PrivateLink allows you to specify Network Load Balancer (NLB) instances as the service resources of endpoint services. This topic describes how to use PrivateLink to allow an NLB instance in a virtual private cloud (VPC) to provide services for another VPC that belongs to the same Alibaba Cloud account.

Background information

NLB instances receive requests from clients and forward requests to backend servers based on the forwarding rules that you configure for listeners. After you specify an NLB instance as a service resource of an endpoint service, the NLB instance can provide services across multiple zones. You do not need to configure an NLB instance for each zone.

The following scenario is an example. A company creates two VPCs in the China (Hangzhou) region with an Alibaba Cloud account (Account A). The VPCs are referred to as VPC 1 and VPC 2. In addition, the company creates two Elastic Compute Service (ECS) instances in each VPC. The ECS instances in VPC 1 are referred to as ECS 01 and ECS 02. The ECS instances in VPC 2 are referred to as ECS 03 and ECS 04. Different NGINX services are deployed on the ECS instances in VPC 2. Due to business growth, the ECS instances in VPC 1 require access to the services that are deployed on ECS instances in VPC 2 over a private network.

You can perform the following operations to achieve this purpose:
  1. Create an NLB instance in VPC 2. Make sure that the NLB instance is deployed across Hangzhou Zone G and Hangzhou Zone K.
  2. Create a backend server group (RS 1) for the NLB instance and add ECS 03 and ECS 04 to the backend server group.
  3. Create an endpoint service and specify the NLB instance as the service resource of the endpoint service.
  4. Create an endpoint in VPC 1 and connect the endpoint to the endpoint service.
If the status of the connection is normal, the ECS instances in VPC 1 can access the services that are deployed on the ECS instances in VPC 2.

Architecture

Limits

  • When you create an endpoint service, select a region that supports PrivateLink and NLB instances. For more information about the regions that support PrivateLink and the regions that support NLB instances, see Regions and zones that support PrivateLink and Regions that support NLB.
  • A connection can be established between an endpoint and an endpoint service only if they are deployed in the same zone. The zones where endpoints are deployed must be a subset of the zones where the service resources of endpoint services are deployed. Therefore, we recommend that you select all zones or as many zones as possible in a region when you deploy the service resources of endpoint services. In this way, different endpoints can access the service resources.
  • By default, PrivateLink cannot be accessed over IPv6. If you need to access PrivateLink over IPv6, contact your account manager.

Prerequisites

  • VPC 1 and VPC 2 are created in the China (Hangzhou) region. Two vSwitches are created in VPC 1: one in Zone G and the other in Zone K. Another two vSwitches are created in VPC 2: one in Zone G and the other in Zone K. For more information, see Create a VPC and a vSwitch.
  • Two ECS instances (ECS 01 and ECS 02) are created in VPC 1 to send connection requests. ECS 01 is deployed in Zone G and ECS 02 is deployed in Zone K. Two ECS instances (ECS 03 and ECS 04) are created in VPC 2 to receive and process connection requests. ECS 03 is deployed in Zone G and ECS 04 is deployed in Zone K. Different NGINX services are deployed on ECS 03 and ECS 04. For more information about how to create ECS instances and deploy NGINX services, see Create an instance by using the wizard and Manually build an LNMP environment on an Alibaba Cloud Linux 2 instance.
  • A security group is created in VPC 1. You can configure security group rules based on your requirements for business and security. For more information, see Create a security group.
    Note ECS 03 and ECS 04 in VPC 2 use the default security group, which is created by the system when the ECS instances are created.
The following table describes how the networks of the two VPCs are planned in this example. Your service is not adversely affected if the CIDR blocks of your VPCs overlap with each other.
Region
  • VPC 1: China (Hangzhou)
  • VPC 2: China (Hangzhou)
CIDR block
  • VPC 1: VPC 10.0.0.0/8; vSwitch 1 10.0.23.0/24; vSwitch 2 10.0.24.0/24
  • VPC 2: VPC 192.168.0.0/16; vSwitch 3 192.168.2.0/24; vSwitch 4 192.168.4.0/24
vSwitch zone
  • VPC 1: vSwitch 1 in Zone G; vSwitch 2 in Zone K
  • VPC 2: vSwitch 3 in Zone G; vSwitch 4 in Zone K
ECS instance IP address
  • VPC 1: ECS 01 in Zone G 10.0.23.68; ECS 02 in Zone K 10.0.24.227
  • VPC 2: ECS 03 in Zone G 192.168.2.190; ECS 04 in Zone K 192.168.4.20

Procedure

Flowchart

Step 1: Create an internal-facing NLB instance

  1. Log on to the NLB console.
  2. In the top navigation bar, select the region where the NLB instance is deployed.
  3. On the Instances page, click Create NLB.
  4. On the NLB (Pay-As-You-Go) International Site page, set the following parameters of the NLB instance and click Buy Now.
    Region: Select the region where you want to create the NLB instance. For this example, select China (Hangzhou).
    Network Type: Select a network type. For this example, select Intranet.
    IP Version: Select an IP version for the NLB instance.
    • IPv4: If you select this option, the NLB instance can be accessed only by IPv4 clients.
    • Dual-stack Networking: If you select this option, the NLB instance can be accessed by both IPv4 and IPv6 clients.
    VPC: Select the VPC where you want to deploy the NLB instance. For this example, select VPC 2.
    Zone: Select the zones where you want to deploy the NLB instance. You must select at least two zones. For this example, select Hangzhou Zone G, a vSwitch in Hangzhou Zone G, Hangzhou Zone K, and a vSwitch in Hangzhou Zone K.
    Instance Name: Enter a name for the NLB instance.
    Resource Group: Select the resource group to which the NLB instance belongs. For this example, select Default Resource Group.
    Service-linked Role: When you create an NLB instance for the first time, you must click Create Service-linked Role to create a service-linked role.

Step 2: Create a backend server group for the NLB instance

  1. In the left-side navigation pane, choose NLB > Server Groups.
  2. In the top navigation bar, select the region where the NLB instance is deployed. For this example, select China (Hangzhou).
  3. On the Server Groups page, click Create Server Group.
  4. In the Create Server Group dialog box, set the following parameters and click Create.
    Server Group Type: Select the type of the server group that you want to create. For this example, select Server Type.
    Server Group Name: Enter a name for the server group. For this example, enter RS 1.
    VPC: Select the VPC to which the backend server group belongs. For this example, select VPC 2.
    Backend Server Protocol: Select a backend protocol. For this example, select TCP.
    Scheduling Algorithm: Select a scheduling algorithm. For this example, keep the default, Weighted Round-Robin.
    IPv6 Support: Specify whether to enable IPv6.
    • If you enable IPv6, you can add IPv4 and IPv6 backend servers to the server group.
    • If you do not enable IPv6, you can add only IPv4 backend servers to the server group.
    Note If IPv6 is disabled for the VPC that you select for the server group, IPv6 is disabled for the server group by default.
    Enable Connection Draining: After connection draining is enabled, existing connections to backend servers remain open for the specified period of time even if the backend servers are removed or fail health checks.
    Connection Draining Timeout Period: If you enable connection draining, you must specify a timeout period.
    In this example, connection draining is disabled by default.
    Client IP Preservation: Specify whether to enable client IP preservation. After client IP preservation is enabled, backend servers can retrieve client IP addresses.
    In this example, client IP preservation is enabled by default.
    Enable All-port Forwarding: Specify whether to enable all-port forwarding. After all-port forwarding is enabled, you do not need to specify a port when you add a backend server. The NLB instance forwards requests to a backend server based on the frontend port.
    Note If you enable Listen by Port Range for your listeners, you must enable this feature for the backend server group.
    In this example, all-port forwarding is disabled by default.
    Configure Health Check: Specify whether to enable health checks.
    In this example, health checks are enabled by default.
    Advanced Settings: After health checks are enabled, you can modify Advanced Settings based on your business requirements. For this example, use the default advanced settings.
  5. After you create the backend server group, find RS 1 on the Server Groups page and click its ID.
  6. Click the Backend Servers tab and click Add Backend Server.
  7. In the Add Backend Server panel, select ECS 03 and ECS 04 and click Next.
  8. Set the ports and weights of ECS 03 and ECS 04. In this example, port 80 and the default weight 100 are set for the ECS instances. Then, click OK.

Step 3: Configure a listener

  1. In the left-side navigation pane, choose NLB Instances.
  2. On the Instances page, find the NLB instance that you want to manage and click its ID.
  3. Click the Listener tab. On the Listener tab, click Create Listener.
  4. On the Configure Listener wizard page, set the following parameters and click Next.
    Listener Protocol: Select a listening protocol. For this example, select TCP.
    Listen by Port Range: Specify whether to enable listening by port range. After listening by port range is enabled, the NLB instance listens on all ports that fall within the specified port range and forwards requests destined for those ports to the backend servers. In this example, listening by port range is disabled by default.
    Listener Port Range: Specify the listening port that is used to receive and process requests. For this example, enter 80.
    Listener Name: Enter a name for the listener.
    Advanced Settings: You can click Modify to modify the advanced settings. For this example, use the default advanced settings.
  5. On the Select Server Group wizard page, select RS 1 created in Step 2. Then, click Next.
  6. On the Configuration Review wizard page, confirm the configurations and click Submit.
  7. In the NLB Configuration Wizard message, click OK. Then, return to the Instances page.
    If the health check status of the listener is Healthy, ECS 03 and ECS 04 can process requests that are forwarded by the NLB instance.

Step 4: Create an endpoint service

  1. Log on to the endpoint service console.
  2. In the top navigation bar, select the region where you want to create an endpoint service. In this example, select China (Hangzhou).
  3. On the Endpoints Service page, click Create Endpoint Service.
  4. On the Create Endpoint Service page, set the following parameters of the endpoint service and click OK.
    Service Resource Type: Select the type of the service resource that you want to add to the endpoint service. For this example, select NLB.
    Select Service Resource: Select the zones where the service resource is deployed and then select the service resource.
    For this example, select Hangzhou Zone G. Then, click +Add Resource from Another Zone and select Hangzhou Zone K. For both Hangzhou Zone G and Hangzhou Zone K, select the NLB instance created in Step 1 as the service resource.
    Automatically Accept Endpoint Connections: Specify whether the endpoint service automatically accepts connection requests from endpoints. For this example, select No.
    Enable Zone Affinity: Specify whether to first resolve the domain name of the nearest endpoint that is associated with the endpoint service. For this example, select No.
    Resource Group: Select the resource group to which the endpoint service belongs.
    Description: Enter a description for the endpoint service.

Step 5: Create an endpoint

  1. Log on to the endpoint console.
  2. In the top navigation bar, select the region where you want to create an endpoint. Select China (Hangzhou) in this example.
  3. On the Endpoints page, click the Interface Endpoint tab and click Create Endpoint.
  4. On the Create Endpoint page, set the following parameters of the endpoint and click OK.
    Endpoint Name: Enter a name for the endpoint.
    Endpoint Type: Select the type of the endpoint that you want to create. For this example, select Interface Endpoint.
    Endpoints Service: You can associate the endpoint with an endpoint service in one of the following ways:
    • Click Add by Instance Name and enter the name of an endpoint service.
    • Click Select Service and select the ID of an endpoint service.
    For this example, click Select Service and select the endpoint service that is created in Step 4.
    VPC: Select the VPC to which the endpoint belongs. For this example, select VPC 1.
    Security Groups: Select the security group that you want to associate with the elastic network interface (ENI) of the endpoint. The security group controls the traffic that clients in VPC 1 can send to the endpoint ENI.
    Note Make sure that the rules in the security group allow clients to access the endpoint ENI.
    Zone and vSwitch: Select the zone of the endpoint service and select a vSwitch in the zone. The system automatically creates an endpoint ENI and attaches it to the vSwitch.
    For this example, select Hangzhou Zone G and a vSwitch in the zone. Then, click +Add vSwitch, select Hangzhou Zone K, and then select a vSwitch in the zone.
    Resource Group: Select the resource group to which the endpoint belongs.
    Description: Enter a description for the endpoint.

    After you create the endpoint, you can view the domain names and IP addresses of the zones.

Step 6: Accept connection requests

To establish an endpoint connection, the endpoint service must accept the connection requests from the associated endpoint. Then, VPC 1 can use the endpoint to access the endpoint service.
Note Skip this step if you set the Automatically Accept Endpoint Connections parameter to Yes in Step 4.
  1. Log on to the endpoint service console.
  2. In the top navigation bar, select the region where you want to create an endpoint service. In this example, select China (Hangzhou).
  3. On the Endpoints Service page, find the endpoint service created in Step 4 and click its ID.
  4. On the details page of the endpoint service, click the Endpoint Connections tab, find the endpoint that you want to manage, and then click Allow in the Actions column.
  5. In the Allow Connection dialog box, select Allow connections and automatically allocate service resources, and click OK.
  6. After the connection requests are accepted, the state of the endpoint connection changes from Disconnected to Connected. Then, the endpoint service can process requests from the endpoint. You can use the domain names and IP addresses of the zones that are generated in Step 5 to access the endpoint service.

Step 7: Test the network connectivity

After you perform the preceding operations, VPC 1 can access VPC 2 over private connections. The following section describes how to test the network connectivity.
Note In this example, the Windows Server 2012 operating system is installed on ECS 01 and ECS 02. The Alibaba Cloud Linux operating system is installed on ECS 03 and ECS 04. For more information about how to test the network connectivity of servers that run other operating systems, refer to the user guides of the operating systems.
  • Check whether ECS 01 in VPC 1 can access the services that are deployed on ECS 03 in VPC 2.
    1. Log on to ECS 01. For more information, see Guidelines on instance connection.
    2. Open a browser on ECS 01.
    3. Enter the domain name or IP address of Zone G generated in Step 5 in the browser.

    The test result shows that ECS 01 can access the services deployed on ECS 03.

  • Check whether ECS 02 in VPC 1 can access the services that are deployed on ECS 04 in VPC 2.
    1. Log on to ECS 02.
    2. Open a browser on ECS 02.
    3. Enter the domain name or IP address of Zone K generated in Step 5 in the browser.

    The test result shows that ECS 02 can access the services deployed on ECS 04.
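As an added example (not from the original topic), the following script automates the Step 7 check from an ECS instance in VPC 1: it resolves each zone's endpoint domain name, confirms that the address falls inside the VPC 1 vSwitch CIDR block of that zone from the network plan above (so the request really traverses the endpoint ENI rather than another route), and then fetches the NGINX page. The zone domain names are placeholders to be replaced with the values shown after Step 5; the resolver and HTTP fetch are injectable so the logic can be exercised without network access.

```python
import ipaddress
import socket
import urllib.request

# Network plan from the table in this topic: the endpoint ENI for each zone is
# attached to the VPC 1 vSwitch in that zone, so the address a zone domain name
# resolves to must lie inside that vSwitch's CIDR block.
EXPECTED_SUBNET = {
    "Zone G": ipaddress.ip_network("10.0.23.0/24"),  # vSwitch 1
    "Zone K": ipaddress.ip_network("10.0.24.0/24"),  # vSwitch 2
}

# Placeholders (assumed): copy the real zone domain names from the endpoint
# details page after Step 5.
ENDPOINT_DOMAINS = {
    "Zone G": "ZONE_G_ENDPOINT_DOMAIN_PLACEHOLDER",
    "Zone K": "ZONE_K_ENDPOINT_DOMAIN_PLACEHOLDER",
}


def resolves_to_endpoint_eni(ip, zone):
    """True if ip lies in the VPC 1 vSwitch CIDR block of the zone.

    Any other address (stale DNS record, typo, the NLB's own address in
    VPC 2) means the request would not traverse the PrivateLink endpoint.
    """
    return ipaddress.ip_address(ip) in EXPECTED_SUBNET[zone]


def http_get_status(url, timeout=5):
    """Return the HTTP status code of a GET request, or None on failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except OSError:  # URLError and HTTPError are OSError subclasses
        return None


def check_zone(zone, resolve=socket.gethostbyname, fetch=http_get_status):
    """Run the Step 7 check for one zone; resolve and fetch are injectable."""
    domain = ENDPOINT_DOMAINS[zone]
    try:
        ip = resolve(domain)
    except OSError:
        return {"zone": zone, "ip": None, "via_endpoint": False, "status": None, "ok": False}
    via_endpoint = resolves_to_endpoint_eni(ip, zone)
    status = fetch(f"http://{domain}/") if via_endpoint else None
    ok = via_endpoint and status == 200
    return {"zone": zone, "ip": ip, "via_endpoint": via_endpoint, "status": status, "ok": ok}
```

Run check_zone("Zone G") on ECS 01 and check_zone("Zone K") on ECS 02; a result with via_endpoint False tells you the name does not point at the endpoint ENI, while ok False with via_endpoint True points at the security group, listener or backend health.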
