
PrivateLink: Create and manage endpoints

Last Updated: Feb 27, 2024

This topic describes how to create and manage endpoints. Endpoints are created and managed by service consumers. You can connect endpoints to endpoint services. This way, you can establish PrivateLink connections between virtual private clouds (VPCs) and external services. An endpoint can be associated with only one endpoint service.

Background information

PrivateLink allows you to establish secure, stable, and private connections between VPCs and endpoint services. Compared with connections over the Internet, PrivateLink connections provide higher security. Supported endpoint services include Alibaba Cloud services, other endpoint services, and available endpoint services within your Alibaba Cloud account.

What are Alibaba Cloud services and other endpoint services?

Term

Description

Alibaba Cloud services

Alibaba Cloud services are services provided and managed by Alibaba Cloud. This means that Alibaba Cloud owns and manages a complete cloud service infrastructure, including servers, network devices, and storage devices. You can purchase and use these cloud services on the Alibaba Cloud official website, and enjoy the technical support and service guarantee provided by Alibaba Cloud.

Note

Alibaba Cloud ActionTrail is supported by PrivateLink.

Other endpoint services

Other endpoint services refer to other private services that are not provided by Alibaba Cloud. Before you use these services, you need to evaluate their quality, security, and reliability and select services based on your business requirements.

Limits

  • PrivateLink is available only in specific regions. For more information, see Regions and zones that support PrivateLink.

  • Services that support reverse endpoints can only be provided by Alibaba Cloud and its ecosystem partners. By default, you cannot create a service that supports reverse endpoints. If you want to create such a service, contact your account manager.

Prerequisites

Before you create an endpoint, make sure that the following requirements are met:

  • PrivateLink is activated. If this is the first time that you use PrivateLink, go to the activation page to activate PrivateLink as prompted. Before you activate PrivateLink, make sure that your account balance is greater than USD 0.

  • An endpoint service is created, and at least one service resource is added to the endpoint service. For more information, see Create and manage endpoint services.

  • A VPC that is used to access the endpoint service is created. A vSwitch is created in the zone in which the endpoint service is deployed. For more information, see the Create a VPC and vSwitches section of the Create a VPC with an IPv4 CIDR block topic.

  • A security group is created.

    For more information, see Create a security group.

    If you want to create an interface endpoint, you can configure security group rules based on your business and security requirements. We recommend that you configure the following security group rules:

    • A default inbound rule that allows Internet Control Message Protocol (ICMP) traffic to support operations such as pinging Elastic Compute Service (ECS) instances.

    • A default inbound rule that allows traffic on SSH port 22 and Remote Desktop Protocol (RDP) port 3389 to access ECS instances.

    • (Optional) An inbound rule that allows traffic on HTTP port 80 and HTTPS port 443. This rule allows the VPC of the endpoint to access the VPC of the endpoint service over HTTP or HTTPS.

  • If you want to create a reverse endpoint, the security group that you associate with the endpoint ENI must have an inbound rule that allows all traffic. This means that the rule must allow all source CIDR blocks to access all ports over all protocols.
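To check a candidate security group against the rule set above before you attach it to an endpoint ENI, the following Python is an added example, not Alibaba Cloud's own tooling. The InboundRule shape and its field names are assumptions made for the example, and the rules you pass in are constructed inline rather than read from the API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InboundRule:
    """One inbound security group rule (assumed, simplified shape)."""
    protocol: str   # "icmp", "tcp", "udp" or "all"
    port_from: int  # 0 for protocols without ports (icmp, all)
    port_to: int
    source: str     # IPv4 source CIDR block


# Inbound rules this topic recommends for an interface endpoint ENI.
INTERFACE_REQUIRED = {"icmp": ("icmp", 0), "ssh": ("tcp", 22), "rdp": ("tcp", 3389)}
INTERFACE_OPTIONAL = {"http": ("tcp", 80), "https": ("tcp", 443)}
RECOMMENDED_TCP_PORTS = {22, 3389, 80, 443}


def _allows(rule, protocol, port):
    """True if the rule permits this protocol/port from its source."""
    if rule.protocol == "all":
        return True
    if rule.protocol != protocol:
        return False
    return protocol == "icmp" or rule.port_from <= port <= rule.port_to


def missing_interface_rules(rules):
    """Names of required recommended rules that no inbound rule satisfies."""
    return [name for name, (proto, port) in INTERFACE_REQUIRED.items()
            if not any(_allows(r, proto, port) for r in rules)]


def broader_than_recommended(rules):
    """Inbound rules wider than the recommended set: allow-all rules,
    non-ICMP port ranges, or TCP ports outside the recommended list.
    These are review items; the recommended set opens only the listed ports."""
    flagged = []
    for r in rules:
        if r.protocol == "icmp":
            continue
        single_recommended = (r.protocol == "tcp" and r.port_from == r.port_to
                              and r.port_from in RECOMMENDED_TCP_PORTS)
        if not single_recommended:
            flagged.append(r)
    return flagged


def reverse_endpoint_ready(rules):
    """A reverse endpoint needs an inbound rule that allows all traffic:
    every IPv4 source and every protocol (and therefore every port)."""
    return any(r.protocol == "all" and r.source == "0.0.0.0/0" for r in rules)
```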

Create an endpoint

  1. Log on to the endpoint console.
  2. In the top navigation bar, select the region where you want to create an endpoint.

  3. On the Endpoints page, you can use one of the following methods to create an endpoint:

    • Click the Interface Endpoint tab, and click Create Endpoint.

    • Click the Reverse Endpoint tab, and click Create Endpoint.

    • Click the Gateway Endpoint tab, and click Create Endpoint.

    Note
    • An interface endpoint allows the service consumer to access the service that is provided by the service provider.

    • A reverse endpoint allows the service provider to access resources in the VPC of the service consumer.

    • A gateway endpoint serves as a virtual gateway device. You can create a gateway endpoint in your VPC for an endpoint service and associate the endpoint with a route table. Then, the system automatically adds a route with the next hop pointing to the gateway endpoint for the VPC route table. This way, your VPC can access the endpoint service. For more information about gateway endpoints, see Gateway endpoints.

    • Endpoints are created and managed by service consumers. Endpoint services are created and managed by service providers.

  4. On the Create Endpoint page, specify the parameters that are described in the following table and click OK.

    The following table describes only the configurations of interface endpoints and reverse endpoints. For more information about the configurations of gateway endpoints, see the Create a gateway endpoint and view the route section of the Gateway endpoints topic.

    Create an interface endpoint

    Parameter

    Description

    Region

    Select the region where you want to create an interface endpoint.

    Endpoint Name

    Enter a name for the interface endpoint.

    Endpoint Type

    Select Interface Endpoint.

    Endpoints Service

    You can associate the interface endpoint with an endpoint service by using one of the following three methods:

    • Click Alibaba Cloud Service and enter the name of an endpoint service.

    • Click Other Endpoint Services, enter the name of an endpoint service, and then click Verify to verify the validity of the service.

      Note

      The service can pass the validity verification only after the service provider adds the service consumer to the whitelist of the service. For more information, see Manage account IDs in the whitelist of an endpoint service.

    • Click Select Service and select or enter the name or ID of an endpoint service.

    VPC

    Select the VPC where you want to create the interface endpoint.

    Security Groups

    Select the security group that you want to associate with the elastic network interface (ENI) of the endpoint. The security group is used to control data transfer from the VPC to the endpoint ENI.

    Endpoint ENIs serve as the ingress through which the VPC accesses endpoint services.

    Note

    By default, you can add an endpoint to up to five security groups.

    Zone and vSwitch

    Select the zone of the endpoint service and select a vSwitch in the zone. The system automatically creates an endpoint ENI in the vSwitch.

    • You can select one zone of the endpoint service.

      1. Click the icon in the Zone and vSwitch section.

      2. In the message that appears, click OK.

    • You can select multiple zones of the endpoint service. By default, you must select two zones and one vSwitch in each zone. If you want to select more zones, click Add vSwitch.

    Note

    You can select multiple zones to ensure that a failover can be quickly performed if one of the zones is down. This ensures high service availability and stability and prevents service interruptions or data loss.

    Resource Group

    Select the resource group to which the endpoint belongs.

    Tag

    Select or enter a tag key and a tag value.

    Description

    Enter a description for the interface endpoint.

    Access Policies

    Select an access policy.

    • Default Policy: The full access policy is used by default.

    • Custom Policy: You can enter a custom access policy.

    Note

    This parameter is required only if you set Endpoints Service to Alibaba Cloud Service. Alibaba Cloud ActionTrail supports access policies.

    Note

    When you create an endpoint for the first time, the system automatically creates a service-linked role for the endpoint. The role allows the endpoint to access other resources. For more information, see Service linked role.

    Create a reverse endpoint

    Parameter

    Description

    Region

    Select the region where you want to create a reverse endpoint.

    Endpoint Name

    Enter a name for the reverse endpoint.

    Endpoint Type

    Select Reverse Endpoint.

    Endpoints Service

    You can associate an endpoint with an endpoint service by using one of the following methods:

    • Click Other Endpoint Services, enter the name of an endpoint service, and then click Verify to verify the validity of the service.

      Note

      The service can pass the validity verification only after the service provider adds the service consumer to the whitelist of the service. For more information, see Manage account IDs in the whitelist of an endpoint service.

    • Click Select Service and select or enter the name or ID of an endpoint service.

    Note

    You can associate an endpoint with only one endpoint service.

    VPC

    Select the VPC where you want to create the reverse endpoint.

    Security Groups

    Select the security group that you want to associate with the endpoint ENI. The security group is used to control data transfer from the VPC to the endpoint ENI. Endpoint ENIs serve as the ingress through which the VPC accesses endpoint services.

    Important

    The security group rules of reverse endpoints must allow all inbound traffic.

    Zone and vSwitch

    Select the zone of the endpoint service and select a vSwitch in the zone. The system automatically creates an endpoint ENI in the vSwitch.

    • You can select one zone of the endpoint service.

      1. Click the icon in the Zone and vSwitch section.

      2. In the message that appears, click OK.

    • You can select multiple zones of the endpoint service. By default, you must select two zones and one vSwitch in each zone. If you want to select more zones, click Add vSwitch.

    Note

    You can select multiple zones to ensure that a failover can be quickly performed if one of the zones is down. This ensures high service availability and stability and prevents service interruptions or data loss.

    Resource Group

    Select the resource group to which the endpoint belongs.

    Tag

    Select or enter a tag key and a tag value.

    Description

    Enter a description for the reverse endpoint.

    Note

    When you create an endpoint for the first time, the system automatically creates a service-linked role for the endpoint. The role allows the endpoint to access other resources. For more information, see Service linked role.

View the policy of an interface endpoint

If the endpoint service connected to an interface endpoint is an Alibaba Cloud service or a private endpoint service that is not provided by Alibaba Cloud, you can view the policy of the interface endpoint after you create it by performing the following steps:

  1. Log on to the endpoint console.
  2. In the top navigation bar, select the region where the interface endpoint is deployed.

  3. On the Interface Endpoint tab of the Endpoints page, click the ID of the desired endpoint.

  4. On the details page of the endpoint, click the Access Policies tab to view the policy details.

Modify the policy of an interface endpoint

If the endpoint service connected to an interface endpoint is an Alibaba Cloud service or a private endpoint service that is not provided by Alibaba Cloud, you can modify the policy of the interface endpoint after you create the interface endpoint.

  1. Log on to the endpoint console.
  2. In the top navigation bar, select a region.

  3. On the Interface Endpoint tab of the Endpoints page, click the ID of the desired endpoint.

  4. On the details page of the endpoint, click the Access Policies tab.

  5. Click Modify Access Policy. In the dialog box that appears, modify the access policy and click OK.

View the domain name or IP address that can be used to access an endpoint service

After you create an interface endpoint, you can use the domain name of the endpoint, the domain name of the zone in which the endpoint is deployed, or the IP address of the zone to access the service resources of the endpoint service.

  1. Log on to the endpoint console.
  2. In the top navigation bar, select the region where the endpoint is deployed.

  3. On the Interface Endpoint tab of the Endpoints page, find the endpoint that you want to manage, and click the endpoint ID.

  4. On the details page of the endpoint that is used to access the endpoint service, you can view the following information: the domain name of the endpoint, the resource group, the domain name of the zone in which the endpoint is deployed, and the IP address of the zone.

    Note

    For a reverse endpoint, the details page of the endpoint does not display the domain name of the endpoint or the domain name of the zone in which the endpoint is deployed.

Modify the configurations of an endpoint

You can modify the name and description of an endpoint.

  1. Log on to the endpoint console.
  2. In the top navigation bar, select the region where the endpoint is deployed.

  3. On the Endpoints page, click the Interface Endpoint tab or the Reverse Endpoint tab, find the endpoint that you want to manage, and then click its instance ID.

    • To modify the name of an endpoint, perform the following steps:

      1. In the Basic Information section, click Edit next to Instance Name.

      2. In the dialog box that appears, enter a new name and click OK.

    • To modify the description of an endpoint, perform the following steps:

      1. In the Basic Information section, click Edit next to Description.

      2. In the dialog box that appears, enter a new description and click OK.

    For more information about how to modify the configurations of a gateway endpoint, see the More operations section of the Gateway endpoints topic.

Delete an endpoint

Before you delete an endpoint, you must delete the ENI that is associated with the endpoint. For more information, see Delete the ENI of an endpoint.

Warning

You can delete an endpoint that you no longer need. After you delete the endpoint, the VPC in which the endpoint is deployed cannot access the corresponding endpoint service over PrivateLink connections. Exercise caution when you perform this operation.

  1. Log on to the endpoint console.
  2. In the top navigation bar, select the region where the endpoint is deployed.

  3. On the Endpoints page, click the Interface Endpoint tab or the Reverse Endpoint tab, find the endpoint that you want to delete, and then click Delete in the Actions column.

  4. In the Delete Endpoint message, click OK.

(Optional) Add a tag to an endpoint

As the number of endpoints increases, it becomes more difficult for you to manage endpoints. You can use tags to group endpoints. This helps you efficiently search for and filter endpoints.

Tags are used to classify endpoints. Each tag consists of a key and a value. Take note of the following limits when you use tags:

  • The keys of tags that are added to the same endpoint must be unique.

  • You can add up to 20 tags to an endpoint.

  • A tag cannot exist on its own: when you create a tag, you must add it to an endpoint.

  • Tag information is not shared across regions.

    For example, tags created in the China (Hangzhou) region are not displayed in the China (Shanghai) region.

  • You can modify the key and value of a tag or delete a tag of an endpoint. If you delete an endpoint, the tags that are added to the endpoint are also deleted.

  1. Log on to the endpoint console.

  2. In the top navigation bar, select the region where the endpoint is deployed.

  3. Click Endpoints in the left-side navigation pane. On the Endpoints page, find the endpoint to which you want to add a tag, move the pointer over the tag icon in the Tags column, and then click Edit.

  4. In the Configure Tags dialog box, specify the key and value based on the following table and click OK.
    Parameter

    Description

    Tag Key

    The key of the tag. You can select or enter a key.

    The key cannot exceed 64 characters in length, and cannot start with aliyun or acs:. The key cannot contain http:// or https://.

    Tag Value

    The value of the tag. You can select or enter a value.

    The value cannot exceed 128 characters in length, and cannot start with aliyun or acs:. The value cannot contain http:// or https://.

  5. Return to the Endpoints page and click Filter by Tag. In the filter section, search for an endpoint based on a tag key and a tag value.
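If you assign tags from a script rather than the console, the following Python is an added example (not Alibaba Cloud's own code) that checks a planned tag set for one endpoint against the limits listed above before you apply it. The prefix check is case-sensitive, as the limits are worded in this topic; the tag pairs are constructed inline.

```python
MAX_TAGS_PER_ENDPOINT = 20
MAX_KEY_LEN, MAX_VALUE_LEN = 64, 128
FORBIDDEN_PREFIXES = ("aliyun", "acs:")     # checked case-sensitively, as worded
FORBIDDEN_SUBSTRINGS = ("http://", "https://")


def _check_text(kind, text, max_len):
    """Problems with one tag key or value; an empty list means it is acceptable."""
    problems = []
    if len(text) > max_len:
        problems.append(f"{kind} exceeds {max_len} characters")
    if text.startswith(FORBIDDEN_PREFIXES):
        problems.append(f"{kind} starts with a reserved prefix (aliyun or acs:)")
    if any(s in text for s in FORBIDDEN_SUBSTRINGS):
        problems.append(f"{kind} contains http:// or https://")
    return problems


def validate_tags(tags):
    """Validate a list of (key, value) pairs intended for a single endpoint.

    Checks the per-endpoint tag count, key uniqueness, and the length,
    prefix and content limits on every key and value. Returns a list of
    problem strings; an empty list means the whole set is valid."""
    problems = []
    if len(tags) > MAX_TAGS_PER_ENDPOINT:
        problems.append(f"more than {MAX_TAGS_PER_ENDPOINT} tags")
    seen = set()
    for key, value in tags:
        if key in seen:
            problems.append(f"duplicate key {key!r}")
        seen.add(key)
        problems += [f"{key!r}: {p}" for p in _check_text("key", key, MAX_KEY_LEN)]
        problems += [f"{key!r}: {p}" for p in _check_text("value", value, MAX_VALUE_LEN)]
    return problems
```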
