PrivateLink is used to establish private, stable, and secure connections between virtual private clouds (VPCs) and other Alibaba Cloud services. PrivateLink simplifies network architectures and prevents risks that arise from accessing services over the Internet.

Terms

Before you use PrivateLink, we recommend that you understand the following terms.

Endpoint: You can associate an endpoint with an endpoint service to establish a PrivateLink connection that allows a VPC to access external services. Endpoints are created and managed by service consumers.
Endpoint elastic network interface (ENI): Endpoint ENIs serve as ingresses for endpoints to access endpoint services.
Endpoint security group: Security groups control the traffic between VPCs and endpoint ENIs. Each endpoint must be added to at least one security group. After an endpoint is added to a security group, all ENIs of the endpoint are associated with the security group.
Endpoint service: After you create an endpoint service in a VPC, an endpoint that is deployed in another VPC can access the endpoint service over a PrivateLink connection. Endpoint services are created and managed by service providers.
Service resource: You can use endpoints to access the service resources of endpoint services.
Note
  • You can specify Server Load Balancer (SLB) instances as service resources, including Classic Load Balancer (CLB) instances and Application Load Balancer (ALB) instances.
  • The feature to specify ALB instances as service resources is available only to users who are included in the whitelist. If you want to use the feature, submit a ticket or contact your sales manager.
Service whitelist: The service whitelist of an endpoint service manages the users who are allowed to access the service resources.

After an endpoint service is created, the ID of the Alibaba Cloud account of the service owner is automatically added to the service whitelist. Users whose account IDs are in the whitelist can query the endpoint service and use endpoints to connect to the endpoint service. If you want to allow a VPC that belongs to another Alibaba Cloud account to access the endpoint service, you must add the ID of that Alibaba Cloud account to the service whitelist.

Endpoint connection: The connection between an endpoint and an endpoint service.
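As an added illustration that is not part of the original documentation, the following Python audit walks a constructed inventory of one endpoint service and several consumer endpoints and flags three things the terms above imply a reviewer should check: whitelist entries outside an approved account set, endpoints with no security group, and security-group ingress rules broader than the consumer VPC's CIDR. All account IDs, CIDRs and the record layout are assumptions for the example; they are not real PrivateLink API output.

```python
import ipaddress

# Constructed inventory (placeholder IDs, not real API output).
APPROVED_ACCOUNTS = {"1111111111111111", "2222222222222222"}

ENDPOINT_SERVICE = {
    "service_id": "epsrv-placeholder",
    "owner_account": "1111111111111111",
    "whitelist": ["1111111111111111", "2222222222222222", "9999999999999999"],
}

ENDPOINTS = [
    {"endpoint_id": "ep-a", "vpc_cidr": "10.1.0.0/16",
     "security_groups": [{"ingress": [{"source": "10.1.0.0/16", "port": "443/443"}]}]},
    {"endpoint_id": "ep-b", "vpc_cidr": "10.2.0.0/16",
     "security_groups": [{"ingress": [{"source": "0.0.0.0/0", "port": "1/65535"}]}]},
    {"endpoint_id": "ep-c", "vpc_cidr": "10.3.0.0/16", "security_groups": []},
]


def audit_whitelist(service, approved):
    """Return whitelist entries that are neither the owner nor an approved consumer."""
    allowed = set(approved) | {service["owner_account"]}
    return sorted(uid for uid in service["whitelist"] if uid not in allowed)


def audit_endpoint(ep):
    """Return findings for one endpoint's security-group posture."""
    findings = []
    if not ep["security_groups"]:
        # The platform requires at least one security group; a record without
        # one means the inventory is stale or was exported incorrectly.
        findings.append("no security group attached")
        return findings
    vpc = ipaddress.ip_network(ep["vpc_cidr"])
    for sg in ep["security_groups"]:
        for rule in sg["ingress"]:
            src = ipaddress.ip_network(rule["source"])
            # Traffic to the endpoint ENI should originate only from the consumer VPC.
            if not src.subnet_of(vpc):
                findings.append(f"ingress from {rule['source']} is wider than VPC {ep['vpc_cidr']}")
    return findings


def audit_all(service, endpoints, approved):
    """Combine the whitelist audit and per-endpoint audits into one report."""
    report = {"whitelist": audit_whitelist(service, approved)}
    for ep in endpoints:
        report[ep["endpoint_id"]] = audit_endpoint(ep)
    return report
```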

Overview

PrivateLink contains components of the service consumer and service provider.
Service consumer:
  • Endpoint
  • Endpoint zone and ENI
  • Endpoint security group
Service provider:
  • Endpoint service
  • Service resource
  • Service whitelist
  • Endpoint connection

Common scenarios

PrivateLink allows you to establish private, stable, and secure connections between endpoint services and VPCs in which endpoints are deployed. PrivateLink facilitates network configuration and meets the requirements of various scenarios.

Share cloud services across VPCs

You can use PrivateLink to enable a VPC to access an SLB instance that serves as the service resource in another VPC.

In the following figure, if you want VPC1 to access the SLB instance in VPC2 over PrivateLink, you can specify the SLB instance as the service resource of the endpoint service in VPC2, and then create an endpoint in VPC1 that is associated with the endpoint service in VPC2.

Figure: Access endpoint services across regions

Share cloud services in a VPC with a data center

You can use PrivateLink to enable a data center to access an SLB instance that serves as the service resource in a VPC.

In the following figure, if you want the data center to access the SLB instance in VPC2, you can share the SLB instance with VPC1 over PrivateLink, and then connect VPC1 with the data center by using an Express Connect circuit, a VPN gateway, or Smart Access Gateway (SAG).

Figure: Share cloud services with a data center

Benefits

  • Low risks

    When you access endpoint services through PrivateLink connections, requests are forwarded within the Alibaba Cloud network. This avoids the risks that come with exposing the service to, or reaching it over, the Internet.

  • Security and controllability

    When you use PrivateLink to access cloud services, you can add rules to the security group of the ENI that is used to access the services, so that only the intended sources in the VPC can reach the endpoint. This improves security and control.

  • Low latency and high quality

    When you use PrivateLink to access cloud services, requests are forwarded within the same zone to reduce network latency.

  • Simplified management

    PrivateLink allows you to access cloud services that are deployed in another VPC within the same account, or cloud services that belong to another account. This simplifies route and security configurations.