Access a CLB instance in another VPC - PrivateLink - Alibaba Cloud Documentation Center

If you want to allow a Classic Load Balancer (CLB) instance in a virtual private cloud (VPC) to provide services for another VPC within the same Alibaba Cloud account, you can specify the CLB instance as a service resource in the VPC where the CLB instance is deployed and use PrivateLink to establish a network connection between the two VPCs.

Background information

VPCs are private networks that are isolated from each other in the cloud. You can use PrivateLink to establish a secure and stable private connection between a VPC and an Alibaba Cloud service. This simplifies the network architecture and prevents security risks over the Internet.

To establish a PrivateLink connection, you must create an endpoint service and an endpoint.

Endpoint service
An endpoint service can be accessed by using an endpoint in another VPC over a PrivateLink connection. Endpoint services are created and managed by service providers.
Endpoint
An endpoint can be associated with an endpoint service to establish a PrivateLink connection that allows a VPC to access external services. Endpoints are created and managed by service consumers.

Entity	Description
Service provider	Creates and manages endpoint services.
Service consumer	Creates and manages endpoints.

CLB distributes inbound network traffic across multiple Elastic Compute Service (ECS) instances that act as backend servers based on forwarding rules. You can specify CLB instances as the service resources of endpoint services to improve the performance and availability of your applications. For more information, see What is CLB?

Scenarios

The following scenario is used as an example. Company A creates two VPCs named VPC 1 and VPC 2 in the Germany (Frankfurt) region with Alibaba Cloud Account A and deploys application services on ECS instances named ECS 2 and ECS 3 in VPC 2. Due to business growth, resources in VPC 1 require access to the services in VPC 2 over a private connection.

You can create a CLB instance that supports PrivateLink in VPC 2, and specify ECS 2 and ECS 3 as the backend servers of the CLB instance. This allows the CLB instance to receive the traffic from clients and distribute the traffic to the backend servers based on the forwarding rules of a listener. Create an endpoint service and specify the CLB instance as the service resource of the endpoint service. Then, create an endpoint in VPC 1. After the endpoint is created and connected to the endpoint service as expected, ECS 1 in VPC 1 can access the services in VPC 2 over the private network. 架构图

Limits

To support PrivateLink, the CLB instance that serves as a service resource in VPC 2 must be a pay-as-you-go internal-facing CLB instance.
When you create an endpoint service, you must select a region that supports PrivateLink and CLB instances. For more information about the regions that support PrivateLink and CLB instances, see Regions and zones that support PrivateLink and Regions that support CLB.
The endpoint and endpoint service must be deployed in the same zone where the CLB instance is deployed.

Prerequisites

VPC 1 and VPC 2 are created in the Germany (Frankfurt) region, and a vSwitch is created for each VPC. For more information, see the Step 1: Create a VPC and vSwitches section of the Create a VPC with an IPv4 CIDR block topic.
ECS 1 is created in VPC 1, ECS 2 and ECS 3 are created in VPC 2, and different NGINX services are deployed on ECS 2 and ECS 3. For more information about how to create ECS instances and deploy NGINX services, see Create an instance on the Custom Launch tab and Build an LNMP stack on an ECS instance that runs Alibaba Cloud Linux 2 or 3.
A security group is created in VPC 1. You can configure security group rules based on your requirements for business and security.
We recommend that you configure the following security group rules:
- An inbound rule that allows traffic on SSH port 22 and Remote Desktop Protocol (RDP) port 3389 to access the ECS instance.
- An inbound rule that allows traffic on HTTP port 80 and HTTPS port 443. This rule allows the VPC of the endpoint to access the VPC of the endpoint service over HTTP or HTTPS.
For more information, see Create a security group.
Note
ECS 2 and ECS 3 in VPC 2 belong to the default security group, which is created by the system when the ECS instances are created.

The following table describes how networks of the VPCs are planned in this example. Your services are not adversely affected if the CIDR blocks of your VPCs overlap with each other.

Item	VPC 1	VPC 2
Region	Germany (Frankfurt)	Germany (Frankfurt)
CIDR block	VPC: 10.10.0.0/16 vSwitch: 10.10.2.0/24	VPC: 192.168.0.0/16 vSwitch: 192.168.24.0/24
vSwitch zone	Zone B	Zone B
ECS instance IP address	ECS 1: 10.10.2.1	ECS 2: 192.168.24.200 ECS 3: 192.168.24.12

Procedure

liuchengtu

Step 1: Create a CLB instance that supports PrivateLink

Log on to the CLB console.
On the Instances page, click Create CLB.

