
Compute Nest: Configure VPC access for a service

Last Updated: Jun 06, 2025

Compute Nest allows you to establish private connections for secure and stable data transmission between virtual private clouds (VPCs) and services hosted on Alibaba Cloud. The private connections can be flexibly configured to meet the requirements in different scenarios. This topic describes how to configure VPC access for a service.

Background information

  • VPC access has the following benefits:

    • Communication over VPCs: Data is transmitted over VPCs instead of the Internet. This prevents potential security risks.

    • Enhanced security: You can add security group rules to the elastic network interfaces (ENIs) used for service access in VPCs. This enhances the access security.

    • Low latency and high quality: The Alibaba Cloud network provides low-latency and high-availability connections.

    • Cross-zone and cross-region access: Compute Nest supports connections over VPCs. You can access services in the same zone, across zones, or across regions over VPCs.

    • Simplified access: Server Load Balancer (SLB) instances or IP addresses of service nodes can be used as static or dynamic resources to support VPC access. This way, customers can access services over VPCs in a more flexible manner.

    • Ease of management: Flexible cross-account and cross-VPC access simplifies complex routing and security configurations.

  • Customers can access fully managed services in Compute Nest over VPCs. After a customer creates a service instance, the customer can obtain the domain name of the software provided by the service provider. The customer can then access the domain name to use the software. Take note of the following items about domain names:

    • If the VPC access feature is not enabled for a fully managed service provided by a service provider, customers can only access the public domain name of the service instance over the Internet.

    • If the VPC access feature is enabled for a fully managed service provided by a service provider, customers can obtain the internal domain name of the service instance and access the internal domain name over a VPC. In this case, the service provider shares the services in the VPC of the service provider with the VPC of the customer. This implements access across VPCs.

Configure parameters for VPC access

When you create a service as a service provider in the Compute Nest console, you can configure parameters in the Network Settings section to configure VPC access.

  • The following parameters are used to configure VPC access for a fully managed service in Compute Nest:

    • VPC Access: Specifies whether to enable the VPC access feature.

    • Connection Mode: The connection mode for VPC access. Valid values: PrivateLink and VPC Peering. You can select a connection mode based on your business requirements.

      • PrivateLink: You can connect VPCs in the same zone. For more information, see What is PrivateLink?

        In PrivateLink mode, you can select an SLB instance or an endpoint service as an access resource.

        • If you want to select an SLB instance, you must select the SLB instance specified in the Resources section of the template as the access resource.

        • If you want to select an endpoint service, you must select the endpoint service specified in the Outputs section of the template as the access resource. You can configure only one endpoint service in each region. If you want to deploy Compute Nest services in multiple regions, you must configure one endpoint service in each region. For more information about how to create an endpoint service, see Create and manage endpoint services.

      • VPC Peering: This connection mode is available only if a new VPC is created. You must define the parameters for creating a VPC in the service template. When a customer creates a service instance, the customer only needs to specify the VPC to be connected to the new VPC over a VPC peering connection.

    • Select Payer: The payer of the SLB instance.

      Note: This parameter is available if you select an SLB instance as the access resource in PrivateLink mode.

      By default, the feature that is used to specify the service provider as the payer is unavailable. To use this feature, log on to the Quota Center console. In the left-side navigation pane, choose Products > Privileges. On the Products with Privileges page, click PrivateLink in the Networking section. On the Privileges page, enter privatelink_whitelist/epsvc_payer_mode to search for the quota, and click Apply in the Actions column.

    • Custom Domain Name: Optional. The custom domain name. If you specify this parameter, your customer can use the recommended custom domain name to access your service in a VPC when the customer creates a service instance. If you do not specify this parameter, no custom domain names are recommended for customers.
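The constraints in the parameter descriptions above can be checked against a service template before the service is published. The following Python check is an added example, not Compute Nest code: the `settings` dictionary and its keys are hypothetical stand-ins for the console fields, the SLB type set is an assumption, and the sample template is constructed.

```python
# Added example: lint VPC access settings against a service template (JSON as dict).
# The `settings` layout is hypothetical; it mirrors the console fields on this page.

SLB_TYPES = {"ALIYUN::SLB::LoadBalancer"}  # assumption: extend for other load balancer types
VPC_TYPE = "ALIYUN::ECS::VPC"

def lint_vpc_access(template, settings):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    if not settings.get("vpc_access"):
        return findings  # feature disabled: only the public domain name is reachable
    resources = template.get("Resources", {})
    outputs = template.get("Outputs", {})
    mode = settings.get("connection_mode")
    if mode == "PrivateLink":
        kind, name = settings.get("access_resource", (None, None))
        if kind == "slb":
            # The SLB instance must be the one defined in the Resources section.
            if resources.get(name, {}).get("Type") not in SLB_TYPES:
                findings.append(f"SLB '{name}' is not an SLB instance in Resources")
        elif kind == "endpoint_service":
            # The endpoint service must be exposed in the Outputs section.
            if name not in outputs:
                findings.append(f"endpoint service '{name}' is not in Outputs")
            # Exactly one endpoint service per deployment region.
            for region, svcs in settings.get("endpoint_services_by_region", {}).items():
                if len(svcs) != 1:
                    findings.append(f"region {region}: expected 1 endpoint service, got {len(svcs)}")
        else:
            findings.append("PrivateLink needs an SLB instance or an endpoint service")
        if "payer" in settings and kind != "slb":
            findings.append("Select Payer applies only to an SLB access resource")
    elif mode == "VPC Peering":
        # Peering is available only when the template itself creates a new VPC.
        if not any(r.get("Type") == VPC_TYPE for r in resources.values()):
            findings.append("VPC Peering requires the template to create a new VPC")
    else:
        findings.append(f"unknown connection mode: {mode!r}")
    return findings

# Constructed sample template and settings (placeholder values).
TEMPLATE = {
    "Resources": {"Vpc": {"Type": VPC_TYPE}, "Slb": {"Type": "ALIYUN::SLB::LoadBalancer"}},
    "Outputs": {"EndpointServiceId": {"Value": "epsrv-placeholder"}},
}
GOOD = {"vpc_access": True, "connection_mode": "PrivateLink",
        "access_resource": ("slb", "Slb"), "payer": "provider"}
BAD = {"vpc_access": True, "connection_mode": "PrivateLink",
       "access_resource": ("endpoint_service", "MissingOutput"),
       "endpoint_services_by_region": {"cn-hangzhou": ["a", "b"], "cn-beijing": ["c"]}}

if __name__ == "__main__":
    print(lint_vpc_access(TEMPLATE, GOOD))
    print(lint_vpc_access(TEMPLATE, BAD))
```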

Manage VPC connections for Compute Nest service instances

On the details page of a service instance, click the Network Settings tab. You can view the VPC connection configurations.

  • Basic information: the basic information about the endpoint service. You can click the ID of the endpoint service to go to the PrivateLink console. You can create or delete service resources, manage endpoint connections, add account IDs in the service whitelist, and view monitoring data in the PrivateLink console. For more information, see Manage account IDs in the whitelist of an endpoint service.

  • Zone and elastic IP address (EIP): the information about the customer-side vSwitch that is specified when the customer creates a VPC connection.

  • Security group: the information about the customer-side security group that is specified when the customer creates a VPC connection.