You can specify an Elastic Compute Service (ECS) instance or a Server Load Balancer (SLB) instance as an endpoint for a Global Accelerator (GA) instance. When you do so, if the service-linked role AliyunServiceRoleForGaVpcEndpoint does not yet exist in your Alibaba Cloud account, the system automatically creates it.

Overview

AliyunServiceRoleForGaVpcEndpoint is the service-linked role of GA. Before you specify an ECS instance or an SLB instance as an endpoint, make sure that this service-linked role exists in your Alibaba Cloud account. The system creates it for you if it does not; see Create the service-linked role below.
Note A service-linked role is a Resource Access Management (RAM) role that is associated with an Alibaba Cloud service. In some scenarios, a cloud service needs permissions to access other cloud services before you can use one of its features. Service-linked roles simplify this authorization and avoid the risks of manually configured permissions. For more information, see Service-linked roles.

Permissions required to create the service-linked role

By default, an Alibaba Cloud account can create the service-linked role AliyunServiceRoleForGaVpcEndpoint. A RAM user must be granted the following permission. Note the ram:ServiceName condition: it limits the grant to creating this one service-linked role, not service-linked roles for other services.
{
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "vpcendpoint.ga.aliyuncs.com"
        }
      }
}
You can authorize a RAM user to create the service-linked role by using one of the following methods:
  • Attach the system policy AliyunGlobalAccelerationFullAccess to the RAM user. This policy grants full (administrator) permissions on GA and already includes the permission required to create the service-linked role AliyunServiceRoleForGaVpcEndpoint, so use it only for RAM users who administer GA. For more information, see Grant permissions to a RAM user.
  • Create a custom policy with the following content and attach it to the RAM user. This is the least-privilege option: it grants nothing beyond the permission to create this service-linked role.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ram:CreateServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "vpcendpoint.ga.aliyuncs.com"
            }
          }
        }
      ]
    }

    For more information, see Create a custom policy and Grant permissions to a RAM user.

Create the service-linked role

When you specify an ECS instance or an SLB instance as an endpoint for a GA instance, the system checks whether the service-linked role AliyunServiceRoleForGaVpcEndpoint exists in your Alibaba Cloud account:
  • If the service-linked role does not exist, the system automatically creates it and attaches the permission policy AliyunServiceRoleForGaVpcEndpoint to it. The policy lets GA create and manage elastic network interfaces (ENIs) and security groups and query vSwitches in your account, which is how GA reaches ECS and SLB endpoints inside your VPC; the second statement allows the service-linked role itself to be deleted (ram:DeleteServiceLinkedRole, again scoped by ram:ServiceName). Note that Resource is "*": these permissions are not limited to the VPC or security groups of a particular endpoint. The following code block shows the content of the permission policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Resource": "*",
          "Action": [
            "ecs:CreateNetworkInterface",
            "ecs:DeleteNetworkInterface",
            "ecs:DescribeNetworkInterfaces",
            "ecs:ModifyNetworkInterfaceAttribute",
            "ecs:DescribeSecurityGroups",
            "ecs:CreateSecurityGroup",
            "ecs:AuthorizeSecurityGroup",
            "ecs:AuthorizeSecurityGroupEgress",
            "ecs:RevokeSecurityGroup",
            "ecs:RevokeSecurityGroupEgress",
            "ecs:JoinSecurityGroup",
            "ecs:LeaveSecurityGroup",
            "ecs:DeleteSecurityGroup",
            "ecs:DescribeSecurityGroupAttribute",
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeSecurityGroupReferences",
            "ecs:ModifySecurityGroupAttribute",
            "ecs:ModifySecurityGroupEgressRule",
            "ecs:ModifySecurityGroupPolicy",
            "ecs:ModifySecurityGroupRule",
            "vpc:DescribeVSwitches"
          ]
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "vpcendpoint.ga.aliyuncs.com"
            }
          }
        }
      ]
    }
  • If the service-linked role already exists, the system does not create it again.
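The following Python script is an added example, not code from Alibaba Cloud's documentation or tooling. It ties the previous two sections together: it evaluates whether a RAM user's policy document grants ram:CreateServiceLinkedRole for vpcendpoint.ga.aliyuncs.com, checks that the grant is scoped by ram:ServiceName rather than open-ended, and then looks for the role with the Alibaba Cloud CLI and creates it if it is missing, so the role is created deliberately under your own credentials rather than as a side effect of configuring an endpoint. It assumes the aliyun CLI is installed and configured, that `aliyun ram GetRole` reports the error code EntityNotExist.Role for a missing role, and the policy documents at the bottom are constructed for illustration.

```python
"""Pre-flight checks for the AliyunServiceRoleForGaVpcEndpoint service-linked role.

Added example, not Alibaba Cloud's own code. Assumptions: the Alibaba Cloud CLI
(`aliyun`) is installed and configured, and a missing role makes `aliyun ram GetRole`
report the error code EntityNotExist.Role. The policy documents at the bottom are
constructed for illustration.
"""
import fnmatch
import subprocess
from typing import Any, Callable, Dict, List, Optional

ROLE_NAME = "AliyunServiceRoleForGaVpcEndpoint"
SERVICE_NAME = "vpcendpoint.ga.aliyuncs.com"
ACTION = "ram:CreateServiceLinkedRole"


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # RAM action names are case-insensitive and patterns may use '*' ("ram:*", "*").
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_matches(cond: Optional[Dict[str, Any]], service_name: str) -> bool:
    """Evaluate a statement's Condition against ram:ServiceName.
    A statement without a Condition applies to every service."""
    if not cond:
        return True
    for operator, pairs in cond.items():
        for key, values in pairs.items():
            if key.lower() != "ram:servicename":
                return False  # a key we cannot evaluate offline: treat as not satisfied
            values = [str(v) for v in _as_list(values)]
            if operator == "StringEquals":
                satisfied = service_name in values
            elif operator == "StringLike":
                satisfied = any(fnmatch.fnmatchcase(service_name, v) for v in values)
            else:
                satisfied = False
            if not satisfied:
                return False
    return True


def can_create_slr(policy: Dict[str, Any], service_name: str = SERVICE_NAME) -> bool:
    """True if `policy` allows ram:CreateServiceLinkedRole for `service_name`.
    RAM semantics: an explicit Deny overrides any Allow; the default is deny."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not any(_action_matches(p, ACTION) for p in _as_list(stmt.get("Action", []))):
            continue
        if not _condition_matches(stmt.get("Condition"), service_name):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def is_least_privilege(policy: Dict[str, Any], service_name: str = SERVICE_NAME) -> bool:
    """True if the grant is scoped to `service_name` only. An unrelated service name is
    used as a probe: if the policy would also let the user create that service's
    service-linked role, the ram:ServiceName condition is missing or too broad."""
    return can_create_slr(policy, service_name) and not can_create_slr(policy, "oss.aliyuncs.com")


Runner = Callable[[List[str]], Any]  # returns an object with returncode/stdout/stderr


def _run_cli(args: List[str]) -> subprocess.CompletedProcess:
    return subprocess.run(["aliyun"] + args, capture_output=True, text=True)


def ensure_service_linked_role(run: Runner = _run_cli) -> str:
    """Return "exists" if the role is present or "created" after creating it.
    `run` is injectable so the control flow can be exercised without network access."""
    probe = run(["ram", "GetRole", "--RoleName", ROLE_NAME])
    if probe.returncode == 0:
        return "exists"
    # Only a missing role should trigger creation; any other failure (for example the
    # caller lacking ram:GetRole) is surfaced instead of being papered over.
    if "EntityNotExist.Role" not in (probe.stdout + probe.stderr):
        raise RuntimeError("GetRole failed: " + (probe.stderr or probe.stdout).strip())
    created = run(["ram", "CreateServiceLinkedRole", "--ServiceName", SERVICE_NAME])
    if created.returncode != 0:
        raise RuntimeError("CreateServiceLinkedRole failed: " + (created.stderr or created.stdout).strip())
    return "created"


# Constructed policy documents: the scoped policy from this page, an over-broad one, and
# one where an explicit Deny blocks the creation.
SCOPED_POLICY = {"Version": "1", "Statement": [{
    "Action": ACTION, "Resource": "*", "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": SERVICE_NAME}}}]}
BROAD_POLICY = {"Version": "1", "Statement": [{"Action": "ram:*", "Resource": "*", "Effect": "Allow"}]}
DENIED_POLICY = {"Version": "1", "Statement": [
    {"Action": "ram:*", "Resource": "*", "Effect": "Allow"},
    {"Action": ACTION, "Resource": "*", "Effect": "Deny"}]}

if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY), ("denied", DENIED_POLICY)):
        print(f"{name}: can create={can_create_slr(policy)} least privilege={is_least_privilege(policy)}")
    print(ensure_service_linked_role())
```

Run it with the credentials of the RAM user who will configure the endpoint: the policy checks tell you in advance whether endpoint creation would fail for lack of ram:CreateServiceLinkedRole, and the CLI step makes the role creation an explicit, auditable action. The injectable runner is what lets the control flow (exists, created, unexpected error) be exercised without touching the account.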

Delete the service-linked role

The system does not automatically delete the service-linked role AliyunServiceRoleForGaVpcEndpoint. Before you delete it, you must first remove all endpoints of the ECS instance type and SLB instance type from your GA instances. After the endpoints are removed, delete the role in the RAM console or by calling the RAM DeleteServiceLinkedRole operation. For more information, see the following topics: