You can associate endpoint services with endpoints to establish PrivateLink connections. This topic describes how to create a Server Load Balancer (SLB) instance that supports PrivateLink. This topic also describes how to specify the created SLB instance as a service resource of an endpoint service to allow private access from other virtual private clouds (VPCs).
Limits
The Classic Load Balancer (CLB) instance that you create to support PrivateLink must be an internal-facing CLB instance that supports only the VPC network type.
The Application Load Balancer (ALB) instance that you create to support PrivateLink must be an internal-facing ALB instance that uses a fixed IP address.
The Network Load Balancer (NLB) instance that you create to support PrivateLink must be an internal-facing NLB instance.
Make sure that the region and zone where you want to deploy an endpoint service support PrivateLink and SLB instances. For more information about the regions and zones that support PrivateLink and SLB instances, see the following topics:
The zone that you select when you create an endpoint service must be the zone where a CLB, ALB, or NLB instance is deployed.
Prerequisites
PrivateLink is activated. If this is the first time that you use PrivateLink, go to the activation page to activate PrivateLink as prompted.
The VPC in which a CLB, ALB, or NLB instance resides is created. A vSwitch is created in the corresponding zone in the VPC. For more information, see the Step 1: Create a VPC and vSwitches section of the Create a VPC with an IPv4 CIDR block topic.
Note: Make sure that the region and zone that you select when you create the vSwitch are the same as those that you select when you create the CLB, ALB, or NLB instance.
Create an SLB instance
PrivateLink allows you to specify internal-facing CLB, ALB, and NLB instances as the service resources of endpoint services. You can select an appropriate SLB instance based on your business requirements.
Create a CLB instance
Log on to the CLB console.
On the Instances page, click Create CLB.
On the buy page, specify the parameters for the CLB instance that supports PrivateLink, click Buy Now, and then complete the payment.
Parameter
Description
Region
Select the region where you want to create the CLB instance.
Note: Make sure that the CLB instance and the Elastic Compute Service (ECS) instances that you want to specify as backend servers belong to the same region.
Zone Type
Specify whether to deploy the CLB instance in one zone or across multiple zones. Default value: Multi-zone.
Primary Zone
Select a primary zone for the CLB instance to distribute network traffic.
Backup Zone
Select a secondary zone for the CLB instance. The CLB instance distributes network traffic to backend servers in the secondary zone only when the primary zone is unavailable.
Instance Name
Enter a name for the CLB instance.
Instance Type
Select a type for the CLB instance. You can create an Internet-facing CLB instance or an internal-facing CLB instance based on your business requirements. The system allocates a public or private IP address to the CLB instance based on the selected type. Only an internal-facing instance can be registered as a PrivateLink service resource.
In this example, Intranet is selected.
Instance Billing Method
Select a billing method for the CLB instance. Valid values:
Pay-By-Specification
Pay-By-CLCU
In this example, Pay-By-Specification is selected.
Specification
Select a specification for the CLB instance. CLB instances with different specifications deliver different performances. For more information, see Overview of CLB instances.
Network Type
Select a network type for the CLB instance.
In this example, VPC is selected.
IP Version
Select an IP version for the CLB instance. In this example, IPv4 is selected.
VPCId
Select an existing VPC in which you want to deploy the CLB instance.
VswitchId
Select a vSwitch in the selected VPC.
Internet Data Transfer Fee
Default value: By traffic.
Note: Internet-facing CLB instances are metered by data transfer. The CLB instance in this example is internal-facing and does not incur data transfer fees.
Resource Group
Select the resource group to which the CLB instance belongs.
Quantity
Specify the number of CLB instances that you want to purchase.
After you create the CLB instance, add backend servers and configure listeners so that the instance can process requests from clients. This topic covers only the configuration steps that relate to endpoint services. For more information about how to add backend servers and configure listeners, see Configure a CLB instance.
Create an ALB instance
Log on to the ALB console.
On the Instances page, click Create ALB.
On the buy page, specify the parameters for the ALB instance that supports PrivateLink, click Buy Now, and then complete the payment.
Parameter
Description
Region
Select the region where you want to create the ALB instance.
Network Type
Select a network type for the ALB instance. The system allocates a public IP address or a private IP address to the ALB instance based on the selected network type. In this example, Intranet is selected.
VPC
Select an existing VPC in which you want to deploy the ALB instance.
Zone
Select the zone where you want to deploy the ALB instance.
Select at least two zones for the ALB instance.
Select an existing vSwitch in each zone.
IP Mode
Select the type of the IP address that is used by the ALB instance. In this example, Static IP is selected.
IP Version
Select an IP version for the ALB instance. In this example, IPv4 is selected.
IPv4: If you select this option, the ALB instance can be accessed only by IPv4 clients.
Dual-stack: If you select this option, the ALB instance can be accessed by both IPv4 and IPv6 clients.
Edition
Select an edition for the ALB instance.
Basic: Basic ALB instances support basic routing features such as forwarding requests based on domain names, URLs, and HTTP headers.
Standard: Standard ALB instances support basic and advanced routing features, such as custom TLS security policies, redirects, and rewrites.
WAF Enabled: As an upgrade from standard ALB instances, WAF-enabled ALB instances are integrated with Web Application Firewall (WAF) 3.0 to protect web applications. Network traffic is filtered by WAF before traffic is routed to ALB listeners.
Note: For more information about how to enable Web Application Firewall (WAF) for an ALB instance, see Activate and manage WAF-enabled ALB instances.
For more information about the differences among basic ALB instances, standard ALB instances, and WAF-enabled ALB instances, see Functions and features.
Instance Name
Enter a name for the ALB instance.
Resource Group
Select the resource group to which the ALB instance belongs.
Service-linked Role
If this is the first time that you create an ALB instance, you must click Create Service-linked Role to create a service-linked role.
After you create the ALB instance, add backend servers and configure listeners so that the instance can process requests from clients. For more information about how to add backend servers and configure listeners, see Use an ALB instance to provide IPv4 services.
Create an NLB instance
Log on to the NLB console.
In the top navigation bar, select the region in which the NLB instance is deployed.
On the Instances page, click Create NLB.
On the NLB (Pay-As-You-Go) International Site page, specify the parameters described in the following table and click Buy Now.
Parameter
Description
Region
Select the region where you want to create the NLB instance.
Network Type
Select a network type for the NLB instance. In this example, Intranet is selected.
IP Version
Select an IP version for the NLB instance. In this example, IPv4 is selected.
IPv4: If you select this option, the NLB instance can be accessed only by IPv4 clients.
Dual-stack Networking: If you select this option, the NLB instance can be accessed by IPv4 and IPv6 clients.
VPC
Select the VPC in which you want to deploy the NLB instance.
Zone
Select a zone for the NLB instance.
Instance Name
Enter a name for the NLB instance.
Resource Group
Select the resource group to which the NLB instance belongs. In this example, Default Resource Group is selected.
Service-linked Role
If this is the first time that you create an NLB instance, you must click Create Service-linked Role to create a service-linked role.
Create an endpoint service
Log on to the endpoint service console.
In the top navigation bar, select the region where you want to create an endpoint service.
On the Endpoints Service page, click Create Endpoint Service.
On the Create Endpoint Service page, specify the parameters described in the following table and click OK.
Parameter
Description
Region
Select the region where you want to create the endpoint service.
Service Resource Type
Select the type of the service resource. CLB, ALB, and NLB instances are supported.
Select Service Resource
Select the zone where the service resource is deployed, and then select the service resource.
To register a service resource in a single zone:
Click the icon next to the service resource.
In the message that appears, click OK.
To register service resources in multiple zones: the form provides entries for two zones by default. Repeat the preceding steps for each zone.
If you want to register service resources in more zones, click +Add Service Resource to add an entry for each additional zone.
Note: A CLB instance can serve as a service resource only in the zone in which its vSwitch resides.
An ALB instance or an NLB instance can be deployed in multiple zones and can be registered as a service resource in each of those zones.
Register service resources in multiple zones so that traffic can fail over quickly if one zone becomes unavailable. This improves the availability and stability of the endpoint service and prevents service interruptions.
Automatically Accept Endpoint Connections
Specify whether the endpoint service automatically accepts connection requests from endpoints. This setting decides who reviews new consumers of your service.
Yes: The endpoint service automatically accepts every connection request from an endpoint that is permitted to connect, including endpoints in other Alibaba Cloud accounts that you add to the whitelist of the endpoint service. Those endpoints can reach the service resources as soon as they are created, without review by the service provider, so keep the whitelist as small as possible.
No: A new endpoint connection stays in the Disconnected state until the service provider manually accepts it. Select this option if you want to review each consumer before it gains private access. For more information, see the Manually accept connection requests section of the Accept endpoint connection requests and manage endpoint connections topic.
Enable Zone Affinity
Specify whether, among the endpoints that are associated with the endpoint service, DNS resolution returns the nearest endpoint first.
Yes: The domain name is resolved to the nearest endpoint first, which keeps traffic within a zone where possible.
No: No preference is given to the nearest endpoint during resolution.
Service Payer
Select the account that pays the bills.
Resource Group
Select the resource group to which the endpoint service belongs.
Tag Key
Select or enter a tag key. To facilitate management, you can use custom tags to identify endpoint services.
Tag Value
Select or enter a tag value.
Description
Enter a description for the endpoint service.
What to do next
After service providers create endpoint services, service consumers need to create endpoints that are associated with the corresponding endpoint services. This way, the VPCs in which endpoints are deployed can access SLB resources deployed in other VPCs by using PrivateLink. For more information, see Create and manage endpoints.
Related operations
Modify the basic information about an endpoint service
You can modify the basic information about an endpoint service, such as its description, its default peak bandwidth, and the setting that controls whether connection requests from endpoints are accepted automatically.
Log on to the endpoint service console.
In the top navigation bar, select the region where the endpoint service is deployed.
On the Endpoints Service page, find the endpoint service that you want to modify and click the ID of the endpoint service.
Modify the basic information about the endpoint service based on your business requirements.
Parameter
Description
Automatically Accept Connections
Specify whether the endpoint service automatically accepts connection requests from endpoints.
Click Enable or Disable next to Automatically Accept Connections.
In the message that appears, click OK.
Enable Zone Affinity
Specify whether the domain name of the nearest endpoint that is associated with the endpoint service is resolved first.
Click Enable or Disable next to Enable Zone Affinity.
In the message that appears, click OK.
Description
Click Edit next to Description.
In the dialog box that appears, enter a new description and click OK.
Default Speed Limit
Specify the default peak bandwidth of the endpoint service.
Click Modify next to Default Speed Limit.
In the Set Default Speed Limit dialog box, enter a new value in the Adjust Speed Limit field and click OK.
Delete an endpoint service
You can delete an endpoint service that you no longer need. After you delete the endpoint service, the SLB instances that are associated with the endpoint service in the corresponding VPC are still retained.
After you delete an endpoint service, other VPCs cannot access the service resources of the endpoint service over private connections. Exercise caution when you perform this operation.
Before you delete an endpoint service, make sure that the following requirements are met:
Connection requests from the endpoints that are associated with the endpoint service are rejected. For more information, see Reject endpoint connection requests.
Service resources that are added to the endpoint service are removed. For more information, see the Delete a service resource section of the Manage service resources topic.
Log on to the endpoint service console.
In the top navigation bar, select the region where the endpoint service is deployed.
On the Endpoints Service page, find the endpoint service that you want to delete and click Delete in the Actions column.
In the message that appears, click OK.
(Optional) Add tags to an endpoint service
As the number of endpoint services increases, endpoint service management becomes more difficult. You can use tags to group endpoint services. In this way, you can efficiently search for and filter endpoint services. For more information about tags, see Tags.
In the top navigation bar, select the region where the endpoint service is deployed.
On the Endpoints Service page, find the endpoint service to which you want to add a tag, move the pointer over the icon in the Tags column, and then click Edit in the pop-up box that appears.
In the Configure Tags dialog box, set the following parameters and click OK.
Parameter
Description
Tag Key
The key of the tag. You can select or enter a key.
The tag key can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://.
Tag Value
The value of the tag. You can select or enter a value.
The tag value can be up to 128 characters in length. It cannot start with aliyun or acs:, and cannot contain http:// or https://.
Return to the Endpoints Service page and click Filter by Tag. In the filter section, search for an endpoint service based on a tag key and a tag value.
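The Create an endpoint service procedure and the tag rules above, expressed as a request to the CreateVpcEndpointService API listed under References. The following Python is an added example, not Alibaba Cloud's own SDK or console code. It assembles the flat parameter map the RPC API takes and enforces the constraints this page states before anything is sent: only internal-facing CLB (which the API calls slb), ALB or NLB instances; a CLB registered only in the zone of its vSwitch; one resource type per endpoint service; an explicit choice for AutoAcceptEnabled, which is flagged because the account whitelist then becomes the only admission control; and the tag key and value rules. Instance IDs, zone IDs and tag values are constructed; the Tag.N.Key/Tag.N.Value parameter names and the Payer values are assumptions, and the signed HTTP call itself (normally made through the Alibaba Cloud SDK) is left out.

```python
"""Preflight builder for a PrivateLink CreateVpcEndpointService request.

Added example, not code from Alibaba Cloud or its SDK. It builds the flat
parameter map that the CreateVpcEndpointService RPC API takes and enforces
the rules the page states before anything is sent. Instance and zone IDs
are constructed sample data; 'Tag.N.Key'/'Tag.N.Value' on this call and the
Payer values are assumptions, and the signed HTTP call itself is omitted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

RESOURCE_TYPES = {"slb", "alb", "nlb"}  # the API calls a CLB instance 'slb'


@dataclass(frozen=True)
class LoadBalancer:
    instance_id: str
    kind: str                   # 'slb' (CLB), 'alb' or 'nlb'
    address_type: str           # 'intranet' or 'internet'
    zone_ids: Tuple[str, ...]   # CLB: its vSwitch zone; ALB/NLB: every zone it spans


def check_tag(value: str, what: str = "tag") -> str:
    """Apply the tag rules from this page; return the value unchanged if valid."""
    if not value or len(value) > 128:
        raise ValueError(f"{what} must be 1 to 128 characters")
    lowered = value.lower()
    if lowered.startswith("aliyun") or lowered.startswith("acs:"):
        raise ValueError(f"{what} cannot start with 'aliyun' or 'acs:'")
    if "http://" in lowered or "https://" in lowered:
        raise ValueError(f"{what} cannot contain 'http://' or 'https://'")
    return value


def build_create_params(
    region_id: str,
    resources: Sequence[Tuple[LoadBalancer, str]],  # (instance, zone to register it in)
    *,
    auto_accept: bool,
    zone_affinity: bool = False,
    payer: str = "Endpoint",    # assumed values: 'Endpoint' or 'EndpointService'
    description: str = "",
    tags: Optional[Dict[str, str]] = None,
) -> Tuple[Dict[str, str], List[str]]:
    """Return (request parameters, review warnings); raise ValueError on a violation."""
    if not resources:
        raise ValueError("an endpoint service needs at least one service resource")
    kinds = {lb.kind for lb, _ in resources}
    if len(kinds) != 1 or not kinds <= RESOURCE_TYPES:
        raise ValueError("all service resources must share one type: slb, alb or nlb")

    params: Dict[str, str] = {
        "Action": "CreateVpcEndpointService",
        "RegionId": region_id,
        "ServiceResourceType": kinds.pop(),
        "AutoAcceptEnabled": "true" if auto_accept else "false",
        "ZoneAffinityEnabled": "true" if zone_affinity else "false",
        "Payer": payer,
    }
    if description:
        params["ServiceDescription"] = description

    for i, (lb, zone_id) in enumerate(resources, start=1):
        if lb.address_type != "intranet":
            raise ValueError(f"{lb.instance_id} is not internal-facing")
        if lb.kind == "slb" and len(lb.zone_ids) != 1:
            raise ValueError(f"{lb.instance_id}: a CLB has exactly one vSwitch zone")
        if zone_id not in lb.zone_ids:
            raise ValueError(f"{lb.instance_id} is not deployed in zone {zone_id}")
        params[f"Resource.{i}.ResourceType"] = lb.kind
        params[f"Resource.{i}.ResourceId"] = lb.instance_id
        params[f"Resource.{i}.ZoneId"] = zone_id

    for i, (key, value) in enumerate((tags or {}).items(), start=1):
        params[f"Tag.{i}.Key"] = check_tag(key, "tag key")        # assumed parameter name
        params[f"Tag.{i}.Value"] = check_tag(value, "tag value")  # assumed parameter name

    warnings: List[str] = []
    if auto_accept:
        warnings.append("AutoAcceptEnabled=true: every permitted endpoint connects "
                        "without review, so the account whitelist is the only gate")
    if len({zone_id for _, zone_id in resources}) < 2:
        warnings.append("single zone: no zone failover for this endpoint service")
    return params, warnings


# Constructed sample inventory; the IDs are placeholders, not real instances.
CLB_H = LoadBalancer("lb-hypothetical-clb", "slb", "intranet", ("cn-hangzhou-h",))
ALB_HJ = LoadBalancer("alb-hypothetical-alb", "alb", "intranet",
                      ("cn-hangzhou-h", "cn-hangzhou-j"))

if __name__ == "__main__":
    params, warns = build_create_params(
        "cn-hangzhou", [(ALB_HJ, "cn-hangzhou-h"), (ALB_HJ, "cn-hangzhou-j")],
        auto_accept=False, zone_affinity=True, tags={"env": "prod"})
    print("\n".join(f"{k}={params[k]}" for k in sorted(params)))
    print("\n".join(f"WARNING: {w}" for w in warns))
```

Run it as a script to see the Resource.N.* entries that the two-zone ALB expands into. Feed the returned map to your SDK's signed request; the review warnings are meant to be surfaced in the change record so that an auto-accepting service is a deliberate decision rather than a default.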
References
User guides:
For more information about how to create an endpoint that is associated with an endpoint service, see Create and manage endpoints.
For more information about how to add multiple service resources to an endpoint service, see Add and remove service resources.
If you want a VPC that belongs to another Alibaba Cloud account to access an endpoint service, you must add the ID of the Alibaba Cloud account to the whitelist of the endpoint service. For more information, see Manage account IDs in the whitelist of an endpoint service.
API references:
CreateVpcEndpointService: creates an endpoint service.
UpdateVpcEndpointServiceAttribute: modifies the attributes of an endpoint service.
DeleteVpcEndpointService: deletes an endpoint service.