PrivateLink allows you to specify Application Load Balancer (ALB) instances as the service resources of endpoint services.

Background information

ALB supports cross-zone deployment and content-based routing, and provides ultra-high processing capabilities. After you specify an ALB instance as a service resource of an endpoint service, the ALB instance can serve your workloads across multiple zones. You do not need to configure an ALB instance for each zone.

The following scenario is used as an example. You use an Alibaba Cloud account (Account A) to create two virtual private clouds (VPCs) in the China (Hangzhou) region. The VPCs are referred to as VPC1 and VPC2. In addition, you create two Elastic Compute Service (ECS) instances in each VPC. The ECS instances in VPC1 are referred to as ECS01 and ECS02. The ECS instances in VPC2 are referred to as ECS03 and ECS04. Different NGINX services are deployed on the ECS instances in VPC2. As the business develops, the ECS instances in VPC1 require access to the ECS instances in VPC2.

In this scenario, you must create an ALB instance that supports PrivateLink in VPC2. Make sure that the ALB instance is deployed across Hangzhou Zone H and Hangzhou Zone I. Then, create a server group (RS1) for the ALB instance and add ECS03 and ECS04 to the server group. Create an endpoint service and specify the ALB instance as a service resource of the endpoint service. Create an endpoint in VPC1 and connect the endpoint to the endpoint service. If the status of the connection is normal, the ECS instances in VPC1 can access the ECS instances in VPC2.


Limits

  • To specify an ALB instance as a service resource in PrivateLink, your account must be included in the whitelist. You can submit a ticket or contact customer service to apply for the permissions.
  • When you create an ALB instance that supports PrivateLink, you must set the network type of the ALB instance to internal-facing and set the IP address type to static.
  • When you create an endpoint service, you must select a region that supports PrivateLink and ALB. For more information about the regions that support PrivateLink and the regions that support ALB, see Regions that support PrivateLink and Regions that support ALB.
  • The endpoint and the endpoint service must be deployed in the same zone. In addition, the zone must be one of the zones where the ALB instance is deployed.
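A pre-flight check of the limits above against the planned topology, written as an added example (this is not code from the Alibaba Cloud documentation); the class names and fields are assumptions chosen for the example:

```python
from dataclasses import dataclass

# Added example, not part of the Alibaba Cloud documentation. The dataclasses
# and field names are assumptions that mirror the console parameters above.

@dataclass
class AlbPlan:
    region: str
    vpc: str
    network_type: str        # console "Network Type": "Internal" or "Internet"
    ip_mode: str             # console "IP Mode": "Static IP" or "Dynamic IP"
    zones: set              # zones the ALB instance is deployed in

@dataclass
class EndpointServicePlan:
    region: str
    resource_zones: set     # zones chosen under "Select Service Resource"

@dataclass
class EndpointPlan:
    region: str
    vpc: str
    vswitch_zones: set      # zones of the vSwitches chosen for the endpoint ENI

def check_plan(alb, svc, ep):
    """Return the list of limit violations; an empty list means the plan is valid."""
    problems = []
    if alb.network_type != "Internal":
        problems.append("ALB network type must be internal-facing")
    if alb.ip_mode != "Static IP":
        problems.append("ALB IP mode must be Static IP")
    if len(alb.zones) < 2:
        problems.append("ALB must be deployed in at least two zones")
    if not (alb.region == svc.region == ep.region):
        problems.append("ALB, endpoint service and endpoint must share one region")
    uncovered = svc.resource_zones - alb.zones
    if uncovered:
        problems.append("service resource zones without ALB: %s" % sorted(uncovered))
    unmatched = ep.vswitch_zones - svc.resource_zones
    if unmatched:
        problems.append("endpoint zones without service zone: %s" % sorted(unmatched))
    # Overlapping VPC CIDR blocks are deliberately not flagged: PrivateLink
    # tolerates them, as the network plan in this topic notes.
    return problems

def page_example():
    """The VPC1/VPC2, Zone H/Zone I topology used in this topic."""
    alb = AlbPlan("China (Hangzhou)", "VPC2", "Internal", "Static IP", {"Zone H", "Zone I"})
    svc = EndpointServicePlan("China (Hangzhou)", {"Zone H", "Zone I"})
    ep = EndpointPlan("China (Hangzhou)", "VPC1", {"Zone H", "Zone I"})
    return alb, svc, ep
```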

Prerequisites

  • VPC1 and VPC2 are created in the China (Hangzhou) region. Two vSwitches are created in VPC1: one in Zone H and the other in Zone I. Another two vSwitches are created in VPC2: one in Zone H and the other in Zone I. For more information, see Create a VPC and a vSwitch.
  • Two ECS instances (ECS01 and ECS02) are created in VPC1 to send connection requests. ECS01 is deployed in Zone H and ECS02 is deployed in Zone I. Two ECS instances (ECS03 and ECS04) that host different NGINX services are created in VPC2 to receive and process requests. ECS03 is deployed in Zone H and ECS04 is deployed in Zone I. For more information about how to create ECS instances and deploy NGINX services, see Create an instance by using the wizard and Manually deploy an LNMP environment on an ECS instance that runs Alibaba Cloud Linux 2.
  • A security group is created in VPC1. You can configure security group rules based on your business and security requirements. We recommend that you configure the following security group rules:
    • An inbound rule that allows Internet Control Message Protocol (ICMP) traffic to support operations such as pinging the ECS instance.
    • An inbound rule that allows traffic on SSH port 22 and Remote Desktop Protocol (RDP) port 3389 to access the ECS instance.
    • Port 80 is used for HTTP requests. Port 443 is used for HTTPS requests. You can enable these ports to allow VPC1 to access VPC2 by sending HTTP or HTTPS requests.
    For more information, see Create a security group.
    Note ECS03 and ECS04 in VPC2 use the default security group, which is created by Alibaba Cloud when the ECS instances are created.
The following table describes how networks are planned in this example. Your service is not adversely affected if the CIDR blocks of your VPCs overlap with each other.

Item                       VPC1                           VPC2
Region                     China (Hangzhou)               China (Hangzhou)
CIDR blocks                VPC: 10.0.0.0/8                VPC: 192.168.0.0/16
                           vSwitch 1: 10.0.10.0/24        vSwitch 1: 192.168.3.0/24
                           vSwitch 2: 10.10.0.0/24        vSwitch 2: 192.168.5.0/24
vSwitch zones              vSwitch 1: Zone H              vSwitch 1: Zone H
                           vSwitch 2: Zone I              vSwitch 2: Zone I
ECS instance IP addresses  ECS01 in Zone H: 10.0.10.3     ECS03 in Zone H: 192.168.3.190
                           ECS02 in Zone I: 10.0.0.27     ECS04 in Zone I: 192.168.5.20

Procedure


Step 1: Create an ALB instance that supports PrivateLink

  1. Log on to the ALB console.
  2. On the Instances page, click Create ALB.
  3. On the ALB (Pay-As-You-Go) International Site page, set the following parameters of the ALB instance and click Buy Now.
    Parameter Description
    Region Select the region where you want to create the ALB instance. In this example, China (Hangzhou) is selected.
    Network Type Select a network type. In this scenario, only Internal is supported.
    VPC Select the VPC where you want to deploy the ALB instance. In this example, VPC2 is selected.
    Zone Select the zones where you want to deploy the ALB instance. You must select at least two zones. In this example, Hangzhou Zone H, a vSwitch in Hangzhou Zone H, Hangzhou Zone I, and a vSwitch in Hangzhou Zone I are selected.
    IP Mode Specify the type of IP address used by the ALB instance. In this example, Static IP is selected.
    Edition Select the edition of the ALB instance. In this example, Basic is selected.
    Name Enter a name for the ALB instance.
    Resource Group Select the resource group to which the ALB instance belongs. In this example, Default Resource Group is selected.

Step 2: Create a server group for the ALB instance

  1. In the left-side navigation pane, choose ALB > Server Groups.
  2. On the Server Groups page, click Create Server Group.
  3. In the Create Server Group dialog box, set the following parameters and click Create.
    Parameter Description
    Server Group Type Select the type of server group that you want to create. In this example, Instance is selected.
    Server Group Name Enter a name for the server group. In this example, RS1 is entered.
    VPC Select the VPC to which the backend servers belong. In this example, VPC2 is selected.
    Backend Server Protocol Select a backend protocol. In this example, HTTP is selected.
    Scheduling Algorithm Select a scheduling algorithm. In this example, Weighted Round Robin is selected.
    Resource Group Select the resource group to which the ALB instance belongs.
    Session Persistence Specify whether to enable session persistence. In this example, session persistence is disabled, which is the default setting.
    Configure Health Check Specify whether to enable health checks. In this example, health checks are enabled, which is the default setting.
    Advanced Settings After you enable health checks, you can click Modify next to Advanced Settings to configure the advanced settings. In this example, the default advanced settings are used.
  4. After you create the server group, find RS1 on the Server Groups page and click its ID.
  5. Click the Backend Servers tab and click Add Backend Server.
  6. In the Add Backend Server panel, select ECS03 and ECS04 and click Next.
  7. Set the ports and weights of ECS03 and ECS04. In this example, port 80 and the default weight 100 are set for the ECS instances. Then, click OK.

Step 3: Configure a listener

  1. In the left-side navigation pane, choose ALB > Instances.
  2. On the Instances page, find the ALB instance that you want to manage and click Create Listener in the Actions column.
  3. On the Configure Listener wizard page, set the following parameters and click Next.
    Parameter Description
    Listener Protocol Select a listening protocol. In this example, HTTP is selected.
    Listener Port Specify the listening port that is used to receive and process requests. In this example, 80 is entered.
    Listener Name Enter a name for the listener.
    Advanced Settings You can click Modify to modify the advanced settings. In this example, the default advanced settings are used.
  4. On the Select Server Group wizard page, select RS1, which is created in Step 2. Then, click Next.
  5. On the Confirm wizard page, confirm the configurations and click Submit.
  6. In the ALB Configuration Wizard message, click OK. Then, return to the Instances page.
    If the health check status of the listener is Healthy, ECS03 and ECS04 can process requests forwarded by the ALB instance.

Step 4: Create an endpoint service

  1. In the top navigation bar, select the region where you want to create an endpoint service. In this example, China (Hangzhou) is selected.
  2. On the Endpoints Service page, click Create Endpoint Service.
  3. On the Create Endpoint Service page, set the following parameters and click OK.
    Parameter Description
    Service Resource Type Select the type of service resource to be added to the endpoint service. In this example, ALB is selected.
    Select Service Resource Select the zones where the service resource is deployed and then select the service resource.

    In this example, Hangzhou Zone H is selected. Then, click +Add Resource from Another Zone and select Hangzhou Zone I. For Hangzhou Zone H and Hangzhou Zone I, select the ALB instance that is created in Step 1 as the service resource.

    Automatically Accept Endpoint Connections Specify whether to automatically accept connection requests from endpoints. In this example, No is selected.
    Whether to Enable Zone Affinity Specify whether connection requests from a zone of an endpoint are prioritized to be forwarded to the same zone of the service resource. In this example, No is selected.
    Description Enter a description for the endpoint service.
    After you create the endpoint service, you can view the endpoint service whose Service Resource Type is ALB.

Step 5: Create an endpoint

  1. In the top navigation bar, select the region where you want to create the endpoint. In this example, China (Hangzhou) is selected.
  2. On the Endpoints page, click the Interface Endpoint tab and click Create Endpoint.
  3. On the Create Endpoint page, set the following parameters of the endpoint and click OK.
    Parameter Description
    Endpoint Name Enter a name for the endpoint.
    Endpoint Type Select the type of endpoint that you want to create. In this example, Interface Endpoint is selected.
    Endpoints Service You can associate the endpoint with an endpoint service in one of the following ways:
    • Click Add by Service Name and enter the name of an endpoint service.
    • Click Select Service and select the ID of an endpoint service.

    In this example, Select Service is clicked, and the endpoint service that is created in Step 4 is selected.

    VPC Select the VPC to which the endpoint belongs. In this example, VPC1 is selected.
    Security Groups Select the security group to be associated with the endpoint elastic network interface (ENI). The security group can control network traffic from VPC1 to the endpoint.
    Note Make sure that the rules in the security group allow access to the endpoint ENI.
    Zone and vSwitch Select the zone of the endpoint service and select a vSwitch in the zone. The system automatically creates an endpoint ENI and attaches it to the vSwitch.

    In this example, Hangzhou Zone H is selected and a vSwitch in the zone is selected. Then, click +Add vSwitch, select Hangzhou Zone I, and then select a vSwitch in the zone.

    Description Enter a description for the endpoint.

    After you create the endpoint, you can view the domain names and IP addresses of the zones.

Step 6: Accept connection requests

To establish an endpoint connection, the endpoint service must accept the connection requests from the associated endpoint. Then, VPC1 can use the endpoint to access the endpoint service.
Note Skip this step if you set the Automatically Accept Endpoint Connections parameter to Yes in Step 4.
  1. In the left-side navigation pane, click Endpoints Service.
  2. In the top navigation bar, select the region where the endpoint service is deployed. In this example, China (Hangzhou) is selected.
  3. On the Endpoints Service page, find the endpoint service created in Step 4 and click its ID.
  4. On the details page of the endpoint service, click the Endpoint Connections tab, find the endpoint that you want to manage, and then click Allow in the Actions column.
  5. In the Allow Connection dialog box, select the Allow connections and automatically allocate service resources check box and click OK.

After the connection requests are accepted, the status of the endpoint connection changes from Disconnected to Connected. Then, the endpoint service can process requests from the endpoint. You can use the domain names and IP addresses of the zones in Step 5 to access the endpoint service.

Step 7: Test network connectivity

After you perform the preceding operations, VPC1 can access VPC2 through private connections. The following section shows how to test the network connectivity.
Note In this example, the Windows Server 2012 operating system is installed on ECS01 and ECS02. The Alibaba Cloud Linux operating system is installed on ECS03 and ECS04. For more information about how to test the network connectivity of servers that run other operating systems, refer to the user guides of the operating systems.
  • Check whether ECS01 in VPC1 can access services on ECS03 in VPC2.
    1. Log on to ECS01. For more information, see Connect to an ECS instance.
    2. Open a browser on ECS01.
    3. Enter the domain name or IP address of Zone H from Step 5 in the browser.

      In this example, the domain name of Zone H is entered. The following figure shows the test result.


      The test result shows that ECS01 can access the services deployed on ECS03.

  • Check whether ECS02 in VPC1 can access the services on ECS04 in VPC2.
    1. Log on to ECS02.
    2. Open a browser on ECS02.
    3. Enter the domain name or IP address of Zone I from Step 5 in the browser.

      In this example, the domain name of Zone I is entered. The following figure shows the test result.


      The test result shows that ECS02 can access the services deployed on ECS04.

References