Create and manage endpoint services - PrivateLink - Alibaba Cloud Documentation Center

PrivateLink allows you to specify Classic Load Balancer (CLB) and Application Load Balancer (ALB) instances as the service resources of endpoint services. This topic describes how to create a Server Load Balancer (SLB) instance that supports PrivateLink. This topic also describes how to create or manage an endpoint service and specify the created SLB instance as a service resource of the endpoint service to allow private access from other virtual private clouds (VPCs).

Limits

The CLB instance that you create to support PrivateLink must be an internal-facing CLB instance that supports only the VPC network type.
The ALB instance that you create to support PrivateLink must be an internal-facing ALB instance that uses a fixed IP address.
Make sure that the region and zone where you want to deploy an endpoint service support PrivateLink and SLB instances. For more information about the regions and zones that support PrivateLink and SLB instances, see the following topics:
When you select a zone for an endpoint service, select the zone in which the CLB or ALB instance is deployed.

Operations

Create an SLB instance
Create an endpoint service
Modify the basic information about an endpoint service
Delete an endpoint service
(Optional) Add tags to an endpoint service

Prerequisites

PrivateLink is activated. If this is the first time that you use PrivateLink, go to the activation page to activate PrivateLink.
The VPC where a CLB instance or an ALB instance resides is created. A vSwitch is created in the corresponding zone of the VPC. For more information, see Create a VPC and a vSwitch.
Note Make sure that the vSwitch resides in the same zone of the same region as the CLB or ALB instance.

Create an SLB instance

PrivateLink allows you to specify CLB and ALB instances as the service resources of endpoint services. You can select appropriate SLB products based on your business requirements.

Create a CLB instance

Log on to the CLB console.
On the Instances page, click Create CLB.

On the buy page, set the following parameters of the CLB instance that supports PrivateLink, click Buy Now, and then complete the payment.


Parameter	Description
SLB region no	Select the region where you want to create the CLB instance. Note Make sure that the CLB instance and the Elastic Compute Service (ECS) instances that you want to specify as backend servers belong to the same region.
Zone Type	Specify whether you want to deploy the CLB instance in one zone or across multiple zones. Default value: Multi-zone.
Primary Zone	Select a primary zone for the CLB instance to distribute network traffic.
Backup Zone	Select a secondary zone for the CLB instance. The secondary zone distributes network traffic only when the primary zone is unavailable.
Instance Name	Enter a name for the CLB instance.
SLB instance	Create an Internet-facing or internal-facing CLB instance based on your business requirements. The system allocates a public IP address or a private IP address to the CLB instance based on the specified instance type. In this example, Intranet is selected.
Instance Billing Method	Select a billing method for the instance. Valid values: Pay-By-Specification Pay-By-CLCU In this example, select Pay-By-Specification.
Specification	Select the specifications of the CLB instance. CLB instances of different specifications provide varied features. For more information, see CLB overview.
Network Type	Select the network type of the CLB instance. In this example, VPC is selected.
IP Version	Select the IP version of the CLB instance. In this example, select IPv4.
Feature	Select the feature type of the CLB instance. Default value: Standard.
VPC ID	Select the VPC that you created.
Vswitch ID	Select a vSwitch in the selected VPC.
Internet Metering Method	Select a metering method for Internet traffic. Internet-facing CLB instances support the following metering methods: By traffic: the pay-by-data-transfer metering method. By bandwidth: the pay-by-bandwidth metering method. Default value: By traffic. Note Internet-facing CLB instances are billed on a pay-by-data-transfer basis. You are not charged data transfer fees for internal-facing CLB instances.
Resource Group	Select the resource group to which the CLB instance belongs.
Quantity	Specify the number of CLB instances that you want to purchase.

After you create the CLB instance, you can create backend servers and configure listeners for the instance to process the requests from the client. This topic provides only the configuration steps of an endpoint service. For more information about how to create backend servers and configure listeners, see Configure a CLB instance.

Create an ALB instance

Log on to the ALB console.
On the Instances page, click Create ALB.

On the buy page, set the following parameters of the ALB instance that supports PrivateLink, click Buy Now, and then complete the payment.


