PrivateLink allows you to specify Classic Load Balancer (CLB) instances as the service resources of endpoint services. When you accept the connection request from an endpoint to an endpoint service, you must allocate and connect a CLB instance to the endpoint elastic network interface (ENI) in the zone where the endpoint is created.

Scenarios

The following scenario is used as an example. A company created two virtual private clouds (VPCs) named VPC1 and VPC2 in Zone H of the China (Hangzhou) region with Account A. The two VPCs can communicate with each other over PrivateLink. Elastic Compute Service (ECS) instances are created in VPC2. Different NGINX services are deployed on the ECS instances. Two CLB instances named CLB1 and CLB2 are created in VPC2. Due to business development, the company wants to distribute some traffic from CLB1 to CLB2 to prevent overload on CLB1.


Limits

  • The CLB instances that serve as service resources in VPC2 must be pay-as-you-go internal-facing CLB instances. Only pay-as-you-go internal-facing CLB instances support PrivateLink.
  • The endpoint in VPC1, the endpoint service in VPC2, and the service resources in VPC2 must be deployed in the same zone of the same region.

Prerequisites

  • VPC1 and VPC2 are created in the China (Hangzhou) region. A vSwitch is created in each VPC. For more information, see Create a VPC and a vSwitch.
  • ECS03, which is used to send requests, is created in VPC1. ECS01 and ECS02, which are used to receive and process requests, are created in VPC2. Different NGINX services are deployed on ECS01 and ECS02. For more information, see Manually deploy an LNMP environment on an ECS instance that runs Alibaba Cloud Linux 2.
  • CLB1 and CLB2, which serve as service resources, are created in VPC2. The CLB instances are deployed in Zone H. For more information about how to create a CLB instance that supports PrivateLink, see Create a CLB instance that supports PrivateLink.
  • Listeners are created for CLB1 and CLB2. ECS01 is added as a backend server of CLB1, and ECS02 is added as a backend server of CLB2. For more information, see Configure a CLB instance.
  • An endpoint is created in VPC1. An endpoint service is created in VPC2 and CLB1 in Zone H is specified as the service resource of the endpoint service. For more information about how to create an endpoint and an endpoint service, see Create an endpoint and an endpoint service.
The following table describes how to plan CIDR blocks for the VPCs. Make sure that the CIDR blocks do not overlap.
Attribute                VPC1                        VPC2
Region                   China (Hangzhou)            China (Hangzhou)
CIDR block               VPC: 10.10.0.0/16           VPC: 192.168.0.0/16
                         vSwitch: 10.0.0.0/24        vSwitch: 192.168.24.0/24
vSwitch zone             Zone H                      Zone H
ECS instance IP address  ECS03: 10.0.0.190           ECS01: 192.168.24.246
                                                     ECS02: 10.0.0.189
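The following check is added here as an example and is not part of the original page. It validates a CIDR plan of the shape shown in the table above: the VPC ranges must not overlap, each vSwitch must lie inside its VPC, and each ECS address must lie inside the vSwitch of the VPC it is placed in. Run against the table's values exactly as printed, it reports that the VPC1 vSwitch 10.0.0.0/24 is outside 10.10.0.0/16 and that the ECS02 address 10.0.0.189 is outside the VPC2 vSwitch, which is why such a check is worth running before any resource is created.

```python
import ipaddress

# CIDR plan copied from the table above, values as the page gives them.
PLAN = {
    "VPC1": {"vpc": "10.10.0.0/16", "vswitch": "10.0.0.0/24",
             "hosts": {"ECS03": "10.0.0.190"}},
    "VPC2": {"vpc": "192.168.0.0/16", "vswitch": "192.168.24.0/24",
             "hosts": {"ECS01": "192.168.24.246", "ECS02": "10.0.0.189"}},
}


def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent.

    Checks performed:
      1. VPC CIDRs are pairwise disjoint (required so that traffic between
         the two VPCs routes unambiguously).
      2. Each vSwitch CIDR is a subnet of its own VPC CIDR.
      3. Each ECS address falls inside the vSwitch of the VPC it is listed under.
    """
    findings = []
    vpcs = {name: ipaddress.ip_network(v["vpc"]) for name, v in plan.items()}
    names = sorted(vpcs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if vpcs[a].overlaps(vpcs[b]):
                findings.append(f"{a} {vpcs[a]} overlaps {b} {vpcs[b]}")
    for name, v in plan.items():
        vsw = ipaddress.ip_network(v["vswitch"])
        if not vsw.subnet_of(vpcs[name]):
            findings.append(f"{name} vSwitch {vsw} is outside VPC {vpcs[name]}")
        for host, ip in v["hosts"].items():
            if ipaddress.ip_address(ip) not in vsw:
                findings.append(f"{host} {ip} is outside {name} vSwitch {vsw}")
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN) or ["plan is consistent"]:
        print(finding)
```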

Procedure

Configuration process

Step 1: Add a service resource to a zone

  1. Log on to the endpoint service console.
  2. In the top navigation bar, select the region to which the endpoint service in VPC2 belongs. In this example, China (Hangzhou) is selected.
  3. On the Endpoints Service page, click the ID of the endpoint service that you want to manage.
  4. On the Service Resources tab, click Add Service Resource.
  5. In the Add Service Resource dialog box, select a zone to distribute traffic, and select the CLB instance that you want to associate with the endpoint service.

    In this example, Hangzhou Zone H and the ID of CLB2 are selected.

  6. Click OK.

Step 2: Allocate and connect a service resource to a zone

Before you allocate and connect a service resource to a zone, make sure that the following requirements are met:
  • The endpoint connection is in the Disconnected state.
  • The zone of the endpoint is in the Pending to Be Connected or Disconnected state.
  • A service resource is available in Zone H.
  1. Click the Endpoint Connections tab, find the endpoint whose connection request you want to accept, and then click Allow in the Actions column.
  2. In the Allow Connection dialog box, perform operations based on your business requirements:
    • If you want the system to automatically allocate service resources:
      1. Select Allow connections and automatically allocate service resources and click OK.
      2. Click the icon next to the endpoint to show the zone details and select the zone that you want to manage. In this example, Hangzhou Zone H is selected.
      3. Click Connect to Service Resource in the Actions column of the zone.
      4. In the Allow Connection message, click OK.
    • If you want to manually allocate service resources, clear the check box for Allow connections and automatically allocate service resources:
      1. Click the icon next to the endpoint to show the zone details and select the zone that you want to manage. In this example, Hangzhou Zone H is selected.
      2. Click Allocate Service Resource in the Actions column of the zone.
      3. In the Allocate Service Resource dialog box, click Manual Allocation, select CLB1, and then click OK.
        Note If a service resource exists in the zone of the endpoint and you select Automatic Allocation, the existing service resource is cleared. The service resource can be automatically allocated next time you select Allow connections and automatically allocate service resources for an endpoint connection.
      4. Click Connect to Service Resource in the Actions column of the zone.
      5. In the Allow Connection message, click OK.
  3. Log on to ECS03 and run the curl command to test whether ECS03 in VPC1 can access the service deployed on ECS01 in VPC2. For more information about how to log on to an ECS instance, see Connection methods.
    curl https://<Domain name of the zone of the endpoint>
    If the response from ECS01 is returned, ECS03 can access the service on ECS01.

Step 3: Create an alert rule

  1. Log on to the CloudMonitor console.
  2. In the left-side navigation pane, click Cloud Service Monitoring.
  3. On the Cloud Service Monitoring page, click PrivateLink in the Network section.
  4. On the PrivateLink page, click Create Alert Rule in the upper-right corner.
  5. In the Create Alert Rule panel, set the following parameters and click Confirm:
    The following section describes the key parameters that are related to an endpoint service. For more information about the other parameters, see Create an alert rule.
    • Product: In this example, PrivateLink is selected.
    • Resource Range: Specify the application scope of the alert rule. In this example, Instances is selected.
    • Associated Resources: In this example, the endpoint service that is created in VPC2 is selected.
    • Rule Description: Specify the content of the rule. An alert is triggered if the specified metric meets the specified condition.
      Click Add Rule. In the Add Rule Description panel, set the following parameters and click OK.
      • Alert Rule: Enter a name for the rule.
      • Metric Type: Select the type of the metric that is used to trigger an alert. In this example, Single indicator is selected.
      • Metric: Select a metric from the drop-down list. In this example, Service Resource Inbound Bandwidth is selected.
      • Please select dimension: Select the region and ID of the service resource. In this example, cn-hangzhou-h is selected for the zoneId parameter and the ID of CLB1 is selected for the resourceId parameter.
      • Threshold and Alert Level: Specify the threshold value of the metric and the severity level of the alert. In this example, Warning Text Message + Email + DingTalk is selected as the severity level and 1 Consecutive Cycles (1 Cycle = 1 Minutes) Average >= 100 Mbit/s is specified as the alert condition. This specifies that the inbound bandwidth of the service resource is checked every minute. If the inbound bandwidth is equal to or greater than 100 Mbit/s in any one cycle, an alert is triggered.
      • Chart Preview: Displays the monitoring chart of the metric in the specified period.
    • Click Advanced Settings and set the following parameters:
      • Mute for: Specify the interval at which alert notifications are sent if the alert is not cleared. In this example, 30 min is selected.
      • Effective Time: Specify the time period during which the alert rule remains effective. CloudMonitor checks monitoring data and determines whether to generate alerts only during the effective period. In this example, 00:00 - 23:59 is specified.
    • Alert Contact Group: Specify the contact group to which alert notifications are sent. For more information about how to create a contact and a contact group, see Create an alert contact or alert contact group.

Step 4: Use wrk to perform a stress test

Use wrk to perform a stress test on the backend server of CLB1 (ECS01) in VPC2. When the inbound bandwidth of ECS01 reaches the specified threshold value, an alert is triggered in CloudMonitor.

Note In this example, ECS03 runs the Alibaba Cloud Linux operating system. For more information about how to install and use wrk in other operating systems, see the user guide of the operating system that you use.
  1. Log on to ECS03 in VPC1.
  2. Run the following commands on ECS03 to build wrk from source:
    # Install the build dependencies (git, make, gcc) and unzip without prompting
    yum -y install git make gcc unzip
    # Fetch the wrk source code and build the wrk binary
    git clone https://github.com/wg/wrk.git
    cd wrk
    make
  3. After wrk is installed, run the following command to perform a stress test on ECS01 by using wrk.
    ./wrk -c 100 -d 600 -t 1 http://<Domain name of the zone of the endpoint>
    The command opens 100 connections on one thread for 600 seconds. When wrk prints its test summary, the stress test is complete.
  4. Return to the Alert Rules page that you used in Step 3. After a few minutes, Alert is displayed in red in the Status column. This indicates that the inbound bandwidth of CLB1 has reached the threshold value. In this case, you can reduce the workload on CLB1 by distributing some traffic to CLB2.
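The following script is an added example, not part of the original page, that ties the wrk run in Step 4 to the alert condition configured in Step 3. It parses the Transfer/sec line of a wrk summary (the sample below is constructed, not a real capture), converts it to Mbit/s, and evaluates the page's rule of N consecutive one-minute averages at or above 100 Mbit/s. It assumes that wrk reports 1024-based byte units and that the CloudMonitor threshold uses decimal megabits; wrk's figure counts bytes received by the client, so it is only an estimate of the load the test places on the service resource.

```python
import re

# Constructed wrk summary in the layout wrk prints after a run such as
# ./wrk -c 100 -d 600 -t 1 http://<endpoint zone domain>; not a real capture.
SAMPLE_WRK_OUTPUT = """\
Running 10m test @ http://endpoint-zone.example.invalid
  1 threads and 100 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     8.21ms    3.10ms  97.45ms   91.02%
    Req/Sec    12.31k     1.02k   14.90k    78.50%
  7384217 requests in 10.00m, 7.42GB read
Requests/sec:  12307.03
Transfer/sec:     12.66MB
"""

# wrk formats byte counts with 1024-based units (B, KB, MB, GB, TB).
_UNIT = {"B": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3, "TB": 1024**4}
_TRANSFER_RE = re.compile(r"^Transfer/sec:\s+([\d.]+)([KMGT]?B)\s*$", re.M)


def transfer_mbit_per_sec(wrk_output):
    """Parse wrk's Transfer/sec line and return it in Mbit/s (1 Mbit = 10**6 bit, assumed)."""
    m = _TRANSFER_RE.search(wrk_output)
    if not m:
        raise ValueError("no Transfer/sec line in wrk output")
    bytes_per_sec = float(m.group(1)) * _UNIT[m.group(2)]
    return bytes_per_sec * 8 / 1_000_000


def rule_fires(samples_mbit, threshold=100.0, consecutive=1):
    """Evaluate the page's rule: `consecutive` one-minute averages all >= threshold.

    samples_mbit holds per-minute average bandwidth values, oldest first.
    With consecutive=1 (the page's setting) a single cycle at or above the
    threshold is enough to raise the alert.
    """
    if len(samples_mbit) < consecutive:
        return False
    return all(s >= threshold for s in samples_mbit[-consecutive:])


if __name__ == "__main__":
    mbit = transfer_mbit_per_sec(SAMPLE_WRK_OUTPUT)
    print(f"wrk transfer: {mbit:.1f} Mbit/s, alert fires: {rule_fires([mbit])}")
```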

Step 5: Replace a service resource in a zone

Before you replace a service resource, make sure that the following requirements are met:
  • The endpoint connection is in the Connected state.
  • The zone of the endpoint is in the Connected or Disconnected state.
  • Other than CLB1, at least one service resource is available in Zone H.
  • Automatic allocation is disabled for CLB1. For more information, see Enable and disable automatic allocation for a service resource.
  1. Log on to the endpoint service console.
  2. In the top navigation bar, select the region where the endpoint service is deployed. In this example, China (Hangzhou) is selected.
  3. On the Endpoints Service page, click the ID of the endpoint service that you want to manage.
  4. On the endpoint service details page, click the Endpoint Connections tab, find the endpoint that you want to manage, and click the icon next to the endpoint to show the zone details.
  5. Select the zone that you want to manage and click Replace Service Resource in the Actions column.
  6. In the Replace Service Resource dialog box, click Smooth Migration or Forcible Migration, select CLB2, and then click OK.
  7. After CLB1 is replaced, log on to ECS03 and run the curl command to test whether ECS03 in VPC1 can access the service deployed on ECS02 in VPC2.
    curl https://<Domain name of the zone of the endpoint>
    If the response from ECS02 is returned, ECS03 can access the service on ECS02.

What to do next

Enable and disable automatic allocation for a service resource

Before you can disable automatic allocation for a service resource, make sure that at least one service resource that can be automatically allocated is available in a zone.

  1. Log on to the endpoint service console.
  2. In the top navigation bar, select the region where the endpoint service is deployed.
  3. On the Endpoints Service page, click the ID of the endpoint service that you want to manage.
  4. On the endpoint service details page, click the Service Resources tab, find the service resource that you want to manage, and turn on or turn off the switch in the Automatic Allocation column based on your business requirements.
    • Turn on the Disabled switch. In the Do you want to enable automatic allocation? message, click Allow.
    • Turn off the Enabled switch. In the Are you sure that you want to disable automatic allocation? message, click Disable.

Disconnect a service resource from a zone

Before you disconnect a service resource from a zone, make sure that the following requirements are met:
  • The endpoint connection is in the Connected state.
  • The zone of the endpoint is in the Connected state.
  • A service resource is allocated to the zone of the endpoint.
  1. Log on to the endpoint service console.
  2. In the top navigation bar, select the region where the endpoint service is deployed.
  3. On the Endpoints Service page, click the ID of the endpoint service that you want to manage.
  4. On the endpoint service details page, click the Endpoint Connections tab, find the endpoint that you want to manage, and click the icon next to the endpoint to show the zone details.
  5. Select the zone that you want to manage and click Disconnect from Service Resource in the Actions column based on the following scenarios:
    • In a smooth migration scenario, click Disconnect from Previous Service Resource and then click Disconnect from Service Resource.
    • In a scenario in which a forcible migration is performed or no migration is performed, click Disconnect from Service Resource.
    Note In a smooth migration scenario, both the new endpoint ENI and the previous endpoint ENI must be displayed in the zone details.

  6. In the Are you sure that you want to disconnect from the service resources? message, click Yes.

Delete a service resource

  1. Log on to the endpoint service console.
  2. In the top navigation bar, select the region where the endpoint service is deployed.
  3. On the Endpoints Service page, click the ID of the endpoint service that you want to manage.
  4. On the endpoint service details page, click the Service Resources tab, find the service resource that you want to delete, and perform operations based on the following scenarios:
    • If a service resource is not allocated to a zone of an endpoint:
      1. Find the service resource that you want to delete and click Delete in the Actions column.
      2. In the Remove Resource message, click OK.
    • If a service resource is allocated to a zone of an endpoint:
      1. Find the service resource that you want to delete and click Replace Resource in the Actions column.
      2. In the Replace Service Resource dialog box, set the following parameters and click OK.
        • Migration Type: Select Smooth Migration or Forcible Migration based on your business requirements.
          • If you select Smooth Migration, click Release Previous Endpoint Connections in the Actions column after the migration is completed. After the previous connections are released, delete the service resource.
          • If you select Forcible Migration, you can directly delete the service resource after the migration is completed.
        • Select Destination Service Resource: Select the service resource that is used to replace the current service resource.
        • Select Source Endpoint Connection: Select the endpoint connection that is associated with the current service resource.
      3. Find the service resource that you want to delete and click Delete in the Actions column.
      4. In the Remove Resource message, click OK.
      Note If the service resource that you want to delete is allocated to a zone of an endpoint, you must turn off the Enabled switch in the Automatic Allocation column of the service resource on the Service Resources tab.
