By Alpha Tong, Alibaba Cloud Solution Architect
In this article, we will show you how to use Alibaba Cloud PrivateLink to establish private connections between virtual private clouds (VPCs) and other Alibaba Cloud services, as well as across different accounts.
In some cases, a customer may have different services deployed across different VPCs or even in different Alibaba Cloud accounts. When the customer needs to expose a service to another VPC, he/she has to use Cloud Enterprise Network (CEN) to connect both VPCs. But this approach only works when the two VPCs are in the same Alibaba Cloud account. If not, the customer may need to expose the service using public internet or VPN. This approach, although feasible, will increase the security risk and the cost as well.
With PrivateLink, customers can easily build up a connection between two VPCs via Alibaba Cloud intranet. That means you don't have to use public network server load balancer (SLB) for your service. In fact, PrivateLink is only available in intranet SLB type.
In the past, enterprises needed to create Internet egresses to provide on-cloud services or access resources of other business networks. Enterprises used products such as Enterprise Information Portal (EIP) based on elastic public networks, Server Load Balancers (SLB) for public networks, and gateways for Network Address Translation (NAT), to create connections and provide on-cloud services. However, as the number of enterprises on the cloud gradually increases, enterprises also gradually want to provide services on the cloud network. By doing so, they can solve problems such as network security and network latency. Fortunately, PrivateLink can provide private network connections within the cloud.
Alibaba Cloud PrivateLink provides private connections for secure and stable data transmission between Virtual Private Cloud (VPC) networks and other Alibaba Cloud services.
PrivateLink offers the following benefits:
You can use the PrivateLink service provided by Alibaba Cloud in the following regions and zones. You are only charged by traffic.
|China (Beijing)||Zone H and Zone G|
|China (Zhangjiakou)||Zone A and Zone B|
|China (Hangzhou)||Zone H and Zone I|
|China (Shanghai)||Zone E and Zone G|
|China (Shenzhen)||Zone D and Zone E|
|China (Heyuan)||Zone A and Zone B|
|China (Hong Kong)||Zone B and Zone C|
|Singapore (Singapore)||Zone B and Zone C|
|Germany (Frankfurt)||Zone A and Zone B|
|UK (London)||Zone A and Zone B|
In this article, we will be connecting Company A with Company B using PrivateLink. The image below shows the architecture of our solution.
In this architecture, I have used two different Alibaba Cloud accounts for Company A and Company B.
Company A (Suffix 1)
|vSwitch (Zone B)||HK-SW-PVL-B1||10.100.0.0/24|
|vSwitch (Zone C)||HK-SW-PVL-C1||10.100.1.0/24|
Company B (Suffix 2)
|vSwitch (Zone C)||HK-SW-PVL-C2||10.100.0.0/24|
In this section, I will describe the steps required to configure and set up the connection between the two VPCs. As most of the steps involve navigating through the Alibaba Cloud console, I will illustrate the steps using screen shots.
In our test scenario, we will deploy a web server in Company B account. Execute the command as below:
$sudo yum install nginx $sudo systemctl enable nginx $sudo systemctl start nginx
1. Log in to the PrivateLink Endpoint Service console.
2. Create SLB Instance for the Nginx service
3. Choose Internal Network instance type and PrivateLink feature
4. Configure SLB listener
5. After creating the Endpoint Service, we have to add the Account ID to Whitelist so that this two accounts can build up the PrivateLink. You can go to Account Management to check the Account ID.
6. Add the Account ID to Whitelist
1. Before we configure the Whitelist, there is no Endpoint Service to select from.
2. After we configure the Whitelist, we can see that the Endpoint Service is showing and we can proceed with the Endpoint configuration.
3. The Endpoint Domain is what we use for our connection.
1. After creating the Endpoint, we need to allow this endpoint to connect to the Endpoint Service.
2. The status will show Connected after allowing the connection.
1. SSH to ECS PVL-Client-1. Ping the PrivateLink Domain Name. It will respond with the IP address (10.100.1.74), which is the international site Zone C IP.
[root@iZj6ceaqal2hxvvptdh0l4Z ~]# ping ep-j6cdxwbbkj4w1zwhkklq-cn-hongkong-c.epsrv-j6ciclh2l6vth59grxhp.cn-hongkong.privatelink.aliyuncs.com PING ep-j6cdxwbbkj4w1zwhkklq-cn-hongkong-c.epsrv-j6ciclh2l6vth59grxhp.cn-hongkong.privatelink.aliyuncs.com (10.100.1.74) 56(84) bytes of data. 64 bytes from 10.100.1.74 (10.100.1.74): icmp_seq=1 ttl=102 time=0.894 ms 64 bytes from 10.100.1.74 (10.100.1.74): icmp_seq=2 ttl=102 time=0.681 ms 64 bytes from 10.100.1.74 (10.100.1.74): icmp_seq=3 ttl=102 time=0.677 ms 64 bytes from 10.100.1.74 (10.100.1.74): icmp_seq=4 ttl=102 time=0.677 ms 64 bytes from 10.100.1.74 (10.100.1.74): icmp_seq=5 ttl=102 time=0.680 ms ^C --- ep-j6cdxwbbkj4w1zwhkklq-cn-hongkong-c.epsrv-j6ciclh2l6vth59grxhp.cn-hongkong.privatelink.aliyuncs.com ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4001ms rtt min/avg/max/mdev = 0.677/0.721/0.894/0.092 ms
2. Curl the Domain Name to check the Nginx service. Now we can see that the service is accessible.
That's it! We have successfully connected two VPCs in different accounts using PrivateLink.
PM - C2C_Yuan - July 13, 2021
Alibaba Clouder - October 22, 2020
JDP - February 10, 2022
AlibabaCloud_Network - May 31, 2021
Alibaba Clouder - April 23, 2020
Alibaba Clouder - March 21, 2019
Respond to sudden traffic spikes and minimize response time with Server Load BalancerLearn More
High-performance virtual machines with data transfer plan, starting from $2.50 per monthLearn More
Deploy custom Alibaba Cloud solutions for business-critical scenarios with Quick Start templates.Learn More
Connect your business globally with our stable network anytime anywhere.Learn More
More Posts by Alibaba Clouder