On the CLB (Pay-As-You-Go) International Site buy page, set the parameters of the CLB instance described in the following table, and click Buy Now to complete the payment.

Parameter	Description
Region	Select a region where you want to create the CLB instance. In this example, Germany (Frankfurt) is selected. Note Make sure that the CLB instance and the ECS instances that you want to specify as backend servers belong to the same region.
Zone Type	Specify whether to deploy the CLB instance in one zone or across multiple zones. By default, Multi-zone is selected.
Primary Zone	Select a primary zone for the CLB instance to receive network traffic. In this example, Europe Central 1 Zone B is selected.
Backup Zone	Select a secondary zone for the CLB instance. The secondary zone receives network traffic only if the primary zone is unavailable. In this example, Europe Central 1 Zone A is selected.
Instance Name	Enter a name for the CLB instance.
SLB instance	Select a type for the CLB instance. You can create an Internet-facing CLB instance or an internal-facing CLB instance based on your business requirements. The system allocates a public or private IP address to the CLB instance based on the specified instance type. In this example, Intranet is selected.
Instance Billing Method	Select a billing method for the CLB instance. Valid values: Pay-By-Specification Pay-By-CLCU In this example, Pay-By-Specification is selected.
Specification	Select a specification for the CLB instance. CLB instances with different specifications deliver different performances. In this example, Small I (slb.s1.small) is selected.
Network Type	Select a network type for the CLB instance. In this example, VPC is selected.
IP Version	Select an IP version for the CLB instance. In this example, IPv4 is selected.
Feature	Select a feature type for the CLB instance. By default, Standard is selected.
VPC ID	Select VPC 2.
Vswitch ID	Select a vSwitch in VPC 2.
Internet Data Transfer Fee	Select a metering method. Internet-facing CLB instances support the following metering methods: By traffic: the pay-by-data-transfer metering method By bandwidth: the pay-by-bandwidth metering method By default, By traffic is selected. Note Internet-facing CLB instances use the pay-by-data-transfer metering method. In this example, the CLB instance that you want to create is internal-facing and does not generate traffic fees.
Resource Group	Select a resource group for the CLB instance. In this example, Default Resource Group is selected.
Quantity	Specify the number of CLB instances that you want to purchase. In this example, 1 is specified.

Step 2: Configure the CLB instance

After the CLB instance is created, you must add at least one listener and one group of backend servers to the CLB instance. This way, network traffic can be forwarded by the CLB instance.

On the Instances page, find the CLB instance that was created in Step 1 and click Configure Listener in the Actions column.
On the Protocol & Listener wizard page, set the following parameters, use the default values for other parameters, and then click Next:
- Select Listener Protocol: In this example, TCP is selected.
- Listener Port: specifies the port that the CLB instance uses to receive requests and forward the requests to the backend servers.
  In this example, 80 is specified.
On the Backend Servers wizard page, select Default Server Group and click Add More to add backend servers.
1. In the Servers panel, select ECS 2 and ECS 3 that you created, and click Next.
2. Specify weights for the backend servers and click Add.
  A backend server with a higher weight receives more requests. In this example, the default value 100 is used.
3. On the Default Server Group tab, specify a backend port and click Next. In this example, 80 is specified.
  You can specify the same port for multiple backend servers of a CLB instance.
On the Health Check wizard page, configure the health check feature and click Next. In this example, the default values of the parameters are used.
On the Confirm wizard page, check the configurations and click Submit.
Click OK to return to the Instances page.
If the health check status of an ECS instance is Healthy, the ECS instance can process requests that are forwarded by the CLB instance.

Step 3: Create an endpoint service

Log on to the endpoint service console.
In the top navigation bar, select the region in which you want to create an endpoint service. In this example, Germany (Frankfurt) is selected.
On the Endpoints Service page, click Create Endpoint Service.

On the Create Endpoint Service page, set the parameters described in the following table and click OK.

The following table describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see the Create an endpoint service section of the Create and manage endpoint services topic.

