PrivateLink: How it works

Last Updated: Aug 25, 2025

A Virtual Private Cloud (VPC) is a logically isolated network environment in the cloud where you can deploy Alibaba Cloud resources and access Alibaba Cloud services. PrivateLink allows resources in a VPC to use their private IP addresses to connect to Alibaba Cloud services and user-built services that are deployed in other VPCs.

The following figure uses a user-built service as an example. A service consumer creates an endpoint to access an endpoint service provided by a service provider. The service consumer and the service provider can be in the same Alibaba Cloud account or in different Alibaba Cloud accounts.

[Figure: a service consumer's endpoint connecting to a service provider's endpoint service over PrivateLink]

Service provider

A service provider is the owner of a service. The service provider uses Alibaba Cloud resources, such as Server Load Balancer (SLB) and Elastic Compute Service (ECS), to build and provide services to service consumers. A service provider can be Alibaba Cloud or an Alibaba Cloud user.

Endpoint service

An endpoint service is created by a service provider and is uniquely identified by a service name. A service consumer accesses the service by connecting to an endpoint that is associated with the endpoint service. An endpoint service can use Server Load Balancer (SLB) instances that are deployed across multiple zones as its service resources. The following types of service resources are supported.

  • Network Load Balancer (NLB)

  • Classic Load Balancer (CLB)

  • Gateway Load Balancer (GWLB)

  • Application Load Balancer (ALB)

Service name

Each endpoint service has a unique service name. When a service consumer creates an endpoint, the service name is used to identify the service to which the endpoint connects.

Service whitelist

By default, your service is not visible to other service consumers. If you want to allow VPCs that belong to other Alibaba Cloud accounts to access your endpoint service, you must add the IDs of those accounts to the service whitelist.

Note

After you create an endpoint service, the ID of your account is automatically added to the service whitelist.

Endpoint service status

The following table describes the statuses of an endpoint service.

Endpoint service status   Status description
Creating                  The endpoint service is being created.
Modifying                 The endpoint service is being modified.
Active                    The endpoint service is active and can be accessed by service consumers.
Deleting                  The endpoint service is being deleted.

Service consumer

A user that accesses a service is called a service consumer. By creating an endpoint, a service consumer can access an endpoint service from a VPC or a data center.

Endpoint

A service consumer creates an endpoint by specifying a service name to connect their VPC to the destination endpoint service. Endpoints are available in different types. A service consumer must create an endpoint of the type required by the service.

The following types of endpoints are available:

  • Interface endpoint: An interface endpoint allows a service consumer to access NLB, CLB, or ALB services. Interface endpoints support multi-level domain name access to meet requirements for multi-zone disaster recovery.

  • Gateway Load Balancer endpoint: A Gateway Load Balancer endpoint (GWLBe) allows a service consumer to access GWLB services. A GWLBe can be specified as a next hop in a VPC route table to redirect traffic.

  • Reverse endpoint: A reverse endpoint allows a service provider to initiate connections to cloud services in the VPC of a service consumer. The service consumer can configure a security group for the reverse endpoint to restrict the access scope. The endpoint service that is connected to a reverse endpoint can only be an Alibaba Cloud service.

Note

A gateway endpoint is a special type of endpoint. For more information, see Accessing cloud services from a VPC over a private connection. Unlike other endpoints, a gateway endpoint does not rely on PrivateLink. It uses the reserved IP address range 100.64.0.0/10 and endpoint policies to provide more secure access to cloud services. Currently, Object Storage Service (OSS) is the only cloud service that supports gateway endpoints.

Endpoint zones and elastic network interfaces

When a service consumer creates an endpoint, they must specify one or more zones for the endpoint. After an endpoint is created, it consists of one or more endpoint elastic network interfaces (ENIs). Each endpoint ENI is a managed ENI that is associated with a vSwitch in the VPC of the service consumer. All service requests sent to the endpoint ENI are forwarded to the service resources of the service provider in the same zone over PrivateLink.

  • If an endpoint supports the IPv4 network type, the endpoint has an IPv4 address. If an endpoint supports the dual-stack network type, the endpoint has both an IPv4 address and an IPv6 address.

  • A Gateway Load Balancer endpoint supports only one zone.

Endpoint policy

An endpoint policy is a resource-based policy written in JSON format based on the RAM policy language. You can attach an endpoint policy to an interface endpoint to control which RAM users can perform specific operations on the endpoint service through the endpoint. By default, the endpoint policy allows all RAM users to perform all operations on the service through the endpoint.

Note

  • Endpoint policies apply when you access Alibaba Cloud services.

  • You can configure endpoint policies for interface endpoints.

  • Although gateway endpoints do not rely on PrivateLink, you can configure endpoint policies for them.
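The following is an added example, not code from this documentation or from Alibaba Cloud: a small evaluator that shows how a resource-based endpoint policy narrows the default allow-all behaviour described above. The JSON shape (Version, Statement, Effect, Principal, Action, Resource) follows the general RAM policy language; the exact schema that PrivateLink accepts, the account ID 1234567890123456, the RAM user names, the OSS actions and the bucket names are all constructed for the demonstration. Evaluation order is the usual one for RAM-style policies: an explicit Deny wins, otherwise any matching Allow grants access, otherwise access is implicitly denied.

```python
import fnmatch
import json

# Default endpoint policy: the page states that by default all RAM users may
# perform all operations on the service through the endpoint.
DEFAULT_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
  ]
}
""")

# Constructed, least-privilege policy (account ID, user and bucket are made up):
# one RAM user may only read one bucket through the endpoint, and every
# principal is explicitly denied delete operations.
RESTRICTED_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"RAM": ["acs:ram::1234567890123456:user/reader"]},
     "Action": ["oss:GetObject", "oss:ListObjects"],
     "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"]},
    {"Effect": "Deny", "Principal": "*", "Action": "oss:Delete*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller):
    """'*' matches everyone; otherwise match the caller against RAM principals."""
    if principal == "*":
        return True
    ram = principal.get("RAM", []) if isinstance(principal, dict) else []
    return any(fnmatch.fnmatchcase(caller, pattern) for pattern in _as_list(ram))


def _any_match(patterns, value):
    """Glob-style match ('*' wildcards) used for Action and Resource elements."""
    return any(fnmatch.fnmatchcase(value, pattern) for pattern in _as_list(patterns))


def evaluate(policy, caller, action, resource):
    """Return 'Allow' or 'Deny' for one request made through the endpoint.

    Explicit Deny overrides everything; any matching Allow grants access;
    a request no statement matches is implicitly denied.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt.get("Principal", "*"), caller)
                and _any_match(stmt["Action"], action)
                and _any_match(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    reader = "acs:ram::1234567890123456:user/reader"
    other = "acs:ram::1234567890123456:user/other"
    obj = "acs:oss:cn-hangzhou:1234567890123456:example-bucket/report.csv"
    for policy_name, policy in (("default", DEFAULT_POLICY), ("restricted", RESTRICTED_POLICY)):
        for who, act in ((reader, "oss:GetObject"), (reader, "oss:DeleteObject"), (other, "oss:GetObject")):
            print(f"{policy_name:10} {who.split('/')[-1]:7} {act:16} -> {evaluate(policy, who, act, obj)}")
```

Running the block prints a small matrix: under the default policy every request is allowed, while under the restricted policy only the reader's GetObject on the example bucket passes, the delete is blocked by the explicit Deny, and the other user is implicitly denied. The same evaluator can be pointed at any policy document of this shape to check what an endpoint would let through before attaching it.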

Endpoint status

When you create an endpoint, the endpoint service receives a connection request. The service provider can accept or reject the request. If the service provider accepts the request, the service consumer can use the endpoint after it enters the Active state.

The following table describes the statuses of an endpoint.

Endpoint status   Status description
Creating          The endpoint is being created.
Modifying         The endpoint is being modified.
Active            The endpoint is active and can be used.
Deleting          The endpoint is being deleted.

Endpoint connection

An endpoint connection is the connection between an endpoint and an endpoint service. When a service consumer creates an endpoint, a connection request is sent to the endpoint service. The service provider can accept the connection request automatically or manually.

Endpoint connection status

The following table describes the statuses of an endpoint connection.

Endpoint connection status   Status description
Connecting                   A connection is being established between the endpoint and the endpoint service.
Connected                    A connection is established between the endpoint and the endpoint service.
Disconnecting                The connection between the endpoint and the endpoint service is being terminated.
Disconnected                 An endpoint connection is in the Disconnected state for one of the following reasons:
                               • If an endpoint service is not configured to automatically accept connections, an endpoint remains in the Disconnected state after it is created.
                               • The endpoint service denied the connection request or has not yet accepted the connection.
                               • The endpoint has an overdue payment.
                               • The endpoint service has an overdue payment.
Modifying                    The connection between the endpoint and the endpoint service is being modified.
Deleting                     The connection between the endpoint and the endpoint service is being deleted.
Service Deleted              The endpoint service that is connected to the endpoint is deleted. Delete the endpoint as soon as possible.
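The following is an added example, not code from this documentation or from Alibaba Cloud: a simplified model of the consumer/provider handshake described in the Service whitelist, Endpoint status and Endpoint connection sections. It encodes the rules the page states (a service is visible only to whitelisted accounts, the owner's account is whitelisted automatically, a connection request is accepted automatically or manually, and an overdue payment or a deleted service breaks the connection) so that the resulting connection state can be checked. The class and function names, the account IDs and the omission of the transient Connecting, Disconnecting, Modifying and Deleting states are all assumptions made for this illustration.

```python
from dataclasses import dataclass, field


class NotVisible(Exception):
    """The consumer's account is not on the service whitelist, so the
    endpoint service cannot be connected to at all."""


@dataclass
class EndpointService:
    """Provider side (constructed model, not the PrivateLink API)."""
    owner_account: str
    auto_accept: bool = False
    whitelist: set = field(default_factory=set)
    overdue: bool = False
    deleted: bool = False

    def __post_init__(self):
        # The page states that the owner's account ID is added to the
        # whitelist automatically when the endpoint service is created.
        self.whitelist.add(self.owner_account)


@dataclass
class Endpoint:
    """Consumer side (constructed model)."""
    consumer_account: str
    overdue: bool = False
    connection: str = "Disconnected"


def create_endpoint(service, consumer_account):
    """Consumer creates an endpoint, which sends a connection request."""
    if consumer_account not in service.whitelist:
        raise NotVisible(consumer_account)
    endpoint = Endpoint(consumer_account)
    # With automatic acceptance the connection is established immediately;
    # otherwise it stays Disconnected until the provider accepts it.
    endpoint.connection = "Connected" if service.auto_accept else "Disconnected"
    return endpoint


def accept_request(endpoint):
    """Provider manually accepts the pending connection request."""
    endpoint.connection = "Connected"
    return endpoint.connection


def reject_request(endpoint):
    """Provider rejects (or later terminates) the connection."""
    endpoint.connection = "Disconnected"
    return endpoint.connection


def refresh(service, endpoint):
    """Re-derive the connection state from the conditions the page lists."""
    if service.deleted:
        endpoint.connection = "Service Deleted"
    elif service.overdue or endpoint.overdue:
        endpoint.connection = "Disconnected"
    return endpoint.connection


def can_carry_traffic(service, endpoint):
    """Only a Connected endpoint connection forwards requests to the service."""
    return refresh(service, endpoint) == "Connected"


if __name__ == "__main__":
    # Constructed account IDs: 1111 owns the service, 2222 is a whitelisted
    # consumer, 3333 is not on the whitelist.
    svc = EndpointService(owner_account="1111", auto_accept=False)
    svc.whitelist.add("2222")
    ep = create_endpoint(svc, "2222")
    print("after create:", ep.connection)            # Disconnected (manual acceptance)
    print("after accept:", accept_request(ep))       # Connected
    try:
        create_endpoint(svc, "3333")
    except NotVisible as exc:
        print("not visible to account", exc)
    svc.deleted = True
    print("after service deletion:", refresh(svc, ep))  # Service Deleted
```

Keeping the whitelist check ahead of any state change mirrors the page's point that the service is invisible to non-whitelisted accounts: those consumers never reach the pending-request stage, which is where a provider that reviews requests manually should expect to see only accounts it deliberately allowed.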

Custom service domain name

A service domain name is a string of dot-separated characters that identifies a service. Service consumers can use service domain names to easily access services without having to remember complex IP addresses.

Interface endpoints of PrivateLink provide default service domain names. Default service domain names use authoritative DNS resolution. Authoritative DNS resolution is a secure, fast, stable, and scalable Domain Name System (DNS) service that can efficiently route access traffic to the destination service.

If the service provider is Alibaba Cloud, some cloud services support custom service domain names to ensure compatibility with different access methods and simplify user access. The custom service domain names are the same as the domain names that are used for public access or access from other cloud services. Custom service domain names are resolved based on internal DNS resolution (PrivateZone). PrivateZone provides domain name resolution for clients, such as ECS instances and containers, in a VPC to ensure convenient access to resources.

When a service consumer creates an interface endpoint, they can enable the custom service domain name feature. After you enable this feature, you can use the custom service domain name to access the Alibaba Cloud service. You can also use the default service domain name that is provided by the interface endpoint to access the service.