PrivateLink: Access an NLB instance in another VPC by using PrivateLink

Last Updated: Aug 22, 2024

If you want to allow a Network Load Balancer (NLB) instance in a virtual private cloud (VPC) to provide services for another VPC within the same Alibaba Cloud account, you can specify the NLB instance as a service resource in the VPC where the NLB instance is deployed and use PrivateLink to establish a network connection between the two VPCs.

Background information

VPCs are private networks that are isolated from each other in the cloud. You can use PrivateLink to establish a secure and stable private connection between a VPC and an Alibaba Cloud service. This simplifies the network architecture and prevents security risks over the Internet.

To establish a PrivateLink connection, you must create an endpoint service and an endpoint.

  • Endpoint service

    An endpoint service can be accessed by using an endpoint in another VPC over a PrivateLink connection. Endpoint services are created and managed by service providers.

  • Endpoint

    An endpoint can be associated with an endpoint service to establish a PrivateLink connection that allows a VPC to access external services. Endpoints are created and managed by service consumers.

Entity             Description
Service provider   Creates and manages endpoint services.
Service consumer   Creates and manages endpoints.

NLB instances are next-generation Layer 4 load balancers developed by Alibaba Cloud for Internet of Everything (IoE) services. They provide ultra-high performance and automatic scaling, and a single instance supports up to 100 million concurrent connections, which helps you handle highly concurrent requests. After you specify an NLB instance as the service resource of an endpoint service, that one instance serves all of the zones it is deployed in, so you do not need a separate NLB instance per zone. For more information, see What is NLB?

Scenarios

The following scenario is used as an example. Company A uses Alibaba Cloud Account A to create two VPCs in the China (Hangzhou) region. The VPCs are referred to as VPC 1 and VPC 2. In addition, the company creates two Elastic Compute Service (ECS) instances in each VPC. The ECS instances in VPC 1 are referred to as ECS 01 and ECS 02. The ECS instances in VPC 2 are referred to as ECS 03 and ECS 04. Different NGINX services are deployed on the ECS instances in VPC 2. Due to business growth, the ECS instances in VPC 1 require access to the services that are deployed on ECS instances in VPC 2 over a private network.

In this scenario, you need to create an NLB instance in VPC 2. Make sure that the NLB instance is deployed across Hangzhou Zone G and Hangzhou Zone K. Then, create a backend server group RS1 for the NLB instance and add ECS 03 and ECS 04 to the backend server group. Create an endpoint service and specify the NLB instance as the service resource of the endpoint service. Create an endpoint in VPC 1 and connect the endpoint to the endpoint service. If the status of the connection is normal, the ECS instances in VPC 1 can access the services that are deployed on the ECS instances in VPC 2.


Limits

  • The NLB instance that serves as the service resource must be an internal-facing NLB instance.

  • When you create an endpoint service, select a region that supports both PrivateLink and NLB instances. For more information about the regions that support PrivateLink and the regions that support NLB instances, see Regions and zones that support PrivateLink and Regions that support NLB.

  • An endpoint can be created only in zones where the endpoint service has a service resource: the zones of an endpoint must be a subset of the zones where the service resources of the endpoint service are deployed, and traffic in each zone flows between the endpoint ENI and the service resource in that same zone. We therefore recommend that you deploy the service resources in all zones of a region, or in as many zones as possible, so that endpoints in any zone can reach them.

  • PrivateLink does not support TCP/SSL listeners configured for NLB instances. Use a TCP listener, as in this example; if the backend service needs TLS, terminate it on the backend servers and let the TCP listener pass the encrypted stream through unchanged.

Prerequisites

  • VPC 1 and VPC 2 are created in the China (Hangzhou) region. Two vSwitches are created in VPC 1: one in Zone G and the other in Zone K. Another two vSwitches are created in VPC 2: one in Zone G and the other in Zone K. For more information, see the Step 1: Create a VPC and vSwitches section of the Create a VPC with an IPv4 CIDR block topic.

  • Two ECS instances (ECS 01 and ECS 02) are created in VPC 1 to send connection requests. ECS 01 is deployed in Zone G and ECS 02 is deployed in Zone K. Two ECS instances (ECS 03 and ECS 04) are created in VPC 2 to receive and process connection requests. ECS 03 is deployed in Zone G and ECS 04 is deployed in Zone K. Different NGINX services are deployed on ECS 03 and ECS 04.

    • For more information about how to create an ECS instance, see Create an instance on the Custom Launch tab.

    • The following commands deploy the test services on ECS 03 and ECS 04 (run as root on Alibaba Cloud Linux). Each instance serves a different index page so that the backend that answered a request can be identified later:

      Service deployment on ECS 03

      # install NGINX and start it now and on every boot
      yum install -y nginx
      systemctl enable --now nginx.service
      # replace the default index page with a marker that identifies this backend
      cd /usr/share/nginx/html/
      echo "Hello World ! This is ECS03." > index.html

      Service deployment on ECS 04

      yum install -y nginx
      systemctl enable --now nginx.service
      cd /usr/share/nginx/html/
      echo "Hello World ! This is ECS04." > index.html
  • A security group is created in VPC 1 for the endpoint. This security group controls which instances in VPC 1 may send traffic to the endpoint ENIs, so it must allow inbound TCP 80 from ECS 01 and ECS 02 (for example, from 10.0.23.0/24 and 10.0.24.0/24, the vSwitch CIDR blocks of VPC 1). Do not open it to 0.0.0.0/0 unless every instance in the VPC is meant to reach the service. For more information, see Create a security group.

    Note

    ECS 03 and ECS 04 in VPC 2 use the default security group, which is created by the system when the ECS instances are created. Its rules must still allow inbound TCP 80 for the NLB health checks and forwarded requests; if the listener's health check status is not Healthy in Step 3, check this security group first.

The following table describes the network plan for the two VPCs in this example. Traffic between them flows through the endpoint ENIs in VPC 1 and the NLB instance in VPC 2 rather than over a route between the two CIDR blocks, so the service is not affected even if the CIDR blocks of your VPCs overlap.

Item                     VPC 1                           VPC 2
Region                   China (Hangzhou)                China (Hangzhou)
CIDR block               VPC: 10.0.0.0/8                 VPC: 192.168.0.0/16
                         vSwitch 1: 10.0.23.0/24         vSwitch 3: 192.168.2.0/24
                         vSwitch 2: 10.0.24.0/24         vSwitch 4: 192.168.4.0/24
vSwitch zone             vSwitch 1: Zone G               vSwitch 3: Zone G
                         vSwitch 2: Zone K               vSwitch 4: Zone K
ECS instance IP address  ECS 01 in Zone G: 10.0.23.68    ECS 03 in Zone G: 192.168.2.190
                         ECS 02 in Zone K: 10.0.24.227   ECS 04 in Zone K: 192.168.4.20

Procedure


Step 1: Create an internal-facing NLB instance

Create an internal-facing NLB instance as an ingress of the service provider.

  1. Log on to the NLB console, select the China (Hangzhou) region, and click Create NLB.

  2. On the NLB (Pay-As-You-Go) International Site buy page, create an internal-facing NLB instance in VPC 2. Select Hangzhou Zone G with vSwitch 3 and Hangzhou Zone K with vSwitch 4 so that the instance spans both zones, and then click Buy Now.

Step 2: Create a backend server group for the NLB instance and add servers

Create a backend server group and add backend servers to receive client requests forwarded by the NLB instance.

  1. Create a server group RS1 to route client requests to multiple backend servers.

    1. Log on to the NLB console. On the Server Groups page, click Create Server Group.

    2. In the Create Server Group dialog box, set the server group name to RS1 and select VPC 2 (a server group must be in the same VPC as the NLB instance that uses it), and then click Create.

      For information about how to set other parameters, see Create and manage a server group.

  2. Add ECS 03 and ECS 04 as backend servers of the server group RS1 to receive requests forwarded from the NLB instance.

    1. On the Server Groups page, click the ID of the desired server group.

    2. On the page that appears, click the Backend Servers tab, click Add Backend Server, and then select ECS 03 and ECS 04 as backend servers. Click Next.


    3. Set the ports and weights of ECS 03 and ECS 04. In this example, port 80 and the default weight 100 are set for the instances. Then, click OK.


Step 3: Configure a listener

Configure a listener for the NLB instance. The listener is responsible for checking connection requests and then distributing client requests to backend servers based on the scheduling algorithm.

  1. Click Create Listener in the Actions column of the desired NLB instance.

  2. On the Configure Listener wizard page, select TCP for the Listener Protocol parameter, set the Listening Port parameter to 80, and then click Next.


  3. On the Select Server Group wizard page, select the server group RS1 and click Next.


  4. On the Configuration Review wizard page, confirm the configurations and click Submit.

  5. In the NLB Configuration Wizard message, click OK to return to the Instances page.

    If the health check status of the listener is Healthy, ECS 03 and ECS 04 can process requests that are forwarded by the NLB instance.

Step 4: Create an endpoint service

Create an endpoint service to establish PrivateLink connections.

  1. Log on to the endpoint service console, select the China (Hangzhou) region, and then click Create Endpoint Service.

  2. On the Create Endpoint Service page, add the NLB instance you created as a service resource, retain the default settings for the other parameters (including Automatically Accept Endpoint Connections set to Yes), and then click OK.

Step 5: Create an endpoint

Create an endpoint in VPC 1 and associate it with the endpoint service.

  1. Log on to the endpoint console, select the China (Hangzhou) region, and then click Create Endpoint.

  2. On the Create Endpoint page, select the endpoint service you created, VPC 1, the security group created for the endpoint, and the zones with their vSwitches: Zone G with vSwitch 1 and Zone K with vSwitch 2. Retain the default settings for the other parameters and click OK.

Step 6: (Optional) Accept connection requests

After you create an endpoint in VPC 1, the endpoint service must accept the connection request from the endpoint before VPC 1 can use the endpoint to reach the service. In this example you can skip this step, because Automatically Accept Endpoint Connections was left at Yes when the endpoint service was created. If you do not want every endpoint that can see the service to connect without review, set this parameter to No and accept each connection request manually on the endpoint service's details page.

Step 7: Test the network connectivity

After you complete the preceding operations, VPC 1 can access VPC 2 over private connections. The following section describes how to test the network connectivity.

Note
  • In this example, the ECS instances run Alibaba Cloud Linux. For other operating systems, see the operating system's user guide for the equivalent commands.

  • In this example, the endpoint service and the endpoint each span two zones for high availability. You can reach the service through the domain name of the endpoint service, which covers both zones, or through the domain name or IP address of a single zone.

  1. Log on to ECS 01 and ECS 02 in VPC 1. For more information, see Connection method overview.

  2. After you log on to the ECS instances in VPC 1, you can use either of the following methods to test the network connectivity between VPCs:

    • Access the service in VPC 2 by using the domain name of the endpoint service. This domain name switches traffic between zones automatically: if one zone fails, requests are forwarded through the other zone.

      1. On the endpoint details page, view the generated domain name of the endpoint service.


      2. Run curl against that domain name over HTTP (port 80, the listener port). The response is the index page of ECS 03 or ECS 04, which confirms that the request crossed the PrivateLink connection and reached a backend server in VPC 2.

    • Access the service deployed in VPC 2 by specifying the domain name or IP address of a zone.

      1. On the endpoint details page, click the Zone and ENI tab to view the generated domain names and IP addresses of the zones.


      2. Run curl against the domain name or IP address of a zone. The response is again the index page of ECS 03 or ECS 04. Because the zone addresses belong to the endpoint ENIs in VPC 1's own vSwitches, this test also confirms that ECS 01 and ECS 02 never need a route into VPC 2's CIDR block.

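The following script is an added example for Step 7 and is not part of the original page or of Alibaba Cloud's documentation. It runs from ECS 01 or ECS 02 and does what the two manual curl tests above do, plus the checks a practitioner wants: it sends 20 requests to the endpoint service domain name and tallies which backend answered (both ECS 03 and ECS 04 should appear, and no request should time out), and it verifies that the ENI address shown for each zone lies in the consumer-side vSwitch planned for that zone in the network plan table. ENDPOINT_DOMAIN, ZONE_G_IP and ZONE_K_IP are placeholders you fill in from the endpoint details page; the CIDR blocks and the index-page texts are the ones used elsewhere in this example.

```shell
#!/bin/sh
# Connectivity check for the PrivateLink endpoint in VPC 1, run from ECS 01
# or ECS 02. Added example, not from the original page. ENDPOINT_DOMAIN,
# ZONE_G_IP and ZONE_K_IP are placeholders for the values shown on the
# endpoint details page; the CIDR blocks and index-page texts are the ones
# from the example's network plan and NGINX deployment.
set -u

# classify_body BODY -> name of the backend that produced an index page
# ("ECS03", "ECS04") or "unknown" for anything else (timeouts, wrong service).
classify_body() {
  case "$1" in
    *"This is ECS03."*) echo ECS03 ;;
    *"This is ECS04."*) echo ECS04 ;;
    *)                  echo unknown ;;
  esac
}

# tally_backends: reads one response body per line on stdin and prints
# "ECS03=<n> ECS04=<n> unknown=<n>". With the endpoint service domain name
# both backends should show up and unknown should stay at 0.
tally_backends() {
  e3=0; e4=0; u=0
  while IFS= read -r line; do
    case "$(classify_body "$line")" in
      ECS03) e3=$((e3 + 1)) ;;
      ECS04) e4=$((e4 + 1)) ;;
      *)     u=$((u + 1)) ;;
    esac
  done
  echo "ECS03=$e3 ECS04=$e4 unknown=$u"
}

# ip_to_int A.B.C.D -> the address as a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP CIDR -> exit status 0 when IP lies inside CIDR.
ip_in_cidr() {
  addr=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# check_zone_eni ZONE IP CIDR -> confirms that the endpoint ENI address shown
# for ZONE sits in the consumer-side vSwitch planned for that zone (VPC 1's
# 10.0.23.0/24 for Zone G, 10.0.24.0/24 for Zone K): the consumer talks to an
# address inside its own VPC, never to VPC 2's CIDR block.
check_zone_eni() {
  if ip_in_cidr "$2" "$3"; then
    echo "zone $1: ENI $2 is inside $3 (VPC 1 side, as expected)"
    return 0
  fi
  echo "zone $1: ENI $2 is NOT inside $3, check the vSwitch selected for this zone"
  return 1
}

# probe URL -> response body, or TIMEOUT when nothing answers within 3 s.
# From ECS 01/02 a timeout usually means the endpoint's security group does
# not allow TCP 80 from this instance, or the zone has no endpoint ENI.
probe() {
  curl -s --max-time 3 "$1" || echo TIMEOUT
}

# Live run, only when the placeholders are supplied:
#   ENDPOINT_DOMAIN=<endpoint service domain> ZONE_G_IP=<Zone G ENI IP> \
#   ZONE_K_IP=<Zone K ENI IP> sh privatelink_check.sh
if [ -n "${ENDPOINT_DOMAIN:-}" ]; then
  i=0
  while [ "$i" -lt 20 ]; do
    probe "http://$ENDPOINT_DOMAIN/"
    i=$((i + 1))
  done | tally_backends
  for spec in "G:${ZONE_G_IP:-}:10.0.23.0/24" "K:${ZONE_K_IP:-}:10.0.24.0/24"; do
    zone=${spec%%:*}; rest=${spec#*:}; ip=${rest%%:*}; cidr=${rest#*:}
    [ -n "$ip" ] || continue
    check_zone_eni "$zone" "$ip" "$cidr"
    echo "zone $zone direct: $(classify_body "$(probe "http://$ip/")")"
  done
fi
```

If the tally shows only one backend, check the NLB server group and the health check status of both servers; if it shows timeouts, check the endpoint's security group in VPC 1 first, then whether the zone of the requesting instance has an endpoint ENI.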