Access an NLB instance in another VPC - PrivateLink - Alibaba Cloud Documentation Center

If you want to allow a Network Load Balancer (NLB) instance in a virtual private cloud (VPC) to provide services for another VPC within the same Alibaba Cloud account, you can specify the NLB instance as a service resource in the VPC where the NLB instance is deployed and use PrivateLink to establish a network connection between the two VPCs.

Background information

VPCs are private networks that are isolated from each other in the cloud. You can use PrivateLink to establish a secure and stable private connection between a VPC and an Alibaba Cloud service. This simplifies the network architecture and prevents security risks over the Internet.

To establish a PrivateLink connection, you must create an endpoint service and an endpoint.

Endpoint service
An endpoint service can be accessed by using an endpoint in another VPC over a PrivateLink connection. Endpoint services are created and managed by service providers.
Endpoint
An endpoint can be associated with an endpoint service to establish a PrivateLink connection that allows a VPC to access external services. Endpoints are created and managed by service consumers.

Entity	Description
Service provider	Creates and manages endpoint services.
Service consumer	Creates and manages endpoints.

NLB instances are next-generation Layer 4 load balancers developed by Alibaba Cloud for Internet of Everything (IoE) services. NLB instances feature ultra-high performance and automatic scaling. An NLB instance supports up to 100 million concurrent connections, which helps you handle highly concurrent requests. After you specify an NLB instance as a service resource of an endpoint service, the NLB instance can provide services across multiple zones. You do not need to configure an NLB instance for each zone. For more information, see What is NLB?

Scenarios

The following scenario is used as an example. Company A uses Alibaba Cloud Account A to create two VPCs in the China (Hangzhou) region. The VPCs are referred to as VPC 1 and VPC 2. In addition, the company creates two Elastic Compute Service (ECS) instances in each VPC. The ECS instances in VPC 1 are referred to as ECS 01 and ECS 02. The ECS instances in VPC 2 are referred to as ECS 03 and ECS 04. Different NGINX services are deployed on the ECS instances in VPC 2. Due to business growth, the ECS instances in VPC 1 require access to the services that are deployed on ECS instances in VPC 2 over a private network.

In this scenario, you need to create an NLB instance in VPC 2. Make sure that the NLB instance is deployed across Hangzhou Zone G and Hangzhou Zone K. Then, create a backend server group (RS 1) for the NLB instance and add ECS 03 and ECS 04 to the backend server group. Create an endpoint service and specify the NLB instance as the service resource of the endpoint service. Create an endpoint in VPC 1 and connect the endpoint to the endpoint service. If the status of the connection is normal, the ECS instances in VPC 1 can access the services that are deployed on the ECS instances in VPC 2.

场景图

Limits

The NLB instance that serves as the service resource must be an internal-facing NLB instance.
When you create an endpoint service, select a region that supports both PrivateLink and NLB instances. For more information about the regions that support PrivateLink and the regions that support NLB instances, see Regions and zones that support PrivateLink and Regions that support NLB.
A connection can be established between an endpoint and an endpoint service only if they are deployed in the same zone. The zones where endpoints are deployed must be a subset of the zones where the service resources of endpoint services are deployed. Therefore, we recommend that you select all zones or as many zones as possible in a region when you deploy the service resources of endpoint services. In this way, different endpoints can access the service resources.

Prerequisites

VPC 1 and VPC 2 are created in the China (Hangzhou) region. Two vSwitches are created in VPC 1: one in Zone G and the other in Zone K. Another two vSwitches are created in VPC 2: one in Zone G and the other in Zone K. For more information, see the Step 1: Create a VPC and vSwitches section of the Create a VPC with an IPv4 CIDR block topic.
Two ECS instances (ECS 01 and ECS 02) are created in VPC 1 to send connection requests. ECS 01 is deployed in Zone G and ECS 02 is deployed in Zone K. Two ECS instances (ECS 03 and ECS 04) are created in VPC 2 to receive and process connection requests. ECS 03 is deployed in Zone G and ECS 04 is deployed in Zone K. Different NGINX services are deployed on ECS 03 and ECS 04. For more information about how to create ECS instances and deploy NGINX services, see Create an instance on the Custom Launch tab and Build an LNMP stack on an ECS instance that runs Alibaba Cloud Linux 2 or 3.
A security group is created in VPC 1. You can configure security group rules based on your requirements for business and security. For more information, see Create a security group.
Note
ECS 03 and ECS 04 in VPC 2 use the default security group, which is created by the system when the ECS instances are created.

The following table describes how networks of the VPCs are planned in this example. Your service is not adversely affected if the CIDR blocks of your VPCs overlap with each other.