Parameter	Description
Region	Select the region where you want to create the ALB instance.
Network Type	Select the network type of the ALB instance. The system allocates a public IP address or private IP address to the ALB instance based on the selected network type. In this example, Internal is selected.
VPC	Select the VPC that you created.
Zone	Select the zone where the ALB instance resides. Select at least two zones for the ALB instance. Select an existing vSwitch for each selected zone.
IP Mode	Select the type of the IP address that is used by the ALB instance. In this example, Static IP is selected.
IP Version	Select an IP version for the ALB instance. IPv4: If you select this option, the ALB instance can be accessed only by IPv4 clients. Dual-stack Networking: If you select this option, the ALB instance can be accessed by both IPv4 and IPv6 clients. Note The dual-stack feature is not available by default. To use the feature, log on to the Quota Center console. On the Whitelist Quotas page, enter the quota ID `slb_user_visible_gray_label/support_ipv6`, and click Apply. For more information about regions in which dual-stack is supported, see Overview of ALB instances. If you want to enable both IPv4 and IPv6, you must enable IPv6 for the vSwitches in the zones of the VPC. If dual-stack is enabled for ALB, ALB can forward requests from both IPv4 and IPv6 clients to the backend servers. Dual-stack ALB instances can forward requests from IPv6 clients to backend IPv4 services of the following types: ECS, elastic network interface (ENI), Elastic Container Instance, and IP. Backend services of the Function Compute type are not supported. Dual-stack ALB instances can forward requests from IPv6 clients to backend IPv6 services of the following types: ECS, ENI, and Elastic Container Instance. Backend services of the Function Compute and IP types are not supported. You cannot enable access control for listeners of dual-stack ALB instances. You cannot upgrade existing IPv4 ALB instances to dual-stack ALB instances. You can only create dual-stack ALB instances.
Edition	Select an edition for the ALB instance. Basic: Basic ALB instances support basic routing features such as request forwarding based on domain names, URLs, and HTTP headers. Standard: Standard ALB instances support advanced routing features in addition to the features of basic ALB instances. Standard ALB instances support custom TLS security policies, redirects, and rewrites. WAF Enabled: As an upgrade from standard ALB instances, WAF-enabled ALB instances are integrated with Web Application Firewall (WAF) 3.0 to protect your web applications. Network traffic is filtered by WAF before it is routed to ALB listeners. Note For more information about how to integrate the ALB instance with Web Application Firewall (WAF) 3.0, see Activate and manage WAF-enabled ALB instances. For more information about the differences among basic ALB instances, standard ALB instances, and WAF-enabled ALB instances, see Functions and features.
Instance Name	Enter a name for the ALB instance.
Resource Group	Select the resource group to which the ALB instance belongs.

After you create the ALB instance, you can create backend servers and configure listeners for the instance to process the requests from the client. This topic provides only the configuration steps of an endpoint service. For more information about how to create backend servers and configure listeners, see Create a backend server group and configure a listener.

Create an endpoint service

Log on to the endpoint service console.
In the top navigation bar, select the region where you want to create an endpoint service.
On the Endpoints Service page, click Create Endpoint Service.

On the Create Endpoint Service page, set the following parameters and click OK.


Parameter	Description
Select Service Resource	Select the zone where network traffic is distributed. After you select a zone, select an existing SLB instance that you want to associate with the endpoint service. You can click Add Resource from Another Zone to add service resources from multiple zones. Note A CLB instance can serve as a service resource only in the zone in which the vSwitch of the CLB instance resides. An ALB instance can serve as a service resource across multiple zones.
Automatically Accept Endpoint Connections	Select whether the endpoint service automatically accepts connection requests from endpoints. Yes: The endpoint service automatically accepts all connection requests from endpoints. If you select this option, the endpoint service can be accessed by using endpoints. No: The endpoint connection of the endpoint service is in the Disconnected state. In this case, connection requests to the endpoint service must be manually accepted or rejected by the service provider. If the service provider accepts a connection request from an endpoint, the endpoint service can be accessed by using the endpoint. If the service provider rejects a connection request from an endpoint, the endpoint service cannot be accessed by using the endpoint.
Whether to Enable Zone Affinity	Select whether to first resolve the domain name of the nearest endpoint that is associated with the endpoint service. Yes: Among all endpoints that are associated with the endpoint service, the domain name of the nearest endpoint is resolved first. No: Among all endpoints that are associated with the endpoint service, the domain name of the nearest endpoint is not resolved first.
Resource Group	Select the resource group to which the endpoint service belongs.
Description	Enter a description for the endpoint service. You can leave this field empty or enter a description that is 2 to 256 characters in length. The description cannot start with `http://` or `https://`.

