This topic describes how to use PrivateLink to enable a virtual private cloud (VPC) to access an internal-facing Classic Load Balancer (CLB) instance in a VPC that belongs to another Alibaba Cloud account.

Background information

VPCs are private networks that are isolated from each other. You can use PrivateLink to establish a secure and stable private connection between a VPC and an Alibaba Cloud service. This simplifies the network architecture and prevents security risks over the Internet.

To establish a PrivateLink connection, you must create an endpoint service and an endpoint.
  • Endpoint services

    An endpoint service can be accessed by using an endpoint in another VPC over a PrivateLink connection. Endpoint services are created and managed by service providers.

  • Endpoints

    An endpoint can be associated with an endpoint service to establish a PrivateLink connection that allows a VPC to access external services. Endpoints are created and managed by service consumers.

  • Service provider: creates and manages endpoint services.
  • Service consumer: creates and manages endpoints.

Note: PrivateLink is available only in specific regions. For more information, see Regions and zones that support PrivateLink.

Scenario

The following scenario is used as an example. Two Alibaba Cloud accounts are created: Account A and Account B. VPC1 is created by using Account A and VPC2 is created by using Account B. Application services are deployed on Elastic Compute Service (ECS) instances in VPC2. The ECS instances in VPC2 are referred to as ECS2 and ECS3. Due to business growth, VPC1 needs to access services in VPC2 through a private connection to prevent security risks over the Internet.

In this scenario, you can perform the following operations:
  1. Create a CLB instance that supports PrivateLink in VPC2, and specify ECS2 and ECS3 as the backend servers of the CLB instance.
  2. Create an endpoint service in VPC2, and specify the CLB instance as the service resource of the endpoint service.
  3. Add the UID of Account A to the service whitelist of the endpoint service.
  4. Create an endpoint for VPC1.

After the endpoint is created and connected to the endpoint service in VPC2, VPC1 can access the services in VPC2 if the status of the private connection is normal.

The following table shows how CIDR blocks are specified for the VPCs in this example. Make sure that the CIDR blocks do not overlap.

VPC1
  • Region: Germany (Frankfurt)
  • VPC CIDR block: 10.10.1.0/16
  • vSwitch CIDR block: 10.0.0.0/24
  • vSwitch zone: Zone B
  • ECS instance IP address: ECS1: 10.0.0.182

VPC2
  • Region: Germany (Frankfurt)
  • VPC CIDR block: 192.168.2.0/16
  • vSwitch CIDR block: 192.168.24.0/24
  • vSwitch zone: Zone B
  • ECS instance IP addresses: ECS2: 192.168.20.200; ECS3: 10.0.0.2
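As an added check that is not part of the original page, the following Python script validates an addressing plan laid out like the table above before any PrivateLink resources are created: each VPC CIDR block must be a properly aligned network, each vSwitch must lie inside its VPC, each ECS address must lie inside its vSwitch, and no two VPC CIDR blocks may overlap (it generalizes to any number of VPCs). The plan values below are constructed for the example, not taken from the page.

```python
import ipaddress


def check_plan(vpcs):
    """Validate a PrivateLink addressing plan.

    vpcs maps a VPC name to {"vpc": cidr, "vswitch": cidr, "hosts": [ip, ...]}.
    Returns a list of problem descriptions; an empty list means the plan is consistent.
    """
    problems = []
    vpc_nets = {}
    for name, spec in vpcs.items():
        try:
            # strict=True rejects CIDR blocks whose host bits are set (e.g. 10.10.1.0/16),
            # which a console would reject or silently normalize.
            vpc_net = ipaddress.ip_network(spec["vpc"], strict=True)
            vsw_net = ipaddress.ip_network(spec["vswitch"], strict=True)
        except ValueError as exc:
            problems.append(f"{name}: malformed CIDR block ({exc})")
            continue
        vpc_nets[name] = vpc_net
        if not vsw_net.subnet_of(vpc_net):
            problems.append(f"{name}: vSwitch {vsw_net} is not inside VPC {vpc_net}")
        for host in spec["hosts"]:
            if ipaddress.ip_address(host) not in vsw_net:
                problems.append(f"{name}: ECS address {host} is not inside vSwitch {vsw_net}")
    # Pairwise overlap check across all VPCs: the "do not overlap" requirement.
    names = list(vpc_nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if vpc_nets[a].overlaps(vpc_nets[b]):
                problems.append(f"{a} ({vpc_nets[a]}) overlaps {b} ({vpc_nets[b]})")
    return problems


# Constructed sample plan mirroring the layout of the table above (values are examples).
GOOD_PLAN = {
    "VPC1": {"vpc": "10.0.0.0/16", "vswitch": "10.0.0.0/24", "hosts": ["10.0.0.182"]},
    "VPC2": {"vpc": "192.168.0.0/16", "vswitch": "192.168.24.0/24",
             "hosts": ["192.168.24.200", "192.168.24.201"]},
}

# Constructed faulty plan: VPC2 reuses VPC1's range and one ECS sits outside its vSwitch.
BAD_PLAN = {
    "VPC1": {"vpc": "10.0.0.0/16", "vswitch": "10.0.0.0/24", "hosts": ["10.0.0.182"]},
    "VPC2": {"vpc": "10.0.0.0/16", "vswitch": "10.0.1.0/24", "hosts": ["10.0.0.2"]},
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(plan) or "OK")
```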

Limits

  • The CLB instance that serves as the service resource in VPC2 must be a pay-as-you-go internal-facing CLB instance. Only pay-as-you-go internal-facing CLB instances support PrivateLink.
  • The endpoint in VPC1, the endpoint service in VPC2, and the CLB instance that serves as the service resource must be deployed in the same zone of the same region.

Prerequisites

Before you start, make sure that the following requirements are met:

Procedure

Step 1: Create an internal-facing CLB instance that supports PrivateLink

To create an internal-facing CLB instance that supports PrivateLink, perform the following operations:

  1. Log on to the CLB console with Account B.
  2. On the Instances page, click Create CLB.
  3. On the Server Load Balancer page, configure the CLB instance based on the following information and click Buy Now to complete the payment.
    Billing Method: Select a billing method for the CLB instance. In this example, Pay-As-You-Go is selected.
    Region: Select the region and zone where you want to create the CLB instance. Make sure that the CLB instance is deployed in the same region as the ECS instances that you want to add as backend servers. In this example, Germany (Frankfurt) and Europe Central 1 Zone B are selected.
    Zone Type: Specify whether you want to deploy the CLB instance in one zone or across multiple zones. In this example, Multi-zone is selected.
    Backup Zone: Select a secondary zone for the CLB instance. Traffic is distributed to the secondary zone only when the primary zone is down. In this example, Europe Central 1 Zone A is selected.
    Instance Name: Enter a name for the CLB instance. The name must be 1 to 80 characters in length, and can contain letters, digits, hyphens (-), forward slashes (/), periods (.), and underscores (_).
    Specification: Select a specification for the CLB instance. CLB instances of different specifications provide different features. In this example, Small I (slb.s1.small) is selected.
    Instance Type: Specify whether the CLB instance is an Internet-facing or internal-facing CLB instance. In this example, Intranet is selected.
    Network Type: Select the network type of the CLB instance. In this example, VPC is selected.
    VPC: Select the VPC and vSwitch for the CLB instance. In this example, VPC2 and a vSwitch in VPC2 are selected.
    IP Version: Select an IP version for the CLB instance. In this example, IPv4 is selected.
    Feature: In this example, Standard is selected.
    Flow out: In this example, By Traffic is selected.
    Quantity: In this example, 1 is selected.
    Resource Group: In this example, Default Resource Group is selected.

Step 2: Configure the CLB instance

After the CLB instance is created, you must add at least one listener and one group of backend servers to the CLB instance. This way, network traffic can be forwarded by the CLB instance.

  1. On the Instances page, find the CLB instance that is created in Step 1 and click Configure Listener in the Actions column.
  2. On the Protocol and Listener wizard page, set the following parameters, use the default values for other parameters, and then click Next:
    • Select Listener Protocol: In this example, TCP is selected.
    • Listening Port: Specify the frontend port that is used to receive requests and distribute requests to backend servers.

      In this example, 80 is specified.

  3. On the Backend Servers wizard page, select Default Server Group and click Add More to add backend servers.
    1. In the My Servers panel, select ECS2 and ECS3 and click Next.
    2. Set the weights of the backend servers and click Add.
      A backend server with a higher weight receives more requests. In this example, the default value 100 is used.
    3. On the Default Server Group tab, specify a backend port and click Next. In this example, 80 is specified.
      You can specify the same port for multiple backend servers of a CLB instance.
  4. On the Health Check wizard page, configure health checks and click Next. In this example, the default values are used.
  5. On the Confirm wizard page, check the configurations and click Submit.
  6. Click OK to go back to the Instances page.

    If the health status of an ECS instance is Normal, the ECS instance can process requests that are forwarded by CLB.


Step 3: Create an endpoint service

After you create an endpoint service in a VPC, you can use an endpoint that is deployed in another VPC to access the endpoint service through PrivateLink connections.

  1. Log on to the Endpoint Service console with Account B.
  2. In the top navigation bar, select the region where you want to create an endpoint service. In this example, Germany (Frankfurt) is selected.
  3. On the Endpoints Service page, click Create Endpoint Service.
  4. On the Create Endpoint Service page, set the following parameters and click OK.
    Select Service Resource: Select a zone to distribute network traffic. Then, select the CLB instance to be associated with the endpoint service. In this example, Frankfurt Zone B and the CLB instance that supports PrivateLink created in Step 1 are selected.
    Automatically Accept Endpoint Connections: Specify whether to automatically accept connection requests from endpoints. In this example, No is selected.
      • Yes: The endpoint service automatically accepts connection requests from endpoints. Then, the endpoint service can be accessed by using endpoints.
      • No: The endpoint connection of the endpoint service is in the Disconnected state. In this case, connection requests to the endpoint service must be manually accepted or denied by the service provider.
        • If the service provider accepts the connection request from an endpoint, the endpoint service can be accessed by using the endpoint.
        • If the service provider denies the connection request from an endpoint, the endpoint service cannot be accessed by using the endpoint.
    Whether to Enable Zone Affinity: In this example, Yes is selected.
    Description: Enter a description for the endpoint service. The description must be 2 to 256 characters in length and cannot start with http:// or https://.

After the endpoint service is created, you can view the ID and name of the endpoint service.

Step 4: Configure a whitelist for the endpoint service

You can configure a whitelist for an endpoint service. If the UID of your account is in the whitelist, you can use your account to create an endpoint and use the endpoint to connect to the endpoint service.

To add the UID of Account A to the whitelist of the endpoint service of Account B, perform the following operations:

  1. Log on to the Endpoint Service console with Account B.
  2. In the left-side navigation pane, click Endpoints Service.
  3. On the Endpoints Service page, find the endpoint service that you created in Step 3, and then click its ID.
  4. On the Service Whitelist tab, click Add Whitelist Account.
  5. In the Add Whitelist Account dialog box, enter the account IDs that you want to add to the whitelist, and then click OK.
    In this example, the UID of Account A is entered.

Step 5: Create an endpoint

You can associate an endpoint with an endpoint service to establish a PrivateLink connection that allows a VPC to access external services.

  1. Log on to the Endpoint Service console with Account A.
  2. In the top navigation bar, select the region where you want to create the endpoint. In this example, Germany (Frankfurt) is selected.
  3. On the Endpoints page, click Create Endpoint.
  4. On the Create Endpoint page, set the following parameters and click OK.
    Endpoint Name: Enter a name for the endpoint. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
    Endpoints Service: You can associate an endpoint with an endpoint service by using one of the following methods:
      • Click Add by Service Name and enter an endpoint service name.
      • Click Select Service and select the ID of the endpoint service.
    In this example, Add by Service Name is selected and the endpoint service created in Step 3 is selected.
    VPC: Select the VPC where you want to create the endpoint. In this example, VPC1 is selected.
    Security Groups: Select the security group to be associated with the endpoint elastic network interface (ENI). The security group is used to control data transfer from the VPC to the endpoint ENI.
    Note: Make sure that the rules in the security group allow access to the endpoint ENI from clients.
    Zone and vSwitch: Select the zone of the endpoint service and select a vSwitch in the zone. The system automatically creates an endpoint ENI in the vSwitch. In this example, Frankfurt Zone B is selected, and the vSwitch in VPC1 is selected.
    Description: Enter a description for the endpoint. The description must be 2 to 256 characters in length and cannot start with http:// or https://.

After the endpoint is created, you can view the domain name or IP address that can be used to access the endpoint service. You can access the endpoint service by using one of the following methods:
  • Use the domain name of the endpoint
  • Use the IP address of the endpoint ENI
  • Use the domain name of the zone

Step 6: Accept connection requests from the endpoint

After you create an endpoint for VPC1, you must configure the endpoint service to allow connection requests from the endpoint. This way, VPC1 can use the endpoint to access the endpoint service in VPC2.
Note Skip this step if you set the Automatically Accept Endpoint Connections parameter to Yes in Step 3.

To allow the endpoint service of Account B to accept connection requests from the endpoint of Account A, perform the following operations:

  1. Log on to the Endpoint Service console with Account B.
  2. In the top navigation bar, select the region where the endpoint service is deployed. In this example, Germany (Frankfurt) is selected.
  3. On the Endpoints Service page, find the endpoint service that you created in Step 3 and click its ID.
  4. Click the Endpoint Connections tab, find the endpoint created in Step 5 and click Allow in the Actions column.
  5. In the Allow Connection message, click OK.
After you set the endpoint service to accept connection requests from the endpoint, the connection status of the endpoint changes from Disconnected to Connected.

Step 7: Use the endpoint to access services that are deployed in VPC2

To test whether ECS1 can access the services deployed on ECS2 by using the endpoint, perform the following operations:

  1. Open a browser on ECS1.
  2. In the address bar of the browser, enter the domain name or IP address that is used to access services on ECS2.
    In this example, the domain name or IP address that is generated in Step 5 is entered.

    The test result shows that ECS1 can access the services deployed on ECS2.