Parameter	Description
Service Resource Type	Select the type of the service resource that you want to add to the endpoint service. In this example, CLB is selected.
Select Service Resource	Select a zone that you want to receive network traffic. Then, select the CLB instance that you want to associate with the endpoint service. In this example, Frankfurt Zone B and the CLB instance created in Step 1 are selected.
Automatically Accept Endpoint Connections	Specify whether the endpoint service automatically accepts connection requests from endpoints. In this example, No is selected. Yes: If you select this option, the endpoint service automatically accepts connection requests from endpoints. As a result, you can use endpoints to access the service resources of the endpoint service. No: If you select this option, the endpoint connection of the endpoint service is in the Disconnected state by default. In this case, connection requests to the endpoint service must be manually accepted or denied by the service provider. If the service provider accepts a connection request from an endpoint, the service resources of this endpoint service can be accessed by using the endpoint. If the service provider denies a connection request from an endpoint, the service resources of this endpoint service cannot be accessed by using the endpoint.
Enable Zone Affinity	In this example, Yes is selected. This indicates that the domain name of the nearest endpoint is first resolved among all the endpoints that are associated with the endpoint service.
Resource Group	Select the resource group to which the endpoint service belongs.

After the endpoint service is created, the account ID of the service provider is automatically added to the service whitelist.

You can view the instance ID and instance name on the details page of the endpoint service.

Step 4: Create an endpoint

Log on to the endpoint console.
In the top navigation bar, select the region in which you want to create an endpoint. In this example, Germany (Frankfurt) is selected.
On the Endpoints page, click Create Endpoint.

On the Create Endpoint page, set the parameters described in the following table and click OK.

The following table describes only the parameters that are relevant to this topic. For more information about how to set other parameters, see the Create an endpoint section of the Create and manage endpoints topic.

Parameter	Description
Endpoint Name	Enter a name for the endpoint.
Endpoint Type	Select a type for the endpoint. In this example, Interface Endpoint is selected.
Endpoints Service	In this example, the endpoint service that was created in Step 3 is selected.
VPC	Select the VPC where you want to create the endpoint. In this example, VPC 1 is selected.
Security Groups	Select the security group that you want to associate with the endpoint elastic network interface (ENI). The security group is used to control data transfer from the VPC to the endpoint ENI. Note Make sure that the rules in the security group allow access to the endpoint ENI from clients.
Zone and vSwitch	Select the zone where the endpoint service is deployed and select a vSwitch in the zone. The system automatically creates an endpoint ENI and attaches it to the vSwitch. In this example, Frankfurt Zone B and a vSwitch that was created in VPC 1 are selected.
Resource Group	Select the resource group to which the endpoint belongs.

After you create the endpoint, you can view the domain name of the endpoint and the domain name and IP address of the selected zone on the details page of the endpoint.

Step 5: Accept connection requests from the endpoint

After you create an endpoint in VPC 1, you must configure the endpoint service to accept connection requests from the endpoint. This way, resources in VPC 1 can access the endpoint service in VPC 2 by using the endpoint.

Note

Skip this step if you set the Automatically Accept Endpoint Connections parameter to Yes in Step 3.

In the left-side navigation pane, click Endpoints Service.
In the top navigation bar, select the region where the endpoint service is deployed. In this example, Germany (Frankfurt) is selected.
On the Endpoints Service page, find the endpoint service created in Step 3 and click its ID.
On the details page of the endpoint service, click the Endpoint Connections tab, find the endpoint that you want to manage, and then click Allow in the Actions column.
In the Allow Connection dialog box, select Allow connections and automatically allocate service resources. and click OK.

After you allow the endpoint service to accept connection requests from the endpoint, the state of the endpoint connection changes from Disconnected to Connected. Then, the endpoint service can process requests from the endpoint.

Step 6: Access services by using the endpoint

The following section describes how to test whether ECS 1 in VPC 1 can access the services that are deployed on ECS 2 and ECS 3 in VPC 2 by using the endpoint.

Log on to ECS 1 in VPC 1. For more information, see Connection method overview.
Run the curl command on the terminal of ECS 1 by using the domain name or IP address of the zone for the endpoint to test the connectivity.
In this example, the domain name or IP address of Frankfurt Zone B generated in Step 4 is entered.
The test result shows that ECS 1 in VPC 1 can access the services in VPC 2.