If you want to allow an Application Load Balancer (ALB) instance in a virtual private cloud (VPC) to provide services for another VPC within the same Alibaba Cloud account, you can specify the ALB instance as a service resource in the VPC where the ALB instance is deployed and use PrivateLink to establish a network connection between the two VPCs.
Background information
VPCs are private networks that are isolated from each other in the cloud. You can use PrivateLink to establish a secure and stable private connection between a VPC and an Alibaba Cloud service. This simplifies the network architecture and prevents security risks over the Internet.
To establish a PrivateLink connection, you must create an endpoint service and an endpoint.
Endpoint service
An endpoint service can be accessed by using an endpoint in another VPC over a PrivateLink connection. Endpoint services are created and managed by service providers.
Endpoint
An endpoint can be associated with an endpoint service to establish a PrivateLink connection that allows a VPC to access external services. Endpoints are created and managed by service consumers.
Entity | Description |
Service provider | Creates and manages endpoint services. |
Service consumer | Creates and manages endpoints. |
An ALB instance can serve as a service resource across multiple zones. ALB is a highly scalable service that can process large amounts of traffic at the application layer. In addition, ALB supports the advanced content-based routing feature. After you specify an ALB instance as a service resource of an endpoint service, the ALB instance can provide services across multiple zones. You do not need to configure an ALB instance for each zone. For more information, see What is ALB?
Scenarios
The following scenario is used as an example. Company A uses Alibaba Cloud Account A to create two VPCs in the China (Hangzhou) region. The VPCs are referred to as VPC 1 and VPC 2. In addition, the company creates two Elastic Compute Service (ECS) instances in each VPC. The ECS instances in VPC 1 are referred to as ECS 01 and ECS 02. The ECS instances in VPC 2 are referred to as ECS 03 and ECS 04. Different NGINX services are deployed on the ECS instances in VPC 2. Due to business growth, the ECS instances in VPC 1 require access to the services that are deployed on the ECS instances in VPC 2 over a private network.
In this scenario, you need to create an ALB instance that supports PrivateLink in VPC 2. Make sure that the instance is deployed across Hangzhou Zone H and Hangzhou Zone I. Then, create a backend server group (RS 1) for the instance and add ECS 03 and ECS 04 to the backend server group of the ALB instance. Create an endpoint service and specify the ALB instance as a service resource of the endpoint service. Create an endpoint in VPC 1 and connect the endpoint to the endpoint service. If the status of the connection is normal, the ECS instances in VPC 1 can access the services that are deployed on the ECS instances in VPC 2.
Limits
When you create an ALB instance that supports PrivateLink, you must set the network type of the ALB instance to internal-facing and set the IP address type to static.
When you create an endpoint service, select a region that supports both PrivateLink and ALB instances. For more information about the regions that support PrivateLink and the regions that support ALB instances, see Regions and zones that support PrivateLink and Regions and zones where ALB is available.
The endpoint and the endpoint service must be deployed in the same zone. In addition, the zone must be one of the zones where the ALB instance is deployed.
Prerequisites
VPC 1 and VPC 2 are created in the China (Hangzhou) region. Two vSwitches are created in VPC 1: one in Zone H and the other in Zone I. Another two vSwitches are created in VPC 2: one in Zone H and the other in Zone I. For more information, see the Step 1: Create a VPC and vSwitches section of the Create a VPC with an IPv4 CIDR block topic.
Two ECS instances (ECS 01 and ECS 02) are created in VPC 1 to send connection requests. ECS 01 is deployed in Zone H and ECS 02 is deployed in Zone I. Two ECS instances (ECS 03 and ECS 04) are created in VPC 2 to receive and process requests. ECS 03 is deployed in Zone H and ECS 04 is deployed in Zone I. Different NGINX services are deployed on ECS 03 and ECS 04. For more information about how to create ECS instances and deploy NGINX services, see Create an instance on the Custom Launch tab and Build an LNMP stack on an ECS instance that runs Alibaba Cloud Linux 2 or 3.
A security group is created in VPC 1. You can configure security group rules based on your requirements for business and security.
For more information, see Create a security group.
NoteECS 03 and ECS 04 in VPC 2 use the default security group, which is created by the system when the ECS instances are created.
The following table describes how networks of the VPCs are planned in this example. Your services are not adversely affected if the CIDR blocks of your VPCs overlap with each other.
