This topic describes how to use PrivateLink connections to share an internal-facing Classic Load Balancer (CLB) service with different virtual private clouds (VPCs) that belong to the same account.

Background information

VPCs are private networks that are independent of each other. You can use PrivateLink to establish private connections between VPCs and Alibaba Cloud services. This simplifies network architecture and secures data transmission.

To use PrivateLink connections to share services between different VPCs that belong to the same account, you must create endpoint services and endpoints.
  • Endpoint services

    Endpoint services within a VPC can be accessed by other VPCs through PrivateLink. You must create endpoints for these VPCs to establish PrivateLink connections. Endpoint services are created and managed by service providers.

  • Endpoints

    You can associate an endpoint with an endpoint service to establish PrivateLink connections, which allows a VPC to access external services. Endpoints are created and managed by service consumers.

Note PrivateLink is available for use in only specific regions. For more information, see Regions and zones that support PrivateLink.

Scenario

The scenario in the following figure is used as an example. Assume that you have created two VPCs (VPC 1 and VPC 2) with the same Alibaba Cloud account in the Germany (Frankfurt) region. Application services are deployed on the Elastic Compute Service (ECS) instances in VPC 2. For security reasons, VPC 1 must access the services in VPC 2 over a private connection rather than over the Internet.

You can create a CLB instance that supports PrivateLink in VPC 2, and specify the ECS instances in VPC 2 as the backend servers of the CLB instance. Then, create an endpoint service, and specify the CLB instance as a service resource for the endpoint service. Finally, create an endpoint for VPC 1. After the endpoint for VPC 1 is created and its connection is accepted, VPC 1 can access the services that are deployed in VPC 2.

Prerequisites

Before you start, make sure that the following requirements are met:

Procedure


Step 1: Create a CLB instance that supports PrivateLink

Only CLB instances that support PrivateLink can serve as service resources for endpoint services. Before you use PrivateLink connections to access services across VPCs that belong to the same account, you must create a CLB instance that supports PrivateLink.

To create a CLB instance that supports PrivateLink in VPC 2, perform the following operations:

  1. Log on to the SLB console.
  2. In the left-side navigation pane, choose Instances > Instances.
  3. On the Instances page, click Create Instance.
  4. On the buy page, set the following parameters to create a CLB instance:
    • Billing Method: Select a billing method. In this example, Pay-As-You-Go is selected.
      Note Only CLB instances that are billed on a pay-as-you-go basis support PrivateLink.
    • Region and Zone: Select the region and zone where you want to create the CLB instance. Make sure that the CLB instance and the ECS instances to be specified as backend servers are deployed in the same region. In this example, Germany (Frankfurt) and EU Central 1 Zone A are selected.
    • Instance Type: Select the type of CLB instance that you want to create. The system automatically allocates an IP address to the CLB instance based on the specified instance type. For more information, see SLB instance overview.
      • Public Network: If you select Public Network, a public IP address is allocated to the CLB instance. You can access the CLB service over the Internet.
      • Internal Network: If you select Internal Network, a private IP address is allocated to the CLB instance. You can access the CLB service only from within the Alibaba Cloud internal network, not over the Internet.
      In this example, Internal Network is selected.
      Note Only internal-facing CLB instances support PrivateLink.
    • VPC: Select VPC 2 and the vSwitch in VPC 2.
    • Features: Select the service that the CLB instance supports.

      In this example, Support PrivateLink is selected.

    • For more information about other parameters, see Create a CLB instance that supports PrivateLink.
  5. Click Buy Now and complete the payment.

Step 2: Configure the CLB instance

After you create the CLB instance, you must add at least one listener and one group of backend servers to the CLB instance. Otherwise, requests that reach the CLB instance cannot be forwarded to the backend servers.

To configure the CLB instance, perform the following operations:

  1. On the Instances page, find the CLB instance that you created in Step 1, and click Configure Listener in the Actions column.
  2. In the Protocol and Listener wizard, set the following parameters:
    • Select Listener Protocol: In this example, TCP is selected.
    • Listening Port: Specify the frontend port that is used to receive requests and distribute requests to backend servers.

      In this example, the port number is set to 80.

    Use the default values for other parameters.

  3. Click Next. In the Backend Servers wizard, select Default Server Group and click Add More to add backend servers.
    1. In the My Servers pane, select the ECS instances that you created and click Next.
    2. Weight: A backend server with a higher weight receives more requests. The default value is 100. We recommend that you use the default value.
    3. Click Add.
    4. On the Default Server Group tab, specify the ports that are open on the backend servers (ECS instances) to receive requests. You can specify the same port for backend servers that belong to the same CLB instance. In this example, the port number is set to 80.
  4. Click Next to configure health checks. In this example, the default health check configurations are used.
  5. Click Next. In the Confirm wizard, confirm the parameters and click Submit.
  6. Click OK to go back to the Instances page.

    If the health check status of an ECS instance is Normal, this indicates that the ECS instance is ready to process requests.

Step 3: Create an endpoint service

After you create an endpoint service in a VPC, you can use an endpoint that is deployed in another VPC to access the endpoint service through PrivateLink connections.

To create an endpoint service, perform the following operations:

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose Endpoint > Endpoint Service.
  3. In the top navigation bar, select the region where you want to create an endpoint service.
    In this example, Germany (Frankfurt) is selected.
  4. On the Endpoint Service page, click Create Endpoint Service.
  5. On the Create Endpoint Service page, set the following parameters for the endpoint service and click OK.
    • Select Service Resource: Select a zone to receive network traffic, and select the CLB instance to be associated with the endpoint service.

      CLB instances serve as service resources and can be associated with endpoint services. The associated CLB instances receive requests from clients. The zone where an endpoint service is deployed must be the same as the primary zone where the service resource is deployed. Only CLB instances that support PrivateLink and are deployed in VPCs can serve as service resources.

      In this example, Frankfurt Zone A and the CLB instance that is created in Step 1 are selected.

    • Automatically Accept Endpoint Connections: Specify whether to automatically accept connection requests from endpoints.
      • Yes: The endpoint service accepts all connection requests from an associated endpoint. Users can access the endpoint service through the associated endpoint.
      • No: The endpoint connection is in the Disconnected state. Endpoint connection requests to the endpoint service must be manually accepted or denied by the service administrator.
        • If the service administrator accepts endpoint connection requests from the associated endpoint, the endpoint service can be accessed through the endpoint.
        • If the service administrator denies endpoint connection requests from the associated endpoint, the endpoint service cannot be accessed through the endpoint.

      In this example, No is selected.

    • Description: Enter a description for the endpoint service.

      The description must be 2 to 256 characters in length, and cannot start with http:// or https://.


After the endpoint service is created, the account ID of the service owner is automatically added to the whitelist of the endpoint service. Only accounts on the whitelist can create endpoints that connect to the endpoint service. Because VPC 1 and VPC 2 belong to the same account in this scenario, no other account needs to be added.

You can view the service ID and service name on the Endpoint Service page.

Step 4: Create a vSwitch

Create a vSwitch in VPC 1. The vSwitch must be deployed in the same zone as the CLB instance that is created in Step 1. When you create the endpoint in Step 5 and select this vSwitch, the system creates an endpoint elastic network interface (ENI) in the vSwitch. The endpoint ENI is the entry point through which VPC 1 accesses the services that are deployed in VPC 2.

To create a vSwitch in VPC 1, perform the following operations:

  1. In the left-side navigation pane, click VSwitches.
  2. In the top navigation bar, select the region where you want to create the vSwitch.
    In this example, Germany (Frankfurt) is selected.
  3. On the VSwitches page, click Create VSwitch.
  4. On the Create VSwitch page, set the following parameters for the vSwitch and click OK.
    • VPC: Select the VPC to which the vSwitch belongs. In this example, VPC 1 is selected.
    • Name: Enter a name for the vSwitch.

      The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter.

    • Zone: Select the zone where you want to deploy the vSwitch. In this example, Frankfurt Zone A is selected.
    • IPv4 CIDR Block: Specify the IPv4 CIDR block of the vSwitch.
    • Description: Enter a description for the vSwitch.

      The description must be 2 to 256 characters in length. It cannot start with http:// or https://.

Step 5: Create an endpoint

You can associate an endpoint with an endpoint service to establish a PrivateLink connection. This way, clients in the VPC to which the endpoint belongs can access the service resources that are exposed by the endpoint service in the other VPC. The connection is one-way: the service provider's VPC does not gain access to the consumer's VPC.

To create an endpoint in VPC 1, perform the following operations:

  1. In the left-side navigation pane, choose Endpoint > Endpoint.
  2. In the top navigation bar, select the region where you want to create the endpoint.
    In this example, Germany (Frankfurt) is selected.
  3. On the Endpoint page, click Create Endpoint.
  4. In the Create Endpoint dialog box, set the following parameters for the endpoint and click OK.
    • Name: Enter a name for the endpoint.

      The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter or Chinese character.

    • Endpoint Service: You can specify an endpoint service to be associated with the endpoint by performing the following operations:
      • Click Add by Service Name and enter the name of the endpoint service that you want to associate with the endpoint.
      • Click Select Services, and select an endpoint service that belongs to the current account.

      In this example, Select Services is clicked, and the endpoint service that is created in Step 3 is selected. For more information, see Step 3: Create an endpoint service.

    • VPC: Select the VPC for which you want to create the endpoint. In this example, VPC 1 is selected.
    • Security Group: Assign a security group to the endpoint ENI. The security group filters the traffic that is transmitted between clients in the VPC and the endpoint ENI.
      Note Make sure that the rules in the security group allow inbound access from the clients to the endpoint ENI on the listener port (TCP port 80 in this example). Allow only the CIDR blocks of the clients that need the service and only the listener ports, rather than all sources and all ports.
    • Zone and VSwitch: Select the zone of the endpoint service, and select a vSwitch in the zone. The system automatically creates an endpoint ENI within the vSwitch.

      In this example, Frankfurt Zone A is selected, and the vSwitch that is created in Step 4 is selected. For more information, see Step 4: Create a vSwitch.

    • Description: Enter a description for the endpoint.

      The description must be 2 to 256 characters in length. It cannot start with http:// or https://.

After the endpoint is created, you can view the domain name or IP address that is used to access the endpoint service. You can access the endpoint service in the following ways:
  • Use the domain name of the endpoint
  • Use the IP address of the ENI
  • Use the domain name of the zone
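The following is an added example and not code from the Alibaba Cloud page. It checks the security group that you assign to the endpoint ENI in Step 5 against the least-privilege rule stated above: the rules must admit the client CIDR blocks in VPC 1 on the CLB listener port (TCP 80 in this walkthrough) and nothing more. The client CIDR block and the rule dictionary shape are constructed for the example; they are not the exact response format of the ECS security group APIs.

```python
"""Least-privilege check for the security group attached to a PrivateLink endpoint ENI.

Added example (not Alibaba Cloud code). The rule dictionaries use a small constructed
shape (direction, protocol, port_range, source_cidr, policy); they are not the exact
format that the ECS DescribeSecurityGroupAttribute API returns.
"""
import ipaddress

# Constructed values for the walkthrough: the client subnet in VPC 1 that should
# reach the service, and the CLB listener port configured in Step 2.
CLIENT_CIDRS = ["192.168.10.0/24"]
LISTENER_PORTS = [80]


def build_minimal_inbound_rules(client_cidrs, ports):
    """Inbound accept rules that admit exactly the client CIDRs on exactly the listener ports."""
    rules = []
    for cidr in client_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        for port in ports:
            rules.append({
                "direction": "ingress",
                "protocol": "tcp",
                "port_range": (port, port),
                "source_cidr": str(net),
                "policy": "accept",
            })
    return rules


def _describe(rule):
    lo, hi = rule["port_range"]
    return f"{rule['protocol']} {lo}-{hi} from {rule['source_cidr']}"


def audit_inbound_rules(rules, client_cidrs, ports):
    """Return findings for rules broader than the service needs and for clients left out.

    A finding is produced when an accept rule admits any source (/0), a source outside
    the client CIDRs, protocol "all", or ports other than the listener ports, and when
    some (client CIDR, listener port) pair is not admitted by any rule at all.
    """
    client_nets = [ipaddress.ip_network(c) for c in client_cidrs]
    wanted = set(ports)
    findings = []
    covered = set()  # (client CIDR, port) pairs that some accept rule admits
    for rule in rules:
        if rule["direction"] != "ingress" or rule["policy"] != "accept":
            continue
        src = ipaddress.ip_network(rule["source_cidr"])
        lo, hi = rule["port_range"]
        rule_ports = None if rule["protocol"] == "all" else set(range(lo, hi + 1))

        # Too broad: any source, a foreign source, every protocol, or extra ports.
        if src.prefixlen == 0:
            findings.append(f"{_describe(rule)}: admits any source; restrict to the client CIDRs")
        elif not any(src.subnet_of(n) for n in client_nets):
            findings.append(f"{_describe(rule)}: source {src} is outside the client CIDRs")
        if rule_ports is None:
            findings.append(f"{_describe(rule)}: protocol 'all'; restrict to the TCP listener ports")
        elif not rule_ports <= wanted:
            findings.append(f"{_describe(rule)}: opens ports beyond the listener ports {sorted(wanted)}")

        # Coverage: a client CIDR is admitted on a port only if the rule contains the whole CIDR.
        for n in client_nets:
            if n.subnet_of(src):
                for p in wanted:
                    if rule_ports is None or p in rule_ports:
                        covered.add((str(n), p))

    for n in client_nets:
        for p in sorted(wanted):
            if (str(n), p) not in covered:
                findings.append(f"no rule admits {n} on TCP {p}; clients there cannot reach the endpoint ENI")
    return findings


if __name__ == "__main__":
    good = build_minimal_inbound_rules(CLIENT_CIDRS, LISTENER_PORTS)
    # A common but over-broad rule: every TCP port from anywhere.
    wide_open = [{"direction": "ingress", "protocol": "tcp", "port_range": (1, 65535),
                  "source_cidr": "0.0.0.0/0", "policy": "accept"}]
    for name, rules in (("minimal", good), ("wide open", wide_open)):
        print(name, audit_inbound_rules(rules, CLIENT_CIDRS, LISTENER_PORTS) or "OK")
```

The audit only looks at inbound rules on the endpoint ENI's security group. The clients' own security groups must also permit outbound traffic to the endpoint ENI, and the security group on the backend ECS instances must admit the CLB health checks and forwarded requests on the backend port from Step 2.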

Step 6: Accept endpoint connection requests

After the endpoint is created for VPC 1, the endpoint sends a connection request to the endpoint service. After the endpoint service accepts the request, VPC 1 can access the endpoint service in VPC 2.
Note Skip this step if you set the endpoint service to automatically accept connection requests in Step 3.

To manually accept endpoint connection requests, perform the following operations:

  1. In the left-side navigation pane, choose Endpoint > Endpoint Service.
  2. In the top navigation bar, select the region where the endpoint service is deployed.
    In this example, Germany (Frankfurt) is selected.
  3. On the Endpoint Service page, find the endpoint service that you created in Step 3, and then click its ID.
  4. Click the Endpoint Connections tab, find the endpoint from which you want to accept connection requests, and then click Allow in the Actions column.
  5. In the Allow Connection message, click OK.
After you set the endpoint service to accept connection requests from the endpoint, the connection state of the endpoint changes from Disconnected to Connected.

Step 7: Use the endpoint to access services that are deployed in VPC 2

To test whether an Elastic Compute Service (ECS) instance that is deployed in VPC 1 can use the endpoint to access services that are deployed in VPC 2, perform the following operations:

  1. Open a browser on an ECS instance that is deployed in VPC 1.
  2. Enter the domain name or IP address of the endpoint into the address bar of the browser, and check whether the ECS instance in VPC 1 can access the service that is deployed in VPC 2.
    In this example, the domain name or IP address that is generated in Step 5 is entered. For more information, see Step 5: Create an endpoint.
    The result shows that the ECS instance that is deployed in VPC 1 can access the service that is deployed in VPC 2 through PrivateLink connections.
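The following script is an added example, not part of the Alibaba Cloud page, and can replace the browser test above. Run it on the ECS instance in VPC 1 with the endpoint domain name from Step 5 and the CIDR block of the vSwitch from Step 4. It first confirms that the name resolves to an address inside that vSwitch, which is where the endpoint ENI lives, and only then sends an HTTP request to the listener port. A name that resolves elsewhere (a public address, a stale /etc/hosts entry) means the request would not go through the endpoint at all, so the check fails before any traffic is sent. The domain name ep.example.internal and the CIDR values in the test are constructed placeholders; the `resolver` and `fetch` parameters exist so the logic can be exercised offline.

```python
"""Check that a client in VPC 1 reaches the VPC 2 service through the PrivateLink endpoint.

Added example, not part of the Alibaba Cloud page. The defaults use the VPC DNS resolver
of the ECS instance and a plain HTTP GET; `resolver` and `fetch` can be replaced for tests.
"""
import ipaddress
import socket
import urllib.request


def addresses_outside(addrs, vswitch_cidr):
    """Return the addresses in `addrs` that are not inside the endpoint vSwitch CIDR."""
    net = ipaddress.ip_network(vswitch_cidr)
    return [a for a in addrs if ipaddress.ip_address(a) not in net]


def resolve_in_vswitch(domain, vswitch_cidr, resolver=socket.gethostbyname_ex):
    """Resolve `domain` and require every address to lie in the endpoint vSwitch.

    The endpoint domain name, the zone domain name and the ENI IP address shown in
    Step 5 all belong to the vSwitch created in Step 4. Anything else means the client
    would not be talking to the endpoint ENI, so fail before sending a request.
    """
    _, _, addrs = resolver(domain)  # gethostbyname_ex returns (name, aliases, addresses)
    if not addrs:
        raise ValueError(f"{domain} did not resolve")
    outside = addresses_outside(addrs, vswitch_cidr)
    if outside:
        raise ValueError(f"{domain} resolves to {outside}, outside the endpoint vSwitch {vswitch_cidr}")
    return addrs


def _http_status(url):
    # Plain HTTP because the listener created in Step 2 is TCP on port 80.
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.status


def check_service(domain, vswitch_cidr, port=80, path="/",
                  resolver=socket.gethostbyname_ex, fetch=_http_status):
    """Return (addresses, http_status) once the name is confirmed to point into the vSwitch."""
    addrs = resolve_in_vswitch(domain, vswitch_cidr, resolver)
    return addrs, fetch(f"http://{domain}:{port}{path}")


if __name__ == "__main__":
    import sys
    # Usage on the VPC 1 instance: python3 check_endpoint.py <endpoint domain name> <vSwitch CIDR>
    domain, cidr = sys.argv[1], sys.argv[2]
    addrs, status = check_service(domain, cidr)
    print(f"{domain} -> {addrs}, HTTP {status}")
```

The endpoint domain names resolve only from inside VPC 1, so run the script there; an HTTP status of 200 together with an address inside the vSwitch CIDR is the result the browser test above is meant to confirm.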