PrivateLink enables secure and stable access to Alibaba Cloud services, partner Software as a Service (SaaS) applications, and user-built services in other VPCs from your VPCs or data centers through the Alibaba Cloud internal network. This simplifies network architecture and avoids security risks because traffic does not traverse the public network.
For example, consider user-built services. The service consumer creates an endpoint to access the endpoint service provided by the service provider. The service consumer and service provider can be in the same Alibaba Cloud account or in different accounts.
Basic Concepts
Service Providers
As the service owner, the service provider uses Alibaba Cloud resources to build and provide an endpoint service to the service consumer. The service consumer accesses the service by connecting to the endpoint service through an endpoint.
Endpoint service resources: Endpoint services support adding load balancers deployed in multiple zones as service resources. Service resource types include Network Load Balancer (NLB), Application Load Balancer (ALB), Classic Load Balancer (CLB), and Gateway Load Balancer (GWLB).
Endpoint service name: This is the unique identifier for an endpoint service. When creating an endpoint, the service consumer uses the service name to uniquely identify the service to connect to.
Service whitelist: By default, an endpoint service is not visible to every service consumer. If the service provider wants VPCs in other Alibaba Cloud accounts to access the endpoint service, the provider must manually add those accounts' IDs to the service whitelist.
After an endpoint service is created, the service provider's own account ID is added to the service whitelist automatically.
Endpoint service status: Creating, Modifying, Available, Deleting.
Service Consumers
As the service accessor, the service consumer creates an endpoint to access the endpoint service from a VPC or data center.
Endpoint types: Create the appropriate endpoint type based on the endpoint service type you want to access.
Gateway endpoint: Gateway endpoints do not depend on PrivateLink. Acting as a "virtual gateway" for a VPC when it accesses specific Alibaba Cloud services, gateway endpoints use the reserved IP address space 100.64.0.0/10 and enable more secure access to Alibaba Cloud services through endpoint policies. Currently, Object Storage Service (OSS) is the only Alibaba Cloud service that supports gateway endpoints.
Interface endpoint: Use an interface endpoint to access endpoint services with service resource types NLB, CLB, or ALB.
Gateway Load Balancer endpoint: Use a Gateway Load Balancer endpoint to access endpoint services with service resource type GWLB. Gateway Load Balancer endpoints support acting as the next hop for VPC routing, allowing users to redirect traffic through routing.
Reverse endpoint: This allows the service provider to actively initiate access to cloud services in the service consumer's VPC. The service consumer can configure security groups on the reverse endpoint to restrict its access scope. Endpoint services connected to reverse endpoints only support Alibaba Cloud services.
Endpoint zones: When creating an endpoint, PrivateLink creates an Elastic Network Interface (ENI) in the specified endpoint zone to serve as the local access entry point for the service.
Endpoint policies: Endpoint policies apply only to interface endpoints that are used to access Alibaba Cloud services. Without a policy, any user or service in the VPC that holds Alibaba Cloud account credentials can access any resource of the corresponding service through the endpoint.
Endpoint status: Creating, Modifying, Available, Deleting.
Endpoint Connections
When the service consumer creates an endpoint, the service provider's endpoint service receives an endpoint connection request. After the service provider accepts the request, an endpoint connection is established between the endpoint and the endpoint service.
An endpoint connection can be in one of the following statuses: Connecting, Connected, Disconnecting, Disconnected, Modifying, Deleting, and Service Deleted.
Disconnected status can occur in the following situations:
The endpoint service is not configured to accept connections automatically. A newly created endpoint then remains in the Disconnected state until the service provider accepts the connection request.
The endpoint service rejects the endpoint connection or has not yet allowed the endpoint connection.
The endpoint has an overdue payment.
The endpoint service has an overdue payment.
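The admission rules above (whitelist visibility, manual or automatic acceptance, rejection, and overdue payment) as an added model in Python; this is illustration code, not Alibaba Cloud's own, and the account and endpoint IDs used with it are constructed.

```python
"""PrivateLink endpoint-connection admission as described above.

Added illustration, not Alibaba Cloud code. Account and endpoint IDs are
constructed; it models only the rules the page states: whitelist gate,
automatic versus manual acceptance, rejection, and overdue payment."""
from dataclasses import dataclass, field

CONNECTED, DISCONNECTED = "Connected", "Disconnected"


@dataclass
class EndpointService:
    provider_account: str
    auto_accept: bool = False  # manual acceptance unless the provider enables it
    overdue: bool = False      # provider-side overdue payment
    whitelist: set = field(default_factory=set)
    connections: dict = field(default_factory=dict)  # endpoint_id -> status

    def __post_init__(self):
        # The provider's own account ID is whitelisted automatically.
        self.whitelist.add(self.provider_account)

    def allow_account(self, account_id):
        self.whitelist.add(account_id)

    def request_connection(self, consumer_account, endpoint_id):
        """Consumer creates an endpoint; returns the initial connection status."""
        if consumer_account not in self.whitelist:
            # Service is not visible to this account, so no request reaches the provider.
            raise PermissionError(f"account {consumer_account} is not whitelisted")
        # Without automatic acceptance the new endpoint starts out Disconnected.
        self.connections[endpoint_id] = CONNECTED if self.auto_accept else DISCONNECTED
        return self.connections[endpoint_id]

    def accept(self, endpoint_id):
        self.connections[endpoint_id] = CONNECTED

    def reject(self, endpoint_id):
        self.connections[endpoint_id] = DISCONNECTED

    def effective_status(self, endpoint_id, endpoint_overdue=False):
        """Status the consumer sees; overdue payment on either side disconnects."""
        if self.overdue or endpoint_overdue:
            return DISCONNECTED
        return self.connections[endpoint_id]
```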
Core Attributes
Endpoint Service Domain Names
After the service consumer creates an interface endpoint, Alibaba Cloud creates region-level and zone-level service domain names for the consumer to use when connecting to the service:
Endpoint service domain name: endpoint_id.endpoint_service_id.service_region.privatelink.aliyuncs.com
Zone domain name: endpoint_id-endpoint_zone.endpoint_service_id.service_region.privatelink.aliyuncs.com
When accessing Alibaba Cloud services in your VPC, you typically use a specific service domain name. If the service has a custom service domain name configured, enable the custom service domain name for the interface endpoint you created. Once enabled, you do not need to modify the service address in your application and can continue to use that domain name to access the service through PrivateLink's private network.
The custom service domain name is effective within the VPC where the interface endpoint resides. Only the VPC containing the interface endpoint can resolve the private IP address. Other VPCs and data centers can access the service using the custom service domain name after they connect to the VPC containing the interface endpoint and configure domain name resolution.
IP Versions
Service providers can offer endpoint services to service consumers through IPv4 or dual-stack.
Select dual-stack only when all service resources added to the endpoint service support dual-stack.
If the endpoint service supports dual-stack, configure a dual-stack endpoint. Clients can then access the service using both IPv4 and IPv6 addresses.
High Availability for Service Access
Configure multi-zone service resources for the endpoint service.
If the service resources are NLB or ALB, add multi-zone NLB or ALB instances.
If the service resources are CLB, add multiple CLB instances with different primary zones.
When creating an interface endpoint, select vSwitches in at least two zones.
The service consumer accesses the service using the endpoint domain name. Alibaba Cloud provides fully managed availability probing to ensure quick failover to other zones in case of a zone failure:
It probes the availability of Elastic Network Interface (ENI) IP addresses in different endpoint zones in real time. If an anomaly occurs, it deletes the corresponding DNS record to prevent service interruption or data loss due to zone failures.
After fault recovery, it automatically adds the corresponding DNS record.
Elasticity and Throttling
Elastic Performance
PrivateLink supports automatic elastic scaling:
It provides zone-level automatic elasticity. The bandwidth supported by each endpoint in each zone automatically scales with business usage growth.
It provides corresponding elasticity limits based on different endpoint types and service resource types.
The current elastic bandwidth metric only represents the capacity supported by the endpoint zone's network interface controller (NIC). The full link's actual capacity depends on the backend service resource type and application processing capability.
If your application requires higher throughput, contact your account manager to apply.
Endpoint Type | Service Resource Type | Elastic Bandwidth Description |
Interface endpoint | Network Load Balancer (NLB) | The default initial metric is 10 Gbps. Starting February 1, 2026, newly created interface endpoints can scale up to 50 Gbps. When endpoints are distributed across multiple zones, the maximum bandwidth for an endpoint is |
Interface endpoint | Application Load Balancer (ALB) | The default initial metric is 5 Gbps, and it can scale up to 25 Gbps. When endpoints are distributed across multiple zones, the maximum bandwidth for an endpoint is |
Interface endpoint | Classic Load Balancer (CLB) | Each PrivateLink endpoint can support up to 5 Gbps of bandwidth per zone. When endpoints are distributed across multiple zones, the maximum bandwidth for an endpoint is If the service resource type is CLB, the endpoint's default connection bandwidth limit is 3072 Mbps. The maximum connection bandwidth does not exceed this limit. This means that if the service provider does not adjust the endpoint connection's bandwidth limit, each endpoint can support no more than 3072 Mbps of bandwidth per zone. |
Gateway Load Balancer endpoint | Gateway Load Balancer (GWLB) | The default initial metric is 5 Gbps, and it can scale up to 25 Gbps. When endpoints are distributed across multiple zones, the maximum bandwidth for an endpoint is |
Relationship Between Elastic Bandwidth and Throttling
Elastic bandwidth: This is the zone-level automatic elasticity provided by the system. It represents the maximum bandwidth supported by each endpoint within each zone. No pre-configuration is needed.
Throttling: This is a throttling policy configured by the service provider for endpoint connections to prevent backend service resource overload. Service providers can set different throttling values for different endpoint connections.
Inheritance mechanism: After the service provider sets a throttling limit for an endpoint connection, the Elastic Network Interfaces (ENIs) in each zone for that endpoint automatically inherit and enforce this throttling value, enabling precise traffic control.
How to view:
Call GetVpcEndpointAttribute and check the Bandwidth information in the response.
View the Bandwidth Limit on the Basic Information page of the endpoint details page.
Note that throttling is not a business commitment metric. Because of the distributed architecture, the endpoint's throttling value is evenly distributed across multiple devices in the cluster within a zone. The set throttling value can only be reached with multiple connections. Actual throttling results may vary and might exceed the set throttling value.
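How the elastic ceilings in the table combine with the inherited connection throttling, as an added Python illustration (not Alibaba Cloud code). It assumes the endpoint type and resource type are given as the strings used below and that the 50 Gbps NLB figure applies to the endpoint in question.

```python
"""Effective per-zone bandwidth of an endpoint: the elastic ceiling from
the table above combined with the provider-set connection throttling.

Added illustration, not Alibaba Cloud code. It encodes only the figures the
page gives (maximum elastic bandwidth per endpoint/resource type and the CLB
default connection limit of 3072 Mbps) plus the inheritance rule: every zone
ENI of the endpoint enforces the connection's throttling value."""

# Maximum elastic bandwidth per endpoint per zone, in Mbps (from the table).
# NLB: the 50 Gbps ceiling is stated for endpoints created from 2026-02-01;
# the page gives 10 Gbps as the initial metric.
ELASTIC_MAX_MBPS = {
    ("Interface", "NLB"): 50_000,
    ("Interface", "ALB"): 25_000,
    ("Interface", "CLB"): 5_000,
    ("Gateway Load Balancer", "GWLB"): 25_000,
}
# Default throttling applied to an endpoint connection whose resource is CLB.
CLB_DEFAULT_CONNECTION_LIMIT_MBPS = 3072


def zone_limit_mbps(endpoint_type, resource_type, connection_limit_mbps=None):
    """Tightest ceiling for one zone ENI of the endpoint.

    connection_limit_mbps is the throttling the provider set on the endpoint
    connection; None means the provider configured no explicit limit.
    """
    key = (endpoint_type, resource_type)
    if key not in ELASTIC_MAX_MBPS:
        raise ValueError(f"unsupported combination {endpoint_type}/{resource_type}")
    elastic = ELASTIC_MAX_MBPS[key]
    if connection_limit_mbps is None:
        if resource_type != "CLB":
            return elastic  # only the zone-level elastic cap applies
        connection_limit_mbps = CLB_DEFAULT_CONNECTION_LIMIT_MBPS
    # The inherited throttling value can lower, but never raise, the elastic ceiling.
    return min(elastic, connection_limit_mbps)


def binding_constraint(endpoint_type, resource_type, connection_limit_mbps=None):
    """'throttling' means ask the provider to raise the connection limit;
    'elastic' means the zone-level elastic cap is the bound (account manager)."""
    limit = zone_limit_mbps(endpoint_type, resource_type, connection_limit_mbps)
    return "throttling" if limit < ELASTIC_MAX_MBPS[(endpoint_type, resource_type)] else "elastic"


def per_zone_report(endpoint_type, resource_type, zones, connection_limit_mbps=None):
    """Ceiling per endpoint zone; every zone ENI inherits the same throttling."""
    limit = zone_limit_mbps(endpoint_type, resource_type, connection_limit_mbps)
    return {zone: limit for zone in zones}
```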