This topic describes how to use PrivateLink to enable a virtual private cloud (VPC) to access an internal-facing Classic Load Balancer (CLB) instance in a VPC that belongs to another Alibaba Cloud account.

Background information

VPCs are private networks that are isolated from each other. You can use PrivateLink to establish private connections between VPCs and Alibaba Cloud services. This simplifies network architecture and secures data transmission.

To use PrivateLink connections to share services between different VPCs that belong to the same account, you must create endpoint services and endpoints.
  • Endpoint services

    After you create an endpoint service in a VPC, you can use an endpoint that is deployed in another VPC to access the endpoint service through PrivateLink connections. Endpoint services are created and managed by service providers.

  • Endpoints

    You can associate an endpoint with an endpoint service to establish a PrivateLink connection. This way, the VPC to which the endpoint belongs can access the VPC to which the endpoint service belongs. Endpoints are created and managed by service consumers.

Note PrivateLink is available for use in only specific regions. For more information, see Regions and zones that support PrivateLink.

Scenarios

The following scenario is used as an example. Assume that you have two Alibaba Cloud accounts (Account 1 and Account 2). The user ID (UID) of Account 1 is 12345678, and the UID of Account 2 is 87654321. VPC 1 is created for Account 1 and VPC 2 is created for Account 2. Application services are deployed on Elastic Compute Service (ECS) instances in VPC 2. Due to business growth, VPC 1 needs to access the services in VPC 2 through a private connection to avoid security risks over the Internet.

You can create a CLB instance that supports PrivateLink in VPC 2, and specify the ECS instances in VPC 2 as backend servers for the CLB instance. Then, create an endpoint service, specify the CLB instance as the service resource for the endpoint service, and add the UID of Account 1 to the whitelist of the endpoint service. Finally, create an endpoint in VPC 1. After the endpoint is created, VPC 1 can access the services in VPC 2.

Prerequisites

Before you start, make sure that the following requirements are met:
  • An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, create one.
  • If this is your first time using PrivateLink, log on to the Activation page to enable PrivateLink.
  • ECS instances are created in VPC 2 and application services are deployed on the ECS instances in VPC 2. For more information, see Create an instance by using the wizard.
  • A security group is created in VPC 1. For more information, see Create a security group.

Procedure

Step 1: Create a CLB instance that supports PrivateLink

Only CLB instances that support PrivateLink can serve as service resources for endpoint services. Before you establish a PrivateLink connection between the VPCs, you must create a CLB instance that supports PrivateLink.

To create a CLB instance that supports PrivateLink, perform the following operations:

  1. Log on to the CLB console with Account 2.
  2. On the Instances page, click Create CLB.
  3. On the buy page, set the following parameters to create a CLB instance.
    • Billing Method: Select a billing method for the CLB instance. In this example, Pay-As-You-Go is selected.
      Note Only CLB instances that are billed on a pay-as-you-go basis support PrivateLink.
    • Region and Zone: Select the region and zones where you want to deploy the CLB instance. Make sure that the CLB instance and the ECS instances you want to add to the CLB instance are deployed in the same region. In this example, Germany (Frankfurt) and Europe Central 1 Zone B are selected.
    • Zone Type: Displays the type of zone in the region where you want to create the CLB instance. In this example, Multi-Zone is selected.
    • Backup Zone: Select the secondary zone of the CLB instance. By default, the secondary zone is used to distribute traffic only when the primary zone is down. In this example, Europe Central 1 Zone A is selected.
    • Instance name: Enter a name for the CLB instance. The name must be 1 to 80 characters in length, and can contain letters, digits, hyphens (-), forward slashes (/), periods (.), and underscores (_).
    • LoadBalancerSpec: Select a specification for the CLB instance. CLB instances with different specifications provide different features. In this example, Small I (slb.s1.small) is selected.
    • Instance Type: Specify whether the CLB instance is Internet-facing or internal-facing. In this example, Internal Network is selected.
    • Network Type: Select the type of the network where you want to deploy the CLB instance. In this example, VPC is selected.
    • VPC: In this example, VPC 2 and the vSwitch of VPC 2 are selected.
    • IP Version: Select an IP version for the CLB instance. In this example, IPv4 is selected.
    • Feature: In this example, Standard is selected.
    • Billing Method: In this example, Pay by Traffic is selected.
    • Instances: In this example, 1 is selected.
    • Resource Group: In this example, Default Resource Group is selected.
  4. Click Buy Now to complete the payment.

Step 2: Configure the CLB instance

After you create the CLB instance, you must add at least one listener and one group of backend servers to the CLB instance. This way, connection requests can be directed to the CLB instance.

  1. On the Instances page in the CLB console, find the CLB instance that is created in Step 1 and click Configure Listener in the Actions column.
  2. In the Protocol and Listener wizard, set the following parameters:
    • Select Listener Protocol: In this example, TCP is selected.
    • Listening Port: Specify the frontend port that is used to receive requests and distribute requests to backend servers.

      In this example, the port number is set to 80.

    Use the default values for other parameters. Click Next.

  3. On the Backend Servers wizard page, select Default Server Group and click Add More to add backend servers.
    1. In the My Servers panel, select the ECS instances that you created and click Next.
    2. Configure weights for backend servers. A backend server with a higher weight receives more requests. The default value is 100. We recommend that you use the default value.
    3. Click Add.
    4. On the Backend Servers wizard page, specify the ports that are open on the backend servers (ECS instances) to receive requests. You can specify the same port for backend servers that belong to the same CLB instance. In this example, set the port number to 80.
    5. Click Next.
  4. Configure health checks. The default values are used in this example. Click Next.
  5. On the Confirm wizard page, confirm the information and click Submit.
  6. Click OK to go back to the Instances page.

    If the health check status of an ECS instance is Normal, this indicates that the ECS instance is ready to process requests.

Step 3: Create an endpoint service

After you create an endpoint service in a VPC, you can connect the endpoint service with an endpoint that is deployed in another VPC. This allows the VPC where the endpoint is deployed to access the other VPC where the endpoint service is created.

  1. Log on to the Endpoint Service console with Account 2.
  2. In the top navigation bar, select the region where you want to create an endpoint service.
    In this example, Germany (Frankfurt) is selected.
  3. On the Endpoints Service page, click Create Endpoint Service.
  4. On the Create Endpoint Service page, set the following parameters for the endpoint service and click OK:
    • Select Service Resource: Select a zone to receive network traffic, and select the CLB instance to be associated with the endpoint service.

      CLB instances serve as service resources and can be associated with endpoint services. The associated CLB instances receive requests from clients. The zone where an endpoint service is deployed must be the same as the primary zone where the service resource is deployed. Only CLB instances that support PrivateLink and are deployed in VPCs can serve as service resources.

      In this example, Frankfurt Zone B and the CLB instance that is created in Step 1 are selected.

    • Automatically Accept Endpoint Connections: Specify whether to automatically accept connection requests from endpoints.
      • Yes: The endpoint service accepts all connection requests from an associated endpoint. Users can access the endpoint service through the associated endpoint.
      • No: The endpoint connection is in the Disconnected state. Endpoint connection requests to the endpoint service must be manually accepted or denied by the service administrator.
        • If the service administrator accepts endpoint connection requests from the associated endpoint, the endpoint service can be accessed through the endpoint.
        • If the service administrator denies endpoint connection requests from the associated endpoint, the endpoint service cannot be accessed through the endpoint.

      In this example, No is selected.

    • Whether to Enable Zone Affinity: Yes is selected in this example.
    • Description: Enter a description for the endpoint service.

      The description must be 2 to 256 characters in length. It cannot start with http:// or https://.

After the endpoint service is created, you can view the service ID and service name of the endpoint service.

Step 4: Configure a whitelist for the endpoint service

You can configure a whitelist for an endpoint service. If the UID of your account is in the whitelist, you can create an endpoint and use the endpoint to connect to the endpoint service.

To add the UID of Account 1 to the whitelist of the endpoint service configured by Account 2, perform the following operations:

  1. Log on to the Endpoint Service console with Account 2.
  2. In the left-side navigation pane, click Endpoints Service.
  3. On the Endpoints Service page, find the endpoint service that you created in Step 3, and click its ID.
  4. On the Service Whitelist tab, click Add to Whitelist.
  5. In the Add to Whitelist dialog box, enter the UID that you want to add to the whitelist, and then click OK.
    In this example, the UID of Account 1 is used, which is 12345678.

Step 5: Create a vSwitch

Create a vSwitch in VPC 1. The vSwitch must be deployed in the same zone as the CLB instance that is created in Step 1. When you create the endpoint in this vSwitch (Step 6), the system creates an endpoint elastic network interface (ENI) within the vSwitch. The endpoint ENI functions as the entry for VPC 1 to access services deployed in VPC 2.

  1. In the left-side navigation pane, click vSwitch.
  2. In the top navigation bar, select the region where you want to create the vSwitch.
    In this example, Germany (Frankfurt) is selected.
  3. On the vSwitch page, click Create vSwitch.
  4. In the Create vSwitch dialog box, set the following parameters for the vSwitch and click OK:
    • VPC: Select the VPC to which the vSwitch belongs. In this example, VPC 1 is selected.
    • Name: Enter a name for the vSwitch.

      The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter.

    • Zone: Select the zone where you want to deploy the vSwitch. In this example, Frankfurt Zone B is selected.
    • IPv4 CIDR Block: Specify the IPv4 CIDR block of the vSwitch.
    • Description: Enter a description for the vSwitch.

      The description must be 2 to 256 characters in length. It cannot start with http:// or https://.

Step 6: Create an endpoint

You can associate an endpoint with an endpoint service to establish a PrivateLink connection that allows a VPC to access external services.

  1. Log on to the Endpoint Service console with Account 1.
  2. In the top navigation bar, select the region where you want to create the endpoint.
    In this example, Germany (Frankfurt) is selected.
  3. On the Endpoints page, click Create Endpoint.
  4. On the Create Endpoint page, set the following parameters and click OK:
    • Endpoint Name: Enter a name for the endpoint.

      The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.

    • Endpoint Service: You can specify an endpoint service to be associated with the endpoint by performing the following operations:
      • Click Add by Service Name and enter an endpoint service name.
      • Click Select Service and select the ID of the endpoint service that you want to associate with the endpoint.

      In this example, Add by Service Name is clicked and the endpoint service created in Step 3 is selected. For more information, see Step 3: Create an endpoint service.

    • VPC: Select the VPC for which you want to create the endpoint. In this example, VPC 1 is selected.
    • Security Groups: Assign a security group to the endpoint ENI. The security group is used to manage data transfer between the VPC and the endpoint ENI.
      Note Make sure that the rules in the security group allow access from clients to the endpoint ENI.
    • Zone and vSwitch: Select the zone of the endpoint service, and select a vSwitch in the zone. The system automatically creates an endpoint ENI within the vSwitch.

      In this example, Frankfurt Zone B is selected, and the vSwitch that is created in Step 5 is selected. For more information, see Step 5: Create a vSwitch.

    • Description: Enter the description of the endpoint.

      The description must be 2 to 256 characters in length and cannot start with http:// or https://.

After the endpoint is created, you can view the domain name or IP address that is used to access the endpoint service. You can access the endpoint service in the following ways:
  • Use the domain name of the endpoint
  • Use the IP address of the ENI
  • Use the domain name of the zone

Step 7: Accept connection requests from the endpoint

After you create an endpoint for VPC 1, the endpoint can send connection requests to the endpoint service. After a connection request is accepted by the endpoint service, VPC 1 can access the endpoint service in VPC 2.
Note Skip this step if you set the endpoint service to automatically accept connection requests in Step 3.

To allow the endpoint service of Account 2 to accept endpoint connection requests from Account 1, perform the following operations:

  1. Log on to the Endpoint Service console with Account 2.
  2. In the top navigation bar, select the region where the endpoint service is deployed.
    In this example, Germany (Frankfurt) is selected.
  3. On the Endpoints Service page, find the endpoint service that you created in Step 3, and then click its ID.
  4. Click the Endpoint Connections tab, find the endpoint created in Step 6, and then click Allow in the Actions column.
  5. In the Allow Connection message, click OK.
After you accept the endpoint connection request, the connection status of the endpoint changes from Disconnected to Available.

Step 8: Test the connectivity

To test whether VPC 1 can use the endpoint to access the services in VPC 2, perform the following operations:

  1. Open the browser on an ECS instance that belongs to Account 1.
  2. Enter the domain name or IP address of the endpoint service into the address bar of the browser to test the connectivity.
    In this example, the domain name or IP address that is generated in Step 6 is entered. For more information, see Step 6: Create an endpoint.
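As an added example that is not part of the original topic, the following Python script performs the Step 8 test from an ECS instance in VPC 1 without a browser, and additionally checks that the endpoint domain name resolves to an address inside the vSwitch created in Step 5, which confirms that the request traverses the endpoint ENI and not the Internet. The endpoint domain name and the vSwitch CIDR block are placeholders that you replace with the values shown in your console.

```python
import ipaddress
import socket

# Placeholders (assumptions, not from the page): the endpoint domain name shown in
# the console after Step 6, and the IPv4 CIDR block of the vSwitch created in Step 5.
ENDPOINT_DOMAIN = "ep-xxxx.example.privatelink.placeholder"
VSWITCH_CIDR = "192.168.10.0/24"


def resolve_endpoint(target):
    """Resolve the endpoint domain name to an IPv4 address (an IP literal passes through).
    Returns None when the name cannot be resolved, for example from outside VPC 1."""
    try:
        infos = socket.getaddrinfo(target, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return infos[0][4][0]


def is_private_path(addr, vswitch_cidr):
    """True when the address lies inside the consumer vSwitch, i.e. it is the endpoint ENI
    from Step 6 rather than a public address reached over the Internet."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(vswitch_cidr, strict=False)


def http_probe(addr, port=80, host=None, timeout=3.0):
    """Connect to the listener port from Step 2 and return the HTTP status line.
    Returns None when the TCP connection fails, which is what a security group that
    blocks the client (Step 6 note) or a Disconnected endpoint (Step 7) looks like."""
    request = "GET / HTTP/1.1\r\nHost: {}\r\nConnection: close\r\n\r\n".format(host or addr)
    try:
        with socket.create_connection((addr, port), timeout=timeout) as sock:
            sock.sendall(request.encode())
            data = sock.recv(1024)
    except OSError:
        return None
    status = data.split(b"\r\n", 1)[0].decode(errors="replace")
    return status or None


def check_endpoint(target, vswitch_cidr, port=80):
    """Run the Step 8 connectivity test and report each check separately."""
    addr = resolve_endpoint(target)
    if addr is None:
        return {"address": None, "private_path": False, "status_line": None}
    return {
        "address": addr,
        "private_path": is_private_path(addr, vswitch_cidr),
        "status_line": http_probe(addr, port, host=target),
    }


if __name__ == "__main__":
    # Run on an ECS instance in VPC 1; all three fields are set when the PrivateLink path works.
    print(check_endpoint(ENDPOINT_DOMAIN, VSWITCH_CIDR))
```

If `private_path` is False while `status_line` is set, the name resolved to an address outside the vSwitch and the traffic is not using the endpoint ENI.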