Item	VPC 1	VPC 2
Region	China (Hangzhou)	China (Hangzhou)
CIDR block	VPC: 10.0.0.0/8 vSwitch 1: 10.0.23.0/24 vSwitch 2: 10.0.24.0/24	VPC: 192.168.0.0/16 vSwitch 3: 192.168.2.0/24 vSwitch 4: 192.168.4.0/24
vSwitch zone	vSwitch 1: Zone G vSwitch 2: Zone K	vSwitch 3: Zone G vSwitch 4: Zone K
ECS instance IP address	ECS 01 in Zone G: 10.0.23.68 ECS 02 in Zone K: 10.0.24.227	ECS 03 in Zone G: 192.168.2.190 ECS 04 in Zone K: 192.168.4.20

Procedure

流程图

Step 1: Create an internal-facing NLB instance

Log on to the NLB console.
In the top navigation bar, select the region in which the NLB instance is deployed.
On the Instances page, click Create NLB.

On the NLB (Pay-As-You-Go) International Site page, set the parameters described in the following table and click Buy Now.

Parameter	Description
Region	Select the region where you want to create an NLB instance. In this example, China (Hangzhou) is selected.
Network Type	Select a network type for the NLB instance. In this example, Intranet is selected.
IP Version	Select an IP version for the NLB instance. In this example, IPv4 is selected. IPv4: If you select this option, the NLB instance can be accessed only by IPv4 clients. Dual-stack Networking: If you select this option, the NLB instance can be accessed by IPv4 and IPv6 clients.
VPC	Select a VPC where you want to deploy the NLB instance. In this example, VPC 2 is selected.
Zone	Select the zones where you want to deploy the NLB instance. You must select at least two zones. In this example, Hangzhou Zone G, a vSwitch in Hangzhou Zone G, Hangzhou Zone K, and a vSwitch in Hangzhou Zone K are selected.
Instance Name	Enter a name for the NLB instance.
Resource Group	Select the resource group to which the NLB instance belongs. In this example, Default Resource Group is selected.
Service-linked Role	You must click Create Service-linked Role to create a service-linked role when you create an NLB instance for the first time.

Step 2: Create a backend server group for the NLB instance

In the left-side navigation pane, choose NLB > Server Group.
In the top navigation bar, select the region where the NLB instance is deployed. In this example, China (Hangzhou) is selected.
On the Server Group page, click Create Server Group.

In the Create Server Group dialog box, set the parameters described in the following table and click Create.

The following table describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see Create and manage a server group.

Parameter	Description
Server Group Type	Select the type of the server group that you want to create. In this example, Server Type is selected.
Server Group Name	Enter a name for the server group. In this example, `RS 1` is entered.
VPC	Select the VPC to which the backend server group belongs. In this example, VPC 2 is selected.
Backend Server Protocol	Select a backend protocol. In this example, TCP is selected.
Scheduling Algorithm	Select a scheduling algorithm. In this example, Weighted Round-Robin is selected by default.
IPv6 Support	Specify whether to enable IPv6. If you enable IPv6, you can add IPv4 and IPv6 backend servers to the server group. If you do not enable IPv6, you can add only IPv4 backend servers to the server group. Note If IPv6 is disabled for the VPC that you select for the server group, IPv6 is disabled for the server group by default.
Enable Connection Draining	After connection draining is enabled, connections to backend servers remain open during the specified period of time even if the backend servers are removed or the backend servers fail health checks. Connection Draining Timeout Period: If you enable connection draining, you must specify a timeout period. In this example, connection draining is disabled by default.
Client IP Preservation	Specify whether to enable client IP preservation. After client IP preservation is enabled, backend servers can retrieve client IP addresses. In this example, client IP preservation is enabled by default.
Enable All-port Forwarding	Specify whether to enable all-port forwarding. After all-port forwarding is enabled, you do not need to specify a port when you add a backend server. The NLB instance forwards requests to a backend server based on the frontend port. Note If you enable all-port forwarding for your listener, you must enable this feature for the backend server group. In this example, all-port forwarding is disabled by default.
Configure Health Check	Specify whether to enable the heath check feature. In this example, the health check feature is enabled by default.

After you create the server group, find RS 1 on the Server Groups page and click its ID.
Click the Backend Servers tab and click Add Backend Server.
In the Add Backend Server panel, select ECS 03 and ECS 04 and click Next.
Set the ports and weights of ECS 03 and ECS 04. In this example, port 80 and the default weight 100 are set for the instances. Then, click OK.

Step 3: Configure a listener

In the left-side navigation pane, choose NLB > Instances.
On the Instances page, find the NLB instance that you want to manage and click its ID.
Click the Listener tab. On the Listener tab, click Create Listener.

On the Configure Listener wizard page, set the following parameters and click Next.

The following table describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see Add a TCP listener.

Parameter	Description
Listener Protocol	Select a listening protocol. In this example, TCP is selected.
Listen by Port Range	Specify whether to enable listening by port range. If you enable this feature, the NLB instance listens on all ports in a specific port range, and redirects requests destined for the ports to the backend servers. In this example, listening by port range is disabled by default.
Listener Port	Specify the listening port that is used to receive and process requests. In this example, `80` is entered.
Listener Name	Enter a name for the listener.

On the Select Server Group wizard page, select RS 1 that you created in Step 2 and click Next.
On the Configuration Review wizard page, confirm the configurations and click Submit.
In the NLB Configuration Wizard message, click OK to return to the Instances page.
If the health check status of the listener is Healthy, ECS 03 and ECS 04 can process requests that are forwarded by the NLB instance.

