
PrivateLink: Create and manage endpoints

Last Updated: Aug 10, 2023

This topic describes how to create and manage endpoints. You can associate endpoints with endpoint services. This way, you can establish PrivateLink connections between virtual private clouds (VPCs) and other Alibaba Cloud services.

Background information

PrivateLink allows you to establish secure, stable, and private connections between VPCs and other Alibaba Cloud services. Compared with connections over the Internet, PrivateLink connections provide higher security. You can create an endpoint and associate the endpoint with an endpoint service. This way, you can establish PrivateLink connections between a VPC and other Alibaba Cloud services.

Limits

  • PrivateLink is available only in specific regions. For more information, see Regions and zones that support PrivateLink.

  • Only Alibaba Cloud and its ecosystem partners can provide services that support reverse endpoints.

Operations

Prerequisites

Before you create an endpoint, make sure that the following requirements are met:

  • PrivateLink is activated. If this is the first time that you use PrivateLink, go to the activation page to activate PrivateLink as prompted.

  • An endpoint service is created, and at least one service resource is added to the endpoint service. For more information, see Create and manage endpoint services.

  • A VPC that is used to access the endpoint service is created. A vSwitch is created in the zone in which the endpoint service is created. For more information, see the Create a VPC and a vSwitch section of the Create a VPC with an IPv4 CIDR block topic.

  • A security group is created.

    • If you want to create an interface endpoint, you can configure security group rules based on your requirements for business and security. We recommend that you configure the following security group rules:

      • A default inbound rule that allows Internet Control Message Protocol (ICMP) traffic to support operations such as pinging ECS instances.

      • A default inbound rule that allows traffic on SSH port 22 and Remote Desktop Protocol (RDP) port 3389 to access ECS instances.

      • (Optional) An inbound rule that allows traffic on HTTP port 80 and HTTPS port 443. This rule allows the VPC of the endpoint to access the VPC of the endpoint service over HTTP or HTTPS.

    • If you want to create a reverse endpoint, you must configure an inbound rule that allows all traffic. This means that you must allow all CIDR blocks to access all ports over all protocols.

    For more information, see Create a security group.
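To check an existing security group against the two rule sets described above (the recommended inbound rules for an interface endpoint, and the allow-all inbound rule a reverse endpoint requires), the following added example audits a list of rules. It is not Alibaba Cloud code; the rule dicts use a simplified, constructed shape, not the exact ECS API response.

```python
"""Audit a security group's inbound rules against the rule sets recommended
above. Added example, not Alibaba Cloud code; the rule dicts are a simplified,
constructed shape (Direction, IpProtocol, PortRange, SourceCidrIp, Policy)."""
from typing import Dict, List

Rule = Dict[str, str]

# (IpProtocol, PortRange) pairs the topic recommends for an interface endpoint.
# PortRange -1/-1 follows the ECS convention for "every port" (icmp, all).
INTERFACE_REQUIRED = [("icmp", "-1/-1"), ("tcp", "22/22"), ("tcp", "3389/3389")]
ANY_SOURCE = "0.0.0.0/0"

def _covers(rule: Rule, proto: str, port_range: str) -> bool:
    """True if `rule` permits `proto` on the whole of `port_range` (e.g. 22/22)."""
    if rule["IpProtocol"] not in ("all", proto):
        return False
    lo, hi = (int(x) for x in rule["PortRange"].split("/"))
    if (lo, hi) == (-1, -1):  # every port of this protocol
        return True
    want_lo, want_hi = (int(x) for x in port_range.split("/"))
    return lo <= want_lo and want_hi <= hi

def is_allow_all(rule: Rule) -> bool:
    """The rule a reverse endpoint requires: all CIDRs, all ports, all protocols."""
    return (rule["IpProtocol"] == "all" and rule["PortRange"] == "-1/-1"
            and rule["SourceCidrIp"] == ANY_SOURCE)

def audit(rules: List[Rule], endpoint_type: str) -> dict:
    """Report the recommended rules that are missing and whether an allow-all rule exists."""
    inbound = [r for r in rules if r["Direction"] == "ingress" and r["Policy"] == "accept"]
    allow_all = any(is_allow_all(r) for r in inbound)
    if endpoint_type == "reverse":
        # A reverse endpoint needs the allow-all rule; nothing narrower is enough.
        missing = [] if allow_all else [f"all -1/-1 from {ANY_SOURCE}"]
    else:
        missing = [f"{p} {pr}" for p, pr in INTERFACE_REQUIRED
                   if not any(_covers(r, p, pr) for r in inbound)]
    # For an interface endpoint an allow-all rule satisfies every required entry
    # but is far broader than the recommended rules, so it is reported separately.
    return {"ok": not missing, "missing": missing, "allow_all": allow_all}

# Constructed sample: ICMP, SSH and HTTP are open inbound; RDP (3389) is not.
SAMPLE_RULES: List[Rule] = [
    {"Direction": "ingress", "IpProtocol": "icmp", "PortRange": "-1/-1", "SourceCidrIp": ANY_SOURCE, "Policy": "accept"},
    {"Direction": "ingress", "IpProtocol": "tcp", "PortRange": "22/22", "SourceCidrIp": ANY_SOURCE, "Policy": "accept"},
    {"Direction": "ingress", "IpProtocol": "tcp", "PortRange": "80/80", "SourceCidrIp": ANY_SOURCE, "Policy": "accept"},
]
ALLOW_ALL_INBOUND: Rule = {"Direction": "ingress", "IpProtocol": "all", "PortRange": "-1/-1",
                           "SourceCidrIp": ANY_SOURCE, "Policy": "accept"}
```

Running `audit(SAMPLE_RULES, "interface")` reports the missing RDP rule; adding `ALLOW_ALL_INBOUND` satisfies the reverse-endpoint check but is flagged as allow-all when the group is meant for an interface endpoint.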

Create an endpoint

  1. Log on to the endpoint console.
  2. In the top navigation bar, select the region where you want to create an endpoint.

  3. If this is the first time that you use PrivateLink, click Activate Endpoint Service on the Endpoints page.

  4. In the dialog box that appears, read and agree to PrivateLink Terms of Service and click Activate PrivateLink.

  5. On the Endpoints page, you can use one of the following methods to create an endpoint:

    • Click the Interface Endpoint tab, and click Create Endpoint.

    • Click the Reverse Endpoint tab, and click Create Endpoint.

    • Click the Gateway Endpoint tab, and click Create Endpoint.

    Note
    • An interface endpoint allows the service consumer to access the service that is provided by the service provider.

    • A reverse endpoint allows the service provider to access resources in the VPC of the service consumer.

    • A gateway endpoint serves as a virtual gateway device. You can create a gateway endpoint in your VPC for an endpoint service and associate the endpoint with a route table. Then, the system automatically adds a route that points to the gateway endpoint for the VPC route table. This way, your VPC can access the endpoint service. For more information about gateway endpoints, see Gateway endpoints.

    • Endpoints are created and managed by service consumers. Endpoint services are created and managed by service providers.

  6. On the Create Endpoint page, specify the parameters that are described in the following table and click OK.

    The following table describes only the configurations of interface endpoints and reverse endpoints. For more information about the configurations of gateway endpoints, see the Create a gateway endpoint and view the route section of the Gateway endpoints topic.

    Endpoint Name: Enter a name for the endpoint.

    Endpoint Type: Select an endpoint type. Valid values:

    • Interface Endpoint: An interface endpoint allows the service consumer to access the service that is provided by the service provider.

    • Reverse Endpoint: A reverse endpoint allows the service provider to access resources in the VPC of the service consumer.

    Endpoint Service: You can associate an endpoint with an endpoint service by using one of the following methods:

    • Click Add by Instance Name and enter an endpoint service name.

    • Click Select Service and select the ID of the desired endpoint service.

    Note

    You can associate an endpoint with only one endpoint service.

    VPC: Select the VPC where you want to create the endpoint.

    Security Groups: Select the security group that you want to associate with the elastic network interface (ENI) of the endpoint. The security group is used to control data transfer from the VPC to the endpoint ENI.

    Note

    Endpoint ENIs serve as ingresses for VPCs to access endpoint services.

    Zone and vSwitch: Select the zone of the endpoint service and select a vSwitch in the zone. The system automatically creates an endpoint ENI in the vSwitch.

    • You can select one zone of the endpoint service.

      1. Click the icon in the Zone and vSwitch section.

      2. In the message that appears, click OK.

    • You can select multiple zones of the endpoint service. By default, you must select two zones and one vSwitch in each zone. If you want to select more zones, click Add vSwitch.

    Note

    You can select multiple zones to ensure that failover can be quickly performed if one of the zones is down. This ensures high business availability and stability, and prevents service interruptions or data loss.

    Resource Group: Select the resource group to which the endpoint belongs.

    Description: Enter a description for the endpoint.

    Note

    When you create an endpoint for the first time, the system automatically creates a service-linked role for the endpoint. The role allows the endpoint to access other resources. For more information, see Service linked role.

View the domain name or IP address that can be used to access an endpoint service

After you create an interface endpoint, you can use the domain name of the endpoint, the domain name of the zone in which the endpoint is deployed, or the IP address of the zone to access the service resources of the endpoint service.

  1. Log on to the endpoint console.
  2. In the top navigation bar, select the region in which the endpoint is deployed.

  3. On the Interface Endpoint tab of the Endpoints page, find the endpoint that you want to manage, and click the endpoint ID.

  4. On the details page of the endpoint that is used to access the endpoint service, you can view the following information: the domain name of the endpoint, the resource group, the domain name of the zone in which the endpoint is deployed, and the IP address of the zone.

    Note

    For a reverse endpoint, the details page of the endpoint does not display the domain name of the endpoint or the domain name of the zone in which the endpoint is deployed.

Modify the configurations of an endpoint

You can modify the name and description of an endpoint.

  1. Log on to the endpoint console.
  2. In the top navigation bar, select the region in which the endpoint is deployed.

  3. On the Endpoints page, click the Interface Endpoint tab or the Reverse Endpoint tab, find the endpoint that you want to manage, and then click the endpoint ID. For more information about how to modify the configurations of a gateway endpoint, see the More operations section of the Gateway endpoints topic.

    • To modify the name of an endpoint, perform the following steps:

      1. In the Information section, click Edit next to Instance Name.

      2. In the dialog box that appears, enter a new name and click OK.

    • To modify the description of an endpoint, perform the following steps:

      1. In the Information section, click Edit next to Description.

      2. In the dialog box that appears, enter a new description and click OK.

Delete an endpoint

Before you delete an endpoint, you must delete the ENI that is associated with the endpoint. For more information, see Delete the ENI of an endpoint.

Warning

You can delete an endpoint that you no longer need. After you delete the endpoint, the VPC in which the endpoint is deployed cannot access the corresponding endpoint service over PrivateLink connections. Exercise caution when you perform this operation.

  1. Log on to the endpoint console.
  2. In the top navigation bar, select the region in which the endpoint is deployed.

  3. On the Endpoints page, click the Interface Endpoint tab or the Reverse Endpoint tab, find the endpoint that you want to delete, and then click Delete in the Actions column.

  4. In the Delete Endpoint message, click OK.

(Optional) Add a tag to an endpoint

As the number of endpoints increases, it becomes more difficult for you to manage endpoints. You can use tags to group endpoints. In this way, you can efficiently search for and filter endpoints.

Tags are used to classify endpoints. Each tag consists of a key and a value. Before you use tags, take note of the following limits:

  • The keys of tags that are added to the same endpoint must be unique.

  • You can add up to 20 tags to an endpoint.

  • When you create tags, you must add them to endpoints.

  • Tag information is not shared across regions.

    For example, tags created in the China (Hangzhou) region are not displayed in the China (Shanghai) region.

  • You can modify the key and value of a tag or delete a tag of an endpoint. If you delete an endpoint, the tags that are added to the endpoint are also deleted.

  1. Log on to the endpoint console.

  2. In the top navigation bar, select the region in which the endpoint is deployed.

  3. Click Endpoints in the left-side navigation pane. On the Endpoints page, find the endpoint to which you want to add a tag, move the pointer over the tag icon in the Tags column, and then click Edit.

  4. In the Configure Tags dialog box, specify the key and value based on the following table and click OK.
    Tag Key: The key of the tag. You can select or enter a key. The key cannot exceed 64 characters in length, cannot start with aliyun or acs:, and cannot contain http:// or https://.

    Tag Value: The value of the tag. You can select or enter a value. The value cannot exceed 128 characters in length, cannot start with aliyun or acs:, and cannot contain http:// or https://.

  5. Return to the Endpoints page and click Filter by Tag. In the filter section, search for an endpoint based on a tag key and a tag value.
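The tag limits listed above (unique keys per endpoint, at most 20 tags, and the length and content rules for keys and values) can be checked before a tag set is applied. The following added example implements that check; it is not Alibaba Cloud's own validation logic, and the literal (case-sensitive) prefix comparison is an assumption.

```python
"""Validate endpoint tags against the limits listed in this topic (unique keys,
at most 20 tags, key/value length and content rules). Added example; not
Alibaba Cloud's own validation logic, and case handling is an assumption."""
from typing import List, Tuple

MAX_TAGS = 20
MAX_KEY_LEN = 64
MAX_VALUE_LEN = 128
FORBIDDEN_PREFIXES = ("aliyun", "acs:")
FORBIDDEN_SUBSTRINGS = ("http://", "https://")


def check_text(label: str, text: str, max_len: int) -> List[str]:
    """Apply the rules shared by keys and values; returns a list of problems."""
    problems = []
    if len(text) > max_len:
        problems.append(f"{label} {text!r} exceeds {max_len} characters")
    # Literal match, as the topic states the rule (case handling is an assumption).
    if text.startswith(FORBIDDEN_PREFIXES):
        problems.append(f"{label} {text!r} starts with a reserved prefix (aliyun, acs:)")
    if any(s in text for s in FORBIDDEN_SUBSTRINGS):
        problems.append(f"{label} {text!r} contains http:// or https://")
    return problems


def validate_tags(tags: List[Tuple[str, str]]) -> List[str]:
    """Check a proposed tag set for one endpoint; returns every violation found."""
    problems: List[str] = []
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags requested, limit is {MAX_TAGS}")
    seen = set()
    for key, value in tags:
        if key in seen:  # keys must be unique within one endpoint
            problems.append(f"duplicate key {key!r}")
        seen.add(key)
        problems += check_text("key", key, MAX_KEY_LEN)
        problems += check_text("value", value, MAX_VALUE_LEN)
    return problems


# Constructed sample tag sets.
GOOD_TAGS = [("env", "prod"), ("owner", "netsec")]
BAD_TAGS = [("env", "prod"), ("env", "dev"), ("acs:team", "x"),
            ("doc", "https://example.invalid")]
```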
