PrivateLink:Specify a CLB instance as a service resource in PrivateLink

Last Updated:Feb 27, 2024

PrivateLink allows you to specify Classic Load Balancer (CLB) instances as the service resources of endpoint services. This topic describes how to use PrivateLink to allow a CLB instance in a virtual private cloud (VPC) to provide services for another VPC within the same Alibaba Cloud account.

Background information

VPCs are private networks that are isolated from each other in the cloud. You can use PrivateLink to establish a secure and stable private connection between a VPC and an Alibaba Cloud service. Traffic stays on the Alibaba Cloud private network, which simplifies the network architecture and avoids the exposure that publishing the service over the Internet would create.

To establish a PrivateLink connection, you must create an endpoint service and an endpoint.

  • Endpoint service

    An endpoint service can be accessed by using an endpoint in another VPC over a PrivateLink connection. Endpoint services are created and managed by service providers.

  • Endpoint

    An endpoint can be associated with an endpoint service to establish a PrivateLink connection that allows resources in the endpoint's VPC to access the endpoint service. Endpoints are created and managed by service consumers.

Entity: Service provider. Description: Creates and manages endpoint services.

Entity: Service consumer. Description: Creates and manages endpoints.

CLB distributes inbound network traffic across multiple Elastic Compute Service (ECS) instances that act as backend servers based on forwarding rules. Specifying CLB instances as the service resources of endpoint services improves the performance and availability of your applications. For more information, see What is CLB?

Scenarios

The following scenario is used as an example. Company A creates two VPCs named VPC 1 and VPC 2 in the Germany (Frankfurt) region with Alibaba Cloud Account A and deploys services on ECS instances named ECS 2 and ECS 3 in VPC 2. Due to business growth, resources in VPC 1 require access to the services in VPC 2 over a private connection.

You can create a CLB instance that supports PrivateLink in VPC 2 and specify ECS 2 and ECS 3 as its backend servers. The CLB instance receives traffic from clients and distributes it to the backend servers based on listener forwarding rules. Next, create an endpoint service and specify the CLB instance as its service resource. Finally, create an endpoint in VPC 1. After the endpoint is created and its connection to the endpoint service is accepted, ECS 1 in VPC 1 can access the services in VPC 2 over the private network.

[Architecture diagram]

Limits

  • To support PrivateLink, the CLB instance that serves as a service resource in VPC 2 must be a pay-as-you-go internal-facing CLB instance.

  • When you create an endpoint service, you must select a region that supports PrivateLink and CLB instances. For more information about the regions that support PrivateLink and CLB instances, see Regions and zones that support PrivateLink and Regions that support CLB.

  • The endpoint and endpoint service must be deployed in the same zone where the CLB instance is deployed.

Prerequisites

  • VPC 1 and VPC 2 are created in the Germany (Frankfurt) region, and a vSwitch is created for each VPC. For more information, see Create a VPC and a vSwitch.

  • ECS 1 is created in VPC 1, ECS 2 and ECS 3 are created in VPC 2, and different NGINX services are deployed on ECS 2 and ECS 3. For more information about how to create ECS instances and deploy NGINX services, see Create an instance on the Custom Launch tab and Manually build an LNMP stack on an Alibaba Cloud Linux 2 instance.

  • A security group is created in VPC 1. It is associated with ECS 1 and, in Step 4, with the endpoint ENI. You can configure security group rules based on your requirements for business and security.

    We recommend that you configure the following security group rules:

    • An inbound rule that allows traffic on SSH port 22 and Remote Desktop Protocol (RDP) port 3389 to access the ECS instance. Restrict the source of this rule to the addresses from which administrators connect rather than allowing 0.0.0.0/0.

    • An inbound rule that allows traffic on HTTP port 80 and HTTPS port 443 from the CIDR block of VPC 1. This rule allows clients in VPC 1 to reach the endpoint ENI, through which requests are forwarded to the endpoint service in VPC 2.

    For more information, see Create a security group.

    Note

    ECS 2 and ECS 3 in VPC 2 belong to the default security group, which is created by the system when the ECS instances are created. Make sure that the rules of that security group allow the CLB instance to reach port 80 on ECS 2 and ECS 3; CLB performs health checks and forwards requests from the 100.64.0.0/10 CIDR block. If this traffic is blocked, the health check fails and the backend servers receive no requests.
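The following is an added example, not part of the original topic, that reviews the inbound rules of the security group used in VPC 1 against the recommendations above: administrative ports must not be open wider than the administrators' address range, and the service ports must be open to the CIDR block of VPC 1 but no wider. The rule dictionaries are constructed sample data; their field names (Direction, IpProtocol, PortRange, SourceCidrIp, Policy) follow the shape of rules returned by the ECS DescribeSecurityGroupAttribute API, which is an assumption about that API, not a verbatim response. The CIDR blocks are the ones from the network plan in this topic.

```python
"""Review the security group rules for the endpoint ENI and ECS 1 in VPC 1.

Added example. Rule dictionaries are constructed; the field names are an
assumption modelled on the ECS DescribeSecurityGroupAttribute response.
"""
from ipaddress import ip_network

CLIENT_CIDR = "10.10.0.0/16"   # VPC 1: clients that may reach the endpoint ENI
ADMIN_CIDR = "10.10.2.0/24"    # constructed: vSwitch the administrators connect from

# Weak rule set: SSH is open to the world and HTTPS is not opened at all.
WEAK_RULES = [
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "3389/3389",
     "SourceCidrIp": "10.10.2.0/24", "Policy": "Accept"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "80/80",
     "SourceCidrIp": "10.10.0.0/16", "Policy": "Accept"},
    {"Direction": "egress", "IpProtocol": "ALL", "PortRange": "-1/-1",
     "DestCidrIp": "0.0.0.0/0", "Policy": "Accept"},
]

# Hardened rule set: admin ports limited to the admin range, 80/443 limited to VPC 1.
HARDENED_RULES = [
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "10.10.2.0/24", "Policy": "Accept"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "3389/3389",
     "SourceCidrIp": "10.10.2.0/24", "Policy": "Accept"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "80/80",
     "SourceCidrIp": "10.10.0.0/16", "Policy": "Accept"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "443/443",
     "SourceCidrIp": "10.10.0.0/16", "Policy": "Accept"},
    {"Direction": "egress", "IpProtocol": "ALL", "PortRange": "-1/-1",
     "DestCidrIp": "0.0.0.0/0", "Policy": "Accept"},
]


def rule_allows(rule, port):
    """True if the rule's PortRange "lo/hi" covers the port; "-1/-1" means all ports."""
    lo, hi = (int(x) for x in rule["PortRange"].split("/"))
    return lo == -1 or lo <= port <= hi


def review_endpoint_sg(rules, client_cidr=CLIENT_CIDR, admin_cidr=ADMIN_CIDR,
                       service_ports=(80, 443), admin_ports=(22, 3389)):
    """Return (findings, missing).

    findings: ingress Accept rules that expose an admin port beyond admin_cidr
              or a service port beyond client_cidr.
    missing:  service ports that no ingress rule opens to client_cidr.
    """
    client_net = ip_network(client_cidr)
    admin_net = ip_network(admin_cidr)
    findings, covered = [], set()
    for i, rule in enumerate(rules):
        if rule["Direction"] != "ingress" or rule["Policy"] != "Accept":
            continue
        src = ip_network(rule["SourceCidrIp"])
        for port in admin_ports:
            if rule_allows(rule, port) and not src.subnet_of(admin_net):
                findings.append(f"rule {i}: admin port {port} open to {src}, "
                                f"expected a source within {admin_net}")
        for port in service_ports:
            if not rule_allows(rule, port):
                continue
            if src.subnet_of(client_net):
                covered.add(port)
            else:
                findings.append(f"rule {i}: service port {port} open to {src}, "
                                f"wider than {client_net}")
    missing = [p for p in service_ports if p not in covered]
    return findings, missing


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        findings, missing = review_endpoint_sg(rules)
        print(f"{name}: findings={findings} missing={missing}")
```

Running the review over the weak set reports the world-open SSH rule and the absent HTTPS rule; the hardened set produces no findings and nothing missing. To review a real security group, replace the constructed lists with the permission entries returned by the API.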

The following table describes how networks are planned for the VPCs in this example. Because PrivateLink places an endpoint ENI in the consumer VPC instead of routing between the two VPCs, your services are not adversely affected if the CIDR blocks of your VPCs overlap with each other.

VPC 1

  • Region: Germany (Frankfurt)

  • CIDR block: VPC 10.10.0.0/16, vSwitch 10.10.2.0/24

  • vSwitch zone: Zone B

  • ECS instance IP address: ECS 1: 10.10.2.1

VPC 2

  • Region: Germany (Frankfurt)

  • CIDR block: VPC 192.168.0.0/16, vSwitch 192.168.24.0/24

  • vSwitch zone: Zone B

  • ECS instance IP addresses: ECS 2: 192.168.24.200, ECS 3: 192.168.24.12

Procedure

[Flowchart of the procedure]

Step 1: Create an internal-facing CLB instance that supports PrivateLink

  1. Log on to the CLB console.

  2. Choose CLB (FKA SLB) > Instances in the left-side navigation pane. On the page that appears, click Create CLB.

  3. On the Server Load Balancer page, configure the CLB instance by specifying the parameters that are described in the following table, click Buy Now, and then complete the payment.

    Parameter

    Description

    Region

    Select a region where you want to create the CLB instance.

    In this example, Germany (Frankfurt) is selected.

    Note

    Make sure that the CLB instance and the ECS instances that you want to specify as backend servers belong to the same region.

    Zone Type

    Specify whether you want to deploy the CLB instance in one zone or across multiple zones. By default, Multi-zone is selected.

    Primary Zone

    Select a primary zone for the CLB instance to receive network traffic. In this example, Europe Central 1 Zone B is selected.

    Backup Zone

    Select a secondary zone for the CLB instance. Traffic is distributed to the secondary zone only when the primary zone is down.

    In this example, Europe Central 1 Zone A is selected.

    Instance name

    Enter a name for the CLB instance.

    SLB instance

    Select a type for the CLB instance. You can create an Internet-facing CLB instance or an internal-facing CLB instance based on your business requirements. The system allocates a public or private IP address to the CLB instance based on the specified instance type.

    In this example, Intranet is selected.

    Instance Billing Method

    Select a billing method for the CLB instance. Valid values:

    • Pay-By-Specification

    • Pay-By-CLCU

    In this example, Pay-By-Specification is selected.

    Specification

    Select a specification for the CLB instance. CLB instances with different specifications deliver different performances. In this example, Small I (slb.s1.small) is selected.

    Network Type

    Select a network type for the CLB instance.

    In this example, VPC is selected.

    IP Version

    Select an IP version for the CLB instance. In this example, IPv4 is selected.

    Feature

    Select a feature type for the CLB instance. By default, Standard is selected.

    VPC ID

    Select VPC 2.

    Vswitch ID

    Select a vSwitch in VPC 2.

    Internet Data Transfer Fee

    Select a metering method. This parameter applies only to Internet-facing CLB instances, which support the following metering methods:

    • By traffic: the pay-by-data-transfer metering method

    • By bandwidth: the pay-by-bandwidth metering method

    By default, By traffic is selected.

    Note

    The CLB instance in this example is internal-facing and does not incur Internet data transfer fees, so this parameter has no effect here.

    Resource Group

    Select a resource group for the CLB instance. In this example, Default Resource Group is selected.

    Quantity

    Specify the number of CLB instances that you want to purchase. In this example, 1 is specified.

Step 2: Configure the CLB instance

After the CLB instance is created, you must add at least one listener and one group of backend servers to the CLB instance. This way, network traffic can be forwarded by the CLB instance.

  1. On the Instances page, find the CLB instance that was created in Step 1 and click Configure Listener in the Actions column.

  2. On the Protocol and Listener wizard page, specify the following parameters, use the default values for other parameters, and then click Next:

    • Select Listener Protocol: In this example, TCP is selected.

    • Listening Port: specifies the port that the CLB instance uses to receive requests and forward the requests to backend servers.

      In this example, 80 is specified.

  3. On the Backend Servers wizard page, select Default Server Group and click Add More to add backend servers.

    1. In the My Servers panel, select ECS 2 and ECS 3 that you created, and click Next.

    2. Specify weights for the backend servers and click Add.

      A backend server with a higher weight receives more requests. In this example, the default value 100 is used.

    3. On the Default Server Group tab, specify a backend port and click Next. In this example, 80 is specified.

      You can specify the same port for multiple backend servers of a CLB instance.

  4. On the Health Check wizard page, configure the health check feature and click Next. In this example, the default values of the parameters are used.

  5. On the Confirm wizard page, check the configurations and click Submit.

  6. Click OK to return to the Instances page.

    If the health check state of an ECS instance is Normal, the ECS instance can process requests that are forwarded by the CLB instance.

Step 3: Create an endpoint service

  1. Log on to the endpoint service console.

  2. In the top navigation bar, select the region in which you want to create an endpoint service. In this example, Germany (Frankfurt) is selected.

  3. On the Endpoints Service page, click Create Endpoint Service.

  4. On the Create Endpoint Service page, specify the parameters that are described in the following table and click OK.

    The following table describes only the parameters that are relevant to this topic. For more information about how to configure other parameters, see Create an endpoint service.

    Parameter

    Description

    Service Resource Type

    Select the type of service resource that you want to add to the endpoint service. In this example, CLB is selected.

    Select Service Resource

    Select the zone in which the CLB instance receives network traffic. Then, select the CLB instance that you want to associate with the endpoint service.

    In this example, Frankfurt Zone B and the CLB instance created in Step 1 are selected.

    Automatically Accept Endpoint Connections

    Specify whether the endpoint service automatically accepts connection requests from endpoints. In this example, No is selected.

    • Yes: If you select this option, the endpoint service automatically accepts connection requests from endpoints. Then, you can use endpoints to access the service resources of this endpoint service.

    • No: If you select this option, the endpoint connection of the endpoint service is in the Disconnected state by default. In this case, connection requests to the endpoint service must be manually accepted or denied by the service provider.

      • If the service provider accepts a connection request from an endpoint, the service resources of this endpoint service can be accessed by using the endpoint.

      • If the service provider denies a connection request from an endpoint, the service resources of this endpoint service cannot be accessed by using the endpoint.

    Enable Zone Affinity

    In this example, Yes is selected. When zone affinity is enabled, the endpoint domain name is preferentially resolved to the endpoint ENI in the zone nearest to the client among all the zones in which the endpoint is deployed.

    Resource Group

    Select the resource group to which the endpoint service belongs.

After the endpoint service is created, the account ID of the service provider is automatically added to the service whitelist. Only accounts in the whitelist can create endpoints for the endpoint service. In this example the consumer is the same Alibaba Cloud account, so no further whitelist entry is required.

You can view the instance ID and instance name on the details page of the endpoint service.

Step 4: Create an endpoint

  1. Log on to the endpoint console.

  2. In the top navigation bar, select the region in which you want to create an endpoint. In this example, Germany (Frankfurt) is selected.

  3. In the left-side navigation pane, click Endpoints. On the Endpoints page, click Create Endpoint.

  4. On the Create Endpoint page, specify the parameters that are described in the following table and click OK.

    The following table describes only the parameters that are relevant to this topic. For more information about how to configure other parameters, see Create an endpoint.

    Parameter

    Description

    Endpoint Name

    Enter a name for the endpoint.

    Endpoint Type

    Select a type for the endpoint that you want to create. In this example, Interface Endpoint is selected.

    Endpoints Service

    In this example, the endpoint service that was created in Step 3 is selected.

    VPC

    Select the VPC where you want to create the endpoint. In this example, VPC 1 is selected.

    Security Groups

    Select the security group that you want to associate with the endpoint elastic network interface (ENI). Its rules control which clients in the VPC can send traffic to the endpoint ENI, and therefore to the endpoint service. In this example, the security group created in VPC 1 in the prerequisites is selected.

    Note

    Make sure that the rules in the security group allow access to the endpoint ENI from clients.

    Zone and vSwitch

    Select the zone where the endpoint service is deployed and select a vSwitch in the zone. The system automatically creates an endpoint ENI and attaches it to the vSwitch.

    In this example, Frankfurt Zone B and a vSwitch that was created in VPC 1 are selected.

    Resource Group

    Select the resource group to which the endpoint belongs.

After you create the endpoint, you can view the domain name of the endpoint and the domain name and IP address of the selected zone on the details page of the endpoint.

Step 5: Accept connection requests from the endpoint

After you create an endpoint in VPC 1, you must configure the endpoint service to accept connection requests from the endpoint. This way, resources in VPC 1 can access the endpoint service in VPC 2 by using the endpoint.

Note

Skip this step if you allow the endpoint service to automatically accept connection requests in Step 3.

  1. In the left-side navigation pane, click Endpoints Service.

  2. In the top navigation bar, select the region where the endpoint service is deployed. In this example, Germany (Frankfurt) is selected.

  3. On the Endpoints Service page, find the endpoint service created in Step 3 and click its ID.

  4. On the details page of the endpoint service, click the Endpoint Connections tab, find the endpoint that you want to manage, and then click Allow in the Actions column.

  5. In the Allow Connection dialog box, select Allow connections and automatically allocate service resources, and click OK.

After you allow the endpoint service to accept connection requests from the endpoint, the state of the endpoint connection changes from Disconnected to Connected. Then, the endpoint service can process requests from the endpoint.

Step 6: Access services by using the endpoint

The following section describes how to test whether ECS 1 in VPC 1 can access the services that are deployed on ECS 2 and ECS 3 in VPC 2 by using the endpoint.

  1. Log on to ECS 1 in VPC 1. For more information, see Connection method overview.

  2. On the terminal of ECS 1, run cURL against the domain name or IP address of the endpoint zone to test the connectivity.

    In this example, the domain name or IP address of Frankfurt Zone B that was generated in Step 4 is used.

    The test result shows that ECS 1 in VPC 1 can access the services in VPC 2. Because ECS 2 and ECS 3 serve different NGINX pages, repeated requests should return both pages, which confirms that the CLB instance distributes traffic to both backend servers.

    [Screenshots of the test result]
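The following is an added example, not part of the original topic, that automates the test in Step 6 from ECS 1. It first resolves the endpoint zone domain name and checks that the answer is an address inside the vSwitch of VPC 1 (the endpoint ENI, not an Internet address), then sends repeated HTTP requests through the endpoint and counts which of the two NGINX pages answered, so that both backend servers behind the CLB instance are confirmed to receive traffic. The domain name is a placeholder that you replace with the value from the endpoint details page; the resolver and fetch functions are injectable so the logic can be exercised with constructed responses without network access.

```python
"""Test the PrivateLink path from ECS 1 in VPC 1 to the CLB instance in VPC 2.

Added example. ENDPOINT_ZONE_DOMAIN is a placeholder; the vSwitch CIDR is the
one from the network plan in this topic.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
import socket
import urllib.request

ENDPOINT_ZONE_DOMAIN = "endpoint-zone-b.example.internal"  # placeholder, replace
VPC1_VSWITCH_CIDR = "10.10.2.0/24"                         # vSwitch of VPC 1


def resolve_endpoint(domain, resolver=socket.gethostbyname):
    """Resolve the endpoint domain and verify it points at the endpoint ENI.

    A correct PrivateLink setup resolves to a private address inside the
    vSwitch in which the endpoint ENI was created, never to a public address.
    """
    ip = resolver(domain)
    if ip_address(ip) not in ip_network(VPC1_VSWITCH_CIDR):
        raise RuntimeError(f"{domain} resolved to {ip}, outside {VPC1_VSWITCH_CIDR}")
    return ip


def http_get(url, timeout=3):
    """Fetch a URL over plain HTTP (port 80 is the CLB listener in this topic)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def probe_backends(domain, attempts=10, fetch=http_get):
    """Send repeated requests through the endpoint and count the distinct
    responses; ECS 2 and ECS 3 serve different NGINX pages, so the first line
    of the body identifies which backend answered."""
    seen = Counter()
    for _ in range(attempts):
        body = fetch(f"http://{domain}/").strip()
        marker = body.splitlines()[0] if body else "<empty>"
        seen[marker] += 1
    return seen


def check_privatelink(domain, resolver=socket.gethostbyname, fetch=http_get,
                      attempts=10):
    """Return the resolved ENI address, the response distribution and whether
    more than one backend was observed behind the CLB instance."""
    ip = resolve_endpoint(domain, resolver)
    seen = probe_backends(domain, attempts, fetch)
    return {"ip": ip, "responses": dict(seen), "both_backends": len(seen) >= 2}


if __name__ == "__main__":
    print(check_privatelink(ENDPOINT_ZONE_DOMAIN))
```

If both_backends is False after enough attempts, check the health check state of ECS 2 and ECS 3 on the Instances page: a backend whose health check is not Normal receives no traffic and will never appear in the response counts.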