This topic describes how to use PrivateLink to share an internal Server Load Balancer (SLB) service that is deployed in a Virtual Private Cloud (VPC) network with a VPC network under another account.

Background information

VPCs are private networks that are independent of each other. You can use PrivateLink to establish private connections between VPCs and Alibaba Cloud services. This simplifies network architecture and secures data transmission.

To use PrivateLink connections to share services between different VPCs that belong to the same account, you must create endpoint services and endpoints.
  • Endpoint services

    Endpoint services within a VPC can be accessed by other VPCs through PrivateLink. You must create endpoints for these VPCs to establish PrivateLink connections. Endpoint services are created and managed by service providers.

  • Endpoints

    You can associate an endpoint with an endpoint service to establish PrivateLink connections, which allows a VPC to access external services. Endpoints are created and managed by service consumers.

Note PrivateLink is available for use in only specific regions. For more information, see Regions and zones that support PrivateLink.

Scenario

The scenario in the following figure is used as an example. Assume that you have two Alibaba Cloud accounts (Account 1 and Account 2). The UID of Account 1 is 12345678, and the UID of Account 2 is 87654321. VPC 1 is created under Account 1 and VPC 2 is created under Account 2. Application services are deployed on Elastic Compute Service (ECS) instances in VPC 2. For security reasons, VPC 1 must access the services in VPC 2 through a private connection.

You can create an SLB instance that supports PrivateLink within VPC 2, and specify the ECS instances in VPC 2 as backend servers for the SLB instance. Then, create an endpoint service, specify the SLB instance as the service resource for the endpoint service, and add the UID of Account 1 to the whitelist of the endpoint service. Finally, create an endpoint in VPC 1 under Account 1. After the endpoint is created, VPC 1 can access the services in VPC 2 under Account 2.

Prerequisites

Before you start, make sure that the following requirements are met:

Procedure

Step 1: Create an SLB instance that supports PrivateLink

Only SLB instances that support PrivateLink can serve as service resources for endpoint services. Before you establish a PrivateLink connection between the VPC networks, you must create an SLB instance that supports PrivateLink.

To create an SLB instance that supports PrivateLink, perform the following operations:

  1. Log on to the SLB console with Account 2.
  2. In the left-side navigation pane, choose Instances > Instances.
  3. On the Instances page, click Create Instance.
  4. On the buy page, set the following parameters to create a CLB instance:
    • Billing Method: Select a billing method. In this example, Pay-As-You-Go is selected.
      Note Only CLB instances that are billed on a pay-as-you-go basis support PrivateLink.
    • Region and Zone: Select the region and zone where you want to create the CLB instance. Make sure that the CLB instance and the ECS instances to be specified as backend servers are deployed in the same region. In this example, Germany (Frankfurt) and EU Central 1 Zone A are selected.
    • Instance Type: Select the type of CLB instance that you want to create. The system automatically allocates an IP address to the CLB instance based on the specified instance type. For more information, see SLB instance overview.
      • Public Network: If you select Public Network, a public IP address is allocated to the CLB instance. You can access the CLB service over the Internet.
      • Internal Network: If you select Internal Network, a private IP address is allocated to the CLB instance. You can access the CLB service only within networks of Alibaba Cloud. You cannot access the CLB service over the Internet.
      In this example, Internal Network is selected.
      Note Only internal-facing CLB instances support PrivateLink.
    • VPC: Select VPC 2 and the vSwitch in VPC 2.
    • Features: Select the service that the CLB instance supports.

      In this example, Support PrivateLink is selected.

    • For more information about other parameters, see Create a CLB instance that supports PrivateLink.
  5. Click Buy Now and complete the payment.

Step 2: Configure the CLB instance

After you create the CLB instance, you must add at least one listener and one group of backend servers to the CLB instance. This way, connection requests can be directed to the CLB instance.

To configure the CLB instance, perform the following operations:

  1. On the Instances page, find the CLB instance that you created in Step 1, and click Configure Listener in the Actions column.
  2. In the Protocol and Listener wizard, set the following parameters:
    • Select Listener Protocol: In this example, TCP is selected.
    • Listening Port: Specify the frontend port that is used to receive requests and distribute requests to backend servers.

      In this example, the port number is set to 80.

    Use the default values for other parameters.

  3. Click Next. In the Backend Servers wizard, select Default Server Group and click Add More to add backend servers.
    1. In the My Servers pane, select the ECS instances that you created and click Next.
    2. Weight: A backend server with a higher weight receives more requests. The default value is 100. We recommend that you use the default value.
    3. Click Add.
    4. On the Default Server Group tab, specify the ports that are open on the backend servers (ECS instances) to receive requests. You can specify the same port for backend servers that belong to the same CLB instance. In this example, the port number is set to 80.
  4. Click Next to configure health checks. In this example, the default health check configurations are used.
  5. Click Next. In the Confirm wizard, confirm the parameters and click Submit.
  6. Click OK to go back to the Instance page.

    If the health check status of an ECS instance is Normal, this indicates that the ECS instance is ready to process requests.

Step 3: Create an endpoint service

An endpoint service within a VPC network can be accessed by other VPC networks after you connect the endpoints of these VPC networks to the endpoint service.

To create an endpoint service with Account 2, perform the following operations:

  1. Log on to the VPC console with Account 2.
  2. In the left-side navigation pane, choose Endpoint > Endpoint Service.
  3. In the top navigation bar, select the region where you want to create an endpoint service.
    In this example, Germany (Frankfurt) is selected.
  4. On the Endpoint Service page, click Create Endpoint.
  5. On the Create Endpoint Service page, set the following parameters for the endpoint service and click OK.
    • Select Service Resource: Select a zone to receive network traffic, and select the CLB instance to be associated with the endpoint service.

      CLB instances serve as service resources and can be associated with endpoint services. The associated CLB instances receive requests from clients. The zone where an endpoint service is deployed must be the same as the primary zone where the service resource is deployed. Only CLB instances that support PrivateLink and are deployed in VPCs can serve as service resources.

      In this example, Frankfurt Zone A and the CLB instance that is created in Step 1 are selected.

    • Automatically Accept Endpoint Connections: Specify whether to automatically accept connection requests from endpoints.
      • Yes: The endpoint service accepts all connection requests from an associated endpoint. Users can access the endpoint service through the associated endpoint.
      • No: The endpoint connection is in the Disconnected state. Endpoint connection requests to the endpoint service must be manually accepted or denied by the service administrator.
        • If the service administrator accepts endpoint connection requests from the associated endpoint, the endpoint service can be accessed through the endpoint.
        • If the service administrator denies endpoint connection requests from the associated endpoint, the endpoint service cannot be accessed through the endpoint.

      In this example, No is selected.

    • Description: Enter a description for the endpoint service.

      The description must be 2 to 256 characters in length, and cannot start with http:// or https://.

After the endpoint service is created, you can view the service ID and service name of the endpoint service.

Step 4: Configure a whitelist for the endpoint service

You can configure a whitelist for an endpoint service. An account can create an endpoint that connects to the endpoint service only if the UID of the account is in the whitelist.

To add the UID of Account 1 to the whitelist of the endpoint service configured by Account 2, perform the following operations:

  1. Log on to the VPC console with Account 2.
  2. In the left-side navigation pane, choose Endpoint > Endpoint Service.
  3. On the Endpoint Service page, find the endpoint service that you created in Step 3, and then click its service ID.
  4. Click the Service Whitelist tab, and then click Add Whitelist Account.
  5. In the Add Whitelist Account dialog box, enter the UID of the account that you want to add to the whitelist, and then click OK.
    In this example, the UID of Account 1 is entered, which is 12345678.

Step 5: Create a VSwitch

Create a vSwitch in VPC 1. The vSwitch must be deployed in the same zone as the CLB instance that is created in Step 1. After the vSwitch is created, the system creates an endpoint elastic network interface (ENI) within the vSwitch. The endpoint ENI functions as the entry for VPC 1 to access services deployed in VPC 2.

  1. In the left-side navigation pane, click VSwitches.
  2. In the top navigation bar, select the region where you want to create the vSwitch.
    In this example, Germany (Frankfurt) is selected.
  3. On the VSwitches page, click Create VSwitch.
  4. On the Create VSwitch page, set the following parameters for the vSwitch and click OK.
    • VPC: Select the VPC to which the vSwitch belongs. In this example, VPC 1 is selected.
    • Name: Enter a name for the vSwitch.

      The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter.

    • Zone: Select the zone where you want to deploy the vSwitch. In this example, Frankfurt Zone A is selected.
    • IPv4 CIDR Block: Specify the IPv4 CIDR block of the vSwitch.
    • Description: Enter a description for the vSwitch.

      The description must be 2 to 256 characters in length. It cannot start with http:// or https://.

Step 6: Create an endpoint

You can associate an endpoint with an endpoint service to establish a PrivateLink connection that allows a VPC network to access external services.

To use Account 1 to create an endpoint, perform the following operations:

  1. Log on to the VPC console with Account 1.
  2. In the left-side navigation pane, choose Endpoint > Endpoint.
  3. In the top navigation bar, select the region where you want to create the endpoint.
    In this example, Germany (Frankfurt) is selected.
  4. On the Endpoint page, click Create Endpoint.
  5. In the Create Endpoint dialog box, set the following parameters, and then click OK:
    • Name: Enter a name for the endpoint.

      The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). The name must start with a letter or Chinese character.

    • Endpoint Service: You can configure the endpoint service by performing the following operations:
      • Select Add by Service Name and enter the name of the endpoint service that you want to associate.
      • Select Select Alibaba Cloud Service and select an endpoint service under the current account.

      In this example, Select Alibaba Cloud Service is selected, and then the endpoint service that was created in Step 3 is selected. For more information, see Step 3: Create an endpoint service.

    • VPC: Select the VPC network for which you want to create the endpoint. In this example, VPC 1 is selected.
    • Security Group: Associate a security group with the endpoint elastic network interface (ENI). The security group can manage data that is transmitted between the VPC network and the endpoint ENI.
      Note Make sure that the rules in the security group allow access from clients to the endpoint ENI.
    • Zone and VSwitch: Select the zone of the endpoint service, and select a VSwitch in the zone. The system automatically creates an endpoint ENI within the VSwitch.

      In this example, Frankfurt Zone A is selected, and then the VSwitch created in Step 5 is selected. For more information, see Step 5: Create a VSwitch.

    • Description: Enter a description for the endpoint.

      The description must be 2 to 256 characters in length and cannot start with http:// or https://.

After the endpoint is created, you can view the domain name or IP address that is used to access the endpoint service. You can access the endpoint service in the following ways:
  • Use the domain name of the endpoint
  • Use the IP address of the ENI
  • Use the domain name of the zone

Step 7: Accept endpoint connection requests

After the endpoint is created for VPC 1, the endpoint sends a connection request to the endpoint service. After the endpoint service accepts the connection request, VPC 1 can access the endpoint service in VPC 2.
Note Skip this step if you set the endpoint service to automatically accept connection requests in Step 3.

To allow the endpoint service of Account 2 to accept endpoint connection requests from Account 1, perform the following operations:

  1. Log on to the VPC console with Account 2.
  2. In the left-side navigation pane, choose Endpoint > Endpoint Service.
  3. In the top status bar, select the region where the endpoint service is deployed.
    In this example, Germany (Frankfurt) is selected.
  4. On the Endpoint Service page, find the endpoint service created in Step 3, and then click its service ID.
  5. Click the Endpoint Connections tab, find the endpoint created in Step 6, and then click Accept in the Actions column.
  6. In the Accept Connection message, click OK.
After you accept the endpoint connection request, the connection status of the endpoint changes from Disconnected to Available.

Step 8: Use the endpoint to access services that are deployed in VPC 2

To test whether VPC 1 created by Account 1 can use the endpoint to access the services that are deployed in VPC 2 under Account 2, perform the following operations:

  1. Open a browser on an ECS instance in VPC 1 under Account 1.
  2. Enter the domain name or IP address of the endpoint service into the address bar of the browser, and check whether the ECS instance can access services that are deployed in VPC 2 under Account 2.
    In this example, the domain name or IP address generated in Step 6 is entered. For more information, see Step 6: Create an endpoint.
    The result shows that the ECS instance of Account 1 can use the endpoint to access the services deployed in VPC 2 under Account 2.
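The following script is an added example and is not part of the Alibaba Cloud documentation or its console procedure. It drives Steps 3, 4, 6, 7 and 8 above through the aliyun CLI's generic API mode (`aliyun <product> <Action> --Param value`) with the PrivateLink API actions CreateVpcEndpointService, AddUserToVpcEndpointService, CreateVpcEndpoint and EnableVpcEndpointConnection, then replaces the Step 8 browser check with curl. It goes one step beyond the page: because the endpoint ENI is created inside the Step 5 vSwitch, the script resolves the endpoint domain and checks that the address falls within that vSwitch's CIDR block before sending the request. Everything environment-specific is an assumption: the two CLI profile names (`account2` for the provider, `account1` for the consumer), the placeholder resource IDs, the constructed vSwitch CIDR `192.168.10.0/24`, the `Bandwidth` value passed when accepting the connection, and the response field names `ServiceId`, `EndpointId` and `EndpointDomain`; jq and curl are assumed to be present on the ECS instance in VPC 1.

```shell
#!/bin/sh
# Added example, not code from the Alibaba Cloud documentation. Steps 3-8 of
# the page via the aliyun CLI, with the region, zone and UID from the example
# scenario. Profile names, resource IDs and the vSwitch CIDR are assumptions.
set -eu

REGION="eu-central-1"          # Germany (Frankfurt), as in the example
ZONE="eu-central-1a"           # Frankfurt Zone A, as in the example
PROVIDER_PROFILE="account2"    # assumed aliyun CLI profile for Account 2
CONSUMER_PROFILE="account1"    # assumed aliyun CLI profile for Account 1
CONSUMER_UID="12345678"        # UID of Account 1 from the scenario
CLB_ID="lb-PLACEHOLDER"        # CLB instance created in Step 1 (placeholder)
VPC1_ID="vpc-PLACEHOLDER"      # VPC 1 under Account 1 (placeholder)
VSW_ID="vsw-PLACEHOLDER"       # vSwitch created in Step 5 (placeholder)
SG_ID="sg-PLACEHOLDER"         # security group for the endpoint ENI (placeholder)
VSW_CIDR="192.168.10.0/24"     # constructed CIDR block of the Step 5 vSwitch

# Step 3: endpoint service backed by the PrivateLink-capable CLB instance,
# with AutoAcceptEnabled=false so every connection needs explicit approval.
create_endpoint_service() {
  aliyun --profile "$PROVIDER_PROFILE" privatelink CreateVpcEndpointService \
    --RegionId "$REGION" --AutoAcceptEnabled false \
    --Resource.1.ResourceId "$CLB_ID" --Resource.1.ResourceType slb \
    --ServiceDescription "CLB in VPC 2 shared with Account 1" \
    | jq -r '.ServiceId'
}

# Step 4: only the whitelisted UID (Account 1) may create endpoints for $1.
add_consumer_to_whitelist() {
  aliyun --profile "$PROVIDER_PROFILE" privatelink AddUserToVpcEndpointService \
    --RegionId "$REGION" --ServiceId "$1" --UserId "$CONSUMER_UID" >/dev/null
}

# Step 6: Account 1 creates the endpoint in VPC 1; the endpoint ENI is placed
# in the Step 5 vSwitch and filtered by the security group. Prints the
# endpoint ID and the endpoint domain on two lines.
create_endpoint() {
  aliyun --profile "$CONSUMER_PROFILE" privatelink CreateVpcEndpoint \
    --RegionId "$REGION" --ServiceId "$1" --VpcId "$VPC1_ID" \
    --SecurityGroupId.1 "$SG_ID" \
    --Zone.1.ZoneId "$ZONE" --Zone.1.VSwitchId "$VSW_ID" \
    --EndpointName "vpc1-to-vpc2-clb" \
    | jq -r '.EndpointId, .EndpointDomain'
}

# Step 7: Account 2 accepts the pending connection (Disconnected -> Available).
# The Bandwidth value (Mbit/s) is an assumption for this example.
accept_connection() {
  aliyun --profile "$PROVIDER_PROFILE" privatelink EnableVpcEndpointConnection \
    --RegionId "$REGION" --ServiceId "$1" --EndpointId "$2" --Bandwidth 1024 >/dev/null
}

# Dotted-quad IPv4 address -> 32-bit integer (pure shell arithmetic).
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr ADDR NET/BITS: succeeds when ADDR lies inside NET/BITS.
ip_in_cidr() {
  local ip net bits mask
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Step 8 from the ECS instance in VPC 1: confirm the endpoint domain resolves
# to an address inside the Step 5 vSwitch, then fetch the TCP/80 listener.
verify_access() {
  local domain ip
  domain=$1
  ip=$(getent hosts "$domain" | awk '{print $1; exit}')
  if ! ip_in_cidr "$ip" "$VSW_CIDR"; then
    echo "endpoint $domain resolved to $ip, outside $VSW_CIDR" >&2
    return 1
  fi
  curl -sS --max-time 5 -o /dev/null -w '%{http_code}\n' "http://$domain:80/"
}

main() {
  service_id=$(create_endpoint_service)
  add_consumer_to_whitelist "$service_id"
  endpoint=$(create_endpoint "$service_id")
  endpoint_id=$(printf '%s\n' "$endpoint" | sed -n 1p)
  endpoint_domain=$(printf '%s\n' "$endpoint" | sed -n 2p)
  accept_connection "$service_id" "$endpoint_id"
  verify_access "$endpoint_domain"
}

# The cloud calls run only on request, so the file can also be sourced for
# its helpers: RUN_PRIVATELINK_SETUP=1 sh privatelink-share.sh
if [ "${RUN_PRIVATELINK_SETUP:-0}" = 1 ]; then
  main
fi
```

Keeping `AutoAcceptEnabled` at `false` mirrors the "No" choice in Step 3: a whitelisted account can still only reach the CLB after the provider explicitly accepts its endpoint in Step 7, which gives Account 2 a second control on top of the UID whitelist. The CIDR check in `verify_access` is a cheap sanity test that traffic is leaving through the endpoint ENI rather than some other path.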