
Endpoints

Last Updated:Jul 11, 2025

This topic describes endpoints and how to configure and use endpoints in Identity as a Service (IDaaS).

Introduction

A network access endpoint is the network path through which an IDaaS EIAM instance reaches other networks. Endpoints are classified into dedicated endpoints and shared endpoints. Dedicated endpoints must be purchased before use (see Billing of dedicated endpoints), whereas shared endpoints are free of charge.

  1. Dedicated endpoint

    A dedicated endpoint is an exclusive endpoint for an EIAM instance. The dedicated endpoint of an EIAM instance is an elastic network interface (ENI) of a virtual private cloud (VPC). You can configure security group rules or network settings for the ENI. This way, the EIAM instance can access a private network or access the Internet by using the dedicated endpoint.

    1. Access to a private network over a dedicated endpoint

      After an EIAM instance connects to your Alibaba Cloud VPC over a private network, you can synchronize the data of Active Directory (AD) domains, Lightweight Directory Access Protocol (LDAP) servers, and applications, and enable the AD authentication and LDAP authentication features, without the need to enable Internet-facing ports. The following sections describe network access in different scenarios. In the following examples, an AD domain server is used.

      AD domain server and ENI in the same Alibaba Cloud VPC

      If your AD domain server and the ENI of your EIAM instance belong to the same Alibaba Cloud VPC, you must implement access control by using the following method:

      Configure the security group to which the AD domain server belongs to allow access from the IP address of the ENI.

      AD domain server and ENI in different Alibaba Cloud VPCs

      If your AD domain server and the ENI of your EIAM instance belong to different Alibaba Cloud VPCs, you must implement access control by using the following methods:

      • Connect the two Alibaba Cloud VPCs by using a Cloud Enterprise Network (CEN) instance.

      • Configure the security group to which the AD domain server belongs to allow access from the IP address of the ENI.

      AD domain server in an on-premises data center or a third-party cloud

      If the AD domain server belongs to a data center or a third-party cloud service platform, you must implement access control by using the following methods:

      • Connect the Alibaba Cloud VPC to the data center or third-party cloud where the AD domain server is located over a leased line or a VPN connection.

      • Configure the firewall of the AD domain server to allow access from the IP address of the ENI.

    2. Access to the Internet over a dedicated endpoint

      After an EIAM instance connects to your Alibaba Cloud VPC over a private network, you can associate an Elastic IP Address (EIP) with the ENI of the EIAM instance or associate an Internet NAT gateway with your Alibaba Cloud VPC. This way, the EIAM instance can use a public IP address to access the Internet. You can specify the public IP address as the trusted IP address in WeCom to meet your requirements for WeCom access.

  2. Shared endpoint

    A shared endpoint is the default endpoint that an EIAM instance uses to access the Internet. All EIAM instances can use the shared endpoint. You can use a shared endpoint to access only the Internet.

    1. Comparison between the two endpoints

      The following table describes the two endpoint types.

      | Item | Dedicated endpoint | Shared endpoint |
      |------|--------------------|-----------------|
      | Access to a private network over a dedicated IP address | Supported | Not supported |
      | Access to the Internet over a dedicated IP address | Supported | Not supported |
      | Access to the Internet over a shared IP address | Not supported | Supported |
      | Owner of the endpoint resources, such as ENIs and security groups | Your Alibaba Cloud account | The IDaaS team |
      | Available by default | No | Yes |
      | Free of charge | No | Yes |

    2. Network endpoint support

      The following table describes the supported modules of endpoints. By default, each module uses a shared endpoint. You can switch to a dedicated endpoint based on your business requirements.

      | Module | Dedicated endpoint - Access to a private network | Dedicated endpoint - Access to the Internet | Shared endpoint - Access to the Internet |
      |--------|--------------------------------------------------|---------------------------------------------|------------------------------------------|
      | DingTalk inbound identity provider (IdP) | Not supported | Not supported | Supported |
      | DingTalk outbound IdP | Not supported | Not supported | Supported |
      | AD inbound IdP | Supported | Supported | Supported |
      | LDAP inbound IdP | Supported | Supported | Supported |
      | WeCom inbound IdP | Not supported | Supported | Not supported |
      | Marketplace application | Not supported | Not supported | Supported |
      | Security Assertion Markup Language (SAML) application | Not supported | Not supported | Supported |
      | OpenID Connect (OIDC) application | Not supported | Not supported | Supported |
      | Self-developed application | Not supported | Not supported | Supported |

Add a dedicated endpoint

You can open the network endpoint management page by choosing Personalization > Network Endpoint.

  1. Create a service-linked role (SLR)

    When you open the Endpoints page or add a dedicated endpoint and no service-linked role exists yet, you must create the IDaaS EIAM service-linked role. Only Alibaba Cloud accounts, or Resource Access Management (RAM) users to which the AliyunIDaaSEiamFullAccess policy is attached, can create the service-linked role.

  2. Upgrade or scale up the instance

    You can create a dedicated endpoint only if the remaining dedicated endpoint quota of the instance is sufficient. If the remaining dedicated endpoint quota is insufficient, you must purchase a quota to create a dedicated endpoint.

    1. For free or trial instances, upgrade the instance and purchase dedicated endpoints on the purchase page.

    2. For Enterprise instances, scale up the instance and purchase dedicated endpoints on the purchase page.

    Note

    Each EIAM instance supports only one dedicated endpoint.

  3. Select resources

    1. On the Endpoints page, click Add Dedicated Endpoint to start the process. In the Add Dedicated Endpoint dialog box, configure the following parameters.

      Important

      After you create a dedicated endpoint, you cannot modify the settings of the dedicated endpoint, such as the region, VPC, and vSwitch. Proceed with caution.

      • Display Name: the display name of the dedicated endpoint. The name is displayed only in the IDaaS console.

      • Select Region: the region of the VPC to which you want to connect.

      • Select VPC: the VPC in the selected region. If you want to access a service, such as an AD domain, an LDAP server, or an application, over a private network, select a VPC in which the service resides or a VPC over which you can access the service.

      • Select vSwitch: the vSwitches that you want to use in the VPC. The number of available IP addresses for each selected vSwitch must be greater than two. You cannot use the 33 CIDR block. You can select up to two vSwitches.

      Important

      We recommend that you select two vSwitches in different zones to improve the disaster recovery capability.

    2. After you configure the parameters, click OK and wait until the dedicated endpoint is created.

      You must configure one of the following features based on your business requirements before you can use the dedicated endpoint:

      1. If you want to access a private network over the dedicated endpoint, authorize private network access.

      2. If you want to access the Internet over the dedicated endpoint, configure a dedicated Internet egress IP address.

Grant the private network access permissions

  1. On the Branding > Network Access Endpoint page, find the dedicated endpoint to which you want to grant the private network access permissions. Then, click Authorize Private Network Access.

  2. Obtain access rules. In the Authorize Private Network Access dialog box, copy the Authorization Object. The authorization object contains all the private IP addresses of the dedicated endpoint.

  3. Configure security group rules. Click Add to go to the Security Groups page in the Elastic Compute Service (ECS) console. On the Security Groups page, find the security group to which your server belongs and click it to open the details page of the security group.

    Note

    For example, if you want to access an AD domain server, you need to select the security group to which the AD domain server belongs (for different network planning methods, see Access to a private network over a dedicated endpoint), not the security group created by EIAM.

    1. Click the Security Group ID/Name to open the security group. On the Security Group Details page, click the Inbound tab, and then click Add Rule.

    2. Configure the following parameters and save the configurations.

      • Action: Allow.

      • Priority: 1.

      • Protocol Type: Custom TCP.

      • Port Range: the range of the ports that you want to use. If you want to connect to an AD domain or LDAP server, we recommend that you enter 389 or 636.

      • Authorization Object: the private IP addresses that you copied in the previous step.
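      The inbound rule described in the steps above (allow TCP 389 or 636 from the private IP addresses of the dedicated endpoint) can be generated and sanity-checked before it is entered into the console. The following script is an added example and is not part of the Alibaba Cloud documentation or the IDaaS product code. It assumes that the copied Authorization Object is a comma-separated list of IPv4 addresses (the page states that it contains all private IP addresses of the dedicated endpoint); the vSwitch CIDR blocks, IP addresses and security group ID are constructed sample values, and rendering the rules as `aliyun ecs AuthorizeSecurityGroup` calls is an assumption about the CLI rather than a step from the page. Each address is checked against the endpoint's vSwitch CIDR blocks so that a typo cannot widen the rule to an unrelated source, and every rule uses a /32 source so that only the ENI addresses are allowed.

```python
"""Build least-privilege inbound security group rules for an IDaaS dedicated endpoint.

Added example, not from the Alibaba Cloud documentation. Inputs are the
Authorization Object copied from the "Authorize Private Network Access"
dialog, the vSwitch CIDR blocks chosen when the endpoint was created, and
the ports the target AD/LDAP server listens on.
"""
import ipaddress
import shlex

# Constructed sample values; replace them with the ones shown in your console.
SAMPLE_AUTHORIZATION_OBJECT = "192.168.10.23,192.168.20.41"
SAMPLE_VSWITCH_CIDRS = ["192.168.10.0/24", "192.168.20.0/24"]
SAMPLE_SECURITY_GROUP_ID = "sg-EXAMPLE-AD-DOMAIN-SERVER"   # placeholder, not a real ID
SAMPLE_REGION_ID = "cn-hangzhou"


def parse_authorization_object(text, vswitch_cidrs):
    """Split the copied authorization object into host IPs and check that each
    one lies inside one of the endpoint's vSwitches, so a stale or mistyped
    value cannot authorize an unrelated source address."""
    networks = [ipaddress.ip_network(cidr) for cidr in vswitch_cidrs]
    ips = []
    for token in text.replace(";", ",").split(","):
        token = token.strip()
        if not token:
            continue
        ip = ipaddress.ip_address(token)
        if not any(ip in net for net in networks):
            raise ValueError(f"{ip} is not inside any endpoint vSwitch {vswitch_cidrs}")
        ips.append(ip)
    if not ips:
        raise ValueError("authorization object is empty")
    return ips


def build_rules(ips, ports, security_group_id, region_id, priority=1):
    """One inbound allow rule per (ENI IP, port): TCP, policy accept,
    priority 1, source restricted to a /32 host CIDR, matching the
    parameters listed in the console steps."""
    rules = []
    for ip in ips:
        for port in ports:
            rules.append({
                "RegionId": region_id,
                "SecurityGroupId": security_group_id,
                "IpProtocol": "tcp",
                "PortRange": f"{port}/{port}",
                "SourceCidrIp": f"{ip}/32",
                "Policy": "accept",
                "Priority": str(priority),
            })
    return rules


def to_cli(rules):
    """Render the rules as aliyun CLI invocations of ECS AuthorizeSecurityGroup
    (assumed CLI form; verify against your CLI version before running)."""
    lines = []
    for rule in rules:
        args = " ".join(f"--{key} {shlex.quote(value)}" for key, value in rule.items())
        lines.append(f"aliyun ecs AuthorizeSecurityGroup {args}")
    return lines


if __name__ == "__main__":
    eni_ips = parse_authorization_object(SAMPLE_AUTHORIZATION_OBJECT, SAMPLE_VSWITCH_CIDRS)
    for line in to_cli(build_rules(eni_ips, [389, 636], SAMPLE_SECURITY_GROUP_ID, SAMPLE_REGION_ID)):
        print(line)
```

      Review the printed rules against the security group of the AD domain server (not the security group created by EIAM) before applying them; if a private IP address from the dialog is rejected by the vSwitch check, re-copy the Authorization Object rather than widening the CIDR blocks.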

Configure a dedicated public outbound IP address

You can configure an Internet NAT gateway for an EIAM instance. This way, the EIAM instance can access the Internet by using a specific IP address. You can specify the IP address as the trusted IP address in WeCom to complete the verification for WeCom.

  1. View the region of the dedicated endpoint

    On the Branding > Network Access Endpoint page, find the dedicated endpoint that you want to use to access the Internet and view the VPC region.

  2. Associate an EIP

    1. In the Virtual Private Cloud - NAT Gateway console, select an Internet NAT gateway in the same region as the VPC and click Associate Now to associate an EIP with the NAT gateway.

      If no Internet NAT gateway is available, create one. For more information, see Create an Internet NAT gateway.

    2. You can select an existing EIP or purchase an EIP and then associate the NAT gateway with the EIP.

    3. After the EIP is associated with the NAT gateway, go to the NAT Gateway page and click Instance ID/Name.

      If no SNAT entry exists in the current instance, see Create and manage SNAT entries. After you create an SNAT entry, the dedicated endpoint can be used to access the Internet.

      Warning

      If no SNAT entry is configured, the dedicated endpoint cannot access the Internet.

    4. You can view the current dedicated public IP address on the Branding > Network Access Endpoint page, under Dedicated Outbound Public IP Address.

Switch to a dedicated endpoint

  1. Go to the IdPs page and click Modify to modify the basic configurations. The following example uses an AD domain server.

  2. Configure a dedicated endpoint. In the Network Configuration section, under Network Access Endpoint, do the following:

    1. Select Dedicated Network Endpoint.

    2. Select an endpoint with a Dedicated Outbound Public IP Address from the drop-down list. The endpoint can be an ENI or an Internet NAT gateway.

  3. Submit for verification. After you click OK, the system immediately verifies the following items:

    1. Verification requirement: All associated ENIs (up to two) must be able to access the AD domain server.

    2. If the verification succeeds: The system automatically switches to the dedicated endpoint.

    3. If the verification fails: The system displays an error message. You must check the network connectivity.

You can click the dedicated Internet egress IP address to view the gateway IP address that is used.
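The verification step above fails when the AD domain server cannot be reached from the endpoint's ENIs, and the page only says to check network connectivity. The following script is an added example, not Alibaba Cloud's or the IDaaS product's code, for doing that check yourself from an ECS instance placed on the same vSwitch as the dedicated endpoint: a plain TCP connect for port 389 and a full TLS handshake with certificate verification for port 636, as an LDAPS client would perform. The host names, ports and the local listener used in the offline demonstration are constructed; pass your own server address and, if the domain uses a private CA, its CA bundle.

```python
"""Pre-check reachability of an AD/LDAP server from inside the endpoint VPC.

Added example, not from the Alibaba Cloud documentation. Run on a host that
shares a vSwitch with the dedicated endpoint; the same reachability is what
IDaaS verifies when an IdP is switched to the dedicated endpoint.
"""
import socket
import ssl
import threading
from dataclasses import dataclass


@dataclass
class PortResult:
    host: str
    port: int
    ok: bool
    detail: str


def check_tcp(host, port, timeout=3.0):
    """Plain TCP connect; sufficient for LDAP on 389."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return PortResult(host, port, True, "tcp connect succeeded")
    except OSError as exc:
        return PortResult(host, port, False, f"tcp connect failed: {exc}")


def check_ldaps(host, port=636, timeout=3.0, cafile=None):
    """TCP connect plus a TLS handshake that verifies the server certificate
    against cafile (or the system trust store) and the host name."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(item[0] for item in tls.getpeercert()["subject"])
                return PortResult(host, port, True,
                                  f"tls ok, CN={subject.get('commonName')}")
    except ssl.SSLError as exc:
        return PortResult(host, port, False, f"tls handshake failed: {exc}")
    except OSError as exc:
        return PortResult(host, port, False, f"tcp connect failed: {exc}")


def check_server(host, ports=(389, 636), timeout=3.0, cafile=None):
    """Run the check that matches each port's protocol."""
    results = []
    for port in ports:
        if port == 636:
            results.append(check_ldaps(host, port, timeout, cafile))
        else:
            results.append(check_tcp(host, port, timeout))
    return results


def all_reachable(results):
    """The endpoint switch succeeds only if every ENI reaches the server,
    so treat any single failure as a failed pre-check."""
    return all(r.ok for r in results)


def demo_with_local_listener():
    """Offline demonstration: a throwaway listener on 127.0.0.1 stands in for
    the AD server (constructed; no directory involved). Returns the result
    while the listener is up and the result after it has been closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_once():
        conn, _ = srv.accept()
        conn.close()

    worker = threading.Thread(target=accept_once, daemon=True)
    worker.start()
    open_result = check_tcp("127.0.0.1", port)
    worker.join(timeout=3)
    srv.close()
    closed_result = check_tcp("127.0.0.1", port)  # nothing listens any more
    return open_result, closed_result


if __name__ == "__main__":
    for result in demo_with_local_listener():
        print(result)
    # Real use, against your own server name and CA bundle (constructed names):
    # for r in check_server("ad.example.internal", cafile="/path/to/domain-ca.pem"):
    #     print(r)
```

Run the check from each vSwitch you selected when creating the endpoint, since IDaaS requires every associated ENI (up to two) to reach the server; a failure on one vSwitch usually points at the security group rule or the route for that zone.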

Important

After the instance passes the verification, you can use the dedicated endpoint to access other servers. We recommend that you verify the instance in a test environment. After a paid instance is released upon expiration or unsubscription, the dedicated endpoint immediately becomes unavailable and is deleted the next day. If you want to use the shared endpoint or another dedicated endpoint, you must switch to the required endpoint. Before the dedicated endpoint is deleted, we recommend that you modify the network access whitelist of your service.

Modify a dedicated endpoint

You can modify only the Display Name of a dedicated endpoint. If you want to modify other settings, you must delete the dedicated endpoint and create a dedicated endpoint based on your business requirements.