As a service provider, you can create an endpoint service to share with specified users. This simplifies your network architecture and avoids exposing services to the public network.
Secure private access: All service traffic is transmitted over a private network. This avoids exposing data to the Internet and mitigates security risks.
Simplified network architecture: PrivateLink creates an elastic network interface (ENI) in the service consumer's virtual private cloud (VPC) to serve as a local access entry point. The service consumer can access the service as if it were any other resource within the VPC. This eliminates the need for VPC peering connections or Cloud Enterprise Network (CEN) instances, which greatly simplifies the network architecture and resolves IP address conflicts.
How it works
Service provider: Deploys a Server Load Balancer (SLB) instance, such as a Network Load Balancer (NLB), Application Load Balancer (ALB), or Classic Load Balancer (CLB) instance, in the region where the service is provided. Then, the service provider configures an endpoint service for consumers to use.
Service consumer: Creates an interface endpoint in their VPC by specifying the endpoint service name to access the corresponding service over a private network. After a network connection is established between other VPCs or data centers and the consumer's VPC, they can access the endpoint service through the interface endpoint in the VPC. For more information, see Other VPCs and data centers.
Service providers and service consumers must be Alibaba Cloud users. Currently, endpoints and endpoint services of PrivateLink must be deployed in the same region.
Share your services
A service provider must deploy an SLB instance, add backend servers for the service, and configure an endpoint service in the service region.
Supported service resources: public or private NLB instances, public or private ALB instances, and pay-as-you-go private CLB instances.
Ensure that service resources are configured and the required backend services are deployed.
Console
Configure an endpoint service as a service provider
Go to the Create Endpoint Service page in the PrivateLink console.
Region: Select the region where you want to provide the service.
EPS Resource Type: Select a resource type based on your configured service resources. To ensure high availability, add service resources from multiple zones.
Automatically Accept Endpoint Connections: Specify whether to automatically accept connection requests when users create interface endpoints to access the service. Modifying this option after creation does not affect existing connections.
Yes: When a service consumer creates an interface endpoint to connect to the service, the connection is automatically established.
No: The service provider must confirm whether to allow the service consumer to connect.
Zone Affinity: If service consumers are not sensitive to service latency, select No. If you select Yes and the service consumer enables zone affinity, the system prioritizes the IP address of the ENI in the corresponding endpoint zone when the service is accessed from the same zone as the interface endpoint. This enables nearest access.
IP Version: Supports IPv4 and Dual-stack. You can select Dual-stack if all service resources added to the endpoint service support dual-stack.
CLB does not support dual-stack.
Payer: Select the payer for the PrivateLink connection. The default is the service consumer. This setting cannot be changed after it is configured.
After the endpoint service is created, the service provider must configure a service whitelist to allow users from other accounts to initiate connection requests to the endpoint service.
On the details page of the target endpoint service, go to the Service Whitelist tab. Click Add To Whitelist to define the scope of users who can access the service.
Configure the whitelist scope:
*: All users can initiate connection requests to the endpoint service.
Configure account UIDs: Only the specified users can initiate connection requests to the endpoint service.
Access an endpoint service as a service consumer
Go to the Endpoint - Create Endpoint page.
Configure the interface endpoint:
Region: Select the region where you want to create the interface endpoint. This region must be the same as the region of the endpoint service. PrivateLink currently supports only intra-region connections.
Endpoint: Select Other Endpoint Services and enter the endpoint service name for authentication. Access is granted after the service name is validated.
VPC and Zone And VSwitch:
Select a zone from the zones where the endpoint service is available. This zone must correspond to a zone where the service resource is located. For high availability, select vSwitches in at least two zones.
You can assign a specific IP address from within the vSwitch to the ENI of the endpoint zone. If you do not specify an IP address, the system assigns one by default.
Do not assign a system-reserved IP address of the vSwitch to the ENI.
Security Group: Associate a security group with the interface endpoint to manage inbound traffic for the ENIs in all endpoint zones.
IP Version: If the endpoint service supports dual-stack, you can select Dual-stack. This allows clients to access the service using both IPv4 and IPv6 addresses. Otherwise, you can only select IPv4.
Zone Affinity: If the endpoint service supports zone affinity, the service consumer can enable or disable it. When enabled:
If the service consumer accesses the service from the same zone as the interface endpoint using the endpoint domain name, the system prioritizes the IP address of the ENI in the corresponding endpoint zone. This enables nearest access.
If the service is accessed from a zone different from the interface endpoint's zone, the system returns the IP addresses of ENIs from all endpoint zones. Traffic is then routed to a random zone.
After creation, run the following commands from an ECS instance in the same VPC to test the connection.
ping <IP address of the endpoint ENI in the zone>
# You can find the private IP address of the ENI on the Zones and ENIs tab of the instance details page.
# For HTTP/HTTPS services, we recommend that you directly access the service port.
curl -sI https://<endpoint domain name>
# You can find the endpoint domain name on the instance list page.
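The ping and curl commands above test one address at a time. The following script is an added example (not part of the Alibaba Cloud documentation or SDK) that performs the same consumer-side check across all zones at once: it resolves the endpoint domain name, confirms that every returned address belongs to one of the endpoint's zone ENIs, and tests TCP reachability of the service port from each zone. This also reflects the multi-zone DNS behaviour described under "Ensure high availability for service access": a zone whose ENI is absent from the DNS answer is reported as missing rather than treated as an error. The domain name, zone names, ENI addresses and port are constructed placeholders; the `resolve` and `connect` parameters exist so the logic can be exercised without network access.

```python
"""Consumer-side reachability check for a PrivateLink interface endpoint.

Added example; not Alibaba Cloud code. Replace the constructed placeholders in
main() with the endpoint domain name, service port and zone ENI addresses shown
on the interface endpoint's details page.
"""
import socket
from typing import Callable, Dict, List


def _tcp_reachable(ip: str, port: int, timeout: float) -> bool:
    """Open and immediately close one TCP connection to ip:port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # timeout, connection refused, no route, ...
        return False


def _resolve_ipv4(name: str) -> List[str]:
    """All IPv4 addresses the resolver returns for the endpoint domain name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})


def check_endpoint(domain: str, port: int, zone_enis: Dict[str, str],
                   resolve: Callable[[str], List[str]] = _resolve_ipv4,
                   connect: Callable[[str, int, float], bool] = _tcp_reachable,
                   timeout: float = 3.0) -> dict:
    """Compare the DNS answer for the endpoint domain with the configured zone ENIs
    and probe the service port on every ENI.

    zone_enis maps a zone id to the private IP of the endpoint ENI in that zone.
    The result is "ok" when the DNS answer contains only known ENI addresses,
    covers at least two zones (high availability) and every zone that DNS
    returned is reachable on the service port.
    """
    ip_to_zone = {ip: zone for zone, ip in zone_enis.items()}
    resolved = resolve(domain)
    unknown = [ip for ip in resolved if ip not in ip_to_zone]
    answered_zones = sorted(ip_to_zone[ip] for ip in resolved if ip in ip_to_zone)
    # Zones absent from the DNS answer: expected only while a zone ENI is
    # failing its availability probe and its record has been withdrawn.
    missing_zones = sorted(set(zone_enis) - set(answered_zones))
    reachable = {zone: connect(ip, port, timeout) for zone, ip in zone_enis.items()}
    ok = (not unknown
          and len(answered_zones) >= 2
          and all(reachable[zone] for zone in answered_zones))
    return {
        "ok": ok,
        "resolved": resolved,
        "unknown": unknown,
        "answered_zones": answered_zones,
        "missing_zones": missing_zones,
        "reachable": reachable,
    }


if __name__ == "__main__":
    # Constructed placeholders; substitute the values from your endpoint details page.
    result = check_endpoint(
        domain="ep-example.privatelink.example.internal",
        port=443,
        zone_enis={"zone-a": "192.168.1.10", "zone-b": "192.168.2.10"},
    )
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it from an ECS instance in the consumer VPC, since the endpoint ENI addresses are only reachable from that VPC (or from networks connected to it). An "unknown" address in the DNS answer means the name you resolved does not belong to the endpoint you configured and should be investigated before any client is pointed at it.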
API
Service provider: Call the CreateVpcEndpointService operation to create an endpoint service.
Service consumer: Call the CreateVpcEndpoint operation to create an endpoint.
Configure the access scope of a service
By combining the service whitelist and the setting for automatically accepting endpoint connections, service providers can precisely control which service consumers can access the endpoint service. For example:
A small number of trusted users: Add the users' account UIDs to the whitelist and enable automatic acceptance of endpoint connections.
A broader range of users: Add * to the whitelist and disable automatic acceptance of endpoint connections. The service provider must approve each endpoint connection request.
Configure a service whitelist
After an endpoint service is created, the system automatically adds the service provider's Alibaba Cloud account to the service whitelist. The service provider must manually configure the service whitelist to allow users from other accounts to initiate connection requests to the endpoint service.
During a phased release of the service, the service provider can add the Alibaba Cloud account UIDs of target users one by one to gradually grant access permissions. After the phased release is complete, you can add a * entry to open the service to all users, as needed. If the service is intended for specific users long-term, you can choose to configure only the specified account UIDs.
Console
On the details page of the target endpoint service, go to the Service Whitelist tab. Click Add To Whitelist to define the scope of users who can access the service.
Configure the whitelist scope:
*: All users can initiate connection requests to the endpoint service.
Configure account UIDs: Only the specified users can initiate connection requests to the endpoint service.
API
Call the AddUserToVpcEndpointService operation to add an account to the service whitelist.
Call the RemoveUserFromVpcEndpointService operation to remove an account from the service whitelist.
Automatically accept endpoint connections
A service consumer can use the corresponding interface endpoint to access the endpoint service over a private network only after the service provider accepts the endpoint connection.
Console
When you create an endpoint service, set Automatically Accept Endpoint Connections:
Yes: The connection is automatically established.
No: The service provider must go to the Endpoint Connections tab of the target endpoint service and select Allow or Deny in the Actions column for the target interface endpoint to manage the connection request.
After creation, you can go to the Basic Information tab of the target endpoint service to Enable or Disable automatic acceptance of endpoint connections. Modifying this option after creation does not affect existing connections.
API
When you call the CreateVpcEndpointService and UpdateVpcEndpointServiceAttribute operations, set the AutoAcceptEnabled parameter to specify whether to automatically accept endpoint connections. If you set AutoAcceptEnabled to false, you must call the EnableVpcEndpointConnection or DisableVpcEndpointConnection operation to allow or deny endpoint connection requests.
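The service whitelist and AutoAcceptEnabled together decide what happens when a consumer creates an interface endpoint. The following model is an added example (not Alibaba Cloud code or an SDK type) that encodes the rules stated on this page: the provider's own account is whitelisted at creation, an account that is neither whitelisted nor covered by the * entry cannot find the service at all, a whitelisted account's connection is either established immediately (AutoAcceptEnabled true) or stays Disconnected until the provider allows it, and changing AutoAcceptEnabled later leaves existing connections untouched. The class name, method names and the state strings are assumptions chosen to mirror the console and API names on the page.

```python
"""Model of service whitelist + AutoAcceptEnabled behaviour for a PrivateLink
endpoint service. Added example; not part of the Alibaba Cloud documentation."""
from dataclasses import dataclass, field
from typing import Dict, Set

WILDCARD = "*"  # whitelist entry that lets every Alibaba Cloud account find the service


@dataclass
class EndpointServiceModel:
    provider_uid: str
    auto_accept_enabled: bool                      # AutoAcceptEnabled parameter
    whitelist: Set[str] = field(default_factory=set)
    # endpoint id -> "Connected" or "Disconnected" (the status shown in the console)
    connections: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # The provider's own account is added to the whitelist automatically on creation.
        self.whitelist.add(self.provider_uid)

    # --- whitelist management (AddUserToVpcEndpointService / RemoveUserFromVpcEndpointService)
    def add_to_whitelist(self, uid: str) -> None:
        self.whitelist.add(uid)

    def remove_from_whitelist(self, uid: str) -> None:
        self.whitelist.discard(uid)

    def is_visible_to(self, uid: str) -> bool:
        """Only whitelisted accounts (or everyone, with *) can find the service."""
        return WILDCARD in self.whitelist or uid in self.whitelist

    # --- consumer side: CreateVpcEndpoint naming this service
    def request_connection(self, endpoint_id: str, consumer_uid: str) -> str:
        if not self.is_visible_to(consumer_uid):
            return "NotFound"  # FAQ: consumer cannot find the endpoint service
        # FAQ: with auto-accept disabled the status stays Disconnected until allowed.
        state = "Connected" if self.auto_accept_enabled else "Disconnected"
        self.connections[endpoint_id] = state
        return state

    # --- provider side
    def set_auto_accept(self, enabled: bool) -> None:
        """UpdateVpcEndpointServiceAttribute: affects only future requests."""
        self.auto_accept_enabled = enabled

    def enable_connection(self, endpoint_id: str) -> str:
        """EnableVpcEndpointConnection (console: Allow)."""
        self._require_request(endpoint_id)
        self.connections[endpoint_id] = "Connected"
        return "Connected"

    def disable_connection(self, endpoint_id: str) -> str:
        """DisableVpcEndpointConnection (console: Deny / Reject)."""
        self._require_request(endpoint_id)
        self.connections[endpoint_id] = "Disconnected"
        return "Disconnected"

    def _require_request(self, endpoint_id: str) -> None:
        if endpoint_id not in self.connections:
            raise KeyError(f"no connection request from endpoint {endpoint_id}")


if __name__ == "__main__":
    # Constructed account UIDs and endpoint ids.
    svc = EndpointServiceModel(provider_uid="1000000000000001", auto_accept_enabled=False)
    svc.add_to_whitelist("2000000000000002")
    print(svc.request_connection("ep-trusted", "2000000000000002"))   # Disconnected (pending Allow)
    print(svc.request_connection("ep-stranger", "3000000000000003"))  # NotFound
    print(svc.enable_connection("ep-trusted"))                         # Connected
```

The two access-scope patterns from this page map directly onto the model: a small set of trusted UIDs with auto-accept enabled, or a * entry with auto-accept disabled so that every request is reviewed before it can carry traffic.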
Ensure high availability for service access
The service provider configures service resources in multiple zones for the endpoint service.
If the service resources are NLB or ALB instances, add NLB or ALB instances from multiple zones.
If the service resource is a CLB instance, add multiple CLB instances with different primary zones.
The service consumer selects vSwitches in at least two zones when creating an interface endpoint.
The service consumer uses the endpoint domain name to access the service. Alibaba Cloud provides fully managed availability probing to ensure rapid switchover to other zones if a fault occurs:
The availability of the ENI IP addresses in different endpoint zones is probed in real time. If an anomaly is detected, the corresponding DNS record is deleted to prevent service interruptions or data loss due to a zone failure.
After the fault is resolved, the corresponding DNS record is automatically restored.
Console
Configure multi-zone service resources for an endpoint service as a service provider
When you create an endpoint service, select service resources from multiple zones.
After creation, click the ID of the target endpoint service. On the Basic Information tab, click Add Service Resource and select the resource instances to add.
Configure multiple zones for an interface endpoint as a service consumer
When you create an interface endpoint, select vSwitches from at least two zones.
After creation, click the ID of the target interface endpoint. On the Zones And ENIs tab, click Add Zone.
To ensure high availability, you must use the endpoint domain name to access the service. You can find the Endpoint Domain Name on the Interface Endpoints page.
API
Endpoint service configuration
Call AttachResourceToVpcEndpointService to add a service resource to an endpoint service.
Call DetachResourceFromVpcEndpointService to remove a service resource from an endpoint service.
Endpoint configuration
Call AddZoneToVpcEndpoint to add a zone to an endpoint.
Call RemoveZoneFromVpcEndpoint to remove a zone from an endpoint.
Allocate service resources
To prevent high service resource loads from affecting your services, add multiple service resources to each zone of an endpoint service. This setup distributes traffic by allowing different endpoint connections to use different service resources. If a service resource fails, the endpoint connection automatically switches over to another available service resource in the same zone.
If the service resource is a Classic Load Balancer (CLB), you can directly replace the service resources of a zone without disconnecting the endpoint connection.
The features for replacing zone service resources and manually allocating service resources are disabled by default. To enable them, go to the Quota Center console and apply for the privatelink_whitelist/svc_res_mgt_uat quota.
Service resource allocation method: Set to automatic or manual. Ensure that each zone has at least one service resource that can be automatically allocated.
Allocate service resources for endpoint zone connections:
When the service provider automatically accepts endpoint connections:
PrivateLink automatically allocates a service resource from the same zone to the endpoint zone. The allocation is based on the bandwidth of the service resources and the number of endpoint connections to them. The allocated service resource must be configured for automatic allocation.
If the automatically allocated resource cannot meet connection requirements, first disconnect the endpoint zone connection, then manually allocate a service resource. After the adjustment, allow the connection again.
When the service provider manually accepts endpoint connections:
Manually allocate a service resource before allowing the connection. If you do not manually allocate a resource, you can select Allow Connection And Automatically Allocate Service Resource when you allow the endpoint connection.
If the automatically allocated resource cannot meet connection requirements, first disconnect the endpoint zone connection, then manually allocate a service resource. After the adjustment, allow the connection again.
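The page states that automatic allocation picks a resource from the same zone, restricted to resources marked for automatic allocation, based on resource bandwidth and existing connection counts. The following is an added example (not Alibaba Cloud code) that implements that rule as a simple least-loaded choice, alongside the manual mode in which the provider names the ResourceId. The load metric (connections per Mbps of resource bandwidth) and the class and function names are assumptions; the page does not publish the exact formula. It also includes the pre-flight check implied by the note that every zone needs at least one automatically allocatable resource.

```python
"""Simplified model of service-resource allocation for endpoint zone connections.
Added example; the exact weighting used by PrivateLink is not published."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ServiceResource:
    resource_id: str
    zone_id: str
    bandwidth_mbps: int
    auto_allocated_enabled: bool   # AutoAllocatedEnabled on the page
    connections: int = 0           # endpoint connections already using this resource


def zones_without_auto_resource(resources: List[ServiceResource]) -> List[str]:
    """Zones that have service resources but none marked for automatic allocation."""
    zones = {r.zone_id for r in resources}
    auto_zones = {r.zone_id for r in resources if r.auto_allocated_enabled}
    return sorted(zones - auto_zones)


def allocate(resources: List[ServiceResource], zone_id: str,
             mode: str = "Auto", resource_id: Optional[str] = None) -> str:
    """Pick the service resource for one endpoint zone connection.

    mode mirrors ResourceAllocateMode: "Auto" chooses the least-loaded
    automatically allocatable resource in the same zone (assumed metric:
    (connections + 1) / bandwidth); "Manual" uses the given resource_id,
    which must exist in the same zone.
    """
    in_zone = [r for r in resources if r.zone_id == zone_id]
    if mode == "Manual":
        matches = [r for r in in_zone if r.resource_id == resource_id]
        if not matches:
            raise ValueError(f"resource {resource_id!r} is not a service resource in zone {zone_id}")
        chosen = matches[0]
    elif mode == "Auto":
        candidates = [r for r in in_zone if r.auto_allocated_enabled]
        if not candidates:
            raise ValueError(f"zone {zone_id} has no resource that can be automatically allocated")
        chosen = min(candidates,
                     key=lambda r: ((r.connections + 1) / r.bandwidth_mbps, r.resource_id))
    else:
        raise ValueError(f"unknown allocation mode {mode!r}")
    chosen.connections += 1
    return chosen.resource_id


if __name__ == "__main__":
    # Constructed resources: two auto-allocatable CLBs and one manual-only CLB in zone-a.
    pool = [
        ServiceResource("lb-a1", "zone-a", 1000, True, connections=2),
        ServiceResource("lb-a2", "zone-a", 2000, True, connections=2),
        ServiceResource("lb-a3", "zone-a", 5000, False),
        ServiceResource("lb-b1", "zone-b", 1000, False),
    ]
    print(zones_without_auto_resource(pool))          # ['zone-b']
    print(allocate(pool, "zone-a"))                   # lb-a2 (lower load per Mbps)
    print(allocate(pool, "zone-a", "Manual", "lb-a3"))  # lb-a3
```

Run zones_without_auto_resource before enabling automatic acceptance: a connection request arriving for a zone with no automatically allocatable resource has nothing to bind to, which is the situation the page tells you to avoid.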
Add/Remove Service Resources
Console
Add a service resource
Go to the Endpoint Services page, and click the ID of the target endpoint service to go to its details page.
On the Basic Information tab, in the Service Resources section, click Add Service Resource. Select a zone and a specific service resource.
Remove a service resource
On the Basic Information tab of the target endpoint service, in the Service Resources section, find the target service resource and click Delete in the Actions column. This removes the resource from the endpoint service but does not delete the resource instance.
You cannot directly remove a service resource that is associated with an endpoint zone. First, disconnect the endpoint connection.
API
Call AttachResourceToVpcEndpointService to add a service resource to an endpoint service.
Call DetachResourceFromVpcEndpointService to remove a service resource from an endpoint service.
Set the allocation method for a specific service resource
Console
On the details page of the target endpoint service, go to the Basic Information tab. In the Service Resources section, toggle the switch in the Automatic Allocation column for the target service resource to specify whether it can be automatically allocated to endpoint connections.
Ensure that each zone contains at least one service resource that can be automatically allocated.
Changing the Automatic Allocation setting for a service resource does not affect existing endpoint connections.
API
Call UpdateVpcEndpointServiceResourceAttribute and modify the AutoAllocatedEnabled parameter to set the allocation method for the service resource.
Allocate a service resource to an endpoint zone connection
Console
On the details page of the target endpoint service, go to the Endpoint Connections tab and disconnect the endpoint connection in one of the following ways:
Disconnect connections in all zones: Find the target endpoint and click Reject in the Actions column. This action makes the service unavailable. Proceed with caution.
Disconnect the connection in a specific zone: Click the icon next to the target endpoint, find the target zone, and click Disconnect Service Resource in the Actions column. This action may interrupt service traffic. Evaluate the impact before you proceed.
Adjust the service resource allocation method:
Automatically allocate a resource: Click the icon next to the target endpoint, find the target zone, and click Allocate Service Resource in the Actions column. Select Automatic Allocation, and then click Connect Service Resource. If the endpoint zone already has a specified service resource, selecting Automatic Allocation clears the specified service resource.
Manually allocate a resource: Click the icon next to the target endpoint, find the target zone, and click Allocate Service Resource in the Actions column. Click Manual Allocation, select a created service resource, and then click Connect Service Resource.
API
Call DisableVpcEndpointZoneConnection to disconnect an endpoint zone connection.
Call UpdateVpcEndpointZoneConnectionResourceAttribute to allocate a service resource to an endpoint zone:
Set ResourceAllocateMode to Auto to automatically allocate a service resource.
Set ResourceAllocateMode to Manual and specify the ResourceId to manually allocate a service resource.
Call EnableVpcEndpointZoneConnection to allow an endpoint zone connection.
Replace the service resources of a zone
If the service resource is a CLB, you can directly replace the service resources in a zone without disconnecting the endpoint connection.
Console
On the details page of the target endpoint service, go to the Basic Information tab. In the Service Resources section, disable Automatic Allocation for the target service resource.
Replace the service resource for the target endpoint connection in one of the following two ways:
On the Basic Information tab of the endpoint service details page, in the Service Resources section, find the target service resource and click Replace Resource in the Actions column. Select the new service resource and the target endpoint connection whose service resource you want to replace.
On the Endpoint Connections tab of the endpoint service details page, click the icon next to the target endpoint. Find the target zone and click Replace Service Resource in the Actions column.
Select a migration method. Smooth migration is recommended. Forcible migration may interrupt service traffic. Evaluate the impact before you proceed.
Smooth Migration:
The system first creates a new elastic network interface (ENI) for the endpoint zone, connects the new ENI to the new service resource, and adds the IP address of the new ENI to the DNS record.
The system automatically removes the IP address of the old ENI from the DNS record.
You must determine when all existing connections are terminated. Then, in the Actions column of the target zone, click Disconnect Old Service Resource. After the disconnection, the old ENI is permanently deleted.
Forcible Migration: After the migration is complete, the original service resource is directly removed from the endpoint service. Forcible migration interrupts all service connections that depend on the resource and may interrupt service traffic. Evaluate the impact before you proceed.
API
Call UpdateVpcEndpointZoneConnectionResourceAttribute to replace the service resource for an endpoint zone connection.
Modify the bandwidth of an endpoint connection
Set bandwidth throttling for endpoint connections to precisely control traffic. This prevents backend service resources from being overloaded. The elastic network interfaces (ENIs) in each endpoint zone automatically inherit the bandwidth limit of the endpoint connection.
Default bandwidth limit: For all interface endpoints connected to an endpoint service, the service provides a default bandwidth limit when the endpoint connection is active.
When the service resource is a Classic Load Balancer (CLB):
The default bandwidth for an endpoint connection is 3072 Mbps. The value range is 100 Mbps to 10240 Mbps.
This limit can be adjusted. The change does not affect traffic on established endpoint connections. It only applies to new endpoint connections.
When the service resources are Network Load Balancer (NLB) and Application Load Balancer (ALB), the default bandwidth limit is not supported.
Set a bandwidth limit for a specific endpoint connection: Configure an appropriate bandwidth limit to prevent service resources from being overloaded. After you set this limit, the default bandwidth limit no longer applies to the corresponding endpoint connection.
Enable bandwidth throttling:
If the endpoint service automatically accepts endpoint connections, enable bandwidth throttling after the connection is established.
If the endpoint service requires you to manually accept endpoint connections, enable bandwidth throttling when you accept the connection.
Bandwidth limit ranges for different service resources:
NLB and ALB: The minimum limit is 100 Mbps and the maximum limit is 25 Gbps.
CLB: The minimum limit is 100 Mbps and the maximum limit is 10240 Mbps.
Console
Modify the default limit: On the details page of the target endpoint service, on the Basic Information tab, click Modify to the right of Default Bandwidth Limit.
Modify the bandwidth for a specific endpoint connection: On the details page of the target endpoint service, on the Endpoint Connections tab, find the target endpoint and in the Actions column, enable, modify, or disable bandwidth throttling.
API
Call UpdateVpcEndpointServiceAttribute and configure the Bandwidth parameter to modify the default bandwidth limit of the endpoint service.
Call UpdateVpcEndpointConnectionAttribute and configure the Bandwidth parameter to modify the bandwidth of a specific endpoint connection.
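The bandwidth rules above are easy to get wrong in automation: the default limit exists only for CLB-backed services, a per-connection limit overrides the default, and the permitted range depends on the resource type. The following is an added example (not Alibaba Cloud code) that validates a requested limit against the ranges on this page, works out which limit applies to a connection, and builds the parameters for the matching API call. The ServiceId and EndpointId parameter names are assumptions, and 25 Gbps for NLB/ALB is treated as 25600 Mbps, which is also an assumption about the unit conversion.

```python
"""Pre-flight validation for PrivateLink endpoint connection bandwidth limits.
Added example; not Alibaba Cloud code."""
from typing import Optional

# Allowed limit ranges in Mbps per service resource type (from the page).
# Assumption: 25 Gbps is expressed as 25600 Mbps.
LIMIT_RANGE_MBPS = {"CLB": (100, 10240), "NLB": (100, 25600), "ALB": (100, 25600)}
# A service-level default limit exists only for CLB; its initial value is 3072 Mbps.
DEFAULT_LIMIT_MBPS = {"CLB": 3072}


def validate_limit(resource_type: str, mbps: int) -> int:
    """Raise ValueError if mbps is outside the range allowed for resource_type."""
    if resource_type not in LIMIT_RANGE_MBPS:
        raise ValueError(f"unsupported service resource type {resource_type!r}")
    lo, hi = LIMIT_RANGE_MBPS[resource_type]
    if not lo <= mbps <= hi:
        raise ValueError(f"{mbps} Mbps outside {lo}-{hi} Mbps for {resource_type}")
    return mbps


def effective_limit(resource_type: str, service_default: Optional[int] = None,
                    connection_limit: Optional[int] = None) -> Optional[int]:
    """Limit that applies to one endpoint connection.

    A limit set on the connection itself always wins. Otherwise the service
    default applies, and only CLB-backed services have one. None means the
    connection is not throttled.
    """
    if connection_limit is not None:
        return connection_limit
    if resource_type == "CLB":
        return service_default if service_default is not None else DEFAULT_LIMIT_MBPS["CLB"]
    return None


def build_bandwidth_request(service_id: str, mbps: int, resource_type: str,
                            endpoint_id: Optional[str] = None) -> dict:
    """Parameters for the API call that sets the limit.

    Without endpoint_id the service default is changed
    (UpdateVpcEndpointServiceAttribute); with endpoint_id a single connection
    is changed (UpdateVpcEndpointConnectionAttribute). Parameter names other
    than Bandwidth are assumptions.
    """
    validate_limit(resource_type, mbps)
    if endpoint_id is None:
        if resource_type != "CLB":
            raise ValueError("a default bandwidth limit is only supported for CLB service resources")
        return {"Action": "UpdateVpcEndpointServiceAttribute",
                "ServiceId": service_id, "Bandwidth": mbps}
    return {"Action": "UpdateVpcEndpointConnectionAttribute",
            "ServiceId": service_id, "EndpointId": endpoint_id, "Bandwidth": mbps}


if __name__ == "__main__":
    # Constructed ids.
    print(effective_limit("CLB"))                                   # 3072
    print(effective_limit("NLB"))                                   # None (no default)
    print(build_bandwidth_request("epsrv-example", 2000, "NLB", endpoint_id="ep-example"))
```

Remember that changing the service default affects only endpoint connections established afterwards; use the per-connection call for connections that already exist.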
Stop an endpoint service
A service provider can delete an endpoint service to stop offering it. Deleting the service permanently breaks all associated endpoint connections. This action is irreversible. Proceed with caution.
Console
Before deleting the service, reject or disconnect all connected interface endpoints and remove all service resources.
Click Delete in the Actions column of the target endpoint service.
API
Call DisableVpcEndpointZoneConnection to disconnect the endpoint zone connection.
Call DetachResourceFromVpcEndpointService to remove the service resources from the endpoint service.
Call DeleteVpcEndpointService to delete the endpoint service.
FAQ
Why can't service consumers find the endpoint service?
Ensure that the service consumer's Alibaba Cloud account ID is added to the service whitelist. Only users on the whitelist can find and connect to the service.
Why is the connection status always Disconnected?
This issue may occur if the Automatically Accept Endpoint Connections option is disabled for the endpoint service. If this is the case, go to the Endpoint Connections tab and manually Allow the connection request.