Cloud Control API: Call the Cloud Control API over PrivateLink

Last Updated: Jan 26, 2026

You can call the Cloud Control API over PrivateLink connections to access cloud services. This helps you avoid potential security risks from Internet access.

Overview

What is PrivateLink?

PrivateLink is a service that creates private connections between virtual private clouds (VPCs) and other Alibaba Cloud services. These connections avoid Internet access and improve security and stability.

Scenarios

If your application runs in an Alibaba Cloud production environment and needs to call the Cloud Control API, you can use PrivateLink for calls over the internal network. This solution is suitable for the following use cases:

  • High security and compliance requirements: Your enterprise's security policies prohibit or restrict Internet access.

  • Cost optimization: You want to reduce data transfer costs and lower the total cost of ownership (TCO).

  • Cross-region deployment: You need to deploy applications in multiple regions and require a unified network architecture.

Benefits

| Benefit | Description |
| --- | --- |
| Low latency | Intranet access reduces network latency by 30% to 50% compared to Internet access. |
| High stability | It provides consistent performance by avoiding Internet volatility. |
| Security isolation | Traffic does not traverse the Internet. |

Prerequisites

Permission requirements

You must have the following permissions to configure a PrivateLink endpoint:

  • AliyunVPCFullAccess: Provides full access to VPC.

  • AliyunPrivateLinkFullAccess: Provides full access to PrivateLink.

VPC region requirements

The supported VPC region depends on the deployment region of the Cloud Control API service that you want to use:

| Cloud Control API service | Public domain name | Supported VPC region |
| --- | --- | --- |
| In China | cloudcontrol.aliyuncs.com | China (Zhangjiakou) (region ID: cn-zhangjiakou) |
| Outside China | cloudcontrol.ap-southeast-1.aliyuncs.com | Singapore (region ID: ap-southeast-1) |

Resource checklist

  • A VPC in the target region.

  • At least one available vSwitch in the VPC.

  • The vSwitch must have a sufficient number of available IP addresses.

Service region details

The Cloud Control API service is available in the following regions. You can choose a region as needed.

In China (cn-zhangjiakou)

  • Endpoint service: com.aliyuncs.privatelink.cn-zhangjiakou.cloudcontrol-api

  • Public domain name: cloudcontrol.aliyuncs.com

  • Private domain name: cloudcontrol.vpc-proxy.aliyuncs.com

Outside China (ap-southeast-1)

  • Endpoint service: com.aliyuncs.privatelink.ap-southeast-1.cloudcontrol

  • Public domain name: cloudcontrol.ap-southeast-1.aliyuncs.com

  • Private domain name: cloudcontrol-vpc.ap-southeast-1.aliyuncs.com

Important

After you configure a PrivateLink connection, you must change the public domain name of the Cloud Control API in your application code to the corresponding private domain name.

Procedure

Same-region configuration

If your application is deployed in cn-zhangjiakou or ap-southeast-1, you can create an endpoint directly in the same region.

Step 1: Log on to the console

  1. Log on to the VPC console.

  2. In the left-side navigation pane, click Endpoints.

  3. On the Interface Endpoint tab, click Create Endpoint.

Step 2: Select a region

From the Region drop-down list, select one of the following regions:

  • If you want to use the Cloud Control API service in China, select China (Zhangjiakou).

  • If you want to use the Cloud Control API service outside China, select Singapore.

Step 3: Configure basic information

| Parameter | Description | Example |
| --- | --- | --- |
| Endpoint Name | Enter a name for the endpoint. Use a descriptive name. | ep-cloudcontrol-prod |
| Endpoint Type | Select Interface Endpoint. | Interface Endpoint |
| Endpoint Service | Select Alibaba Cloud Service. | Alibaba Cloud Service |

Step 4: Select an endpoint service

  1. In the endpoint service search box, enter the name of the target service:

    • To use the Cloud Control API service in China: com.aliyuncs.privatelink.cn-zhangjiakou.cloudcontrol-api

    • To use the Cloud Control API service outside China: com.aliyuncs.privatelink.ap-southeast-1.cloudcontrol

  2. The search returns a unique endpoint service. Select the service.

Step 5: Enable a custom domain name

Select Enable Custom Domain Name. The system automatically assigns a private domain name. No manual entry is required.

  • Cloud Control API service in China: cloudcontrol.vpc-proxy.aliyuncs.com

  • Cloud Control API service outside China: cloudcontrol-vpc.ap-southeast-1.aliyuncs.com

Step 6: Configure network settings

| Parameter | Description | Best practices |
| --- | --- | --- |
| VPC | Select the VPC where your application is located. | Make sure to select the correct VPC. |
| Zone and vSwitch | Select at least one vSwitch. Select multiple vSwitches for high availability (HA). | For production environments, select vSwitches in two or three different zones. |
| Security Groups | Select a security group to restrict access sources. | Set it to your application's security group. |

Multi-zone configuration example:

Zone A: vsw-xxxxx
Zone B: vsw-yyyyy

Step 7: Configure an endpoint policy

An endpoint policy controls which Alibaba Cloud accounts or Resource Access Management (RAM) users can access the service through the endpoint.

Note

Follow the principle of least privilege and grant access only to the necessary accounts.

Default endpoint policy (Allow all):

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

Recommended policy (allow only the current account):

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Aliyun": [
          "acs:ram::YOUR_ACCOUNT_ID:root"
        ]
      },
      "Action": "*",
      "Resource": "*"
    }
  ]
}
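
One way to review an endpoint policy before applying it is to flag every Allow statement whose principal is a wildcard or belongs to an account you do not expect. The following is an added example, not part of the original page or of any Alibaba Cloud tool; the function names and the account ID are hypothetical, and the principal parsing assumes the acs:ram::<account-id>:root layout shown above.

```python
import json

def principals_of(statement):
    """Flatten a statement's Principal element into a list of strings."""
    principal = statement.get("Principal", [])
    if isinstance(principal, dict):        # {"Aliyun": [...]} form
        principal = principal.get("Aliyun", [])
    if isinstance(principal, str):         # "*" or a single ARN string
        principal = [principal]
    return list(principal)

def audit_endpoint_policy(policy_json, allowed_account_ids):
    """Return findings for Allow statements open to unexpected principals."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):       # tolerate a single statement object
        statements = [statements]
    findings = []
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue
        for principal in principals_of(statement):
            if principal == "*":
                findings.append(f"statement {index}: any principal is allowed")
                continue
            # ARN layout used on the page: acs:ram::<account-id>:root
            parts = principal.split(":")
            account_id = parts[3] if len(parts) >= 5 else ""
            if account_id not in allowed_account_ids:
                findings.append(
                    f"statement {index}: unexpected principal {principal}")
    return findings

# Constructed sample input: the account ID is a placeholder, not a real account.
OWN_ACCOUNT = "1234567890123456"
DEFAULT_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]})
RECOMMENDED_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow",
     "Principal": {"Aliyun": [f"acs:ram::{OWN_ACCOUNT}:root"]},
     "Action": "*", "Resource": "*"}]})

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY),
                         ("recommended", RECOMMENDED_POLICY)):
        print(name, audit_endpoint_policy(policy, {OWN_ACCOUNT}) or "no findings")
```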

Step 8: Create an endpoint and verify its configurations

  1. Click OK to create the endpoint.

  2. The endpoint status changes to Active in 2 to 5 minutes.

  3. The connection status changes to Connected.

Status descriptions:

  • Creating: The endpoint is being created.

  • Active: The endpoint is ready to use.

  • Abnormal: The creation failed or the connection is abnormal. Check your configuration.

Cross-region configuration

If your application is deployed in a region other than cn-zhangjiakou or ap-southeast-1, you must use Cloud Enterprise Network (CEN) to establish a cross-region connection.

Step 1: Create an endpoint in the destination region

  • Create an endpoint in cn-zhangjiakou or ap-southeast-1. For more information, see the "Same-region configuration" section in this topic.

  • Take note of the ID of the VPC where the endpoint is located.

Step 2: Create a CEN instance to connect the regions

For more information about how to configure CEN, see Connect VPCs in different regions.

Verification and testing

Verify connectivity

Log on to the ECS instance or container where your application is deployed and run the following command to verify connectivity:

Cloud Control API service in China:

curl -v cloudcontrol.vpc-proxy.aliyuncs.com

Cloud Control API service outside China:

curl -v cloudcontrol-vpc.ap-southeast-1.aliyuncs.com

Successful verification:

The request is successful if the returned HTTP header contains x-acs-request-id. The following code provides an example of the output:

< HTTP/1.1 401 Unauthorized
< date: Thu, 09 Oct 2025 10:30:00 GMT
< content-type: application/json
< x-acs-request-id: 23C12345-1234-1234-1234-123456789ABC
< x-acs-trace-id: 0b12345678901234567890123456789a
...

Note

The API is expected to return a 401 status code because the request does not include identity credentials.

The purpose of this test is to confirm that the request is properly handled by Alibaba Cloud API Gateway or a service. To do this, verify that the response header contains an Alibaba Cloud-specific field, such as x-acs-request-id.
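
The header check above can be scripted over captured `curl -v` output, together with a check that the address curl connected to lies inside your VPC CIDR block, which confirms the request used the endpoint rather than a public address. This is an added example, not part of the original page; the function name, the sample output, the addresses and the 10.0.0.0/16 CIDR are constructed, and it assumes the endpoint's address is allocated from the VPC's CIDR block.

```python
import ipaddress
import re

def check_privatelink_response(curl_verbose_output, vpc_cidr):
    """Summarise `curl -v` output: status, request ID and peer address scope."""
    status, peer, headers = None, None, {}
    for line in curl_verbose_output.splitlines():
        line = line.strip()
        connected = re.match(r"\* Connected to \S+ \(([^)]+)\) port \d+", line)
        if connected:
            peer = ipaddress.ip_address(connected.group(1))
        elif line.startswith("<"):
            body = line[1:].strip()
            status_line = re.match(r"HTTP/\S+ (\d{3})", body)
            if status_line:
                status = int(status_line.group(1))
            elif ":" in body:
                name, value = body.split(":", 1)
                headers[name.strip().lower()] = value.strip()
    request_id = headers.get("x-acs-request-id")
    return {
        "status": status,
        "request_id": request_id,
        "peer": str(peer) if peer else None,
        # The page's success criterion: an x-acs-request-id header is present.
        "reached_api": request_id is not None,
        # Assumption: the endpoint address comes from the VPC CIDR block.
        "in_vpc": bool(peer and peer in ipaddress.ip_network(vpc_cidr)),
    }

# Constructed sample output; addresses and CIDR are illustrative only.
VPC_CIDR = "10.0.0.0/16"
SAMPLE_PRIVATE = """\
* Connected to cloudcontrol.vpc-proxy.aliyuncs.com (10.0.1.25) port 80
> GET / HTTP/1.1
< HTTP/1.1 401 Unauthorized
< content-type: application/json
< x-acs-request-id: 23C12345-1234-1234-1234-123456789ABC
"""
SAMPLE_PUBLIC = SAMPLE_PRIVATE.replace("10.0.1.25", "203.0.113.10")

if __name__ == "__main__":
    for label, sample in (("private", SAMPLE_PRIVATE), ("public", SAMPLE_PUBLIC)):
        print(label, check_privatelink_response(sample, VPC_CIDR))
```

A result with `reached_api` true but `in_vpc` false means the name resolved to an address outside the VPC, so the private domain name is not being served by the endpoint from that host.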

Application integration example

Java example

import com.aliyun.cloudcontrol20220830.Client;
import com.aliyun.teaopenapi.models.Config;

public class PrivateLinkExample {
    public static void main(String[] args) throws Exception {
        // Configure the client. Credentials are read from environment
        // variables so that they are not hardcoded in source.
        Config config = new Config()
            .setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
            .setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
            // Use the private domain name.
            .setEndpoint("cloudcontrol.vpc-proxy.aliyuncs.com") // For Cloud Control API service in China
            .setHost("cloudcontrol.aliyuncs.com") // For Cloud Control API service in China
            // .setEndpoint("cloudcontrol-vpc.ap-southeast-1.aliyuncs.com") // For Cloud Control API service outside China
            .setProtocol("https");

        Client client = new Client(config);

        // Use the client object for API calls; supply your request arguments in place of "...".
        try {
            var response = client.listResources(...);
            System.out.println("Request successful: " + response.getBody().getRequestId());
        } catch (Exception e) {
            System.err.println("Request failed: " + e.getMessage());
        }
    }
}