PrivateLink:Access services in a VPC that belongs to another account by using PrivateLink

Last Updated:Mar 21, 2024

If you want to allow a Server Load Balancer (SLB) instance in a virtual private cloud (VPC) to provide services for a VPC that belongs to another account, you can use PrivateLink to establish a network connection between the two VPCs. This topic describes how to use PrivateLink to access a Classic Load Balancer (CLB) instance in a VPC that belongs to another account.

Background information

VPCs are private networks that are isolated from each other in the cloud. You can use PrivateLink to establish a secure and stable private connection between a VPC and an Alibaba Cloud service. This simplifies the network architecture and prevents security risks over the Internet.

To establish a PrivateLink connection, you must create an endpoint service and an endpoint.

  • Endpoint service

    An endpoint service can be accessed by using an endpoint in another VPC over a PrivateLink connection. Endpoint services are created and managed by service providers.

  • Endpoint

    An endpoint can be associated with an endpoint service to establish a PrivateLink connection that allows a VPC to access external services. Endpoints are created and managed by service consumers.

Entity | Description
Service provider | Creates and manages endpoint services.
Service consumer | Creates and manages endpoints.

Scenarios

The following scenario is used as an example. Company A uses two Alibaba Cloud accounts to create two VPCs in the Germany (Frankfurt) region: VPC 1 and VPC 2. VPC 1 is created by using Account A and VPC 2 is created by using Account B. Two Elastic Compute Service (ECS) instances are created in VPC 2: ECS 2 and ECS 3. Application services are deployed on the ECS instances in VPC 2. Due to business growth, VPC 1 needs to access services in VPC 2. To prevent security risks over the Internet, a private connection needs to be established between the two VPCs.

In this scenario, you can create a CLB instance that supports PrivateLink in VPC 2 and specify the ECS instances as the backend servers of the CLB instance. As a result, the CLB instance can receive client traffic and distribute the traffic to the corresponding ECS instances based on the forwarding rules of a listener. Create an endpoint service, specify the CLB instance as the service resource of the endpoint service, and then add the ID of Account A to the whitelist of the endpoint service. Then, create an endpoint in VPC 1. After the endpoint is created and connected to the endpoint service in VPC 2 as expected, VPC 1 can access the services in VPC 2.

Architecture diagram

Limits

  • To support PrivateLink, the CLB instance that serves as a service resource in VPC 2 must be a pay-as-you-go internal-facing CLB instance.

  • When you create an endpoint service, you must select a region that supports PrivateLink and CLB instances. For more information about the regions that support PrivateLink and CLB instances, see Regions and zones that support PrivateLink and Regions that support CLB.

  • The endpoint and endpoint service must be deployed in the same zone where the CLB instance is deployed.

Prerequisites

  • If this is the first time that you use PrivateLink, go to the PrivateLink activation page to activate PrivateLink as instructed.

  • VPC 1 is created by using Account A and VPC 2 is created by using Account B in the Germany (Frankfurt) region. A vSwitch is created for each VPC. For more information, see the Step 1: Create a VPC and vSwitches section of the Create a VPC with an IPv4 CIDR block topic.

  • ECS 1 is created in VPC 1 that belongs to Account A. ECS 2 and ECS 3 are created in VPC 2 that belongs to Account B. Different NGINX services are deployed on ECS 2 and ECS 3. For more information about how to create ECS instances and deploy NGINX services, see Create an instance on the Custom Launch tab and Manually build an LNMP stack on an Alibaba Cloud Linux 2 or Linux 3 instance.

  • A security group is created in VPC 1. You can configure security group rules based on your requirements for business and security.

    For more information, see Create a security group.

    Note

    ECS 2 and ECS 3 in VPC 2 belong to the default security group, which is created by the system when the ECS instances are created.

The following table describes how the networks of the VPCs are planned in this example. Your services are not adversely affected if the CIDR blocks of your VPCs overlap with each other.

Item | VPC 1 | VPC 2
Region | Germany (Frankfurt) | Germany (Frankfurt)
CIDR block | VPC: 10.10.0.0/16; vSwitch: 10.10.2.0/24 | VPC: 192.168.0.0/16; vSwitch: 192.168.24.0/24
vSwitch zone | Zone B | Zone B
ECS instance IP address | ECS 1: 10.10.2.1 | ECS 2: 192.168.24.200; ECS 3: 192.168.24.12

Procedure

Configuration workflow diagram

Step 1: Create a CLB instance that supports PrivateLink

  1. Log on to the CLB console with Account B.

  2. On the Instances page, click Create CLB.

  3. On the CLB (Pay-As-You-Go) International Site buy page, set the following parameters of the CLB instance, and click Buy Now to complete the payment.

    • Region: Select a region where you want to create the CLB instance. In this example, Germany (Frankfurt) is selected.

      Note: Make sure that the CLB instance and the ECS instances that you want to specify as backend servers belong to the same region.

    • Zone Type: Specify whether to deploy the CLB instance in one zone or across multiple zones. Default value: Multi-zone.

    • Primary Zone: Select a primary zone for the CLB instance to receive network traffic. In this example, Europe Central 1 Zone B is selected.

    • Backup Zone: Select a secondary zone for the CLB instance. The secondary zone receives network traffic only if the primary zone is unavailable. In this example, Europe Central 1 Zone A is selected.

    • Instance Name: Enter a name for the CLB instance.

    • SLB instance: Select a type for the CLB instance. You can create an Internet-facing CLB instance or an internal-facing CLB instance based on your business requirements. The system allocates a public or private IP address to the CLB instance based on the specified instance type. In this example, Intranet is selected.

    • Instance Billing Method: Select a billing method for the CLB instance. Valid values: Pay-By-Specification and Pay-By-CLCU. In this example, Pay-By-Specification is selected.

    • Specification: Select a specification for the CLB instance. CLB instances with different specifications deliver different performance. In this example, Small I (slb.s1.small) is selected.

    • Network Type: Select a network type for the CLB instance. In this example, VPC is selected.

    • IP Version: Select an IP version for the CLB instance. In this example, IPv4 is selected.

    • Feature: Select a feature type for the CLB instance. Default value: Standard.

    • VPCId: Select VPC 2.

    • VswitchId: Select a vSwitch in VPC 2.

    • Internet Data Transfer Fee: Select a metering method for Internet traffic. Internet-facing CLB instances support the following metering methods: By traffic (the pay-by-data-transfer metering method) and By bandwidth (the pay-by-bandwidth metering method). Default value: By traffic.

      Note: Internet-facing CLB instances use the pay-by-data-transfer metering method. In this example, the CLB instance that you want to create is internal-facing and does not generate traffic fees.

    • Resource Group: Select the resource group to which the CLB instance belongs. In this example, Default Resource Group is selected.

    • Quantity: Specify the number of CLB instances that you want to purchase. In this example, 1 is specified.

Step 2: Configure the CLB instance

After the CLB instance is created, you must add at least one listener and one group of backend servers to the CLB instance. This way, network traffic can be forwarded by the CLB instance.

  1. Log on to the CLB console with Account B.

  2. On the Instances page, find the CLB instance that was created in Step 1 and click Configure Listener in the Actions column.

  3. On the Protocol & Listener wizard page, set the following parameters, use the default values for other parameters, and then click Next:

    • Select Listener Protocol: In this example, TCP is selected.

    • Listener Port: specifies the port that the CLB instance uses to receive requests and forward the requests to the backend servers.

      In this example, 80 is specified.

  4. On the Backend Servers wizard page, select Default Server Group and click Add More to add backend servers.

    1. In the Servers panel, select ECS 2 and ECS 3 that you created, and click Next.

    2. Specify weights for the backend servers and click Add.

      A backend server with a higher weight receives more requests. In this example, the default value 100 is used.

    3. On the Default Server Group tab, specify a backend port and click Next. In this example, 80 is specified.

      You can specify the same port for multiple backend servers of a CLB instance.

  5. On the Health Check wizard page, configure the health check feature and click Next. In this example, the default values of the parameters are used.

  6. On the Confirm wizard page, check the configurations and click Submit.

  7. Click OK to return to the Instances page.

    If the health check status of an ECS instance is Healthy, the ECS instance can process requests that are forwarded by the CLB instance.

Step 3: Create an endpoint service

After you create an endpoint service in a VPC, you can use an endpoint that is deployed in another VPC to access the endpoint service by using PrivateLink.

  1. Log on to the endpoint service console with Account B.

  2. In the top navigation bar, select the region in which you want to create an endpoint service. In this example, Germany (Frankfurt) is selected.

  3. On the Endpoints Service page, click Create Endpoint Service.

  4. On the Create Endpoint Service page, set the following parameters and click OK.

    The following list describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see the Create an endpoint service section of the Create and manage endpoint services topic.

    • Select Service Resource: Select the zone that you want to receive network traffic. Then, select the CLB instance that you want to associate with the endpoint service. In this example, Frankfurt Zone B and the CLB instance created in Step 1 are selected.

    • Automatically Accept Endpoint Connections: Specify whether the endpoint service automatically accepts connection requests from endpoints. In this example, No is selected.

      • Yes: If you select this option, the endpoint service automatically accepts connection requests from endpoints. As a result, you can use endpoints to access the service resources of the endpoint service.

      • No: If you select this option, the endpoint connections of the endpoint service are in the Disconnected state by default. In this case, connection requests to the endpoint service must be manually accepted or denied by the service provider.

        • If the service provider accepts a connection request from an endpoint, the service resources of this endpoint service can be accessed by using the endpoint.

        • If the service provider denies a connection request from an endpoint, the service resources of this endpoint service cannot be accessed by using the endpoint.

    • Enable Zone Affinity: In this example, Yes is selected. This means that, among all the endpoints associated with the endpoint service, the domain name of the nearest endpoint is resolved first.

After the endpoint service is created, you can view the instance ID and name of the endpoint service.

Step 4: Add a whitelist for the endpoint service

You can add a whitelist for an endpoint service. If the ID of your account is in the whitelist, you can use your account to create an endpoint and connect the endpoint to the endpoint service.

To add the ID of Account A to the whitelist for the endpoint service that you created by using Account B, perform the following steps:

  1. Log on to the endpoint service console with Account B.

  2. In the left-side navigation pane, click Endpoints Service.

  3. On the Endpoints Service page, find the endpoint service that you created in Step 3, and click its ID.

  4. Click the Service Whitelist tab and click Add to Whitelist.

  5. In the Add to Whitelist dialog box, enter the account ID that you want to add to the whitelist, and click OK.

    In this example, the ID of Account A is entered. The following figure shows an example.

Step 5: Create an endpoint

An endpoint can be associated with an endpoint service to establish a PrivateLink connection that allows a VPC to access external services.

  1. Log on to the endpoint console with Account A.

  2. In the top navigation bar, select the region in which you want to create an endpoint. In this example, Germany (Frankfurt) is selected.

  3. On the Endpoints page, click Create Endpoint.

  4. On the Create Endpoint page, set the following parameters and click OK.

    The following list describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see the Create an endpoint section of the Create and manage endpoints topic.

    • Endpoint Name: Enter a name for the endpoint.

    • Endpoint Type: Select a type for the endpoint that you want to create. In this example, Interface Endpoint is selected.

    • Endpoints Service: Select the endpoint service that you want to associate. In this example, Select Service is clicked, and the endpoint service created in Step 3 is selected.

    • VPC: Select the VPC where you want to create the endpoint. In this example, VPC 1 is selected.

    • Security Groups: Select the security group that you want to associate with the endpoint elastic network interface (ENI). The security group is used to control data transfer from the VPC to the endpoint ENI.

      Note: Make sure that the rules in the security group allow clients to access the endpoint ENI. By default, you can add an endpoint to up to five security groups.

    • Zone and vSwitch: Select the zone where the endpoint service is deployed and select a vSwitch in the zone. The system automatically creates an endpoint ENI and attaches it to the vSwitch. In this example, Frankfurt Zone B and a vSwitch created in VPC 1 are selected.

After you create the endpoint, you can view the domain name of the endpoint and the domain name and IP address of the selected zone on the details page of the endpoint.

Step 6: Accept connection requests from the endpoint

After you create the endpoint in VPC 1, you must allow the endpoint service to accept connection requests from the endpoint. This way, resources in VPC 1 can access the endpoint service in VPC 2 by using the endpoint.

Note

Skip this step if you set the Automatically Accept Endpoint Connections parameter to Yes in Step 3.

To allow the endpoint service within Account B to accept connection requests from the endpoint within Account A, perform the following steps:

  1. Log on to the endpoint service console with Account B.

  2. In the top navigation bar, select the region where the endpoint service is deployed. In this example, Germany (Frankfurt) is selected.

  3. On the Endpoints Service page, find the endpoint service that you created in Step 3, and click its ID.

  4. On the details page of the endpoint service, click the Endpoint Connections tab, find the endpoint that you want to manage, and then click Allow in the Actions column.

  5. In the Allow Connection dialog box, select Allow connections and automatically allocate service resources, and click OK.

After you allow the endpoint service to accept connection requests from the endpoint, the state of the endpoint connection changes from Disconnected to Connected. Then, the endpoint service can process requests from the endpoint.

Step 7: Access services by using the endpoint

To test whether ECS 1 in VPC 1 can access the services that are deployed on ECS 2 and ECS 3 in VPC 2 by using the endpoint, perform the following steps:

Note

In this example, the Alibaba Cloud Linux operating system is installed on the ECS instances. For more information about how to test the network connectivity of servers that run other operating systems, refer to the user guides of the operating systems.

  1. Log on to ECS 1 in VPC 1 with Account A. For more information, see Connection method overview.

  2. Open a browser on ECS 1 by using Account A.

  3. Run the curl command on ECS 1 against the domain name or IP address of the zone where the endpoint is deployed to test the network connectivity.

    In this example, the domain name or IP address of Frankfurt Zone B that is shown on the details page of the endpoint is used.

    The test result shows that ECS 1 in VPC 1 can access the services deployed in VPC 2 by using PrivateLink.
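The connectivity check in this step, as an added example that is not part of the original topic: a bash script for ECS 1 that resolves the endpoint's zone domain name, confirms the address falls inside VPC 1's vSwitch CIDR (10.10.2.0/24 from the planning table, which shows the request stays on the private path), and then sends a few requests to the listener on port 80 to count distinct backend responses. The endpoint domain name is a placeholder to replace with the value from the endpoint details page; the script assumes getent and curl are available on the instance.

```shell
#!/usr/bin/env bash
# Added example (not from the original topic). Replace the placeholder with
# the zone domain name shown on the endpoint details page; VSWITCH_CIDR and
# LISTENER_PORT follow the planning table and Step 2 of this example.
ENDPOINT_DOMAIN="${1:-REPLACE_WITH_ENDPOINT_ZONE_DOMAIN}"   # placeholder
VSWITCH_CIDR="10.10.2.0/24"
LISTENER_PORT=80

# Convert a dotted IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed if address $1 lies inside CIDR $2, e.g. in_cidr 10.10.2.5 10.10.2.0/24
in_cidr() {
  local ip=$1 net=${2%/*} bits=${2#*/} mask
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Resolve a host name to its first IPv4 address; fail if nothing resolves.
resolve_endpoint() {
  local ip
  ip=$(getent ahostsv4 "$1" | awk 'NR==1 {print $1}')
  [ -n "$ip" ] && echo "$ip"
}

# Read one response per line on stdin and print the number of distinct ones.
# ECS 2 and ECS 3 serve different NGINX content, so a count of 2 after a few
# requests shows that the CLB is spreading traffic across both backends.
count_distinct() {
  sort | uniq | wc -l | tr -d ' '
}

main() {
  local ip distinct
  ip=$(resolve_endpoint "$ENDPOINT_DOMAIN") || { echo "cannot resolve $ENDPOINT_DOMAIN"; return 1; }
  if in_cidr "$ip" "$VSWITCH_CIDR"; then
    echo "endpoint ENI $ip is inside $VSWITCH_CIDR: requests stay on the private path"
  else
    echo "warning: $ip is outside $VSWITCH_CIDR; check the endpoint zone and vSwitch"
  fi
  # A timeout here usually means the security group on the endpoint ENI does
  # not allow the client (see the Security Groups note in Step 5).
  distinct=$(for _ in 1 2 3 4 5 6; do
    curl -s --max-time 5 "http://$ip:$LISTENER_PORT/" | head -c 200; echo
  done | count_distinct)
  echo "distinct responses from $ip:$LISTENER_PORT: $distinct"
}

if [ $# -gt 0 ]; then main; fi
```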