Modify the basic information about an endpoint service

You can modify the basic information about an endpoint service. For example, you can modify the description, default peak bandwidth, and settings about whether to automatically accept connection requests from endpoints and whether to enable zone affinity.

Log on to the endpoint service console.
In the top navigation bar, select the region where you want to create an endpoint service.
On the Endpoints Service page, find the endpoint service that you want to modify, and click the ID of the endpoint service.

On the page that appears, modify the basic information about the endpoint service as needed in the Information section. The following table describes the configuration items that can be modified in the Information section.


Parameter	Description
Whether to Automatically Accept Connections	Specify whether the endpoint service automatically accepts connection requests from endpoints. Click Enable or Disable next to Whether to Automatically Accept Connections. In the dialog box that appears, click OK.
Whether to Enable Zone Affinity	Specify whether the domain name of the nearest endpoint that is associated with the endpoint service is resolved first. Click Enable or Disable next to Whether to Enable Zone Affinity. In the dialog box that appears, click OK.
Description	Click Edit next to Description. In the dialog box that appears, enter a new description and click OK.
Default Speed Limit	Specify the default peak bandwidth of the endpoint service. Click Modify next to Default Speed Limit. In the Set Default Speed Limit dialog box, enter a new value in the Adjust Speed Limit field and click OK.

Delete an endpoint service

You can delete an endpoint service that you no longer need. After you delete the endpoint service, the SLB instances that are associated with the endpoint service in the corresponding VPC are still retained.

Warning After you delete an endpoint service, other VPCs will be unable to access the service resources of the endpoint service over private connections. Exercise caution when you perform this operation.

Before you delete an endpoint service, make sure that the following requirements are met:

Connection requests from the endpoints that are associated with the endpoint service are rejected. For more information, see Reject endpoint connection requests.
Service resources that are added to the endpoint service are removed. For more information, see Delete a service resource.

Log on to the endpoint service console.
In the top navigation bar, select the region where you want to create an endpoint service.
On the Endpoints Service page, find the endpoint service that you want to delete, and click Delete in the Actions column.
In the dialog box that appears, click OK.

(Optional) Add tags to an endpoint service

As the number of endpoint services increases, it becomes more difficult for you to manage endpoint services. You can use tags to group endpoint services. In this way, you can efficiently search for and filter endpoint services.

Tags are used to classify instances. Each tag consists of a key-value pair. To use tags, make sure that the following requirements are met:

The key of each tag that is added to an Internet NAT gateway must be unique.
You cannot create tags without adding them to Internet NAT gateways. All tags must be added to Internet NAT gateways.
Tag information is not shared across regions.
For example, tags created in the China (Hangzhou) region are not displayed in the China (Shanghai) region.
You can modify the key and value of a tag or remove a tag from an Internet NAT gateway. If you delete an Internet NAT gateway, the tags that are added to the Internet NAT gateway are deleted.
You can add up to 20 tags to each Internet NAT gateway. This limit cannot be increased.

Log on to the endpoint service console.
In the top navigation bar, select the region where you want to create an endpoint service.
On the Endpoints Service page, find the endpoint service to which you want to add a tag, move the pointer over the icon in the Tags column, and click Edit.

In the Configure Tags dialog box, specify the key and value based on the following table and click OK.


Parameter	Description
Tag Key	The key of the tag. You can select or enter a key. The key cannot exceed 64 characters in length and cannot start with `aliyun` or `acs:`. The key cannot contain `http://` or `https://`.
Tag Value	The value of the tag. You can select or enter a value. The value cannot exceed 128 characters in length and cannot start with `aliyun` or `acs:`. The value cannot contain `http://` or `https://`.

Return to the Endpoints Service page and click Filter by Tag. In the filter section, search for an endpoint service based on a tag key and a tag value.

References

CreateVpcEndpointService: creates an endpoint service.
UpdateVpcEndpointServiceAttribute: modifies the attributes of an endpoint service.
DeleteVpcEndpointService: deletes an endpoint service.