
PrivateLink:Specify an ALB instance as a service resource in PrivateLink

Last Updated:Sep 05, 2023

PrivateLink allows you to specify an Application Load Balancer (ALB) instance as a service resource of an endpoint service. This topic describes how to use PrivateLink to allow an ALB instance in a Virtual Private Cloud (VPC) to provide services to another VPC that belongs to the same Alibaba Cloud account.

Background information

An ALB instance supports cross-zone deployment and content-based routing, and provides strong processing capabilities. After you specify an ALB instance as the service resource of an endpoint service, the ALB instance can provide services across multiple zones. You do not need to configure an ALB instance for each zone.

The following scenario is used in this example. Company A uses Alibaba Cloud Account A to create two VPCs in the China (Hangzhou) region. The VPCs are referred to as VPC 1 and VPC 2. In addition, the company creates two Elastic Compute Service (ECS) instances in each VPC. The ECS instances in VPC 1 are referred to as ECS 01 and ECS 02. The ECS instances in VPC 2 are referred to as ECS 03 and ECS 04. Different NGINX services are deployed on the ECS instances in VPC 2. Due to business growth, the ECS instances in VPC 1 require access to the services that are deployed on the ECS instances in VPC 2 over a private network.

In this scenario, you must create an ALB instance that supports PrivateLink in VPC 2 and deploy it across Hangzhou Zone H and Hangzhou Zone I. Then, create a backend server group (RS 1) for the instance and add ECS 03 and ECS 04 to it. Create an endpoint service and specify the ALB instance as its service resource. Create an endpoint in VPC 1 and associate it with the endpoint service. Once the endpoint connection is in the Connected state, the ECS instances in VPC 1 can access the services that are deployed on the ECS instances in VPC 2.


Limits

  • When you create an ALB instance that supports PrivateLink, you must set the network type of the ALB instance to internal-facing and set the IP address type to static.

  • When you create an endpoint service, select a region that supports both PrivateLink and ALB instances. For more information about the regions that support PrivateLink and the regions that support ALB instances, see Regions and zones that support PrivateLink and Supported regions and zones.

  • The endpoint and the endpoint service must be deployed in the same zone. In addition, the zone must be one of the zones where the ALB instance is deployed.

  • By default, PrivateLink cannot be accessed over IPv6. If you need to access PrivateLink over IPv6, contact your account manager.

Prerequisites

  • VPC 1 and VPC 2 are created in the China (Hangzhou) region. Two vSwitches are created in VPC 1: one in Zone H and the other in Zone I. Another two vSwitches are created in VPC 2: one in Zone H and the other in Zone I. For more information, see Create a VPC and a vSwitch.

  • Two ECS instances (ECS 01 and ECS 02) are created in VPC 1 to send connection requests. ECS 01 is deployed in Zone H and ECS 02 is deployed in Zone I. Two ECS instances (ECS 03 and ECS 04) are created in VPC 2 to receive and process requests. ECS 03 is deployed in Zone H and ECS 04 is deployed in Zone I. Different NGINX services are deployed on ECS 03 and ECS 04. For more information about how to create ECS instances and deploy NGINX services, see Create an instance by using the wizard and Manually build an LNMP environment on an Alibaba Cloud Linux 2 instance.

  • A security group is created in VPC 1. You can configure security group rules based on your requirements for business and security.

    For more information, see Create a security group.

    Note

    ECS 03 and ECS 04 in VPC 2 use the default security group, which is created by the system when the ECS instances are created.

The following table describes the network plan used in this example. PrivateLink does not require the CIDR blocks of the VPCs to be distinct: your service is not adversely affected if the CIDR blocks of your VPCs overlap with each other.

| Item | VPC 1 | VPC 2 |
| --- | --- | --- |
| Region | China (Hangzhou) | China (Hangzhou) |
| CIDR block | VPC: 10.0.0.0/8; vSwitch 1: 10.0.10.0/24; vSwitch 2: 10.10.0.0/24 | VPC: 192.168.0.0/16; vSwitch 1: 192.168.3.0/24; vSwitch 2: 192.168.5.0/24 |
| vSwitch zone | vSwitch 1: Zone H; vSwitch 2: Zone I | vSwitch 1: Zone H; vSwitch 2: Zone I |
| ECS instance IP address | ECS 01 in Zone H: 10.0.10.3; ECS 02 in Zone I: 10.0.0.27 | ECS 03 in Zone H: 192.168.3.190; ECS 04 in Zone I: 192.168.5.20 |
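The constraints in the Limits section and the network plan above can be checked before anything is created. The following Python script is an added example; it is not part of the original page or of Alibaba Cloud's tooling. It encodes the page's plan as data (the zone IDs cn-hangzhou-h and cn-hangzhou-i are assumed for Zone H and Zone I) and checks what the page requires: an internal-facing ALB with a static IP address type deployed in at least two zones, every endpoint zone being one of the ALB's zones with a vSwitch in the endpoint VPC, and every vSwitch lying inside its VPC's CIDR block. Overlapping VPC CIDR blocks are reported only as information, because PrivateLink tolerates them.

```python
import ipaddress
from typing import Dict, List

# Constructed plan mirroring the page's topology. Zone IDs are assumed
# (the page only names the zones "Zone H" and "Zone I").
PLAN: Dict[str, dict] = {
    "VPC 1": {
        "cidr": "10.0.0.0/8",
        "vswitches": {"cn-hangzhou-h": "10.0.10.0/24", "cn-hangzhou-i": "10.10.0.0/24"},
    },
    "VPC 2": {
        "cidr": "192.168.0.0/16",
        "vswitches": {"cn-hangzhou-h": "192.168.3.0/24", "cn-hangzhou-i": "192.168.5.0/24"},
    },
}

# ALB instance that becomes the service resource (settings from Step 1).
ALB = {
    "vpc": "VPC 2",
    "network_type": "internal",   # PrivateLink requires an internal-facing ALB
    "ip_type": "static",          # PrivateLink requires the static IP address type
    "zones": ["cn-hangzhou-h", "cn-hangzhou-i"],
}

# Endpoint that consumers in VPC 1 use (settings from Step 5).
ENDPOINT = {"vpc": "VPC 1", "zones": ["cn-hangzhou-h", "cn-hangzhou-i"]}


def validate_plan(plan: Dict[str, dict], alb: dict, endpoint: dict) -> List[str]:
    """Return human-readable problems; an empty list means the plan is consistent."""
    issues: List[str] = []

    # Every vSwitch must sit inside its VPC's CIDR block.
    for vpc_name, vpc in plan.items():
        vpc_net = ipaddress.ip_network(vpc["cidr"])
        for zone, cidr in vpc["vswitches"].items():
            if not ipaddress.ip_network(cidr).subnet_of(vpc_net):
                issues.append(f"{vpc_name}: vSwitch {cidr} ({zone}) is not inside {vpc_net}")

    # ALB constraints stated in the Limits section and in Step 1.
    if alb["network_type"] != "internal":
        issues.append("ALB network type must be internal-facing")
    if alb["ip_type"] != "static":
        issues.append("ALB IP address type must be static")
    if len(alb["zones"]) < 2:
        issues.append("ALB must be deployed in at least two zones")
    for zone in alb["zones"]:
        if zone not in plan[alb["vpc"]]["vswitches"]:
            issues.append(f"ALB zone {zone} has no vSwitch in {alb['vpc']}")

    # Each endpoint zone must be a zone of the ALB and have a vSwitch in the endpoint VPC.
    for zone in endpoint["zones"]:
        if zone not in alb["zones"]:
            issues.append(f"endpoint zone {zone} is not a zone of the ALB instance")
        if zone not in plan[endpoint["vpc"]]["vswitches"]:
            issues.append(f"endpoint zone {zone} has no vSwitch in {endpoint['vpc']}")
    return issues


def vpc_cidrs_overlap(plan: Dict[str, dict]) -> bool:
    """True if any two VPC CIDR blocks overlap. Informational only: PrivateLink works regardless."""
    nets = [ipaddress.ip_network(v["cidr"]) for v in plan.values()]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    for line in validate_plan(PLAN, ALB, ENDPOINT) or ["plan is consistent"]:
        print(line)
    print("VPC CIDR blocks overlap:", vpc_cidrs_overlap(PLAN))
```

Running the script on the page's own values reports a consistent plan and no overlap; changing the ALB to a dynamic IP address type or dropping Zone I from the ALB produces the corresponding findings, while giving both VPCs the same CIDR block is reported as an overlap but not as a problem.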

Configuration process


Step 1: Create an ALB instance that supports PrivateLink

  1. Log on to the ALB console.
  2. On the Instances page, click Create ALB.

  3. On the Application Load Balancer buy page, set the parameters described in the following table for the ALB instance and click Buy Now.

    Parameter

    Description

    Region

    Select the region where you want to create an ALB instance. In this example, China (Hangzhou) is selected.

    Network Type

    Select a network type for the ALB instance. In this example, Internal-facing is selected.

    VPC

    Select a VPC where you want to deploy the ALB instance. In this example, VPC 2 is selected.

    Zone

    Select the zones where you want to deploy the ALB instance. You must select at least two zones. In this example, Hangzhou Zone H, Hangzhou Zone I, and a vSwitch in each zone are selected.

    IP Address Type

    Select the type of the IP address that is used by the ALB instance. In this example, Static IP Address is selected.

    IP Version

    Select an IP version for the ALB instance.

    • IPv4: If you select this option, the ALB instance can be accessed only by IPv4 clients.

    • Dual-stack: If you select this option, the ALB instance can be accessed by both IPv4 and IPv6 clients.

    Note
    • For more information about the regions that support dual-stack ALB instances, see Overview of ALB instances.

    • If you want to enable the dual-stack feature, you must enable IPv6 for the vSwitches in the zones of the VPC.

    • Dual-stack ALB instances can forward requests from IPv4 and IPv6 clients to IPv4 and IPv6 backend services.

      • Dual-stack ALB instances can forward requests from IPv6 clients to backend IPv4 services of the following types: ECS, elastic network interface (ENI), Elastic Container Instance, and IP. Backend services of the Function Compute type are not supported.

      • Dual-stack ALB instances can forward requests from IPv6 clients to backend IPv6 services of the following types: ECS, ENI, and Elastic Container Instance. Backend services of the Function Compute and IP types are not supported.

    • You cannot enable access control for listeners of dual-stack ALB instances.

    • You cannot upgrade existing IPv4 ALB instances to dual-stack ALB instances. You can only create dual-stack ALB instances.

    Edition (Instance Fee)

    Select an edition for the ALB instance. In this example, Basic is selected.

    Instance Name

    Enter a name for the ALB instance.

    Resource Group

    Select the resource group to which the ALB instance belongs. In this example, Default Resource Group is selected.

Step 2: Create a backend server group for the ALB instance

  1. In the left-side navigation pane, choose ALB > Server Groups.

  2. On the Server Groups page, click Create Server Group.

  3. In the Create Server Group dialog box, set the parameters described in the following table and click Create.

    The following table describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see Create and manage a server group.

    Parameter

    Description

    Server Group Type

    Select the type of the server group that you want to create. In this example, Instance is selected.

    Server Group Name

    Enter a name for the server group. In this example, enter RS 1.

    VPC

    Select the VPC to which the backend server group belongs. In this example, VPC 2 is selected.

    Backend Server Protocol

    Select a backend protocol. In this example, HTTP is selected.

    Scheduling Algorithm

    Select a scheduling algorithm. In this example, Weighted Round Robin is selected.

    Resource Group

    Select the resource group to which the ALB instance belongs.

    Session Persistence

    Specify whether to enable session persistence. In this example, session persistence is left disabled, which is the default.

    Persistent Connection

    Specify whether to enable persistent connections. In this example, persistent connections are left disabled, which is the default.

    Enable Health Check

    Specify whether to enable the health check feature. In this example, the health check feature is left enabled, which is the default.

    Advanced Settings

    After you enable the health check feature, you can click Modify next to Advanced Settings to configure the advanced settings. In this example, use the default advanced settings.

  4. After you create the server group, find RS 1 on the Server Groups page and click its ID.

  5. Click the Backend Servers tab and click Add Backend Server.

  6. In the Add Backend Server panel, select ECS 03 and ECS 04 and click Next.

  7. Set the ports and weights of ECS 03 and ECS 04. In this example, port 80 and the default weight 100 are set for the instances. Then, click OK.

Step 3: Configure a listener

  1. In the left-side navigation pane, choose ALB > Instances.

  2. On the Instances page, find the ALB instance that you want to manage and click Create Listener in the Actions column.

  3. On the Configure Listener wizard page, set the parameters described in the following table and click Next.

    Parameter

    Description

    Listener Protocol

    Select a listening protocol. In this example, HTTP is selected.

    Listener Port

    Specify the listening port that is used to receive and process requests. In this example, enter 80.

    Listener Name

    Enter a name for the listener.

    Advanced Settings

    You can click Modify to modify the advanced settings. In this example, use the default advanced settings.

  4. On the Select Server Group wizard page, select RS 1 that you created in Step 2 and click Next.

  5. On the Configuration Review wizard page, confirm the configurations and click Submit.

  6. In the ALB Configuration Wizard dialog box, click OK to return to the Instances page.

    If the health check status of the listener is Healthy, ECS 03 and ECS 04 can process the requests forwarded by the ALB instance.

Step 4: Create an endpoint service

  1. Log on to the endpoint service console.
  2. In the top navigation bar, select the region where you want to create an endpoint service. In this example, China (Hangzhou) is selected.

  3. On the Endpoints Service page, click Create Endpoint Service.

  4. On the Create Endpoint Service page, set the parameters described in the following table and click OK.

    The following table describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see Create an endpoint service.

    Parameter

    Description

    Service Resource Type

    Select the type of the service resource that you want to add to the endpoint service. In this example, ALB is selected.

    Select Service Resource

    Select the zones where the service resource is deployed and then select the service resource.

    In this example, select Hangzhou Zone H. Then, click +Add Resource from Another Zone and select Hangzhou Zone I. For Hangzhou Zone H and Hangzhou Zone I, select the ALB instance created in Step 1 as the service resource.

    Automatically Accept Endpoint Connections

    Specify whether the endpoint service automatically accepts connection requests from endpoints. In this example, No is selected.

    Enable Zone Affinity

    In this example, No is selected. When zone affinity is disabled, DNS queries for the endpoint domain name are not preferentially resolved to the endpoint in the zone nearest to the client.

    Resource Group

    Select the resource group to which the endpoint service belongs.

    After you create the endpoint service, you can view the endpoint service whose Service Resource Type is ALB.

Step 5: Create an endpoint

  1. Log on to the endpoint console.
  2. In the top navigation bar, select the region where you want to create an endpoint. In this example, China (Hangzhou) is selected.

  3. On the Endpoints page, click the Interface Endpoint tab, and click Create Endpoint.

  4. On the Create Endpoint page, set the parameters described in the following table and click OK.

    The following table describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see Create an endpoint.

    Parameter

    Description

    Endpoint Name

    Enter a name for the endpoint that you want to create.

    Endpoint Type

    Select a type for the endpoint. In this example, Interface Endpoint is selected.

    Endpoints Service

    You can associate the endpoint with an endpoint service in one of the following ways:

    • Click Add by Instance Name and enter the name of the endpoint service.

    • Click Select Service and select the ID of the endpoint service.

    In this example, click Select Service, and select the endpoint service created in Step 4.

    VPC

    Select the VPC to which the endpoint belongs. In this example, VPC 1 is selected.

    Security Groups

    Select the security group that you want to associate with the elastic network interface (ENI) of the endpoint. The security group controls which traffic from VPC 1 is allowed to reach the endpoint ENI.

    Note

    Make sure that the rules in the security group allow clients to access the endpoint ENI.

    Zone and vSwitch

    Select the zone where the endpoint service is deployed and select a vSwitch in the zone. The system automatically creates an endpoint ENI and attaches it to the vSwitch.

    In this example, select Hangzhou Zone H and a vSwitch in the zone. Then, click +Add vSwitch, select Hangzhou Zone I, and then select a vSwitch in the zone.

    Resource Group

    Select the resource group to which the endpoint belongs.

    After you create the endpoint, you can view the domain name and IP address that are generated for each zone.

Step 6: Accept connection requests

To establish an endpoint connection, the endpoint service must accept the connection requests from the associated endpoint. Then, VPC 1 can use the endpoint to access the endpoint service.

Note

Skip this step if you set the Automatically Accept Endpoint Connections parameter to Yes in Step 4.

  1. In the left-side navigation pane, click Endpoints Service.

  2. In the top navigation bar, select the region where the endpoint service is deployed. In this example, China (Hangzhou) is selected.

  3. On the Endpoints Service page, find the endpoint service that you created in Step 4 and click its ID.

  4. On the details page of the endpoint service, click the Endpoint Connections tab, find the endpoint that you want to manage, and then click Allow in the Actions column.

  5. In the Allow Connection dialog box, select Allow connections and automatically allocate service resources and click OK.

After the connection requests are accepted, the state of the endpoint connection changes from Disconnected to Connected. Then, the endpoint service can process requests from the endpoint. You can use the domain names and IP addresses of the zones that are generated in Step 5 to access the endpoint service.

Step 7: Test the network connectivity

After you complete the preceding operations, VPC 1 can access VPC 2 over private connections. The following section describes how to test the network connectivity.

Note

In this example, the Windows Server 2012 operating system is installed on ECS 01 and ECS 02, and the Alibaba Cloud Linux operating system is installed on ECS 03 and ECS 04. For more information about how to test the network connectivity of servers that run other operating systems, refer to the user guides of the operating systems.

  • Check whether ECS 01 in VPC 1 can access services on ECS 03 in VPC 2.

    1. Log on to ECS 01. For more information, see Connection method overview.

    2. Open a browser on ECS 01.

    3. Enter the domain name or IP address of Zone H that is generated in Step 5 in the browser.

      In this example, enter the domain name of Zone H. The following figure shows the test results.

      [Figure: verification result for Zone H]

      The test result shows that ECS 01 can access the services deployed on ECS 03.

  • Check whether ECS 02 in VPC 1 can access the services on ECS 04 in VPC 2.

    1. Log on to ECS 02.

    2. Open a browser on ECS 02.

    3. Enter the domain name or IP address of Zone I that is generated in Step 5 in the browser.

      In this example, enter the domain name of Zone I. The following figure shows the test results.

      [Figure: verification result for Zone I]

      The test result shows that ECS 02 can access the services deployed on ECS 04.
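The browser test above can be repeated from a script so that the check is reproducible after every change. The following Python script is an added example, not part of the original page or of Alibaba Cloud's tooling. For each zone it resolves the endpoint domain name generated in Step 5, confirms that the address belongs to the VPC 1 vSwitch selected for that zone (the endpoint ENI is created in that vSwitch, so a VPC 2 address such as a backend ECS IP would mean the name is not pointing at the endpoint), and then fetches the NGINX page through the endpoint. The domain names are passed on the command line because the page does not show them; the zone IDs cn-hangzhou-h and cn-hangzhou-i are assumed, and the resolver and fetcher are injectable so the logic can be exercised offline.

```python
import ipaddress
import socket
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Expected endpoint ENI subnet per zone: the vSwitch chosen in VPC 1 for that zone
# (values from the network plan table; zone IDs are assumed for "Zone H" and "Zone I").
ZONE_VSWITCH_CIDR: Dict[str, str] = {
    "cn-hangzhou-h": "10.0.10.0/24",
    "cn-hangzhou-i": "10.10.0.0/24",
}

Resolver = Callable[[str], str]
Fetcher = Callable[[str], Tuple[Optional[int], str]]


def http_get(url: str, timeout: float = 5.0) -> Tuple[Optional[int], str]:
    """Default fetcher: plain HTTP GET returning (status, start of body or error text)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(200).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, str(err.reason)
    except (urllib.error.URLError, OSError) as err:
        return None, str(err)


def check_zone(zone_id: str, domain: str,
               resolve: Resolver = socket.gethostbyname,
               fetch: Fetcher = http_get) -> dict:
    """Resolve one zone's endpoint domain name, verify the address is the endpoint ENI
    in the expected vSwitch, then fetch the NGINX page through it."""
    expected = ipaddress.ip_network(ZONE_VSWITCH_CIDR[zone_id])
    result = {"zone": zone_id, "domain": domain, "ip": None,
              "in_expected_subnet": False, "status": None, "ok": False, "detail": ""}
    try:
        result["ip"] = resolve(domain)
    except OSError as err:  # socket.gaierror is a subclass of OSError
        result["detail"] = f"DNS resolution failed: {err}"
        return result
    result["in_expected_subnet"] = ipaddress.ip_address(result["ip"]) in expected
    if not result["in_expected_subnet"]:
        # Clients must only ever see the endpoint ENI address inside VPC 1; anything
        # else means the name does not point at the endpoint and the test is stopped.
        result["detail"] = f"{result['ip']} is outside the expected vSwitch {expected}"
        return result
    status, detail = fetch(f"http://{domain}/")
    result["status"], result["detail"] = status, detail
    result["ok"] = status == 200
    return result


def run_checks(zone_domains: Dict[str, str],
               resolve: Resolver = socket.gethostbyname,
               fetch: Fetcher = http_get) -> List[dict]:
    """Check every zone; zone_domains maps zone ID -> domain name shown in Step 5."""
    return [check_zone(zone, domain, resolve, fetch) for zone, domain in zone_domains.items()]


if __name__ == "__main__":
    # Usage: python check_endpoint.py <zone-H-domain> <zone-I-domain>
    if len(sys.argv) != 3:
        sys.exit("usage: check_endpoint.py <zone-H-domain> <zone-I-domain>")
    domains = dict(zip(ZONE_VSWITCH_CIDR, sys.argv[1:]))
    for r in run_checks(domains):
        verdict = "PASS" if r["ok"] else "FAIL"
        print(f"{r['zone']}: {verdict} ip={r['ip']} status={r['status']} {r['detail']}")
```

Run it from ECS 01 or ECS 02 with the two zone domain names; the body snippet in the detail field shows which NGINX service answered, which is how you confirm that Zone H reaches ECS 03 and Zone I reaches ECS 04 as the page's figures do.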
