This topic describes how to configure Alibaba Cloud DNS PrivateZone so that VPC-type ECS instances in a scaling group can initiate API requests over the Alibaba Cloud internal network.

Background information

Auto Scaling provides public network endpoints. However, if your ECS instance does not have a public bandwidth package or a public IP address, the instance cannot initiate an API request by using tools such as Alibaba Cloud CLI or corresponding SDKs. Alibaba Cloud provides Alibaba Cloud DNS PrivateZone to ensure that your instance can send API requests over the Alibaba Cloud internal network. You can use PrivateZone to associate the VPC with the region to which your ECS instance belongs.

  • You can only configure PrivateZone for regions that contain VPC-type ECS instances. You cannot configure PrivateZone across multiple regions.
  • We recommend that you create ECS instances in a scaling group by using custom images that have Alibaba Cloud CLI or the SDK deployed. This way, your instances can add relevant dependencies when they have no access to the public network.
  • The following table describes the endpoints that support PrivateZone. Make sure that you use the endpoint listed in the table.
    Alibaba Cloud region Region ID CNAME record value Public network endpoint
    China (Beijing) cn-beijing popunify-vpc.cn-beijing.aliyuncs.com ess.cn-beijing.aliyuncs.com
    China (Hangzhou) cn-hangzhou popunify-vpc.cn-hangzhou.aliyuncs.com ess.cn-hangzhou.aliyuncs.com
    China (Shanghai) cn-shanghai popunify-vpc.cn-shanghai.aliyuncs.com ess.cn-shanghai.aliyuncs.com
    China (Shenzhen) cn-shenzhen popunify-vpc.cn-shenzhen.aliyuncs.com ess.cn-shenzhen.aliyuncs.com
    China (Hong Kong) cn-hongkong popunify-vpc.cn-hongkong.aliyuncs.com ess.cn-hongkong.aliyuncs.com
    Singapore ap-southeast-1 popunify-vpc.ap-southeast-1.aliyuncs.com ess.ap-southeast-1.aliyuncs.com

Procedure

  1. Log on to the Alibaba Could DNS console.
  2. In the left-side navigation pane, click PrivateZone. On the page that appears, click Add Zone.
  3. Configure the following parameters and click OK.
    • Zone Name: Enter an ECS endpoint that supports PrivateZone. In this example, enter ess.cn-hangzhou.aliyuncs.com.
    • Subdomain recursive resolution proxy: If you select this check box, the name resolved on the public network is used for DNS domain name checks for the specified Zone Name but is not included in the Zone file.
  4. Click Configure in the Actions column corresponding to the created PricateZone.
  5. On the Resolution Settings page that appears, click Add Record.
  6. In the Add Record dialog box that appears, configure the following parameters and click OK.
    • Record Type: Select CNAME.
    • Resource Records: Enter @ to resolve the @.example.com domain name.
    • Record Value: Set the value to the CNAME record value of the corresponding region.
    • TTL Value: The time to live value. In this example, select 1 minute(s).
  7. Go back to the PrivateZone page. Click Bind VPC in the Actions column corresponding to the created PrivateZone.
  8. In the dialog box that appears, select the region where the PrivateZone is located. Select one or more VPCs to which your ECS instances belong. Click OK.
    Note Select the VPC to which the ECS instance belongs.

Result

After you associate a VPC with an Alibaba Cloud DNS PrivateZone, you can log on to your ECS instance to check whether the instance can access the endpoint of the corresponding region. For more information about how to log on to an ECS instance in a scaling group, see Connect to a Linux instance by using the Management Terminal.

For example, if the enpoint is ess.cn-hangzhou.aliyuncs.com, you can:
  • Run a ping command to check whether data packets can be properly transmitted and received.
    ping ess.cn-hangzhou.aliyuncs.com
  • Use Alibaba Cloud CLI to call DescribeRegions, and specify the value of the --endpoint field to the example endpoint.
    aliyun ecs DescribeRegions --endpoint ess.cn-hangzhou.aliyuncs.com