, you can add an endpoint to up to five security groups.

    Zone and vSwitch

    Select the zones where the endpoint service is deployed and select a vSwitch in each zone. The system automatically creates an endpoint ENI for each vSwitch and attaches the endpoint ENIs to the vSwitches.

    In this example, Hangzhou Zone H, Hangzhou Zone I, and a vSwitch in each zone are selected.

    Resource Group

    Select the resource group to which the endpoint belongs.

    After you create the endpoint, you can view the domain names and IP addresses of the zones.

Step 6: Accept connection requests

After you create an endpoint in VPC 1, you must configure the endpoint service to accept connection requests from the endpoint. Then, VPC 1 can use the endpoint to access the endpoint service.

Note

Skip this step if you set the Automatically Accept Endpoint Connections parameter to Yes in Step 4.

  1. In the left-side navigation pane, click Endpoint Service.

  2. In the top navigation bar, select the region where the endpoint service is deployed. In this example, China (Hangzhou) is selected.

  3. On the Endpoint Service page, find the endpoint service that you created in Step 4 and click its ID.

  4. On the details page of the endpoint service, click the Endpoint Connections tab, find the endpoint that you want to manage, and then click Allow in the Actions column.

  5. In the Allow Connection dialog box, click OK.

After the connection requests are accepted, the state of the endpoint connection changes from Disconnected to Connected. Then, the endpoint service can process requests from the endpoint. You can use the domain names and IP addresses of the zones that are generated in Step 5 to access the endpoint service.接受终端节点连接

Step 7: Test the network connectivity

After you complete the preceding operations, VPC 1 can access VPC 2 over private connections. The following section describes how to test the network connectivity.

Note
  • In this example, ECS instances run the Alibaba Cloud Linux operating system. For more information about how to test the network connectivity between VPC 1 and VPC 2 in other operating systems, see the user guide of the operating system that you use.

  • In this example, two zones are created for the endpoint service and two zones are created for the endpoint to support high availability. You can use the domain name of the endpoint service to access the endpoint service.

  1. Log on to ECS 01 and ECS 02 in VPC 1. For more information, see Connection method overview.

  2. After you log on to the ECS instances in VPC 1, you can use one of the following methods to test the connectivity between VPCs:

    • Access the service deployed in VPC 2 by using the domain name of the endpoint service. This domain name supports automatic traffic switch between zones to ensure high availability. When a zone fails, traffic can be forwarded through the other zone.

      1. On the endpoint details page, view the generated domain name of the endpoint service.

        image

      2. Run the curl command to test the network connectivity.

        image

    • Access the services deployed in VPC 2 by using the domain names or IP addresses of the zones.

      1. On the details page of the endpoint, click the Zone and ENI tab to view the generated domain names and IP addresses of the zones.

        image

      2. Run the curl command to test the network connectivity.

        image

References