Item | VPC 1 | VPC 2 |
Region | China (Hangzhou) | China (Hangzhou) |
CIDR block |
|
|
vSwitch zone |
|
|
ECS instance IP address |
|
|
Procedure
Step 1: Create an ALB instance that supports PrivateLink
Log on to the ALB console.
On the Instances page, click Create ALB.
On the Application Load Balancer buy page, set the parameters described in the following table for the ALB instance and click Buy Now.
Parameter
Description
Region
Select the region where you want to create an ALB instance. In this example, China (Hangzhou) is selected.
Network Type
Select a network type for the ALB instance. In this example, Intranet is selected.
VPC
Select a VPC where you want to deploy the ALB instance. In this example, VPC 2 is selected.
Zone
Select the zones where you want to deploy the ALB instance. You must select at least two zones. In this example, Hangzhou Zone H, Hangzhou Zone I, and a vSwitch in each zone are selected.
IP Mode
Select the type of the IP address that is used by the ALB instance. In this example, Static IP is selected.
IP Version
Select an IP version for the ALB instance. In this example, IPv4 is selected.
IPv4: If you select this option, the ALB instance can be accessed only by IPv4 clients.
Dual-stack: If you select this option, the ALB instance can be accessed by both IPv4 and IPv6 clients.
Edition
Select an edition for the ALB instance. In this example, Basic is selected.
Instance Name
Enter a name for the ALB instance.
Resource Group
Select the resource group to which the ALB instance belongs. In this example, Default Resource Group is selected.
Step 2: Create a backend server group for the ALB instance
In the left-side navigation pane, choose .
On the Server Groups page, click Create Server Group.
In the Create Server Group dialog box, set the parameters described in the following table and click Create.
The following table describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see Create and manage server groups.
Parameter
Description
Server Group Type
Select the type of the server group that you want to create. In this example, Server is selected.
Server Group Name
Enter a name for the server group. In this example, RS 1 is entered.
VPC
Select the VPC to which the backend server group belongs. In this example, VPC 2 is selected.
Backend Server Protocol
Select a backend protocol. In this example, HTTP is selected.
Scheduling Algorithm
Select a scheduling algorithm. In this example, Weighted Round-robin is selected.
Resource Group
Select the resource group to which the ALB instance belongs.
After you create the server group, find RS 1 on the Server Groups page and click its ID.
Click the Backend Servers tab and click Add Backend Server.
In the Add Backend Server panel, select ECS 03 and ECS 04 and click Next.
Set the ports and weights of ECS 03 and ECS 04. In this example, port 80 and the default weight 100 are set for the instances. Then, click OK.
Step 3: Configure a listener
In the left-side navigation pane, choose .
On the Instances page, find the ALB instance that you want to manage and click Create Listener in the Actions column.
On the Configure Listener wizard page, set the parameters described in the following table and click Next.
The following table describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see Add an HTTP listener.
Parameter
Description
Listener Protocol
Select a listening protocol. In this example, HTTP is selected.
Listener Port
Specify the listening port that is used to receive and process requests. In this example, 80 is entered.
Listener Name
Enter a name for the listener.
Advanced Settings
You can click Modify to modify the advanced settings. In this example, the default advanced settings are used.
On the Select Server Group wizard page, select RS 1 that you created in Step 2 and click Next.
On the Configuration Review wizard page, confirm the configurations and click Submit.
In the ALB Configuration Wizard message, click OK to return to the Instances page.
If the health check status of the listener is Healthy, ECS 03 and ECS 04 can process the requests forwarded by the ALB instance.
Step 4: Create an endpoint service
- Log on to the endpoint service console.
In the top navigation bar, select the region where you want to create an endpoint service. In this example, China (Hangzhou) is selected.
On the Endpoints Service page, click Create Endpoint Service.
On the Create Endpoint Service page, set the parameters described in the following table and click OK.
The following table describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see the Create an endpoint service section of the Create and manage endpoint services topic.
Parameter
Description
Service Resource Type
Select the type of the service resource that you want to add to the endpoint service. In this example, ALB is selected.
Select Service Resource
Select the zones where the service resource is deployed and then select the service resource.
In this example, Hangzhou Zone H is selected. Then, click +Add Service Resource and select Hangzhou Zone I. For Hangzhou Zone H and Hangzhou Zone I, select the ALB instance created in Step 1 as the service resource.
