PrivateLink allows you to access resources in a virtual private cloud (VPC) from another VPC over secure and private networks. PrivateLink simplifies network architecture and avoids security risks from the Internet.
Introduction
PrivateLink provides secure, flexible, and highly available private network connections for services across accounts and virtual private clouds (VPCs). Users of PrivateLink are classified into service consumers and service providers.
As a service consumer, you do not need to configure components to connect a VPC or a data center to another VPC. The components include IPv4 gateways, IPv6 gateways, NAT gateways, elastic IP addresses (EIPs), transit routers, and Express Connect Routers (ECRs).
As a service provider, you can focus on service development. PrivateLink simplifies the network connection with service consumers and avoids complex routing and security rule configurations.
Scenarios
Scenario 1: Access Alibaba Cloud services
Alibaba Cloud provides services that can be accessed by using PrivateLink.
If you need to access an Alibaba Cloud service from a VPC or a data center, specify the Alibaba Cloud service name when you create an endpoint in the VPC. All requests sent to the endpoint are forwarded to the corresponding Alibaba Cloud service through PrivateLink. Clients in the data center can connect to the VPC through networking products, so that they can also access Alibaba Cloud services through the endpoints in the VPC.
When you use an interface endpoint to access Alibaba Cloud services, you can configure endpoint policies and security groups to control which client resources can use the interface endpoint to access Alibaba Cloud services.
When you access an Alibaba Cloud service through a reverse endpoint, you can choose to set a security group to control the scope of client resources that can be accessed by the Alibaba Cloud service.
When you use a GWLB endpoint (GWLBE) to access Alibaba Cloud services, you can specify custom VPC routing policies to determine which clients can access Alibaba Cloud services through the GWLBE.
Note: When you use a gateway endpoint to access OSS, the gateway endpoint does not depend on PrivateLink. You can use a gateway endpoint to access a limited number of Alibaba Cloud services. When you create a gateway endpoint, you can configure endpoint policies to secure access to Alibaba Cloud services.
Scenario 2: Share a user-created service
As a service provider, you can create a hosted service on Alibaba Cloud and share the service with service consumers.
You can create an endpoint service in your VPC and select Network Load Balancer (NLB), Classic Load Balancer (CLB), or Application Load Balancer (ALB) as the service resource. By configuring a service whitelist, you can grant other Alibaba Cloud users the permissions to access the service. Other Alibaba Cloud users can create an interface endpoint by specifying the service name in their own VPC to establish a connection with your endpoint service. All requests sent to the interface endpoint are forwarded to your service through PrivateLink.
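The provider and consumer halves of this scenario, written as an added Terraform example for the alicloud provider (this is not code from the page or from Alibaba Cloud's documentation). The resource and attribute names are those of the alicloud Terraform provider as the editor recalls them and should be checked against the provider's current reference; the NLB, VPC, vSwitch and security group are assumed to already exist, and every ID, account UID, region and zone below is a placeholder.

```hcl
# Provider side: publish an existing NLB as a PrivateLink endpoint service.
# ASSUMPTION: resource/attribute names follow the alicloud Terraform provider;
# IDs ending in PLACEHOLDER must be replaced with real values.

variable "consumer_account_uid" {
  description = "Alibaba Cloud account UID of the service consumer (placeholder)"
  type        = string
  default     = "CONSUMER-UID-PLACEHOLDER"
}

resource "alicloud_privatelink_vpc_endpoint_service" "svc" {
  service_description    = "shared-api-via-privatelink"
  connect_bandwidth      = 200   # Mbit/s
  # false: each consumer endpoint connection must be reviewed and accepted
  # by the provider before traffic flows.
  auto_accept_connection = false
}

# The NLB that fronts the service (CLB or ALB are the other options in the text).
resource "alicloud_privatelink_vpc_endpoint_service_resource" "nlb" {
  service_id    = alicloud_privatelink_vpc_endpoint_service.svc.id
  resource_id   = "nlb-PLACEHOLDER"
  resource_type = "nlb"
}

# Service whitelist: only this account may create endpoints to the service.
resource "alicloud_privatelink_vpc_endpoint_service_user" "consumer" {
  service_id = alicloud_privatelink_vpc_endpoint_service.svc.id
  user_id    = var.consumer_account_uid
}

# Consumer side (normally a separate account and Terraform state; the service
# ID below would then be passed in as a variable rather than referenced).
provider "alicloud" {
  alias  = "consumer"
  region = "cn-hangzhou"   # credentials come from the consumer's environment
}

resource "alicloud_privatelink_vpc_endpoint" "ep" {
  provider          = alicloud.consumer
  service_id        = alicloud_privatelink_vpc_endpoint_service.svc.id
  vpc_id            = "vpc-PLACEHOLDER"
  vpc_endpoint_name = "ep-shared-api"
  # Security group on the endpoint ENI: restricts which clients in the
  # consumer VPC may reach the service through this endpoint.
  security_group_ids = ["sg-PLACEHOLDER"]
}

# One zone per vSwitch the endpoint should be reachable from; requests are
# forwarded to the provider's resource in the same zone.
resource "alicloud_privatelink_vpc_endpoint_zone" "ep_zone" {
  provider    = alicloud.consumer
  endpoint_id = alicloud_privatelink_vpc_endpoint.ep.id
  vswitch_id  = "vsw-PLACEHOLDER"
  zone_id     = "cn-hangzhou-h"
}
```

Two controls on the provider side decide who can reach the service: the service whitelist (the `_service_user` resource) limits which accounts may create an endpoint at all, and `auto_accept_connection = false` means every endpoint connection still has to be accepted explicitly. The security group on the consumer's endpoint is the consumer-side control over which of their own clients can use the connection.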
Scenario 3: Access a virtual network device
As a service provider, you can deploy virtual network devices, such as firewalls, intrusion detection systems, traffic mirroring appliances, and deep packet inspection appliances, behind a GWLB and share these hosted virtual network devices with other Alibaba Cloud users.
You can create an endpoint service in your own VPC and select GWLB as the service resource. By configuring a service whitelist, you can grant other Alibaba Cloud users the permissions to access your virtual network devices. Other Alibaba Cloud users can create a GWLBE by specifying the service name in their own VPC and establish a connection with your endpoint service. All requests sent to this GWLBE will be forwarded to your virtual network devices through PrivateLink.
As a service consumer, you can set the GWLBE as the next hop for VPC routes. You can configure VPC routing policies to determine the clients whose requests are forwarded to the GWLBE to access virtual network devices. After the requests are forwarded to the GWLBE, PrivateLink forwards the requests to the GWLB in the same zone. The GWLB encapsulates the original packet by using GENEVE and forwards the traffic to a healthy virtual network device at the backend based on the traffic scheduling algorithm.
Benefits
Secure network transmission
When you access a service over PrivateLink, traffic is transmitted over a private network. This provides higher security than access over the Internet. PrivateLink provides a wide range of security features to meet your requirements.
Simplified network management
The networks of service providers and service consumers are independent of each other, so their IP address ranges may overlap. PrivateLink also avoids complex routing and security rule configurations by providing a secure cross-account and cross-VPC access mode.
PrivateLink allows service consumers to use the private IP addresses of their VPCs to access services. This meets the needs of service consumers to access services across VPCs and from data centers.
High availability and automatic elasticity
Requests are forwarded between clients and servers in the same zone to minimize latency. You can use Alibaba Cloud DNS together with interface endpoints to implement disaster recovery across zones.
PrivateLink supports auto scaling and provides upper limits based on different service resource types. This meets diverse elasticity requirements.
Access PrivateLink
You can access and manage PrivateLink in the following ways by using an Alibaba Cloud account:
VPC console: a web console that supports interactive operations. The VPC console allows you to access services in a VPC from another VPC.
Alibaba Cloud SDKs: support multiple programming languages, such as Java, Go, PHP, Python, C#, and C++.
OpenAPI Explorer: allows you to retrieve and call API operations, and dynamically generates SDK sample code.
Terraform: an open source tool that lets you keep configuration files under version control and use them to provision compute resources on Alibaba Cloud and other platforms that support Terraform.