
How to Use PrivateLink to Connect Two VPCs in Different Accounts

In this article, we'll show you how to use Alibaba Cloud PrivateLink to establish private connections between VPCs and other services, and even across different accounts.

By Alpha Tong, Alibaba Cloud Solution Architect

In this article, we will show you how to use Alibaba Cloud PrivateLink to establish private connections between virtual private clouds (VPCs) and other Alibaba Cloud services, as well as across different accounts.

Background

In some cases, a customer has different services deployed across different VPCs, or even in different Alibaba Cloud accounts. When the customer needs to expose a service to another VPC, they have to use Cloud Enterprise Network (CEN) to connect the two VPCs. However, this approach only works when the two VPCs are in the same Alibaba Cloud account. If they are not, the customer may have to expose the service over the public Internet or a VPN. Although feasible, this approach increases both the security risk and the cost.

With PrivateLink, customers can easily build a connection between two VPCs over the Alibaba Cloud internal network. That means you do not need a public-network Server Load Balancer (SLB) for your service; in fact, PrivateLink only supports internal-network (intranet) SLB instances.

What Is PrivateLink?

In the past, enterprises needed to create Internet egresses to provide services on the cloud or to access resources in other business networks. They used products such as Elastic IP Address (EIP), public-network Server Load Balancer (SLB), and NAT Gateway to create these connections and provide services. However, as more and more enterprises move to the cloud, they increasingly want to provide services over the cloud's internal network, which addresses problems such as network security and network latency. PrivateLink provides exactly this kind of private network connection within the cloud.

Alibaba Cloud PrivateLink provides private connections for secure and stable data transmission between Virtual Private Cloud (VPC) networks and other Alibaba Cloud services.

[Figure 1]

PrivateLink offers the following benefits:

  • Low risk: Endpoint services are reached over PrivateLink connections, and requests are forwarded within Alibaba Cloud, so exposure to the Internet is minimized.
  • Robust security: When you use PrivateLink to access cloud services in a VPC, you can add rules to the security group of the elastic network interface (ENI) that is used to access the services, which adds a further layer of control and reliability.
  • Low latency and high quality: When you use PrivateLink to access cloud services, requests are forwarded within the same zone, which greatly reduces network latency.
  • Simplified management: PrivateLink lets you access cloud services deployed in another VPC of the same account, or services that belong to another account, without complicated route settings and security configurations.

Limitation

PrivateLink is available in the following regions and zones. Billing is based on traffic only.

Region                   Zones
China (Beijing)          Zone H and Zone G
China (Zhangjiakou)      Zone A and Zone B
China (Hangzhou)         Zone H and Zone I
China (Shanghai)         Zone E and Zone G
China (Shenzhen)         Zone D and Zone E
China (Heyuan)           Zone A and Zone B
China (Hong Kong)        Zone B and Zone C
Singapore (Singapore)    Zone B and Zone C
Germany (Frankfurt)      Zone A and Zone B
UK (London)              Zone A and Zone B

Solution Architecture

In this article, we will be connecting Company A with Company B using PrivateLink. The image below shows the architecture of our solution.

[Figure 2: solution architecture]

In this architecture, I have used two different Alibaba Cloud accounts for Company A and Company B.

Company A (Suffix 1)

Resource            Name            Address
VPC                 HK-VPC-PVL-1    10.100.0.0/16
vSwitch (Zone B)    HK-SW-PVL-B1    10.100.0.0/24
vSwitch (Zone C)    HK-SW-PVL-C1    10.100.1.0/24
ECS                 PVL-Client-1    10.100.0.25

Company B (Suffix 2)

Resource            Name            Address
VPC                 HK-VPC-PVL-2    10.100.0.0/16
vSwitch (Zone C)    HK-SW-PVL-C2    10.100.0.0/24
ECS                 PVL-Nginx-2     10.200.0.96
SLB                 HK-PVL-SLB-2    10.200.0.98

Configuration

In this section, I describe the steps required to configure and set up the connection between the two VPCs. As most of the steps involve navigating the Alibaba Cloud console, I illustrate them with screenshots.

Step 1: Create VPC and vSwitch

Company A

[Figure 3]

[Figure 4]

Company B

[Figure 5]

[Figure 6]

Step 2: Create ECS Instance

[Figure 7]

[Figure 8]

Step 3: Install Nginx (Site 2)

In our test scenario, we deploy a web server in the Company B account. Run the following commands on the ECS instance PVL-Nginx-2:

$ sudo yum install nginx
$ sudo systemctl enable nginx
$ sudo systemctl start nginx

Step 4: Create Endpoint Service (Site 2)

1.  Log in to the PrivateLink Endpoint Service console.

[Figure 9]

2.  Create SLB Instance for the Nginx service

[Figure 10]

3.  Choose Internal Network instance type and PrivateLink feature

[Figure 11]

4.  Configure SLB listener

[Figure 12]

[Figure 13]

[Figure 14]

5.  After creating the Endpoint Service, we have to add Company A's Account ID to the whitelist so that the two accounts can establish the PrivateLink connection. You can check the Account ID under Account Management.

[Figure 15]

6.  Add the Account ID to the whitelist.

[Figure 16]

[Figure 17]

Step 5: Create Endpoint (Site 1)

1.  Before the whitelist is configured, there is no Endpoint Service to select from.

[Figure 18]

2.  After the whitelist is configured, the Endpoint Service appears and we can proceed with the Endpoint configuration.

[Figure 19]

3.  The Endpoint Domain is the name we use for our connection.

[Figure 20]

Step 6: Allow Endpoint ID

1.  After creating the Endpoint, we need to allow this endpoint to connect to the Endpoint Service.

[Figure 21]

2.  The status will show Connected after allowing the connection.

[Figure 22]

Step 7: Connection Test

1.  SSH to the ECS instance PVL-Client-1 and ping the PrivateLink domain name. It resolves to the IP address 10.100.1.74, which is the endpoint's IP address in Zone C of Company A's VPC (vSwitch HK-SW-PVL-C1).

[root@iZj6ceaqal2hxvvptdh0l4Z ~]# ping ep-j6cdxwbbkj4w1zwhkklq-cn-hongkong-c.epsrv-j6ciclh2l6vth59grxhp.cn-hongkong.privatelink.aliyuncs.com
PING ep-j6cdxwbbkj4w1zwhkklq-cn-hongkong-c.epsrv-j6ciclh2l6vth59grxhp.cn-hongkong.privatelink.aliyuncs.com (10.100.1.74) 56(84) bytes of data.
64 bytes from 10.100.1.74 (10.100.1.74): icmp_seq=1 ttl=102 time=0.894 ms
64 bytes from 10.100.1.74 (10.100.1.74): icmp_seq=2 ttl=102 time=0.681 ms
64 bytes from 10.100.1.74 (10.100.1.74): icmp_seq=3 ttl=102 time=0.677 ms
64 bytes from 10.100.1.74 (10.100.1.74): icmp_seq=4 ttl=102 time=0.677 ms
64 bytes from 10.100.1.74 (10.100.1.74): icmp_seq=5 ttl=102 time=0.680 ms
^C
--- ep-j6cdxwbbkj4w1zwhkklq-cn-hongkong-c.epsrv-j6ciclh2l6vth59grxhp.cn-hongkong.privatelink.aliyuncs.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 0.677/0.721/0.894/0.092 ms

2.  Curl the domain name to check the Nginx service. The service is now accessible.

[Figure 23]
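Once the endpoint shows Connected, a practitioner usually wants to confirm that the endpoint domain really resolves to the endpoint's address inside the consumer VPC and not to a public address, so that traffic cannot silently fall back to the Internet path the article set out to avoid. The following Python script is an added example, not code from the article or from Alibaba Cloud: it parses the header line of the ping output from Step 7, checks each resolved address against the endpoint vSwitch CIDRs of Company A's VPC from the tables above (10.100.0.0/24 and 10.100.1.0/24, an assumption about which vSwitches the endpoint was created in), and, when run on PVL-Client-1, resolves the domain and probes Nginx over HTTP. The sample ping line is taken from Step 7; the 8.8.8.8 address used in the comments is a constructed example of a public address.

```python
"""Check that a PrivateLink endpoint domain resolves onto the consumer VPC.

Added example (not from the article or Alibaba Cloud). Assumptions: the endpoint
vSwitch CIDRs below are the Zone B/C vSwitches of Company A's VPC from the article's
tables; resolution and the HTTP probe only run when executed on an ECS in that VPC.
"""
import ipaddress
import re
import socket
import sys
import urllib.request
from typing import Dict, Iterable, List, Optional

# Endpoint vSwitch ranges of HK-VPC-PVL-1 (Company A), taken from the article's table.
ALLOWED_ENDPOINT_CIDRS = ["10.100.0.0/24", "10.100.1.0/24"]

# Endpoint domain shown in Step 7 of the article.
ENDPOINT_DOMAIN = ("ep-j6cdxwbbkj4w1zwhkklq-cn-hongkong-c."
                   "epsrv-j6ciclh2l6vth59grxhp.cn-hongkong.privatelink.aliyuncs.com")

# Constructed sample input: the header line ping printed in Step 7 of the article.
SAMPLE_PING_HEADER = "PING %s (10.100.1.74) 56(84) bytes of data." % ENDPOINT_DOMAIN

# "PING <name> (<ip>)" as printed by iputils ping.
_PING_RE = re.compile(r"^PING\s+\S+\s+\((?P<ip>[0-9A-Fa-f.:]+)\)")


def extract_ping_target(ping_output: str) -> Optional[str]:
    """Return the address ping resolved the name to, or None if no header line is found."""
    for line in ping_output.splitlines():
        match = _PING_RE.match(line.strip())
        if match:
            return match.group("ip")
    return None


def classify_address(ip: str, allowed_cidrs: Iterable[str]) -> str:
    """'expected' if inside an endpoint vSwitch; otherwise 'private-unexpected' or 'public'.

    A 'public' verdict (e.g. a constructed 8.8.8.8) means the name is no longer being
    answered by the VPC's private DNS and the private path can no longer be assumed.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(cidr) for cidr in allowed_cidrs):
        return "expected"
    return "private-unexpected" if addr.is_private else "public"


def check_resolution(addresses: Iterable[str],
                     allowed_cidrs: Iterable[str]) -> Dict[str, object]:
    """Pass only if at least one address was resolved and every one of them is 'expected'."""
    allowed = list(allowed_cidrs)
    verdicts = {ip: classify_address(ip, allowed) for ip in addresses}
    ok = bool(verdicts) and all(v == "expected" for v in verdicts.values())
    return {"ok": ok, "verdicts": verdicts}


def resolve(domain: str) -> List[str]:
    """Resolve through the VPC's DNS; only meaningful on an ECS inside the consumer VPC."""
    return sorted({info[4][0] for info in socket.getaddrinfo(domain, None)})


def http_probe(domain: str, timeout: float = 5.0) -> int:
    """Fetch the Nginx front page through the endpoint and return the HTTP status code."""
    with urllib.request.urlopen("http://%s/" % domain, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Offline part: the ping header from the article must parse to an expected address.
    target = extract_ping_target(SAMPLE_PING_HEADER)
    print("ping header resolved to", target, "->",
          classify_address(target, ALLOWED_ENDPOINT_CIDRS))

    # Online part: resolve and probe for real when running on PVL-Client-1.
    try:
        addresses = resolve(ENDPOINT_DOMAIN)
    except socket.gaierror as exc:
        sys.exit("resolution failed (are you inside HK-VPC-PVL-1?): %s" % exc)
    result = check_resolution(addresses, ALLOWED_ENDPOINT_CIDRS)
    for ip, verdict in result["verdicts"].items():
        print(ip, verdict)
    if not result["ok"]:
        sys.exit("endpoint domain does not resolve onto the endpoint vSwitches; do not use it")
    print("HTTP status via PrivateLink:", http_probe(ENDPOINT_DOMAIN))
```

Run it on the client ECS with no arguments; outside the VPC the resolution step fails and the script exits before probing. The check that every resolved address is "expected" is the one worth turning into a scheduled job: a "private-unexpected" verdict points at a changed endpoint vSwitch or a stale record, while a "public" verdict means the domain is being answered by something other than the VPC's private DNS.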

That's it! We have successfully connected two VPCs in different accounts using PrivateLink.
