As a service provider, you can create an endpoint service to share your services with specified users. This simplifies your network architecture and avoids public internet exposure.
Secure private access: All service traffic travels over a private network, which prevents data exposure to the internet and mitigates security risks.
Simplified network architecture: PrivateLink creates an elastic network interface in the service consumer's Virtual Private Cloud (VPC) that acts as a local access point to your service. The service consumer can access the service just like any other resource within their VPC. This eliminates the need for VPC peering connections or Cloud Enterprise Network (CEN) connections and resolves IP address conflicts.
How it works
Service provider: Deploys a load balancer, such as a Network Load Balancer (NLB), Application Load Balancer (ALB), or Classic Load Balancer (CLB), in the region where the service is hosted. The provider then creates an endpoint service. To allow cross-region access, the provider can configure supported regions for the service.
Service consumer: Creates an interface endpoint in their VPC by specifying the endpoint service name. This allows them to access the corresponding service over a private connection.
If the service provider has enabled cross-region access: The service consumer can create an interface endpoint in any supported region to access the service.
If the service provider has not enabled cross-region access: The interface endpoint and the endpoint service must be in the same region. Other VPCs and on-premises data centers that are connected to the consumer's VPC can also access the endpoint service through the interface endpoint.
Both the service provider and the service consumer must be Alibaba Cloud users.
Share your services
Share services in the same region
As a service provider, you must deploy a load balancer instance with its backend servers in the service's region, and then create an endpoint service.
Supported service resources: public or private NLB instances, public or private ALB instances, and pay-as-you-go private CLB instances.
Ensure that your service resources are configured and your backend services are deployed.
Console
Configure an endpoint service
Go to the Create Endpoint Service page in the PrivateLink console.
Region: Select the region where you want to provide the service.
Service Resource Type: Select the type of service resource. To ensure high availability, we recommend that you add service resources from multiple availability zones.
Automatically Accept Endpoint Connections: Choose whether to automatically accept connection requests when a service consumer creates an interface endpoint to access your service. Changing this option after creation does not affect existing connections.
Yes: When a service consumer creates an interface endpoint to connect to the service, the connection is automatically established.
No: You must manually approve or deny each connection request from a service consumer.
Enable Zone Affinity: If you select Yes and the service consumer also enables zone affinity, traffic from an interface endpoint in a specific availability zone is preferentially routed to the elastic network interface in the same availability zone when the service is accessed by using the endpoint domain name. This provides low-latency, in-zone access.
IP Version: Supports IPv4 and Dual-stack. You can select Dual-stack if all service resources added to the endpoint service support dual-stack.
CLB does not support dual-stack.
Service Payer: Select the party that pays for the PrivateLink connection. By default, the service consumer is the payer. This setting cannot be changed once confirmed.
After you create the endpoint service, you must configure the service whitelist to allow other accounts to initiate connection requests.
On the details page of the target endpoint service, go to the Service Whitelist tab and click Add to Whitelist to define which users can access the service.
Enter *: All users can initiate connection requests to the endpoint service.
Enter an Account UID: Only the specified user can initiate connection requests to the endpoint service.
Access an endpoint service
Go to the Endpoints - Create Endpoint page.
Configure the interface endpoint:
Region: Select the region where you want to create the interface endpoint. This region must be the same as the region where the endpoint service is located.
Type: Select Other Endpoint Services, and then verify the connection by using the endpoint service name. After successful verification, you can access the service.
Network Settings:
The availability zone must be selected from the availability zones where the endpoint service is available, which are the same as the service resource availability zones. To ensure high availability, we recommend that you select vSwitches in at least two availability zones.
You can assign a specific IP address within the vSwitch to the elastic network interface in the endpoint availability zone. If you do not specify an IP address, the system automatically assigns one. You cannot assign system-reserved IP addresses of the vSwitch to an elastic network interface.
IP Version: If the endpoint service supports dual-stack, you can select Dual-stack. This allows clients to use both IPv4 and IPv6 addresses to access the service. Otherwise, only IPv4 is supported.
Security Group: Associate a security group with the interface endpoint to control inbound traffic for the elastic network interfaces in all endpoint availability zones.
Enable Zone Affinity: If the endpoint service supports zone affinity, the service consumer can enable or disable it.
When enabled, if the service consumer accesses the service by using the endpoint domain name from the same availability zone as the interface endpoint, Alibaba Cloud DNS preferentially returns the IP address of the elastic network interface in that availability zone. This provides low-latency, in-zone access.
If access originates from a different availability zone, or if zone affinity is disabled, Alibaba Cloud DNS returns the IP addresses of available elastic network interfaces from all endpoint availability zones.
After creating the endpoint, you can run the following commands from an ECS instance in the same VPC to test connectivity.
# You can find the private IP address of the elastic network interface on the Zones and ENIs tab of the instance details page.
ping <IP address of the elastic network interface in the endpoint availability zone>
# For HTTP/HTTPS services, we recommend directly accessing the service port.
# You can find the endpoint domain name on the instance list page.
curl -sI https://<endpoint domain name>
API
The service provider calls CreateVpcEndpointService to create an endpoint service.
The service consumer calls CreateVpcEndpoint to create an endpoint.
Share services across regions
A service provider can configure multiple supported regions for an endpoint service. This allows a service consumer to create an interface endpoint in any of the supported regions to connect to the service across regions. For more information, see Regions and availability zones that support cross-region PrivateLink connections.
Service resources:
Supported resources include public or private NLB instances and upgraded public or private ALB instances.
To ensure high availability, the service resources for the endpoint service must be deployed in at least two availability zones before you can share the service across regions.
Supported regions:
Select supported regions to enable cross-region access to the service.
After creating an endpoint service, the service provider can adjust the remote access regions.
If a service provider removes a region from the list of remote access regions, service consumers can no longer create new endpoints in that region. However, access from existing endpoints is unaffected.
The service's home region must always be accessible and cannot be removed from the list of supported regions.
Cross-region connections:
The number of availability zones for the endpoint and the endpoint service does not need to match. To ensure high availability, we recommend that service consumers create endpoints in at least two availability zones.
Service consumers can access the service by using the endpoint domain name or the endpoint zone domain name. All requests sent to the endpoint are forwarded to the backend service resources over the PrivateLink connection. We recommend that service consumers use the endpoint domain name to access the service. This ensures that the application can leverage PrivateLink's fully managed availability monitoring for rapid failover to other availability zones during an availability zone failure.
Console
Configure an endpoint service
Go to the Create Endpoint Service page in the PrivateLink console.
Region: Select the region where the service resources are deployed.
Service Resource Type: In this example, select NLB. To ensure high availability, we recommend that you add service resources from multiple availability zones.
Supported Regions: Select the regions from which service consumers are allowed to connect to the service.
For other configurations, see Share a service within the same region.
After you create the endpoint service, you must configure the service whitelist to allow other accounts to initiate connection requests.
Access an endpoint service
Go to the Endpoints - Create Endpoint page.
Configure the interface endpoint:
Region: Select the region where you want to create the interface endpoint.
Type: Select Other Endpoint Services.
Service Settings: Select Enable inter-region endpoint. After selecting a region, verify the connection by using the endpoint service name. A connection can be established after successful verification.
Inter-Region Bandwidth Configuration:
Billing Method: Billed by CDT. Cross-region traffic fees are billed by Cloud Data Transfer (CDT). For complete billing details, see Cross-region PrivateLink connections.
Bandwidth:
For connections between regions in the Chinese mainland, the default maximum cross-region bandwidth is 1,000 Mbps. You can adjust this value by requesting the quota pvl_quota_cross_region_ep_max_bandwidth_payg_china.
For connections between regions outside the Chinese mainland, the default maximum cross-region bandwidth is 100 Mbps. You can adjust this value by requesting the quota pvl_quota_cross_region_ep_max_bandwidth_payg_oversea.
Network Settings: To ensure high availability, we recommend that you select vSwitches in at least two availability zones.
For other configurations, see Access an endpoint service (service consumer).
Modify remote access regions
Click the ID of the target endpoint service to go to its details page.
On the Remote Access Regions tab, click Modify Region to add or remove supported regions for the service.
API
The service provider calls CreateVpcEndpointService to create an endpoint service.
The service consumer calls CreateVpcEndpoint to create an endpoint.
Control service access
By combining the service whitelist and the automatic connection acceptance setting, service providers can precisely control which service consumers can access the endpoint service. For example:
For a small set of trusted users: Add their account UIDs to the whitelist and enable automatic acceptance of endpoint connections.
For a broader range of users: Add * to the whitelist and set Automatically Accept Endpoint Connections to No. The service provider must then manually approve each endpoint connection request initiated by users.
Configure the service whitelist
After an endpoint service is created, the service provider's Alibaba Cloud account is automatically added to the service whitelist. The service provider must manually configure the service whitelist to allow users from other accounts to initiate connection requests.
We recommend that during the grayscale release phase of your service, you add the Alibaba Cloud account UIDs of target users one by one to gradually grant them service access. After the grayscale release is complete, you can consider adding a * entry to make the service available to all users, based on your business needs. If the service is intended for long-term use by specific users only, you can configure only the specified account UIDs.
Console
On the details page of the target endpoint service, go to the Service Whitelist tab and click Add to Whitelist to define which users can access the service.
Set to *: All users can send connection requests to the endpoint service.
Enter an Account UID: Only the specified user can initiate connection requests to the endpoint service.
API
Call AddUserToVpcEndpointService to add an account to the service whitelist.
Call RemoveUserFromVpcEndpointService to remove an account from the service whitelist.
Configure automatic connection acceptance
A service consumer can access the endpoint service over a private network only after the service provider accepts the endpoint connection request.
Console
When you create an endpoint service, set Automatically Accept Endpoint Connections:
Yes: The connection is automatically established.
No: Go to the Endpoint Connections tab of the target endpoint service and select Allow or Deny in the Actions column for each connection request.
After the endpoint service is created, you can go to the Basic Information tab to Enable or Disable automatic acceptance of endpoint connections. Modifying this option after creation does not affect existing connections.
API
When you call CreateVpcEndpointService or UpdateVpcEndpointServiceAttribute, set the AutoAcceptEnabled parameter to specify whether to automatically accept endpoint connections.
If you set AutoAcceptEnabled to false, you must call EnableVpcEndpointConnection or DisableVpcEndpointConnection to allow or deny endpoint connection requests.
Ensure high availability
The service provider configures service resources in multiple availability zones for the endpoint service.
If the service resources are NLB or ALB instances, add instances from multiple availability zones.
If the service resource is a CLB instance, add multiple CLB instances with different primary availability zones.
The service consumer selects vSwitches from at least two availability zones when creating an interface endpoint.
The service consumer uses the endpoint domain name to access the service. Alibaba Cloud provides fully managed availability monitoring to ensure rapid failover to other availability zones if a fault occurs:
The availability of elastic network interface IP addresses in different endpoint availability zones is monitored in real time. If an anomaly is detected, the corresponding DNS record is removed to prevent service interruptions or data loss.
After the fault is resolved, the corresponding DNS record is automatically restored.
Console
Configure multi-zone service resources
When you create an endpoint service, select service resources from multiple availability zones.
After creation, click the endpoint service ID. On the Basic Information tab, click Add Service Resource and select the resource instances to add.
Configure multi-zone interface endpoints
When you create an interface endpoint, select vSwitches from at least two availability zones.
After creation, click the interface endpoint ID. On the Zone and ENI tab, click Add Zone.
To ensure high availability, use the endpoint domain name to access the service. You can find the Endpoint Domain on the Interface Endpoints page.
API
Endpoint service configuration
Call AttachResourceToVpcEndpointService to add a service resource to an endpoint service.
Call DetachResourceFromVpcEndpointService to remove a service resource from an endpoint service.
Endpoint configuration
Call AddZoneToVpcEndpoint to add an availability zone to an endpoint.
Call RemoveZoneFromVpcEndpoint to remove an availability zone from an endpoint.
Allocate service resources
To prevent resource overload and ensure business continuity, you can add multiple service resources to each availability zone of an endpoint service. This allows different endpoint connections to use different service resources, which helps distribute traffic. If a resource fails, the connection automatically fails over to another available resource in the same availability zone.
If the service resource is a CLB instance, you can directly replace the service resources of an availability zone without disconnecting the endpoint connection.
The features to replace service resources in an availability zone and manually allocate service resources are disabled by default. To enable them, go to the Quota Center console and apply for the privatelink_whitelist/svc_res_mgt_uat quota. Cross-region endpoint connections do not support the manual allocation of service resources.
Service resources can be allocated automatically or manually. Ensure that each availability zone has at least one service resource available for automatic allocation.
Allocate service resources to endpoint connections in an availability zone:
When the service provider automatically accepts endpoint connections:
PrivateLink automatically allocates a service resource from the same availability zone as the endpoint connection. This allocation is based on the service resource's bandwidth and its current number of endpoint connections. Only service resources configured for automatic allocation are used.
If an automatically allocated resource does not meet the connection requirements, disconnect the endpoint connection for the availability zone and manually allocate a service resource. After the changes are complete, allow the connection again.
When the service provider manually accepts endpoint connections:
You can manually allocate a service resource and then allow the connection. If you do not manually allocate a resource, you can select the Allow connections and automatically allocate service resources checkbox when you allow the endpoint connection.
If an automatically allocated resource does not meet the connection requirements, disconnect the endpoint connection for the availability zone and manually allocate a service resource. After the changes are complete, allow the connection again.
Add or remove service resources
Console
Add a service resource
Go to the Endpoint Services page. Click the ID of the target endpoint service to open the details page.
On the Basic Information tab, in the Service Resource section, click Add Service Resource. Select an availability zone and a service resource.
Remove a service resource
On the Basic Information tab, in the Service Resource section, click Delete in the Actions column for the target service resource. This action removes the resource from the endpoint service but does not delete the resource instance.
You cannot delete a service resource if it is associated with an endpoint availability zone. You must disconnect the endpoint connection first.
API
Call AttachResourceToVpcEndpointService to add a service resource to an endpoint service.
Call DetachResourceFromVpcEndpointService to remove a service resource from an endpoint service.
Configure the allocation method for a service resource
Console
On the Basic Information tab of the target endpoint service details page, in the Service Resource section, toggle the switch in the Automatic Allocation column for the target service resource. This setting determines whether the service resource is automatically allocated to endpoint connections.
Ensure that each availability zone contains at least one service resource that can be automatically allocated.
Changing the Automatic Allocation setting for a service resource does not affect existing endpoint connections.
API
Call UpdateVpcEndpointServiceResourceAttribute and set the AutoAllocatedEnabled parameter to configure the service resource allocation method.
Allocate service resources to an endpoint connection in an availability zone
Console
On the Endpoint Connections tab of the target endpoint service details page, disconnect the endpoint connection in one of the following ways:
To disconnect connections in all availability zones: In the Actions column of the target endpoint, click Deny. This action makes the service unavailable. Proceed with caution.
To disconnect the connection in a specific availability zone: Click the icon next to the target endpoint. In the Actions column for the target availability zone, click Disconnect from Service Resource. This action may interrupt service traffic. Evaluate the impact carefully.
Change the service resource allocation method:
Automatic allocation: Click the icon next to the target endpoint. In the Actions column for the target availability zone, select Allocate Service Resource. Select Automatic Allocation, and then connect the service resource. If a service resource is already specified for the endpoint availability zone, selecting Automatic Allocation clears the specified service resource.
Manual allocation: Click the icon next to the target endpoint. In the Actions column for the target availability zone, select Allocate Service Resource. Click Manual Allocation, select a created service resource, and then connect the service resource.
API
Call DisableVpcEndpointZoneConnection to disconnect the endpoint connection in the availability zone.
Call UpdateVpcEndpointZoneConnectionResourceAttribute to allocate a service resource to the endpoint connection in the availability zone:
Set ResourceAllocateMode to Auto to automatically allocate the service resource.
Set ResourceAllocateMode to Manual and specify ResourceId to manually allocate the service resource.
Call EnableVpcEndpointZoneConnection to allow the endpoint connection in the availability zone.
Replace service resources in an availability zone
You can replace service resources in an availability zone without disconnecting the endpoint connection only when the service resource is a Classic Load Balancer (CLB).
Console
On the details page of the target endpoint service, go to the Basic Information tab. In the Service Resource section, disable Automatic Allocation for the target service resource.
Choose one of the following two methods to replace the service resource for the target endpoint connection:
On the details page of the target endpoint service, go to the Basic Information tab. In the Service Resource section, find the target service resource and click Replace Resource in the Actions column. Select the new service resource and the target endpoint connection.
On the details page of the target endpoint service, go to the Endpoint Connections tab. Click the icon next to the target endpoint. In the Replace Service Resource column for the target availability zone, click Replace Service Resource.
For the migration method, choose smooth migration. Forcible migration can interrupt service traffic, so evaluate the impact carefully.
Smooth Migration:
The system creates an elastic network interface (ENI) in the endpoint availability zone. The system then connects the new ENI to the new service resource and adds the IP address of the new ENI to the DNS resolution.
The system automatically removes the IP address of the old ENI from the DNS resolution.
You must determine when all existing traffic has moved off the old service resource. Then, in the Actions column for the target availability zone, click to disconnect the old service resource. After you disconnect it, the old ENI is permanently deleted.
Forcible Migration: After the migration is complete, the original service resource is immediately removed from the endpoint service. Forcible migration interrupts all service connections that rely on the resource. This can disrupt service traffic, so evaluate the impact carefully.
API
Call the UpdateVpcEndpointZoneConnectionResourceAttribute operation to replace the service resource for an endpoint connection in an availability zone.
Modify endpoint connection bandwidth
You can configure bandwidth throttling for endpoint connections to precisely control traffic and prevent backend service resource overload. The elastic network interfaces in each endpoint availability zone automatically inherit the bandwidth limit of the endpoint connection.
Default connection bandwidth limit: A default bandwidth limit is applied to all interface endpoints connected to the endpoint service when an endpoint connection enters the Connected state.
If the service resource is a CLB instance:
The default bandwidth for an endpoint connection is 3,072 Mbps. The value ranges from 100 to 10,240 Mbps.
You can modify the bandwidth. Changes do not affect existing connections and apply only to new ones.
If the service resources are NLB, ALB, or GWLB instances, the default connection bandwidth limit is not supported.
Set a bandwidth limit for a specific endpoint connection: You can configure an appropriate bandwidth limit to prevent service resource overload. After you set a specific limit, the default connection bandwidth limit no longer applies to that endpoint connection.
Enable bandwidth throttling:
If the endpoint service is configured to automatically accept endpoint connections, you can enable bandwidth throttling after the connection is established.
If the endpoint service requires manual acceptance of endpoint connections, you can enable bandwidth throttling when you accept the connection request.
Bandwidth limit ranges for different service resources:
NLB: 100 Mbps to 50 Gbps.
ALB and GWLB: 100 Mbps to 25 Gbps.
CLB: 100 Mbps to 10,240 Mbps.
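The access-control, high-availability, cross-region, dual-stack and bandwidth rules stated on this page can be checked before an endpoint service is created or changed. The following pre-deployment lint is an added example written for this document, not Alibaba Cloud code; the EndpointService fields, the finding texts and the sample values are constructed, and only the limits and restrictions quoted from the page are taken as given.

```python
"""Pre-deployment checks for a PrivateLink endpoint service configuration.

Constructed example for this document: the rules encode the limits and
restrictions stated in the text; the data model and messages are our own.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Per-connection bandwidth limit ranges, in Mbps, as stated on the page.
BANDWIDTH_RANGE_MBPS = {
    "NLB": (100, 50_000),
    "ALB": (100, 25_000),
    "GWLB": (100, 25_000),
    "CLB": (100, 10_240),
}
# Only NLB and ALB can be shared across regions; CLB has no dual-stack support.
CROSS_REGION_RESOURCE_TYPES = {"NLB", "ALB"}
DUAL_STACK_UNSUPPORTED = {"CLB"}


@dataclass
class EndpointService:
    """Planned configuration (constructed model, not an API object)."""
    resource_type: str                  # NLB, ALB, GWLB or CLB
    resource_zones: set[str]            # availability zones holding a service resource
    whitelist: set[str]                 # account UIDs, or "*" for all users
    auto_accept: bool                   # AutoAcceptEnabled
    cross_region: bool = False          # supported regions beyond the home region
    dual_stack: bool = False
    default_bandwidth_mbps: int | None = None          # default connection limit
    connection_bandwidth_mbps: dict[str, int] = field(default_factory=dict)


def lint(svc: EndpointService) -> list[str]:
    """Return findings; an empty list means the plan follows the page's rules."""
    if svc.resource_type not in BANDWIDTH_RANGE_MBPS:
        return [f"unknown service resource type {svc.resource_type!r}"]
    findings: list[str] = []
    # Access control: the whitelist and the acceptance mode work together.
    if not svc.whitelist:
        findings.append("whitelist is empty: only the provider's own account can connect")
    if "*" in svc.whitelist and svc.auto_accept:
        findings.append("'*' whitelisted with AutoAcceptEnabled=true: any account connects "
                        "without review; the page pairs '*' with manual acceptance")
    for uid in svc.whitelist - {"*"}:
        if not uid.isdigit():       # account UIDs are numeric
            findings.append(f"whitelist entry {uid!r} is neither an account UID nor '*'")
    # High availability: two zones recommended, and mandatory for cross-region sharing.
    if len(svc.resource_zones) < 2:
        findings.append("cross-region sharing requires service resources in at least two zones"
                        if svc.cross_region else
                        "service resources in a single zone: no zone failover")
    if svc.cross_region and svc.resource_type not in CROSS_REGION_RESOURCE_TYPES:
        findings.append(f"{svc.resource_type} cannot be shared across regions")
    if svc.dual_stack and svc.resource_type in DUAL_STACK_UNSUPPORTED:
        findings.append("dual-stack selected but CLB does not support dual-stack")
    # Bandwidth: a default connection limit exists only for CLB; all limits have ranges.
    lo, hi = BANDWIDTH_RANGE_MBPS[svc.resource_type]
    if svc.default_bandwidth_mbps is not None:
        if svc.resource_type != "CLB":
            findings.append("default connection bandwidth limit is only supported for CLB")
        elif not lo <= svc.default_bandwidth_mbps <= hi:
            findings.append(f"default bandwidth {svc.default_bandwidth_mbps} Mbps outside {lo}-{hi}")
    for endpoint, mbps in svc.connection_bandwidth_mbps.items():
        if not lo <= mbps <= hi:
            findings.append(f"{endpoint}: {mbps} Mbps outside {lo}-{hi} for {svc.resource_type}")
    return findings


def connection_outcome(svc: EndpointService, requester_uid: str) -> str:
    """What a consumer account sees when it creates an interface endpoint."""
    if "*" not in svc.whitelist and requester_uid not in svc.whitelist:
        return "not visible"            # FAQ: only whitelisted users can find the service
    return "connected" if svc.auto_accept else "pending approval"


if __name__ == "__main__":
    # Constructed sample: a CLB service opened to everyone with auto-acceptance.
    plan = EndpointService("CLB", {"zone-a"}, {"*"}, True,
                           dual_stack=True, default_bandwidth_mbps=20_000)
    for finding in lint(plan):
        print("-", finding)
    print(connection_outcome(plan, "123456789012"))
```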
Console
Modify the default bandwidth limit: On the details page of the target endpoint service, on the Basic Information tab, click Modify next to Default Bandwidth Limit.
Adjust the bandwidth for a specific endpoint connection: On the details page of the target endpoint service, on the Endpoint Connections tab, find the target endpoint and in the Actions column, enable, modify, or disable bandwidth throttling.
API
Call UpdateVpcEndpointServiceAttribute and configure the Bandwidth parameter to modify the bandwidth of the endpoint service.
Call UpdateVpcEndpointConnectionAttribute and configure the Bandwidth parameter to modify the bandwidth of the endpoint connection.
Delete an endpoint service
If you no longer want to provide a service, you can delete its endpoint service. This action is irreversible and permanently terminates all associated endpoint connections. Proceed with caution.
Console
Before you delete the service, you must reject and disconnect all connected interface endpoints.
Click Delete in the Actions column of the target endpoint service.
API
Call DisableVpcEndpointZoneConnection to disconnect the endpoint zone connection.
Call DetachResourceFromVpcEndpointService to remove the service resources from the endpoint service.
Call DeleteVpcEndpointService to delete the endpoint service.
FAQ
Why can't service consumers find the endpoint service I created?
Ensure the consumer's Alibaba Cloud account ID is in the service whitelist. Only users on the whitelist can find and connect to the service.
Why is the connection status always Disconnected?
Check whether automatic acceptance of endpoint connections is disabled for the endpoint service. If it is, you must go to the Endpoint Connections tab and manually Allow the connection request.