This topic describes endpoints and shows you how to configure and use endpoints in Identity as a Service (IDaaS).
Overview
Endpoints are the carriers that IDaaS Employee Identity and Access Management (EIAM) instances use to access networks. Endpoints in IDaaS are divided into dedicated endpoints and shared endpoints. You can use the shared endpoint free of charge, but you must purchase a dedicated endpoint before you can use one. For more information, see the Billing of dedicated endpoints section of the "Billing" topic.
Dedicated endpoint
A dedicated endpoint is an exclusive endpoint for an EIAM instance. An EIAM instance with a dedicated endpoint holds an elastic network interface (ENI) of a virtual private cloud (VPC). You can configure security group rules or network settings based on the ENI. This way, the EIAM instance can access a dedicated private network or access the Internet over a dedicated public IP address.
Access a dedicated private network
After an EIAM instance connects to your Alibaba Cloud VPC over a private network, you can synchronize the data of Active Directory (AD), Lightweight Directory Access Protocol (LDAP), and applications without enabling public ports. You can also enable the AD authentication and LDAP authentication features without enabling public ports.
The following sections describe how to enable access to a VPC over a dedicated private network for an EIAM instance in different scenarios. An AD domain server is used in each example.
Scenario in which the AD domain server and ENI belong to one Alibaba Cloud VPC
If your AD domain server and the ENI of your EIAM instance belong to the same Alibaba Cloud VPC, you need to use the following network access control list (ACL) configurations:
Add the IP address of the ENI to the whitelist of the security group to which the AD domain server belongs.
Scenario in which the AD domain server and ENI belong to different Alibaba Cloud VPCs
If your AD domain server and the ENI of your EIAM instance belong to different Alibaba Cloud VPCs, you can use the following ACL configurations:
Connect the two Alibaba Cloud VPCs involved by using Cloud Enterprise Network (CEN).
Add the IP address of the ENI to the whitelist of the security group to which the AD domain server belongs.
The AD domain server belongs to an on-premises data center or another cloud service provider
If the AD domain server belongs to an on-premises data center or another cloud service provider, you need to use the following network ACL configurations:
Connect the Alibaba Cloud VPC to the data center or cloud service provider to which the AD domain server belongs by using a dedicated connection, such as a leased line or a VPN.
Add the IP address of the ENI to the whitelist of the firewall in which the AD domain server resides.
Access the Internet over a dedicated public IP address
After an EIAM instance connects to your Alibaba Cloud VPC over a private network, you can associate an Elastic IP Address (EIP) with the ENI of the EIAM instance or associate an Internet NAT gateway with your Alibaba Cloud VPC. This way, the EIAM instance can use the public IP address to access the Internet. You can specify the public IP address as the trusted IP address of WeCom to meet the requirements of WeCom.
Shared endpoint
The shared endpoint is the default endpoint for an EIAM instance to access the Internet. All EIAM instances can use the shared endpoint. You can use the shared endpoint to access only the Internet.
Comparison of the two endpoint types
The following table describes the comparison between the two endpoint types.
Item | Dedicated endpoint | Shared endpoint |
Access to a private network over a dedicated IP address | Supported | Not supported |
Access to the Internet over a dedicated IP address | Supported | Not supported |
Access to the Internet over a public IP address | Not supported | Supported |
Owner of the network endpoint resources, such as ENIs and security groups | Your Alibaba Cloud account | IDaaS team |
Available by default | No | Yes |
Free | No | Yes |
Supported modules of endpoints
The following table describes the supported modules of endpoints. By default, each module uses the shared endpoint. You can change to a dedicated endpoint based on your business requirements.
Module | Access to a private network over a dedicated endpoint | Access to the Internet over a dedicated endpoint | Access to the Internet over the shared endpoint |
DingTalk inbound identity provider (IdP) | Not supported | Not supported | Supported |
DingTalk outbound IdP | Not supported | Not supported | Supported |
AD inbound IdP | Supported | Supported | Supported |
LDAP inbound IdP | Supported | Supported | Supported |
WeCom inbound IdP | Not supported | Supported | Not supported |
Applications of Marketplace | Not supported | Not supported | Supported |
Security Assertion Markup Language (SAML) applications | Not supported | Not supported | Supported |
OpenID Connect (OIDC) applications | Not supported | Not supported | Supported |
Self-developed applications | Not supported | Not supported | Supported |
Create a dedicated endpoint
Log on to the IDaaS console. In the left-side navigation pane, click EIAM. On the EIAM page, find the instance that you want to manage and click the instance name. On the page that appears, click Branding in the left-side navigation pane. On the Branding page, click the Network Access Endpoint tab. Then, the configuration tab appears.
Step 1: Create the AliyunServiceRoleForEiam service-linked role
Before you go to the Network Access Endpoint tab or create a dedicated endpoint, you must create the AliyunServiceRoleForEiam service-linked role for IDaaS. For more information about how to create the AliyunServiceRoleForEiam service-linked role, see Service-linked role for IDaaS EIAM instances. Only Alibaba Cloud accounts or Resource Access Management (RAM) users to which the AliyunIDaaSEiamFullAccess policy is attached can create the AliyunServiceRoleForEiam service-linked role.
Step 2: Upgrade or scale up the EIAM instance
You can create a dedicated endpoint only if the remaining dedicated endpoint quota of the instance is sufficient. If the remaining dedicated endpoint quota is insufficient, you need to purchase a dedicated endpoint quota before you can create a dedicated endpoint.
If your EIAM instance is an instance of Free Edition or Trial Edition, upgrade the instance and increase the number of dedicated endpoints on the buy page.
If your EIAM instance is an instance of Enterprise Edition, scale up the instance and increase the number of dedicated endpoints on the buy page. For more information, see the "Upgrade an instance" and "Change the specification of an instance" sections of the Manage instances topic.
Each EIAM instance supports only one dedicated endpoint.
Step 3: Select resources
On the Network Access Endpoint tab, click Add Dedicated Endpoint.
In the Add Dedicated Endpoint dialog box, configure the following required parameters.
After you create a dedicated endpoint, you cannot modify the parameter settings of the dedicated endpoint, such as region, VPC, and vSwitch. Proceed with caution.
Display Name: the display name of the dedicated endpoint. The name is used only for display in the IDaaS console.
Select Region: the region of the VPC to which you want to connect.
Select VPC: the VPC in the selected region. If you want to access a service, such as AD, LDAP, or an application over a private network, select a VPC in which the service resides or a VPC that can access the service.
Select vSwitch: the one or more vSwitches that you want to use in the VPC. The number of available IP addresses for each selected vSwitch must be greater than two. You cannot use the 33 CIDR block. You can select up to two vSwitches.
We recommend that you select two vSwitches in different zones to improve the disaster recovery capability.
After you configure the preceding parameters, click OK and wait until the dedicated endpoint is added.
You need to configure one of the following settings based on your business requirements before you can use the dedicated endpoint:
Private network access. For more information, see the Grant the private network access permissions section of this topic.
Internet access over a specific IP address. For more information, see the Configure a dedicated public outbound IP address section of this topic.
Grant the private network access permissions
On the Branding page, click the Network Access Endpoint tab. On the Network Access Endpoint tab, find the dedicated endpoint to which you want to grant the private network access permissions. Then, click Authorize Private Network Access.
Step 1: Obtain the access rules
In the Authorize Private Network Access dialog box, click the Copy icon next to Authorization Object. This parameter aggregates all the dedicated private outbound IP addresses of the dedicated endpoint.
Step 2: Configure access rules for a security group
Click Add. Then, the Security Groups page of the Elastic Compute Service (ECS) console appears. On this page, find the security group to which your server belongs and click it.
An AD domain server is used in this example. You need to select the security group to which the AD domain server belongs rather than the security group that is created by EIAM. For more information about the supported configuration methods, see the Access a dedicated private network section of this topic.
On the page that appears, click the Inbound tab in the Access Rule section. Then, click Add Rule.
Configure the following parameters and save the configurations:
Action: the authorization policy. Set this parameter to Allow.
Priority: the priority of the policy. Enter 1 in the Priority field.
Protocol Type: the type of the protocol. Select Custom TCP.
Port Range: the range of the ports to use. If you want to connect to AD or LDAP, we recommend that you enter 389 or 636 in the field.
Authorization Object: the private IP address that you copied in the previous step.
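The following added example (not code from the IDaaS documentation or product) turns the copied Authorization Object value into the minimal set of inbound rules described in Step 2: one /32 source per ENI address, only the LDAP ports, accept, priority 1. It also checks that each address falls inside a vSwitch selected for the endpoint, and models the Step 3 verification rule that every ENI must reach the AD domain server. The IP addresses and vSwitch CIDR blocks are constructed sample values; the rule field names follow the ECS AuthorizeSecurityGroup API.

```python
import ipaddress

# Constructed sample values (not copied from a real console): the value shown under
# "Authorization Object" and the CIDR blocks of the two vSwitches chosen for the endpoint.
AUTHORIZATION_OBJECT = "192.168.10.17,192.168.20.5"
VSWITCH_CIDRS = ["192.168.10.0/24", "192.168.20.0/24"]
LDAP_PORTS = (389, 636)  # plain LDAP and LDAPS, as recommended in Step 2


def parse_authorization_object(value):
    """Split the copied Authorization Object into the ENI private IPs (at most two ENIs)."""
    ips = [ipaddress.ip_address(p.strip()) for p in value.split(",") if p.strip()]
    if not 1 <= len(ips) <= 2:
        raise ValueError(f"expected 1 or 2 ENI addresses, got {len(ips)}")
    return ips


def build_sg_rules(auth_object, vswitch_cidrs, ports=LDAP_PORTS):
    """Return one inbound rule per (ENI IP, port), shaped like the fields of the
    ECS AuthorizeSecurityGroup API: /32 sources only, accept, priority 1."""
    nets = [ipaddress.ip_network(c) for c in vswitch_cidrs]
    rules = []
    for ip in parse_authorization_object(auth_object):
        # The ENI must live in one of the vSwitches selected for the endpoint;
        # any other address is not the endpoint and must not be whitelisted.
        if not any(ip in n for n in nets):
            raise ValueError(f"{ip} is not inside any selected vSwitch CIDR block")
        for port in ports:
            rules.append({
                "IpProtocol": "tcp",
                "PortRange": f"{port}/{port}",
                "SourceCidrIp": f"{ip}/32",  # exact host, never the whole vSwitch
                "Policy": "accept",
                "Priority": "1",
            })
    return rules


def endpoint_verification_passes(reachable_by_eni):
    """Mirror the Step 3 check: every ENI (at most two) must reach the AD domain server."""
    if not 1 <= len(reachable_by_eni) <= 2:
        return False
    return all(reachable_by_eni.values())


if __name__ == "__main__":
    for rule in build_sg_rules(AUTHORIZATION_OBJECT, VSWITCH_CIDRS):
        print(rule)
```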
Step 3: Switch to the created dedicated endpoint
An AD domain server is used in this example. Go to the IdPs page. Click Modify to modify the basic configurations.
In the Basic Configurations dialog box, select Dedicated Network Access Endpoint as Network Access Endpoint in the Network Configurations section. Then, select the dedicated endpoint for which you have configured access rules from the drop-down list.
Click OK. Then, the system verifies the instance. The system connects to the AD domain server by using the dedicated private outbound IP addresses of the dedicated endpoint, which correspond to a primary ENI and a secondary ENI. A maximum of two ENIs are allowed. If both ENIs can access the AD domain server, the verification is successful, and the configured dedicated endpoint is used as the network endpoint. If one of the ENIs fails to access the AD domain server, the verification fails, and an error message appears.
After the instance passes the verification, you can use the dedicated endpoint to access other servers. We recommend that you verify the instance in a test environment.
After a paid instance is released upon expiration or unsubscribed, the dedicated endpoint involved immediately becomes unavailable, and IDaaS EIAM deletes the dedicated endpoint after one day. If you want to use the shared endpoint or another dedicated endpoint, you must switch to the required endpoint. We recommend that you modify the network access whitelist of your service before you delete the dedicated endpoint.
Configure a dedicated public outbound IP address
You can configure a dedicated public outbound IP address by using one of the following methods. This way, the EIAM instance can access the Internet over a specific IP address. Select one of the following methods based on your business requirements. You can specify the public IP address as the trusted IP address of WeCom to complete the verification for WeCom.
Method 1: Use an EIP
Starting from April 1, 2024, you cannot manually associate an EIP with or disassociate an EIP from an ENI that is associated with a dedicated endpoint due to the changes to ENI service logic. We recommend that you configure a dedicated public outbound IP address by using an Internet NAT gateway and disassociate the EIP from your dedicated endpoint at the earliest opportunity. If you do not disassociate the EIP from your dedicated endpoint at the earliest opportunity, you can use the dedicated endpoint to access the Internet by using the EIP. In this case, if you want to disassociate the EIP from your dedicated endpoint, you must delete the dedicated endpoint.
On the Network Access Endpoint tab of the Branding page, find the dedicated endpoint that you want to manage and view the VPC region. Confirm the ENI ID.
Go to the Elastic IP Addresses page. Select an EIP that resides in the same region as the VPC. Click Associate with Resource in the Actions column to start the association. If no EIPs are available, create an EIP in advance.
In the Associate EIP with Resource dialog box, set the Instance Type to Secondary ENI. Select an ENI that is associated with the dedicated endpoint. Then, click OK. We recommend that you associate one EIP with one ENI.
After the association is successful, you can use the dedicated endpoint to access the Internet. On the Network Access Endpoint tab of the Branding page, you can click Dedicated Public Outbound IP Address to view the dedicated public IP address.
Method 2: Use an Internet NAT gateway
On the Branding page, click the Network Access Endpoint tab. On the Network Access Endpoint tab, find the dedicated endpoint that you want to use to access the Internet.
On the Internet NAT Gateway page, select an Internet NAT gateway that resides in the same region as the VPC of the dedicated endpoint. Click Associate Now to associate the Internet NAT gateway with an EIP. If no Internet NAT gateways are available, create one in advance.
You can select an existing EIP or purchase a new EIP.
After the association is successful, you can use the dedicated endpoint to access the Internet. On the Network Access Endpoint tab of the Branding page, you can click Dedicated Public Outbound IP Address to view the dedicated public IP address.
Switch to the created dedicated endpoint
An AD domain server is used in this example. Go to the IdPs page. Click Modify to modify the basic configurations.
In the Basic Configurations dialog box, select Dedicated Network Endpoint as Network Endpoint in the Network Configurations section. Then, select the dedicated endpoint for which you have configured a dedicated public outbound IP address from the drop-down list.
Click OK. Then, the system verifies the instance. The system connects to the AD domain server by using the dedicated public outbound IP addresses of the dedicated endpoint, which are the public IP addresses of the ENI and Internet NAT gateway. A maximum of two ENIs are allowed. If both ENIs can access the AD domain server, the verification is successful, and the configured dedicated endpoint is used as the network endpoint. If one of the ENIs fails to access the AD domain server, the verification fails, and an error message appears.
You can click View next to Dedicated Public Outbound IP to view the gateway IP address in use.
After the instance passes the verification, you can use the dedicated endpoint to access other servers. We recommend that you verify the instance in a test environment.
After a paid instance is released upon expiration or unsubscribed, the dedicated endpoint involved immediately becomes unavailable, and IDaaS EIAM deletes the dedicated endpoint after one day. If you want to use the shared endpoint or another dedicated endpoint, you must switch to the required endpoint. We recommend that you modify the network access whitelist of your service before you delete the dedicated endpoint.
Modify a dedicated endpoint
You can modify only the display name of a dedicated endpoint. If you want to modify other settings, you must delete the dedicated endpoint and create another dedicated endpoint with the required settings.
Delete a dedicated endpoint
A dedicated endpoint can be deleted in one of the following ways:
If no modules, such as IdPs and applications, in an instance use the dedicated endpoint, an administrator can manually delete the dedicated endpoint.
If a paid instance is released upon expiration or unsubscribed, IDaaS automatically deletes the dedicated endpoint.
When a dedicated endpoint is deleted, IDaaS releases the following resources created by IDaaS within your account:
ENIs
Managed security groups
After a dedicated endpoint is deleted, resources and data of the dedicated endpoint cannot be restored. The dedicated endpoint is unavailable after it is deleted. If you want to delete the AliyunServiceRoleForEiam service-linked role, you must delete all EIAM instances.
After you delete a dedicated endpoint, if you want to use the shared endpoint or another dedicated endpoint, you must switch to the required endpoint on the IdPs or Applications page. We recommend that you modify the network access whitelist of your service before you delete the dedicated endpoint.