You can create an endpoint in a virtual private cloud (VPC) and specify an Alibaba Cloud service. Requests sent to the endpoint are forwarded by PrivateLink to the target service. This provides secure private network access and helps you avoid the potential security risks of accessing services over the public network.
You can use an interface endpoint to access Alibaba Cloud services over a private network.
After you grant authorization, an Alibaba Cloud service can use a reverse endpoint to access specified resources in your VPC over a private network.
Access Alibaba Cloud services using an interface endpoint
A service consumer creates an interface endpoint in a VPC to access a specified Alibaba Cloud service over a private network.
The system creates an elastic network interface (ENI) for the endpoint zone and assigns a private IP address from the vSwitch CIDR block to the ENI.
Service consumers can use the endpoint domain name, zone domain name, or the IP address of the ENI in the endpoint zone to access the Alibaba Cloud service. All service requests sent to the ENI are forwarded to the backend service over PrivateLink.
The endpoint domain name and the endpoint zone domain name are public authoritative DNS domain names that can be resolved by clients in other VPCs and on-premises data centers. After other VPCs and on-premises data centers establish network connectivity with the VPC, they can use the interface endpoint in the VPC to access Alibaba Cloud services.
If an Alibaba Cloud service is configured with a custom service domain name, you can enable the custom service domain name for an interface endpoint. This lets you use the custom service domain name to access the corresponding Alibaba Cloud service.
Create or delete an interface endpoint
Supported services: For more information, see Alibaba Cloud services that support access using interface endpoints.
Ensure that you have activated the PrivateLink service and created a VPC, a vSwitch, and a security group in the destination region.
Console
Create an interface endpoint
Go to the Endpoint - Create Endpoint page.
Configure the interface endpoint:
Region: Select the region where the Alibaba Cloud service is located.
Endpoint Service: Select Alibaba Cloud Service. Then, select the Alibaba Cloud service that you want to access based on the endpoint service name.
Enable Custom Service Domain Name: If the Alibaba Cloud service supports access using a custom service domain name, you can enable this option. For more information, see Use a custom domain name to access Alibaba Cloud services.
VPC, Zone And VSwitch: To ensure high availability, select vSwitches in at least two zones. You can specify an IP address within the vSwitch for the ENI in the endpoint zone. If you do not specify an IP address, the system assigns one by default.
You cannot specify a vSwitch's system reserved IP address for an ENI.
Security Group: Select a security group to associate with the interface endpoint. The security group controls inbound traffic to the ENIs in all endpoint zones.
IP Version: If the Alibaba Cloud service supports dual-stack, you can select Dual-stack. This allows clients to use both IPv4 and IPv6 addresses to access the service. Otherwise, you can only select IPv4.
Enable Zone Affinity: If the Alibaba Cloud service supports zone affinity, you can choose to enable or disable it. If you enable it:
When a service consumer accesses the service from an interface endpoint's zone using the endpoint domain name, the system prioritizes returning the IP address of the ENI in the corresponding endpoint zone to implement nearest access.
If you access the service from a zone where no interface endpoint is deployed, the system returns the IP addresses of the ENIs in all endpoint zones. The system then randomly selects a zone to access the service.
Endpoint Policy: Select the Default Endpoint Policy to allow full access. The option to configure a Custom Endpoint Policy depends on the Alibaba Cloud service that you access.
After the endpoint is created, you can run the following command on an ECS instance in the same VPC to test the connection.
```shell
ping <IP address of the ENI in the endpoint zone>
# You can view the IP address of the ENI on the Zone and Network Interface Card tab of the instance details page.

# For HTTP/HTTPS services, access the service port directly.
curl -sI http://<endpoint domain name>
# You can view the endpoint domain name on the instance list page.
# The inbound rules of the security group must allow access to the HTTP (80) and HTTPS (443) ports. This allows the VPC where the endpoint resides to access the service over HTTP or HTTPS.
# Whether you can use HTTPS to access the service depends on the service itself.
```
Delete an interface endpoint
In the Actions column of the target interface endpoint, click Delete. After the endpoint is deleted, the VPC that contains the endpoint can no longer access the corresponding Alibaba Cloud service over PrivateLink.
API
Call CreateVpcEndpoint to create an interface endpoint.
Call DeleteVpcEndpoint to delete an interface endpoint.
Configure high availability for an interface endpoint
When an interface endpoint is configured in multiple zones and you use the endpoint domain name to access an Alibaba Cloud service, Alibaba Cloud provides fully managed availability probing. This ensures fast failover to other zones if a zone fails:
Failover: The system performs real-time availability probing on the IP addresses of the ENIs in different endpoint zones. If an exception occurs, the system deletes the corresponding DNS record to prevent traffic from being routed to the failed zone.
Failback: After the fault is resolved, the system automatically adds the corresponding DNS record.
Console
Configure multiple zones
When you create an interface endpoint, select vSwitches in at least two zones.
After the endpoint is created, click the ID of the target interface endpoint. On the Zone And Network Interface Card tab, click Add Zone.
Click Delete in the Actions column of the target zone to remove the zone from the endpoint.
After the configuration is complete, you can view the Zone Domain Name and the IP Address of the ENI in the endpoint zone on the Zone And Network Interface Card tab.
To ensure high availability, use the endpoint domain name to access the service. You can view the Endpoint Domain Name on the interface endpoint list page.
API
Call AddZoneToVpcEndpoint to add a zone to an endpoint.
Call RemoveZoneFromVpcEndpoint to delete a zone from an endpoint.
Zone-affinity nearest access
If the Alibaba Cloud service supports zone affinity, you can choose to enable or disable it. If you enable it:
When a service consumer in the same zone as the interface endpoint accesses the Alibaba Cloud service using the endpoint domain name, the system prioritizes returning the IP address of the ENI in that endpoint zone. This enables nearest access.
If a service consumer accesses the service from a zone where no interface endpoint is deployed, the system returns the IP addresses of the ENIs in all endpoint zones. The system then randomly selects a zone to access the service.
If the support for zone affinity by an Alibaba Cloud service changes:
The Alibaba Cloud service changes from supporting to not supporting zone affinity:
When a service consumer creates an interface endpoint, zone affinity cannot be enabled.
For existing interface endpoints:
If zone affinity is disabled: The current state is not affected, but you cannot enable it.
If zone affinity is enabled: The current state is not affected, and you can disable it.
The Alibaba Cloud service changes from not supporting to supporting zone affinity:
When a service consumer creates an interface endpoint, you can choose to enable or disable zone affinity.
For existing interface endpoints: The current state is not affected, and you can enable or disable zone affinity.
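The failover and zone-affinity behaviour described above, as an added model that is not PrivateLink's own resolver code: a zone's DNS record exists only while its availability probe passes, and with zone affinity a client in an endpoint zone receives only that zone's ENI address. Zone IDs and IP addresses are constructed sample values.

```python
"""Simplified model of endpoint domain name resolution under availability
probing (failover/failback) and zone affinity, as this topic describes them.
Added illustration only; zone IDs and ENI addresses are constructed samples."""
from dataclasses import dataclass
import random


@dataclass
class EndpointZone:
    zone_id: str          # zone of the endpoint, e.g. "cn-beijing-h" (sample)
    eni_ip: str           # private IP assigned to the ENI from the vSwitch
    healthy: bool = True  # current result of the managed availability probe


@dataclass
class InterfaceEndpoint:
    zones: list            # one EndpointZone per endpoint zone
    zone_affinity: bool = False

    def dns_records(self):
        """Failover: the record of a failed zone is withdrawn; failback: it is
        re-added once the probe succeeds again."""
        return [z for z in self.zones if z.healthy]

    def resolve(self, client_zone):
        """Addresses the endpoint domain name resolves to for a client in client_zone."""
        records = self.dns_records()
        if self.zone_affinity:
            local = [z.eni_ip for z in records if z.zone_id == client_zone]
            if local:
                return local  # nearest access: ENI in the client's own zone
        # affinity disabled, or no (healthy) endpoint in the client's zone:
        # all healthy endpoint zones are returned
        return [z.eni_ip for z in records]

    def pick(self, client_zone, rng=random):
        """Client-side choice among the returned records (random when several)."""
        answers = self.resolve(client_zone)
        if not answers:
            raise RuntimeError("every endpoint zone failed probing; no DNS record left")
        return rng.choice(answers)


def sample_endpoint(zone_affinity=True):
    """Two-zone endpoint built from constructed sample values."""
    return InterfaceEndpoint(
        [EndpointZone("cn-beijing-h", "192.168.0.10"),
         EndpointZone("cn-beijing-i", "192.168.1.10")],
        zone_affinity=zone_affinity,
    )


if __name__ == "__main__":
    ep = sample_endpoint()
    print("client in h:", ep.resolve("cn-beijing-h"))   # only the zone-h ENI
    print("client in j:", ep.resolve("cn-beijing-j"))   # both ENIs
    ep.zones[0].healthy = False                         # zone h fails probing
    print("client in h after failover:", ep.resolve("cn-beijing-h"))
```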
Console
Enable or disable zone affinity
When you create an interface endpoint, configure Enable Zone Affinity.
After the endpoint is created, click the ID of the target interface endpoint. On the Basic Information tab, click the Enable/Disable switch to the right of Enable Zone Affinity.
API
During creation: Call CreateVpcEndpoint and configure ZoneAffinityEnabled.
After creation: Call UpdateVpcEndpointAttribute and adjust ZoneAffinityEnabled.
Secure a PrivateLink connection
PrivateLink provides three layers of access control: security groups, network ACLs, and endpoint policies. You can use them individually or in combination to implement fine-grained security control.
Security group: Applies to the ENIs in all endpoint zones and controls the traffic that flows from resources in the VPC to the interface endpoint.
When you create an interface endpoint, you must select a custom security group. After the endpoint is created, you can add or remove security groups, but you must ensure that at least one security group is associated.
When you create an interface endpoint, PrivateLink creates a managed security group by default. The outbound rules of the managed security group allow all traffic by default. The security group contains a rule with a priority of 1 that allows all traffic to any IPv4 or IPv6 address.
You can view the managed security group on the ECS console - Security Group page.
You cannot modify or delete a managed security group. However, it consumes your security group quota q_security-groups (the maximum number of security groups that your account can have).
If you add an outbound rule with a priority of 1 that denies traffic to a custom security group, the service may become inaccessible, because a deny rule takes precedence over an allow rule of the same priority. Configure outbound deny rules with caution.
Network ACL: Controls the traffic that flows into and out of the vSwitch where the ENI of the endpoint zone is located.
Endpoint policy: When you use an interface endpoint to access Alibaba Cloud services, you can configure an endpoint policy.
All Alibaba Cloud services that can be accessed using interface endpoints support the configuration of a default endpoint policy, which grants full access permissions to the interface endpoint.
Currently, only Object Storage Service (OSS) and PAI - AI WorkSpace support custom endpoint policies to restrict access to specific resources for specific users.
Console
Configure a security group
When you configure an interface endpoint, you must assign it to one or more security groups. After the endpoint is created, you can add or remove security groups.
Add a security group: On the Security Group tab of the target endpoint's details page, click Add Security Group.
Remove a security group: Click Delete in the Actions column of the security group that you want to remove.
Only client traffic that matches the rules of the associated security groups can access the Alibaba Cloud service through the interface endpoint. You can configure the following security group rules as a reference:
For inbound traffic, if you add only rules that allow access from specified IP addresses, only clients from those IP addresses can access Alibaba Cloud services through this endpoint.
In the outbound direction, all access is allowed by default. This means that ECS instances within the security group are allowed to access external resources.
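The rule semantics this section relies on (inbound allowed only from listed client sources, outbound open by default, and a deny rule beating an allow rule of the same priority), as an added toy evaluator that is not the ECS security group implementation. All rules attached to the ENI are pooled into one list, a simplification; CIDR blocks and ports are constructed sample values.

```python
"""Toy evaluator for the security group rule semantics described in this
topic. Added illustration only, not ECS code; addresses are constructed
samples. In this model, rules of every group attached to the ENI are pooled."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out"
    priority: int    # 1 is the highest priority
    action: str      # "accept" or "drop"
    cidr: str        # source CIDR (inbound) or destination CIDR (outbound)
    port_from: int
    port_to: int

    def matches(self, ip, port):
        return (self.port_from <= port <= self.port_to
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


def evaluate(rules, direction, ip, port):
    """Return 'accept' or 'drop' for one flow.

    Matching rules are examined from priority 1 downward. Within one
    priority level, a matching drop rule wins over a matching accept rule,
    which is the trap described for an outbound priority-1 deny rule.
    Traffic that matches no rule is dropped."""
    hits = [r for r in rules if r.direction == direction and r.matches(ip, port)]
    for prio in sorted({r.priority for r in hits}):
        same_level = [r for r in hits if r.priority == prio]
        return "drop" if any(r.action == "drop" for r in same_level) else "accept"
    return "drop"


def reference_rules():
    """Rules in the spirit of the reference configuration above: only clients
    in a trusted subnet may reach HTTP/HTTPS inbound; outbound is wide open
    (the managed group's priority-1 allow-all rule)."""
    return [
        Rule("in", 1, "accept", "192.168.10.0/24", 80, 80),
        Rule("in", 1, "accept", "192.168.10.0/24", 443, 443),
        Rule("out", 1, "accept", "0.0.0.0/0", 1, 65535),
    ]


def with_outbound_deny(rules, priority):
    """The same rule set plus a deny-all outbound rule at the given priority."""
    return rules + [Rule("out", priority, "drop", "0.0.0.0/0", 1, 65535)]


if __name__ == "__main__":
    base = reference_rules()
    print("trusted client, 443:", evaluate(base, "in", "192.168.10.7", 443))
    print("other client, 443:  ", evaluate(base, "in", "10.0.0.5", 443))
    print("outbound, deny at prio 1:", evaluate(with_outbound_deny(base, 1), "out", "100.64.1.1", 443))
    print("outbound, deny at prio 2:", evaluate(with_outbound_deny(base, 2), "out", "100.64.1.1", 443))
```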
Configure a network ACL
Go to the VPC console-Network ACL page. Select the target region at the top of the page and click Create Network ACL.
For VPC, select the VPC where the interface endpoint is located.
Click the instance ID or click Manage in the Actions column. On the Associated Resources tab, click Associate VSwitch. Select the target vSwitch where the interface endpoint is located and click Confirm Association. The associated vSwitch controls traffic flowing into and out of the vSwitch based on the network ACL rules.
To remove the control, you can click Detach in the Actions column of the target vSwitch on this tab after it is associated.
On the Inbound Rules/Outbound Rules tab of the target network ACL, click Manage Inbound Rules/Manage Outbound Rules. If traffic matches a network ACL rule based on Protocol Type, IP Version, Source Address/Destination Address, and Port Range, the system applies the specified Policy to allow or deny the traffic.
Configure an endpoint policy
You can configure an Endpoint Policy when you create an interface endpoint. After the endpoint is created, you can click Edit Endpoint Policy on the Endpoint Policy tab of the target interface endpoint's details page to modify the policy.
API
Call AttachSecurityGroupToVpcEndpoint to add an endpoint to a security group.
Call DetachSecurityGroupFromVpcEndpoint to remove an endpoint from a security group.
When you call CreateVpcEndpoint or UpdateVpcEndpointAttribute, pass in PolicyDocument to configure an endpoint policy.
Access services using a custom service domain name
When you access an Alibaba Cloud service from a VPC, you typically use a specific service domain name. If the service is configured with a custom service domain name, you can enable it for the interface endpoint that you create. After you enable it, you can continue to use the domain name to access the service over a private network through PrivateLink without modifying the application.
The custom service domain name takes effect only in the VPC where the interface endpoint is located. Only this VPC can resolve the domain name to a private IP address. After other VPCs and on-premises data centers are connected to the VPC and configured for domain name resolution, they can use the custom service domain name to access the service.
A custom service domain name cannot be enabled for multiple interface endpoints in the same VPC at the same time. The interface endpoint for which the domain name is enabled first takes precedence, and other interface endpoints cannot enable the domain name.
You can enable a custom service domain name for an interface endpoint only after the Alibaba Cloud service configures and authenticates the custom service domain name for the endpoint service.
The domain name resolution for a custom service domain name is provided by a PrivateZone managed by PrivateLink.
Enable a custom service domain name for an interface endpoint
When you create an interface endpoint, set Enable Custom Service Domain Name to Enable.
After the endpoint is created, go to the Endpoint Service Domain Name section on the interface endpoint details page and turn on the Custom Service Domain Name switch.
You can turn it off here when it is no longer needed.
Use a custom service domain name to access a service
Access from the same VPC: Within the VPC where the interface endpoint is located, you can directly use the custom service domain name to access the service without any additional configuration.
Access from another VPC:
Connect the networks: For more information, see Cross-VPC interconnection solution and select a peering connection or Cloud Enterprise Network (CEN) to connect the VPCs.
Configure domain name resolution:
Go to the Private DNS console. Click Add Zone. Configure the custom service domain name, set the scope to Alibaba Cloud VPC Internal Network, and select the target VPC.
Click the domain name ID. On the DNS Records tab, click Add Record. Add a CNAME record with @ as the host and the default service domain name as the record value.
Access from an on-premises data center
Connect the network: For more information, see Connecting a VPC to an on-premises data center, and select Express Connect or VPN Gateway to connect to your on-premises data center.
Configure domain name resolution:
Go to the Private DNS console. Click Add Inbound Endpoint. Set Inbound VPC to the VPC where the interface endpoint is located. To ensure high availability, add inbound traffic service IP addresses from at least two zones.
Configure a forwarding zone in the on-premises data center.
This topic uses BIND as an example. If your on-premises data center uses a different DNS system, refer to its documentation to configure conditional forwarding. The principle is the same: forward DNS requests for the specific domain to the service IP addresses of the VPC PrivateZone inbound endpoint.
Configure the BIND file.
The location of the BIND configuration file varies by operating system. Common paths are /etc/named.conf and /etc/bind/named.conf.
```
// This example shows how to access the pai-dlc service. Set the zone to the corresponding custom service domain name.
zone "pai-dlc-vpc.cn-beijing.aliyuncs.com" IN {
    type forward;
    forwarders {
        10.0.0.173; // Replace with the inbound traffic service IP address.
        10.0.1.109;
    };
};
```
Restart the BIND service to ensure the configuration takes effect. The command to restart the BIND service varies by operating system. A common command is systemctl restart named.
Alibaba Cloud service accesses authorized user resources using a reverse endpoint
After you grant authorization, an Alibaba Cloud service can use a reverse endpoint to securely access specified resources in your VPC over a private network. You can use security groups and network ACLs to further control the scope of resources that the Alibaba Cloud service can access.
A security group applies to the ENIs in all endpoint zones and controls the traffic that flows from the reverse endpoint to resources in the VPC.
After you create a reverse endpoint, PrivateLink creates a managed security group by default. The inbound rules of the managed security group allow all traffic by default. The security group contains a rule with a priority of 1 that allows all traffic from any IPv4 or IPv6 address.
You can view the managed security group on the ECS console - Security Group page.
You cannot modify or delete a managed security group. However, it consumes your security group quota q_security-groups (the maximum number of security groups that your account can have).
Supported services: For more information, see Alibaba Cloud services that support access using reverse endpoints.
Ensure that you have activated the PrivateLink service and created a VPC, a vSwitch, and a security group in the destination region.
Reverse endpoints do not support dual-stack access.
Console
Create a reverse endpoint
Go to the Endpoint - Create Endpoint page.
Configure the Reverse Endpoint:
Region: Select the region where the resources accessed by the Alibaba Cloud service are located.
Endpoint Service: Select Select Available Service. Then, select an Alibaba Cloud service from the list based on the service name.
VPC, Zone And VSwitch: To ensure high availability, select vSwitches in at least two zones. You can specify an IP address within the vSwitch for the ENI in the endpoint zone. If you do not specify an IP address, the system assigns one by default.
Security Group: Select a security group to apply to the ENIs in all endpoint zones. A reverse endpoint allows an Alibaba Cloud service to proactively access user resources.
Delete a reverse endpoint
In the Actions column of the target reverse endpoint, click Delete. After the endpoint is deleted, the corresponding Alibaba Cloud service can no longer access the specified resources in your VPC through the reverse endpoint.
API
Call CreateVpcEndpoint to create a reverse endpoint.
Call DeleteVpcEndpoint to delete a reverse endpoint.
More information
Differences between interface endpoints and gateway endpoints
A gateway endpoint does not depend on PrivateLink and supports only a limited number of Alibaba Cloud services.
| Attribute | Gateway endpoint | PrivateLink |
| --- | --- | --- |
| Use case | Use endpoint policies for gateway endpoints and bucket policies for OSS to reduce the risk of unauthorized access and implement bidirectional access control. | Standard solution for securely accessing Alibaba Cloud services from a VPC over a private network. PrivateLink supports more types of Alibaba Cloud services and provides more advanced features than gateway endpoints. |
| Applicable service types | Currently, gateway endpoints support only OSS. | PrivateLink supports a wide range of Alibaba Cloud services and user-created services, including services provided by independent software vendors (ISVs). |
| Security features on the VPC side | Only endpoint policies are supported. | Security groups, network ACLs, and endpoint policies are supported. |
| Networking capabilities | Complex networking is not supported. IP address conflicts may occur with the CIDR blocks of Alibaba Cloud services (100.x.x.x/8). | Complex networking is supported. You can use PrivateLink with VPC peering connections, Cloud Enterprise Network (CEN), Express Connect circuits, or VPN gateways to implement cross-region and hybrid cloud networking. |
| O&M capabilities | None | Flow logs simplify auditing and troubleshooting. |
| Fees | Free of charge | Instance fees and data transfer fees apply. For user-created services, you can choose whether the service consumer or the service provider pays the fees. |