Automatically Accept Endpoint Connections
Specify whether the endpoint service automatically accepts connection requests from endpoints. In this example, No is selected.
Enable Zone Affinity
In this example, No is selected. This indicates that among all endpoints that are associated with the endpoint service, the domain name of the nearest endpoint is not resolved first.
Resource Group
Select the resource group to which the endpoint service belongs.
After you create the endpoint service, you can view the endpoint service whose Service Resource Type is ALB.
Step 5: Create an endpoint
- Log on to the endpoint console.
In the top navigation bar, select the region where you want to create an endpoint. In this example, China (Hangzhou) is selected.
On the Endpoints page, click the Interface Endpoint tab, and click Create Endpoint.
On the Create Endpoint page, set the parameters described in the following table and click OK.
The following table describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see the Create an endpoint section of the Create and manage endpoints topic.
Parameter
Description
Endpoint Name
Enter a name for the endpoint.
Endpoint Type
Select a type for the endpoint. In this example, Interface Endpoint is selected.
Endpoints Service
Select the endpoint service that you want to associate.
In this example, Select Service is clicked, and the endpoint service that is created in Step 4 is selected.
VPC
Select the VPC to which the endpoint belongs. In this example, VPC 1 is selected.
Security Groups
Select the security group that you want to associate with the elastic network interface (ENI) of the endpoint. The security group is used to control data transfer from VPC 1 to the endpoint ENI.
NoteMake sure that the rules in the security group allow clients to access the endpoint ENI.
By default, you can add an endpoint to up to five security groups.
Zone and vSwitch
Select the zone where the endpoint service is deployed and select a vSwitch in the zone. The system automatically creates an endpoint ENI and attaches it to the vSwitch.
In this example, Hangzhou Zone H and a vSwitch in the zone are selected. Then, click +Add vSwitch, select Hangzhou Zone I, and then select a vSwitch in the zone.
Resource Group
Select the resource group to which the endpoint belongs.
After you create the endpoint, you can view the domain names and IP addresses of the zones. The following figure shows an example.
Step 6: Accept connection requests
To establish an endpoint connection, the endpoint service must accept the connection requests from the associated endpoint. Then, VPC 1 can use the endpoint to access the endpoint service.
Skip this step if you set the Automatically Accept Endpoint Connections parameter to Yes in Step 4.
In the left-side navigation pane, click Endpoints Service.
In the top navigation bar, select the region where the endpoint service is deployed. In this example, China (Hangzhou) is selected.
On the Endpoints Service page, find the endpoint service that you created in Step 4 and click its ID.
On the details page of the endpoint service, click the Endpoint Connections tab, find the endpoint that you want to manage, and then click Allow in the Actions column.
In the Allow Connection dialog box, select Allow connections and automatically allocate service resources. and click OK.
After the connection requests are accepted, the state of the endpoint connection changes from Disconnected to Connected. Then, the endpoint service can process requests from the endpoint. You can use the domain names and IP addresses of the zones that are generated in Step 5 to access the endpoint service.
Step 7: Test the network connectivity
After you complete the preceding operations, VPC 1 can access VPC 2 over private connections. The following section describes how to test the network connectivity.
In this example, the Windows Server 2012 operating system is installed on ECS 01 and ECS 02, and the Alibaba Cloud Linux operating system is installed on ECS 03 and ECS 04. For more information about how to test the network connectivity of servers that run other operating systems, refer to the user guides of the operating systems.
Check whether ECS 01 in VPC 1 can access the services on ECS 03 in VPC 2.
Log on to ECS 01. For more information, see Connection method overview.
Open a browser on ECS 01.
Enter the domain name or IP address of Zone H that is generated in Step 5 in the browser.
In this example, the domain name of Zone H is entered. The following figure shows the test result.
The test result shows that ECS 01 can access the services deployed on ECS 03.
Check whether ECS 02 in VPC 1 can access the services on ECS 04 in VPC 2.
Log on to ECS 02.
Open a browser on ECS 02.
Enter the domain name or IP address of Zone I that is generated in Step 5 in the browser.
In this example, the domain name of Zone I is entered. The following figure shows the test result.
The test result shows that ECS 02 can access the services deployed on ECS 04.
References
CreateVpcEndpoint: creates an endpoint.
CreateVpcEndpointService: creates an endpoint service.
AttachResourceToVpcEndpointService: adds a service resource to an endpoint service.
EnableVpcEndpointConnection: accepts endpoint connection requests.