Virtual Private Cloud (VPC) provides a logically isolated network environment in the cloud, allowing you to deploy Alibaba Cloud resources and access Alibaba Cloud services. PrivateLink enables resources within the VPC to connect to services in other VPCs using private IP addresses. These services include Alibaba Cloud services and user-built services. This topic introduces the basic concepts of PrivateLink to help you make the most of PrivateLink.
How PrivateLink works
PrivateLink operates as illustrated in the diagram below. The service consumer creates an endpoint to access the endpoint service provided by the service provider. Both the service consumer and service provider can be within the same Alibaba Cloud account or across different accounts.
Service provider
The service provider owns and operates the service, utilizing Alibaba Cloud resources like Server Load Balancer and Elastic Compute Service (ECS) to offer services to the service consumer. Service providers include both Alibaba Cloud and Alibaba Cloud users with an account.
Endpoint service
The endpoint service is created by the service provider, and its service name is its unique identifier. The service consumer reaches the service through an endpoint connected to the endpoint service. An endpoint service can use Server Load Balancer application service clusters deployed in multiple zones as its service resources. Service resources are of the following four types:
Network Load Balancer (NLB)
Classic Load Balancer (CLB)
Gateway Load Balancer (GWLB)
Application Load Balancer (ALB)
Service name
Each endpoint service is assigned a unique service name, which the service consumer uses to identify the connected service when creating an endpoint.
Service whitelist
By default, your endpoint service is not visible to other service consumers. To allow VPCs in other Alibaba Cloud accounts to access your endpoint service, you must manually add those account IDs to the service whitelist.
Endpoint service status
The status of the endpoint service is detailed in the table below.
| Endpoint service status | Status description |
| --- | --- |
| Creating | The endpoint service is being created. |
| Modifying | The endpoint service is being modified. |
| Available | The endpoint service is active and can be accessed by the service consumer. |
| Deleting | The endpoint service is being deleted. |
Service consumer
The service consumer is the user who accesses the service. By creating an endpoint, the service consumer can access the endpoint service from their VPC or data center.
Endpoint
The service consumer creates an endpoint by specifying the service name, connecting their VPC to the target endpoint service. The endpoint supports various types, and the service consumer must create the appropriate type based on the service being accessed.
The types of endpoints include the following:
Interface endpoint: Service consumers can access NLB/CLB/ALB service resources via the interface endpoint, which supports multi-level domain name access to fulfill multi-zone disaster recovery service access needs.
GWLB endpoint: Service consumers can access GWLB service resources through the GWLB endpoint, which can serve as the next hop in VPC routing and enables users to redirect traffic via routing.
Reverse endpoint: Enables the service provider to initiate active access to the Alibaba Cloud service within the service consumer's VPC. The service consumer may set up a security group on the reverse endpoint to restrict its access scope. The endpoint service linked to the reverse endpoint is exclusive to Alibaba Cloud services.
Gateway endpoint: A special type of endpoint that does not depend on PrivateLink. It operates using the reserved IP range 100.64.0.0/10 and enhances secure access to cloud services through specific endpoint policies. The cloud service that currently supports gateway endpoints is Object Storage Service (OSS).
Endpoint zones and Elastic Network Interface (ENI)
When creating an endpoint, the service consumer must specify the endpoint zone. Upon successful creation, the endpoint will include one or more endpoint zones, each linked to a specific switch in the service consumer's VPC via a hosted ENI. Service requests sent to this ENI are then routed to the corresponding service resources of the service provider within the same zone through PrivateLink.
Endpoints supporting the IPv4 network type have an IPv4 address, while those supporting the dual-stack network type have both IPv4 and IPv6 addresses.
The Gateway Load Balancer endpoint supports only one endpoint zone.
Endpoint policy
An endpoint policy is a JSON-formatted, resource-based policy using the RAM Policy language. By binding the policy to the interface endpoint, the service consumer can control which resources are allowed to perform specific operations on the endpoint service. The default policy permits all resources to perform all operations through the endpoint.
Endpoint policies are applicable in scenarios where Alibaba Cloud services are accessed.
You can set endpoint policies for interface endpoints.
While the gateway endpoint does not depend on PrivateLink, it allows for the configuration of endpoint policies.
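To make the effect of an endpoint policy concrete, the following is an added example (not code from the original page or from Alibaba Cloud): a small evaluator that applies the permissive default policy and a constructed least-privilege policy for an OSS gateway endpoint to sample requests. The policy schema (Version/Statement with Effect, Action, Resource, Principal), the principal and resource string formats, the account ID 111122223333 and the bucket name example-bucket are all assumptions or constructed placeholders, and the evaluation logic is a simplified model of RAM's deny-overrides rule.

```python
import json
import re

# Constructed example of the permissive default endpoint policy; the schema
# (Version/Statement with Effect, Action, Resource, Principal) is assumed here.
DEFAULT_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*", "Principal": "*"}]
}""")

# Constructed least-privilege policy for an OSS gateway endpoint: a placeholder
# account may only read one placeholder bucket, and its secrets/ prefix is denied.
RESTRICTED_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:ListObjects"],
     "Resource": "acs:oss:*:*:example-bucket/*", "Principal": "acs:ram::111122223333:*"},
    {"Effect": "Deny", "Action": "oss:*",
     "Resource": "acs:oss:*:*:example-bucket/secrets/*", "Principal": "*"}
  ]
}""")


def _matches(patterns, value):
    # Only "*" is a wildcard (any run of characters); everything else is literal.
    if not isinstance(patterns, list):
        patterns = [patterns]
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, value):
            return True
    return False


def is_allowed(policy, principal, action, resource):
    """Simplified RAM-style evaluation: an explicit Deny always wins, otherwise any
    matching Allow grants the request, otherwise it is denied by default."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt.get("Principal", "*"), principal)
                and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Running `is_allowed` against both policies shows that the default policy accepts any principal, action and resource, while the restricted policy denies writes, other accounts, and the secrets/ prefix even for the permitted reader.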
Endpoint status
Upon creating an endpoint, the endpoint service receives a connection request. The service provider can accept or reject this request. If accepted, the service consumer can use the endpoint once it becomes available.
The status of the endpoint is detailed in the table below.
| Endpoint status | Status description |
| --- | --- |
| Creating | The endpoint is being created. |
| Modifying | The endpoint is being modified. |
| Available | The endpoint is available for use. |
| Deleting | The endpoint is being deleted. |
Endpoint connection
An endpoint connection is the link between the endpoint and the endpoint service. When the service consumer creates an endpoint, they initiate a connection request to the endpoint service. The service provider can choose to accept this request automatically or manually.
Endpoint connection status
The status of the endpoint connection is detailed in the table below.
| Endpoint connection status | Status description |
| --- | --- |
| Connecting | The connection between the endpoint and the endpoint service is being established. |
| Connected | The connection between the endpoint and the endpoint service has been established. |
| Disconnecting | The connection between the endpoint and the endpoint service is being disconnected. |
| Disconnected | The disconnected status may be due to the following situations: |
| Modifying | The connection status between the endpoint and the endpoint service is being modified. |
| Deleting | The connection between the endpoint and the endpoint service is being deleted. |
| Service Deleted | The endpoint service connected to the endpoint has been deleted. It is recommended that you delete the endpoint as soon as possible. |
Custom service domain name
A service domain name is a string of characters separated by dots, simplifying service access without the need to remember complex IP addresses.
PrivateLink interface endpoints provide default service domain names, which are resolved by authoritative DNS, a secure, fast, stable, and scalable service that efficiently routes access traffic to the corresponding service.
When the service provider is Alibaba Cloud, to accommodate different cloud service access methods and simplify user access, some cloud services offer the same domain names as those used for public network access through custom service domain names. These custom domain names are based on PrivateZone DNS resolution. PrivateZone provides domain name resolution services within the VPC network environment for various clients, such as ECS instances and containers, ensuring convenient access to required resources.
When creating an interface endpoint, the service consumer has the option to enable a custom service domain name. Once enabled, the custom service domain name allows access to Alibaba Cloud services. Alternatively, the default service domain name provided by the interface endpoint may also be used for access.