This topic describes how to create and manage endpoints. You can associate endpoints with endpoint services. This way, you can establish PrivateLink connections between virtual private clouds (VPCs) and other Alibaba Cloud services.

Background information

PrivateLink allows you to establish secure, stable, and private connections between VPCs and other Alibaba Cloud services. Compared with connections over the Internet, PrivateLink provides higher security. You can create an endpoint and associate the endpoint with an endpoint service. This way, you can establish PrivateLink connections between a VPC and other Alibaba Cloud services.

Limits

PrivateLink is available for use only in specific regions. For more information, see Regions and zones that support PrivateLink.

Operations

Prerequisites

Before you create an endpoint, make sure that the following requirements are met:
  • If this is your first time using PrivateLink, log on to the Activation page to activate PrivateLink.
  • An endpoint service is created and at least one service resource is added to the endpoint service. For more information, see Create a CLB instance that supports PrivateLink.
  • A VPC that is used to access the endpoint service is created. A vSwitch is created in the zone in which the endpoint service is created. For more information, see Create a VPC and a vSwitch.
  • A security group is created.
    • If you create an endpoint whose Endpoint Type parameter is set to Interface Endpoint, you can configure security group rules based on your business and security requirements. We recommend that you configure the following security group rules:
      • A default rule that supports Internet Control Message Protocol (ICMP) for operations such as pinging the ECS instance.
      • A default inbound rule that allows traffic on SSH port 22 and Remote Desktop Protocol (RDP) port 3389 to access the ECS instance.
      • Optional. An inbound rule that allows traffic on HTTP port 80 and HTTPS port 443. This rule allows the VPC of the endpoint to access the VPC of the endpoint service over HTTP or HTTPS.
    • If you create an endpoint whose Endpoint Type parameter is set to Reverse Endpoint, you must configure an inbound rule that allows all traffic. This means that you must allow all CIDR blocks to access all ports over all protocols.
    For more information, see Create a security group.
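The security group guidance above lends itself to an automated check before an endpoint is created: an interface endpoint should carry only the recommended rules, and a reverse endpoint must carry an allow-all inbound rule or it will not work. The following checker is an added example, not Alibaba Cloud code; the rule dictionary layout (Direction, Policy, IpProtocol, PortRange, SourceCidrIp) and the sample rule sets are constructed for the example.

```python
# Checker for the endpoint security-group guidance above. Added example, not
# Alibaba Cloud code; the rule dictionaries are a constructed model (Direction,
# Policy, IpProtocol, PortRange "from/to", SourceCidrIp), not an API response.

EXPECTED_INTERFACE = {("icmp", "-1/-1"), ("tcp", "22/22"), ("tcp", "3389/3389")}
OPTIONAL_INTERFACE = {("tcp", "80/80"), ("tcp", "443/443")}

def is_allow_all(rule):
    """True for the rule a reverse endpoint needs: all protocols, ports, sources."""
    return (rule["IpProtocol"].lower() == "all"
            and rule["PortRange"] == "-1/-1"
            and rule["SourceCidrIp"] == "0.0.0.0/0")

def check_rules(endpoint_type, rules):
    """Return (ok, findings) for the accepted inbound rules of a security group."""
    inbound = [r for r in rules
               if r["Direction"] == "ingress" and r["Policy"].lower() == "accept"]
    findings = []
    if endpoint_type == "Reverse":
        # Without the allow-all rule the provider cannot reach the consumer VPC.
        if not any(is_allow_all(r) for r in inbound):
            findings.append("reverse endpoint needs an inbound rule allowing all traffic")
        return (not findings, findings)
    if endpoint_type != "Interface":
        raise ValueError(f"unknown endpoint type: {endpoint_type}")
    seen = set()
    for r in inbound:
        key = (r["IpProtocol"].lower(), r["PortRange"])
        if key in EXPECTED_INTERFACE or key in OPTIONAL_INTERFACE:
            seen.add(key)
        else:  # anything beyond ICMP/22/3389/80/443 widens exposure of the ENI
            findings.append(f"rule wider than recommended: {key[0]} {key[1]} "
                            f"from {r['SourceCidrIp']}")
    for proto, ports in sorted(EXPECTED_INTERFACE - seen):
        findings.append(f"missing recommended rule: {proto} {ports}")
    return (not findings, findings)

def rule(proto, ports, cidr="0.0.0.0/0"):
    """Build one constructed inbound accept rule."""
    return {"Direction": "ingress", "Policy": "Accept", "IpProtocol": proto,
            "PortRange": ports, "SourceCidrIp": cidr}

# Constructed sample rule sets for the two endpoint types.
INTERFACE_RULES = [rule("ICMP", "-1/-1"), rule("TCP", "22/22", "10.0.0.0/8"),
                   rule("TCP", "3389/3389", "10.0.0.0/8"), rule("TCP", "443/443")]
REVERSE_RULES = [rule("ALL", "-1/-1")]
```

Run `check_rules("Interface", INTERFACE_RULES)` or `check_rules("Reverse", REVERSE_RULES)` against a rule set exported from the security group to see whether it matches the guidance before binding it to the endpoint ENI.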

Create an endpoint

  1. Log on to the endpoint console.
  2. In the top navigation bar, select the region where you want to create an endpoint.
  3. On the Endpoints page, you can use one of the following methods to create an endpoint:
    • Click the Interface Endpoint tab, and then click Create Endpoint.
    • Click the Reverse Endpoint tab, and then click Create Endpoint.
    Note
    • An interface endpoint allows the service consumer to access the service that is provided by the service provider. A reverse endpoint allows the service provider to access resources in the VPC of the service consumer.
    • Endpoints are created and managed by service consumers. Endpoint services are created and managed by service providers.
  4. On the Create Endpoint page, set the following parameters and click OK.
    Endpoint Name
      Enter a name for the endpoint. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
    Endpoint Type
      Select an endpoint type. Valid values:
      • Interface Endpoint: An interface endpoint allows the service consumer to access the service that is provided by the service provider.
      • Reverse Endpoint: A reverse endpoint allows the service provider to access resources in the VPC of the service consumer.
    Endpoint Service
      You can associate an endpoint with an endpoint service by using one of the following methods:
      • Click Add by Service Name and enter an endpoint service name.
      • Click Select Service and select the ID of the endpoint service.
      Note You can associate an endpoint with only one endpoint service.
    VPC
      Select the VPC where you want to create the endpoint.
    Security Groups
      Select the security group to be associated with the endpoint elastic network interface (ENI). The security group is used to control data transfer from the VPC to the endpoint ENI.
      Note Endpoint ENIs serve as entries for VPCs to access endpoint services.
    Zone and vSwitch
      Select the zone of the endpoint service and select a vSwitch in the zone. The system automatically creates an endpoint ENI in the vSwitch.
    Description
      Enter a description for the endpoint. The description must be 2 to 256 characters in length, and cannot start with http:// or https://.

    Note When you create an endpoint for the first time, the system automatically creates a service-linked role for PrivateLink. The role allows the endpoint to access other resources. For more information, see Service linked role.

View the domain name or IP address that can be used to access an endpoint service

After you create an interface endpoint, you can use the domain name of the endpoint, the domain name of the zone in which the endpoint is created, or an IP address to access the service resources of the endpoint service.

  1. Log on to the endpoint console.
  2. In the top navigation bar, select the region where the endpoint is created.
  3. On the Endpoints page, click the Interface Endpoint tab.
  4. On the Interface Endpoint tab, find the endpoint that you want to manage and click its ID.
  5. On the details page of the endpoint, you can view the domain name of the endpoint, the domain name of the zone in which the endpoint is created, and the IP address. You can use the domain names and the IP address to access the endpoint service.
    Note If you create a reverse endpoint, PrivateLink does not provide the domain name of the endpoint or the domain name of the zone in which the endpoint is created.

Modify an endpoint

You can modify the name and description of an endpoint.

  1. Log on to the endpoint console.
  2. In the top navigation bar, select the region where the endpoint is created.
  3. On the Endpoints page, click the Interface Endpoint tab or the Reverse Endpoint tab, find the endpoint that you want to manage, and click its ID.
    • To modify the name of an endpoint, perform the following steps:
      1. In the Information section, click Edit next to Instance Name.
      2. In the dialog box that appears, enter a new name and click OK.

        The name must be 2 to 100 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.

    • To modify the description of an endpoint, perform the following steps:
      1. In the Information section, click Edit next to Description.
      2. In the dialog box that appears, enter a new description and click OK.

        The description must be 2 to 256 characters in length, and cannot start with http:// or https://.

Delete an endpoint

You can delete an endpoint that you no longer need. After you delete an endpoint, the VPC in which the endpoint is deployed cannot access endpoint services through PrivateLink.
Note Before you delete an endpoint, you must delete the ENI that is associated with the endpoint. For more information, see Delete the ENI of an endpoint.
  1. Log on to the endpoint console.
  2. In the top navigation bar, select the region where the endpoint is created.
  3. On the Endpoints page, click the Interface Endpoint tab or the Reverse Endpoint tab, find the endpoint that you want to delete, and click Delete in the Actions column.
  4. In the Delete Endpoint message, click OK.