PrivateLink: Manage service resources

Last Updated: Sep 21, 2023

PrivateLink allows you to specify Classic Load Balancer (CLB), Application Load Balancer (ALB), and Network Load Balancer (NLB) instances as the service resources of endpoint services. This topic uses CLB instances as an example to describe how to replace a service resource with another service resource in the same zone to distribute traffic. This method of distributing traffic prevents business interruption caused by overload on the service resource.

Limits

  • By default, the feature of replacing a service resource with another service resource in the same zone is disabled. If you want to enable this feature, log on to the Quota Center console, search for the quota ID privatelink_whitelist/svc_res_mgt_uat, and then click Apply in the Actions column to submit an application.

  • All instances except for the NLB instances that serve as service resources of endpoint services can be replaced by other service resources in the same zone.

  • In the following scenario, the endpoint in VPC 1, and the endpoint service and service resources in VPC 2 must be deployed in the same zone of the same region.

  • To support PrivateLink, the CLB instances that serve as service resources in VPC 2 in the following scenario must be pay-as-you-go internal-facing CLB instances.

Scenarios

In the following scenario, Company A creates VPC 1 and VPC 2 in Zone H of the China (Hangzhou) region with Alibaba Cloud Account A. VPC 1 and VPC 2 can communicate with each other by using PrivateLink. Elastic Compute Service (ECS) instances are created in VPC 2. Different NGINX services are deployed on the ECS instances. CLB 1 and CLB 2 are created in VPC 2. Due to business growth, the company needs to distribute some traffic from CLB 1 to CLB 2 to prevent business interruption due to overload on CLB 1.

Prerequisites

  • VPC 1 and VPC 2 are created in the China (Hangzhou) region, and a vSwitch is created in each VPC. For more information, see Create a VPC and a vSwitch.

  • ECS 03, which is used to send requests, is created in VPC 1. ECS 01 and ECS 02, which are used to receive and process requests, are created in VPC 2. Different NGINX services are deployed on ECS 01 and ECS 02. For more information, see Manually build an LNMP stack on an Alibaba Cloud Linux 2 instance.

  • CLB 1 and CLB 2, which serve as service resources, are created in VPC 2. The CLB instances are deployed in Zone H. For more information about how to create a CLB instance that supports PrivateLink, see Create an internal-facing CLB instance that supports PrivateLink.

  • Listeners are created for CLB 1 and CLB 2. ECS 01 is added as the backend server of CLB 1, and ECS 02 is added as the backend server of CLB 2. For more information, see Configure a CLB instance.

  • An endpoint is created in VPC 1. An endpoint service is created in VPC 2, and uses CLB 1 in Zone H as the service resource. For more information about how to create an endpoint and an endpoint service, see Create an endpoint and an endpoint service.

The following table describes the network planning for VPC 1 and VPC 2. Make sure that the CIDR blocks do not overlap when you plan networks.

| Item | VPC 1 | VPC 2 |
| --- | --- | --- |
| Region | China (Hangzhou) | China (Hangzhou) |
| CIDR block | VPC: 10.10.0.0/16; vSwitch: 10.10.0.0/24 | VPC: 192.168.0.0/16; vSwitch: 192.168.24.0/24 |
| vSwitch zone | Zone H | Zone H |
| ECS instance IP address | ECS 03: 10.10.0.190 | ECS 01: 192.168.24.246; ECS 02: 192.168.24.241 |

Procedure

Step 1: Add a service resource in a zone

  1. Log on to the endpoint service console.
  2. In the top navigation bar, select the region to which the endpoint service in VPC 2 belongs. In this example, China (Hangzhou) is selected.

  3. On the Endpoints Service page, click the ID of the endpoint service that you want to manage.

  4. On the Service Resource tab, click Add Service Resource.

  5. In the Add Service Resource dialog box, select a zone to receive traffic, and select the CLB instance that you want to associate with the endpoint service.

    In this example, Hangzhou Zone H and the ID of CLB 2 are selected.

  6. Click OK.

Step 2: Allocate and connect to the service resource in the zone

Before you allocate and connect to the service resource in the zone, make sure that the following requirements are met:

  • The endpoint connection is in the Disconnected state.

  • The zone of the endpoint is in the Waiting to be connected or Disconnected state.

  • The service resource is available in Zone H.

  1. Click the Endpoint Connections tab, find the endpoint whose connection requests you want to accept, and then click Allow in the Actions column.

  2. In the Allow Connection dialog box, perform the following steps based on your business requirements:

    • If you want the system to automatically allocate service resources:

      1. Select Allow connections and automatically allocate service resources, and then click OK.

      2. Click the icon before the endpoint to show the zone details. Then, select the zone that you want to manage. In this example, Hangzhou Zone H is selected.

    • If you want to manually allocate service resources, clear the Allow connections and automatically allocate service resources check box:

      1. Click the icon before the endpoint to show the zone details. Then, select the zone that you want to manage. In this example, Hangzhou Zone H is selected.

      2. Click Allocate Service Resource in the Actions column of the zone.

      3. In the Allocate Service Resource dialog box, click Manual Allocation, select CLB 1, and then click OK.

        Note

        If a service resource exists in the zone of the endpoint and you select Automatic Allocation, the existing service resource is cleared. The service resource can be automatically allocated if you select Allow connections and automatically allocate service resources for an endpoint connection.

      4. On the Endpoint page, find the endpoint that you want to manage and click Allow in the Actions column.

  3. Remotely log on to ECS 03 and run the curl command to test whether ECS 03 in VPC 1 can access the services deployed on ECS 01 in VPC 2. For more information about how to remotely log on to an ECS instance, see Connection methods.

    curl https://<Domain name of the zone of the endpoint>

    If the information shown in the following figure is displayed, ECS 03 can access the services deployed on ECS 01.

Step 3: Create an alert rule

  1. Log on to the CloudMonitor console.

  2. In the left-side navigation pane, click Cloud Service Monitoring.

  3. On the Cloud Service Monitoring page, click PrivateLink in the Network section.

  4. On the PrivateLink page, click Create Alert Rule.

  5. In the Create Alert Rule panel, specify the parameters that are described in the following section and click Confirm.

    The following section describes the key parameters that are related to an endpoint service. For more information about other parameters, see Create an alert rule.

    • Product: PrivateLink is selected in this example.

    • Resource Range: Specify the applicable scope of the alert rule. Instances is selected in this example.

    • Associated Resources: The endpoint service that is created in VPC 2 is selected in this example.

    • Rule Description: Specify the content of the alert rule. An alert is triggered if the specified metric meets the specified condition.

      Click Add Rule. In the Add Rule Description panel, specify the parameters described in the following table and click OK.

      | Parameter | Description |
      | --- | --- |
      | Alert Rule | Enter a name for the rule. |
      | Metric Type | Select the type of the metric that is used to trigger an alert. Single Metric is selected in this example. |
      | Metric | Select a metric from the drop-down list. Service Resource Inbound Bandwidth is selected in this example. |
      | Select Dimension | Select the region ID and the service resource ID. In this example, cn-hangzhou-h is selected for the zoneId parameter and the ID of CLB 1 is selected for the resourceId parameter. If you do not select this option, all dimensions are monitored. |
      | Threshold and Alert Level | Specify the alert threshold and the alert level of the alert rule. In this example, Warning is selected as the alert level, and 1 Consecutive Cycles (1 Cycle = 1 Minutes) Average >= 100 Mbit/s is specified as the alert condition. This indicates that the inbound bandwidth of the service resource is checked once every minute. If the inbound bandwidth is greater than or equal to 100 Mbit/s, an alert is triggered. |
      | Chart Preview | Displays the monitoring chart of the metric within a specified period of time. |

    • Mute For: Specify the interval after which an alert is resent if the alert is not cleared. In this example, 30 Minutes is selected.

    • Effective Period: Specify the time period during which the alert rule remains effective. CloudMonitor checks monitoring data and determines whether to generate alerts only during the specified period. In this example, 00:00 - 23:59 is specified.

    • Alert Contact Group: Specify the contact group to which alerts are sent. For more information about how to create a contact and a contact group, see Create an alert contact or alert contact group.
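
The rule configured above, modelled as a small evaluator so that the interaction of the threshold, the consecutive cycles and Mute For can be checked before relying on it (an added example, not CloudMonitor's implementation or code from this documentation). The resource IDs are placeholders, the datapoint fields other than zoneId and resourceId and the per-minute series are constructed, and resending at each mute interval while the alert stays uncleared is an assumption drawn from the Mute For description.

```python
from dataclasses import dataclass

@dataclass
class AlertRule:
    zone_id: str = "cn-hangzhou-h"            # zoneId dimension from the page
    resource_id: str = "lb-CLB1-PLACEHOLDER"  # placeholder, not a real instance ID
    threshold_mbps: float = 100.0             # Average >= 100 Mbit/s
    consecutive_cycles: int = 1               # 1 consecutive cycle of 1 minute
    mute_minutes: int = 30                    # Mute For: 30 Minutes

def evaluate(rule, datapoints):
    """Return (minute, event) tuples: ALERT, RESEND (mute elapsed), OK (cleared)."""
    events, breaches, alerting, last_sent = [], 0, False, None
    for dp in datapoints:
        # Only the selected dimension (zone + service resource) is evaluated.
        if (dp["zoneId"], dp["resourceId"]) != (rule.zone_id, rule.resource_id):
            continue
        minute = dp["minute"]
        breaches = breaches + 1 if dp["avg_mbps"] >= rule.threshold_mbps else 0
        if breaches >= rule.consecutive_cycles:
            if not alerting:
                alerting, last_sent = True, minute
                events.append((minute, "ALERT"))
            elif minute - last_sent >= rule.mute_minutes:
                last_sent = minute
                events.append((minute, "RESEND"))
        elif alerting:
            # While alerting, the breach counter can only grow or reset to zero.
            alerting = False
            events.append((minute, "OK"))
    return events

def constructed_series():
    """Constructed one-minute averages: quiet, a 38-minute load burst, quiet."""
    points = []
    for minute in range(45):
        clb1 = 140.0 if 3 <= minute <= 40 else 12.0
        points.append({"zoneId": "cn-hangzhou-h", "resourceId": "lb-CLB1-PLACEHOLDER",
                       "minute": minute, "avg_mbps": clb1})
        # CLB 2 is busy the whole time but lies outside the rule's dimension.
        points.append({"zoneId": "cn-hangzhou-h", "resourceId": "lb-CLB2-PLACEHOLDER",
                       "minute": minute, "avg_mbps": 300.0})
    return points

if __name__ == "__main__":
    for minute, event in evaluate(AlertRule(), constructed_series()):
        print(f"minute {minute:2d}: {event}")
```
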

Step 4: Use wrk to perform a stress test

Use wrk to perform a stress test on the backend server (ECS 01) of CLB 1 in VPC 2. If the inbound bandwidth of ECS 01 reaches the specified alert threshold, an alert is triggered in CloudMonitor.

Note

In this example, ECS 03 runs the Alibaba Cloud Linux operating system. For more information about how to use the ping command in other operating systems, see the user guide for the operating system that you use.

  1. Remotely log on to ECS 03 in VPC 1.

  2. Run the following commands on ECS 03 in VPC 1 in sequence to install wrk:

    yum -y install git make gcc
    git clone https://github.com/wg/wrk.git
    yum install unzip
    cd wrk
    make

  3. After wrk is installed, run the following command to perform a stress test on ECS 01 by using wrk:

    ./wrk -c 100 -d 600 -t 1 http://<Domain name of the zone of the endpoint>

    If the following echo reply packet is returned, the stress test is complete.

  4. Return to the Alert Rules page. After a few minutes, Alert is displayed in red in the Status column. This indicates that the inbound bandwidth of CLB 1 reaches the alert threshold. In this case, you must distribute some traffic on CLB 1 to CLB 2.

Step 5: Replace the service resource in the zone

Before you replace the service resource, make sure that the following requirements are met:

  • The endpoint connection is in the Connected state.

  • The zone of the endpoint is in the Connected or Disconnected state.

  • In addition to CLB 1, at least one service resource is available in Zone H.

  • Automatic allocation is disabled for CLB 2. For more information, see Enable and disable automatic allocation for a service resource.

  1. Log on to the endpoint service console.
  2. In the top navigation bar, select the region where the endpoint service is deployed. In this example, China (Hangzhou) is selected.

  3. On the Endpoints Service page, click the ID of the endpoint service that you want to manage.

  4. On the endpoint service details page, click the Endpoint Connections tab, find the endpoint that you want to manage, and then click the icon before the endpoint to show the zone details.

  5. Select the zone that you want to manage and click Replace Service Resource in the Actions column.

  6. In the Replace Service Resource dialog box, click Smooth Migration or Forcible Migration, select CLB 2, and then click OK.

    Note

    Smooth migration works in the following way:

    1. The system automatically creates an endpoint elastic network interface (ENI). Then, the system connects the new endpoint ENI to CLB 2, records the IP address of the endpoint ENI, and then performs Domain Name System (DNS) resolution on the IP address.

    2. The system automatically removes the IP address of the original endpoint ENI from the DNS resolution list.

    3. After you verify that all existing services are deleted, perform Step 7 and Step 8 to disconnect CLB 1 from the original endpoint ENI. After CLB 1 is disconnected from the original endpoint ENI, the original endpoint ENI is deleted.

  7. Click Disconnect from Service Resource in the Actions column of the zone.

  8. In the Are you sure that you want to disconnect from the previous service resources? message, click Yes.

  9. After CLB 1 is replaced, remotely log on to ECS 03 and run the curl command to test whether ECS 03 in VPC 1 can access the service deployed on ECS 02 in VPC 2.

    curl https://<Domain name of the zone of the endpoint>

    If the information shown in the following figure is displayed, ECS 03 can access the service on ECS 02.
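
A client-side check to run on ECS 03 during a smooth migration, before steps 7 and 8 disconnect CLB 1 (an added example, not part of the Alibaba Cloud documentation). It assumes that the verification in the smooth-migration note means the endpoint domain no longer resolves to the original endpoint ENI and no established TCP connection still targets it; the ENI addresses and the `ss` output are constructed.

```python
import socket

def resolve_ipv4(domain, port=80):
    """IPv4 addresses the endpoint zone domain resolves to right now."""
    infos = socket.getaddrinfo(domain, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def peers_from_ss(ss_output):
    """Peer IPs from `ss -tn state established` output (with or without a State column)."""
    peers = []
    for line in ss_output.splitlines():
        # Keep only addr:port tokens; the header's "Address:Port" has no numeric port.
        addrs = [f for f in line.split() if ":" in f and f.rsplit(":", 1)[1].isdigit()]
        if len(addrs) >= 2:  # local address comes first, peer second
            peers.append(addrs[1].rsplit(":", 1)[0])
    return peers

def cutover_report(resolved_ips, ss_output, old_eni_ip, new_eni_ip):
    """Summarise whether this client has stopped using the original endpoint ENI."""
    lingering = peers_from_ss(ss_output).count(old_eni_ip)
    dns_new = new_eni_ip in resolved_ips
    dns_old = old_eni_ip in resolved_ips
    return {
        "dns_lists_new_eni": dns_new,
        "dns_lists_old_eni": dns_old,
        "connections_to_old_eni": lingering,
        "ready_to_disconnect": dns_new and not dns_old and lingering == 0,
    }

# Constructed values: both ENI addresses are made up inside the vSwitch of VPC 1.
OLD_ENI_IP, NEW_ENI_IP = "10.10.0.21", "10.10.0.37"
SS_DRAINING = """Recv-Q Send-Q Local Address:Port Peer Address:Port
0      0      10.10.0.190:40122  10.10.0.21:80
0      0      10.10.0.190:40188  10.10.0.37:80
"""
SS_DRAINED = """Recv-Q Send-Q Local Address:Port Peer Address:Port
0      0      10.10.0.190:40188  10.10.0.37:80
"""

if __name__ == "__main__":
    # On ECS 03, pass resolve_ipv4("<Domain name of the zone of the endpoint>") and
    # the real output of `ss -tn state established` instead of the samples.
    for label, ss_text in (("draining", SS_DRAINING), ("drained", SS_DRAINED)):
        print(label, cutover_report([NEW_ENI_IP], ss_text, OLD_ENI_IP, NEW_ENI_IP))
```

The report reflects only the client it runs on; other clients in VPC 1 need the same check.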

Related operations

Enable and disable automatic allocation for a service resource

Before you disable automatic allocation for a service resource, make sure that at least one service resource that can be automatically allocated is available in a zone.

  1. Log on to the endpoint service console.
  2. In the top navigation bar, select the region where the endpoint service is deployed.

  3. On the Endpoints Service page, click the ID of the endpoint service that you want to manage.

  4. On the details page of the endpoint service, click the Service Resource tab, find the service resource that you want to manage, and then turn on or turn off the switch in the Automatic Allocation column based on your business requirements.

    • Turn on Disabled. In the Do you want to enable automatic allocation? message, click Allow.

    • Turn off Enabled. In the Do you want to enable automatic allocation? message, click Disable.

Disconnect from a service resource in a zone

Before you disconnect from a service resource in a zone, make sure that the following requirements are met:

  • The endpoint connection is in the Connected state.

  • The zone of the endpoint is in the Connected state.

  • A service resource is allocated to the zone of the endpoint.

  1. Log on to the endpoint service console.
  2. In the top navigation bar, select the region where the endpoint service is deployed.

  3. On the Endpoints Service page, click the ID of the endpoint service that you want to manage.

  4. On the details page of the endpoint service, click the Endpoint Connections tab, find the endpoint that you want to manage, and then click the icon before the endpoint to show the zone details.

  5. Select the zone that you want to manage and click Disconnect from Service Resource in the Actions column based on the following scenarios:

    • In a smooth migration scenario, click Disconnect from Previous Service Resource and click Disconnect from Service Resource.

    • In a scenario in which a forcible migration is performed or no migration is performed, click Disconnect from Service Resource.

    Note

    In a smooth migration scenario, the new endpoint ENI and the original endpoint ENI are displayed in the zone details.

  6. In the Are you sure that you want to disconnect from the previous service resources? message, click Yes.

Delete a service resource

  1. Log on to the endpoint service console.
  2. In the top navigation bar, select the region where the endpoint service is deployed.

  3. On the Endpoints Service page, click the ID of the endpoint service that you want to manage.

  4. On the endpoint service details page, click the Service Resource tab, find the service resource that you want to delete, and then perform operations based on the following scenarios:

    • If a service resource is not allocated to a zone of an endpoint:

      1. Click Delete in the Actions column of the service resource.

      2. In the Remove Resource message, click OK.

    • If a service resource is allocated to a zone of an endpoint:

      1. Click Replace Resource in the Actions column of the service resource.

      2. In the Replace Service Resource dialog box, specify the parameters that are described in the following table and click OK.

        | Parameter | Description |
        | --- | --- |
        | Migration Type | Select Smooth Migration or Forcible Migration based on your business requirements. If you select Smooth Migration, click Release Previous Endpoint Connections in the Actions column after the migration is complete. After the previous connections are released, delete the service resource. If you select Forcible Migration, you can directly delete the service resource after the migration is complete. |
        | Select Destination Service Resource | Select the service resource that is used to replace the current service resource. |
        | Select Source Endpoint Connection | Select the endpoint connection that is associated with the current service resource. |

      3. Click Delete in the Actions column of the service resource.

      4. In the Remove Resource message, click OK.

      Note

      If the service resource that you want to delete is allocated to a zone of an endpoint, you must turn off Enabled in the Automatic Allocation column of the service resource on the Service Resource tab.