Step 4: Create an endpoint service

Log on to the endpoint service console.
In the top navigation bar, select the region where you want to create an endpoint service. In this example, China (Hangzhou) is selected.
On the Endpoints Service page, click Create Endpoint Service.

On the Create Endpoint Service page, set the following parameters of the endpoint service and click OK.

The following table describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see Create and manage endpoint services.

Parameter	Description
Service Resource Type	Select the type of the service resource that you want to add to the endpoint service. In this example, NLB is selected.
Select Service Resource	Select the zones where the service resource is deployed and then select the service resource. In this example, Hangzhou Zone G is selected. Then, click +Add Service Resource and select Hangzhou Zone K. For Hangzhou Zone G and Hangzhou Zone K, select the NLB instance created in Step 1 as the service resource.
Automatically Accept Endpoint Connections	Specify whether the endpoint service automatically accepts connection requests from endpoints. In this example, No is selected.
Enable Zone Affinity	Specify whether to first resolve the domain name of the nearest endpoint that is associated with the endpoint service. In this example, No is selected.
Resource Group	Select the resource group to which the endpoint service belongs.
Description	Enter a description for the endpoint service.

Step 5: Create an endpoint

Log on to the endpoint console.
In the top navigation bar, select the region where you want to create an endpoint. In this example, China (Hangzhou) is selected.
On the Endpoints page, click the Interface Endpoint tab, and click Create Endpoint.

On the Create Endpoint page, set the parameters described in the following table and click OK.

The following table describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see Create and manage endpoints.

Parameter	Description
Endpoint Name	Enter a name for the endpoint.
Endpoint Type	Select a type for the endpoint that you want to create. In this example, Interface Endpoint is selected.
Endpoints Service	Select the endpoint service that you want to associate. In this example, Select Service is clicked, and the endpoint service that is created in Step 4 is selected.
VPC	Select the VPC to which the endpoint belongs. In this example, VPC 1 is selected.
Security Groups	Select the security group that you want to associate with the elastic network interface (ENI) of the endpoint. The security group is used to control data transfer from VPC 1 to the endpoint ENI. Note Make sure that the rules in the security group allow clients to access the endpoint ENI. By default, you can add an endpoint to up to five security groups.
Zone and vSwitch	Select the zone of the endpoint service and select a vSwitch in the zone. The system automatically creates an endpoint ENI and attaches it to the vSwitch. In this example, Hangzhou Zone G and a vSwitch in the zone are selected. Then, click +Add vSwitch, select Hangzhou Zone K, and then select a vSwitch in the zone.
Resource Group	Select the resource group to which the endpoint belongs.

After you create the endpoint, you can view the domain names and IP addresses of the zones.

Step 6: Accept connection requests

To establish an endpoint connection, the endpoint service must accept the connection requests from the associated endpoint. Then, VPC 1 can use the endpoint to access the endpoint service.

Note

Skip this step if you set the Automatically Accept Endpoint Connections parameter to Yes in Step 4.

Log on to the endpoint service console.
In the top navigation bar, select the region where you want to create an endpoint service. In this example, China (Hangzhou) is selected.
On the Endpoints Service page, find the endpoint service that you created in Step 4 and click its ID.
On the details page of the endpoint service, click the Endpoint Connections tab, find the endpoint that you want to manage, and then click Allow in the Actions column.
In the Allow Connection dialog box, select Allow connections and automatically allocate service resources. and click OK.
After the connection requests are accepted, the state of the endpoint connection changes from Disconnected to Connected. Then, the endpoint service can process requests from the endpoint. You can use the domain names and IP addresses of the zones that are generated in Step 5 to access the endpoint service.

Step 7: Test the network connectivity

After you complete the preceding operations, VPC 1 can access VPC 2 over private connections. The following section describes how to test the network connectivity.

Note

In this example, the Alibaba Cloud Linux operating system is installed on the ECS instances. For more information about how to test the network connectivity of servers that run other operating systems, refer to the user guides of the operating systems.

Check whether ECS 01 in VPC 1 can access the services on ECS 03 in VPC 2.
1. Log on to ECS 01. For more information, see Connection method overview.
2. Run the cURL command on the terminal of ECS 01 by using the domain name or IP address of the zone for the endpoint to test the connectivity.
  In this example, the domain name or IP address of Zone G that is generated in Step 5 is entered.
  The test result shows that ECS 01 can access the services deployed on ECS 03.
Check whether ECS 02 in VPC 1 can access the services on ECS 04 in VPC 2.
1. Log on to ECS 02.
2. Run the cURL command on the terminal of ECS 02 by using the domain name or IP address of the zone for the endpoint to test the connectivity.
  In this example, the domain name or IP address of Zone K that is generated in Step 5 is entered.
  The test result shows that ECS 02 can access the services deployed on ECS 04.

References

CreateVpcEndpoint: creates an endpoint.
CreateVpcEndpointService: creates an endpoint service.
AttachResourceToVpcEndpointService: adds a service resource to an endpoint service.
EnableVpcEndpointConnection: accepts endpoint connection requests.