This topic describes how to use PrivateLink to allow a Classic Load Balancer (CLB) instance in a virtual private cloud (VPC) to provide services to another VPC that belongs to the same Alibaba Cloud account.

Background information

VPCs are private networks that are isolated from each other. You can use PrivateLink to establish a secure and stable private connection between a VPC and an Alibaba Cloud service. This simplifies the network architecture and prevents security risks over the Internet.

To establish a PrivateLink connection, you must create an endpoint service and an endpoint.
  • Endpoint services

    An endpoint service can be accessed by using an endpoint in another VPC over a PrivateLink connection. Endpoint services are created and managed by service providers.

  • Endpoints

    An endpoint can be associated with an endpoint service to establish a PrivateLink connection that allows a VPC to access external services. Endpoints are created and managed by service consumers.

Entity            Description
Service provider  Create and manage endpoint services.
Service consumer  Create and manage endpoints.
Note PrivateLink is available for use in only specific regions. For more information, see Regions and zones that support PrivateLink.

Scenarios

The following scenario is used as an example. A company created two VPCs named VPC1 and VPC2 in the Germany (Frankfurt) region with Account A, and deployed services on ECS2 and ECS3 in VPC2. As the business grows, resources in VPC1 need to access the services in VPC2 over a private network.

You can create a CLB instance that supports PrivateLink in VPC2, add ECS2 and ECS3 as backend servers of the CLB instance, create an endpoint service, and then specify the CLB instance as a service resource. Then, you can create an endpoint in VPC1. After the endpoint is created and the connection between the endpoint and the endpoint service works as expected, ECS1 in VPC1 can access the services in VPC2.
The following table shows how CIDR blocks are specified for the VPCs in this example. Make sure that the CIDR blocks do not overlap.
Attribute                 VPC1                                VPC2
Region                    Germany (Frankfurt)                 Germany (Frankfurt)
CIDR block                VPC CIDR block: 10.10.1.0/16        VPC CIDR block: 192.168.2.0/16
                          vSwitch CIDR block: 10.0.0.0/24     vSwitch CIDR block: 192.168.24.0/24
vSwitch zone              Zone B                              Zone B
ECS instance IP address   ECS1 IP address: 10.0.0.182         ECS2 IP address: 192.168.20.200
                                                              ECS2 IP address: 10.0.0.2
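As an added example (not part of the Alibaba Cloud documentation), the following Python script checks an address plan laid out like the table above before any resources are created: each vSwitch lies inside its VPC CIDR block, each ECS address lies inside its vSwitch, and the VPC CIDR blocks do not overlap. The values in PLAN are constructed placeholders, not the page's addresses.

```python
import ipaddress

# Constructed example plan in the layout of the table above
# (VPC CIDR, vSwitch CIDR, ECS addresses per VPC). Placeholder values.
PLAN = {
    "VPC1": {"vpc": "10.10.0.0/16", "vswitch": "10.10.1.0/24",
             "ecs": {"ECS1": "10.10.1.182"}},
    "VPC2": {"vpc": "192.168.0.0/16", "vswitch": "192.168.24.0/24",
             "ecs": {"ECS2": "192.168.24.200", "ECS3": "192.168.24.2"}},
}


def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    vpc_nets = {}
    for name, cfg in plan.items():
        # strict=False accepts host-style notation such as 10.10.1.0/16
        vpc = ipaddress.ip_network(cfg["vpc"], strict=False)
        vsw = ipaddress.ip_network(cfg["vswitch"], strict=False)
        vpc_nets[name] = vpc
        if not vsw.subnet_of(vpc):
            findings.append(f"{name}: vSwitch {vsw} is not inside VPC CIDR {vpc}")
        for ecs, ip in cfg["ecs"].items():
            if ipaddress.ip_address(ip) not in vsw:
                findings.append(f"{name}: {ecs} address {ip} is not in vSwitch {vsw}")
    # Pairwise overlap check between all VPC CIDR blocks in the plan
    names = sorted(vpc_nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if vpc_nets[a].overlaps(vpc_nets[b]):
                findings.append(f"{a} CIDR {vpc_nets[a]} overlaps {b} CIDR {vpc_nets[b]}")
    return findings


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```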

Limits

  • The CLB instance that serves as the service resource in VPC2 must be a pay-as-you-go internal-facing CLB instance. Only pay-as-you-go internal-facing CLB instances support PrivateLink.
  • The endpoint in VPC1, the endpoint service in VPC2, and the CLB instance that serves as the service resource must be deployed in the same zone of the same region.

Prerequisites

Procedure


Step 1: Create an internal-facing CLB instance that supports PrivateLink

  1. Log on to the CLB console.
  2. On the Instances page, click Create CLB.
  3. On the Server Load Balancer page, configure the CLB instance based on the following information and click Buy Now to complete the payment.
    Parameter Description
    Billing Method Select a billing method for the CLB instance. In this example, Pay-As-You-Go is selected.
    Region Select the region and zone where you want to create the CLB instance. Make sure that the CLB instance is deployed in the same region as the ECS instances that you want to add as backend servers. In this example, Germany (Frankfurt) and Europe Central 1 Zone B are selected.
    Zone Type Specify whether you want to deploy the CLB instance in one zone or across multiple zones. In this example, Multi-zone is selected.
    Backup Zone Select a secondary zone for the CLB instance. Traffic is distributed to the secondary zone only when the primary zone is down. In this example, Europe Central 1 Zone A is selected.
    Instance Name Enter a name for the CLB instance.

    The name must be 1 to 80 characters in length, and can contain letters, digits, hyphens (-), forward slashes (/), periods (.), and underscores (_).

    Specification Select a specification for the CLB instance. CLB instances of different specifications provide different features. In this example, Small I (slb.s1.small) is selected.
    SLB instance Specify whether the CLB instance is an Internet-facing or internal-facing CLB instance. In this example, Intranet is selected.
    Network Type Select the network type of the CLB instance. In this example, VPC is selected.
    VPC ID Select the VPC and vSwitch in which the CLB instance is deployed. In this example, VPC2 and a vSwitch in VPC2 are selected.
    IP Version Select an IP version for the CLB instance. In this example, IPv4 is selected.
    Feature In this example, Standard is selected.
    Flow out In this example, By Traffic is selected.
    Quantity In this example, 1 is selected.
    Resource Group In this example, Default Resource Group is selected.

Step 2: Configure the CLB instance

After the CLB instance is created, you must add at least one listener and one group of backend servers to the CLB instance. This way, traffic can be forwarded by the CLB instance.

  1. On the Instances page, find the CLB instance that is created in Step 1 and click Configure Listener in the Actions column.
  2. In the Protocol and Listener step, set the following parameters, use the default values for other parameters, and then click Next:
    • Select Listener Protocol: In this example, TCP is selected.
    • Listening Port: Specify the frontend port that is used to receive requests and distribute requests to backend servers.

      In this example, 80 is specified.

  3. In the Backend Servers step, select Default Server Group and click Add More to add backend servers.
    1. In the My Servers panel, select ECS1 and ECS2 that you created, and click Next.
    2. Specify weights for the servers and click Add.
      A backend server with a higher weight receives more requests. In this example, the default value 100 is used.
    3. On the Default Server Group tab, specify a backend port and click Next. In this example, 80 is specified.
      You can specify the same port for multiple backend servers of a CLB instance.
  4. In the Health Check step, configure health checks and click Next. In this example, the default values are used.
  5. In the Confirm step, check the configurations and click Submit.
  6. Click OK to go back to the Instances page.

    If the health check status of an ECS instance is Normal, the ECS instance is ready to process requests that are forwarded by CLB.


Step 3: Create an endpoint service

  1. Log on to the Endpoint Service console.
  2. In the top navigation bar, select the region where you want to create an endpoint service. In this example, Germany (Frankfurt) is selected.
  3. On the Endpoints Service page, click Create Endpoint Service.
  4. On the Create Endpoint Service page, set the following parameters and click OK.
    Parameter Description
    Select Service Resource Select a zone to distribute network traffic. Then, select the CLB instance to be associated with the endpoint service.

    In this example, Frankfurt Zone B and the CLB instance created in Step 1 that supports PrivateLink are selected.

    Automatically Accept Endpoint Connections Specify whether to automatically accept connection requests from endpoints. In this example, No is selected.
    • Yes: The endpoint service automatically accepts connection requests from endpoints. Then, the endpoint service can be accessed by using endpoints.
    • No: The endpoint connection of the endpoint service is in the Disconnected state. In this case, connection requests to the endpoint service must be manually accepted or denied by the service provider.
      • If the service provider accepts the connection request from an endpoint, the endpoint service can be accessed by using the endpoint.
      • If the service provider denies the connection request from an endpoint, the endpoint service cannot be accessed by using the endpoint.
    Whether to Enable Zone Affinity In this example, Yes is selected.
    Description Enter a description for the endpoint service.

    The description must be 2 to 256 characters in length. The description cannot start with http:// or https://.

After the endpoint service is created, the account ID of the service provider is automatically added to the whitelist.

You can view the ID and name of the endpoint service on the Endpoints Service page.

Step 4: Create an endpoint

  1. Log on to the Endpoint console.
  2. In the top navigation bar, select the region where you want to create the endpoint. In this example, Germany (Frankfurt) is selected.
  3. On the Endpoints page, click Create Endpoint.
  4. On the Create Endpoint page, set the following parameters for the endpoint and click OK.
    Parameter Description
    Endpoint Name Enter a name for the endpoint.

    The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.

    Endpoints Service You can associate an endpoint with an endpoint service by using one of the following methods:
    • Click Add by Service Name and enter an endpoint service name.
    • Click Select Service and select the ID of the endpoint service.
    In this example, Add by Service Name is selected and the endpoint service created in Step 3 is selected.
    VPC Select the VPC where you want to create the endpoint. In this example, VPC1 is selected.
    Security Groups Select the security group to be associated with the endpoint elastic network interface (ENI). The security group is used to control data transfer from the VPC to the endpoint ENI.
    Note Make sure that the rules in the security group allow access to the endpoint ENI from clients.
    Zone and vSwitch Select the zone of the endpoint service and select a vSwitch in the zone. The system automatically creates an endpoint ENI in the vSwitch.

    In this example, Frankfurt Zone B is selected, and the vSwitch in VPC1 is selected.

    Description Enter a description for the endpoint.

    The description must be 2 to 256 characters in length. The description cannot start with http:// or https://.

After the endpoint is created, you can view the domain name or IP address that can be used to access the endpoint service. You can access the endpoint service by using one of the following methods:
  • Use the domain name of the endpoint
  • Use the IP address of the endpoint ENI
  • Use the domain name of the zone
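The Security Groups parameter above requires that the security group attached to the endpoint ENI allow the clients in. As an added example (not code from the Alibaba Cloud documentation), the following Python function evaluates a list of inbound rules written the way the console shows them (policy, protocol, port range, source CIDR, priority) for a given client address and port. The rule semantics it assumes (the matching rule with the smallest priority value wins, drop beats accept at equal priority, and unmatched traffic is dropped) are stated as assumptions in the code, and the RULES set is constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """One inbound rule in the form shown in the ECS console (constructed)."""
    policy: str        # "accept" or "drop"
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_range: str    # "80/80", "1/65535"; "-1/-1" means all ports
    source_cidr: str   # source CIDR the rule applies to
    priority: int      # 1 (highest) to 100 (lowest)


def _port_matches(port_range, port):
    low, high = (int(p) for p in port_range.split("/"))
    return (low, high) == (-1, -1) or low <= port <= high


def inbound_allowed(rules, client_ip, protocol, port):
    """Decide whether a client may reach the endpoint ENI on protocol/port.

    Assumed semantics: the matching rule with the smallest priority value
    wins; at equal priority a drop rule beats an accept rule; with no
    matching rule the traffic is dropped.
    """
    ip = ipaddress.ip_address(client_ip)
    best = None
    for r in rules:
        if r.protocol not in ("all", protocol):
            continue
        if not _port_matches(r.port_range, port):
            continue
        if ip not in ipaddress.ip_network(r.source_cidr, strict=False):
            continue
        if best is None or r.priority < best.priority or (
            r.priority == best.priority and r.policy == "drop"
        ):
            best = r
    return best is not None and best.policy == "accept"


# Constructed rule set for the endpoint ENI's security group: allow the
# consumer vSwitch (10.0.0.0/24 in this example) to reach the TCP listener
# port 80 and drop everything else.
RULES = [
    Rule("accept", "tcp", "80/80", "10.0.0.0/24", 1),
    Rule("drop", "all", "-1/-1", "0.0.0.0/0", 100),
]
```

With these rules, `inbound_allowed(RULES, "10.0.0.182", "tcp", 80)` is True for ECS1, while any other port or a source outside the vSwitch is dropped.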

Step 5: Accept connection requests from endpoints

To establish an endpoint connection, an endpoint service must accept the connection request from an endpoint. In this example, resources in VPC1 can access the endpoint service in VPC2 by using the endpoint after the connection request is accepted.
Note Skip this step if you set the Automatically Accept Endpoint Connections parameter to Yes in Step 3.
  1. In the left-side navigation pane, click Endpoints Service.
  2. In the top navigation bar, select the region where the endpoint service is deployed. In this example, Germany (Frankfurt) is selected.
  3. On the Endpoints Service page, find the endpoint service that you created in Step 3, and then click its ID.
  4. Click the Endpoint Connections tab, find the endpoint from which you want to accept the connection request, and then click Allow in the Actions column.
  5. In the Allow Connection message, click OK.
After you accept the connection request, the connection status of the endpoint changes from Disconnected to Connected.

Step 6: Access services by using the endpoint

To test whether ECS1 in VPC1 can access the service deployed on ECS2 in VPC2 by using the endpoint, perform the following operations:

  1. Open a browser on ECS1.
  2. In the address bar of the browser, enter the domain name or IP address that can be used to access the endpoint service in VPC2, and check whether ECS1 can access the service that is deployed on ECS2.
    In this example, the domain name or IP address that is generated in Step 4 is entered.

    The test result shows that ECS1 in VPC1 can access the service deployed on ECS2 in VPC2.