Create an endpoint in a VPC and specify an Alibaba Cloud service. PrivateLink forwards requests to the target service over a private connection, eliminating public internet exposure.
- Use an interface endpoint to access Alibaba Cloud services over a private network.
- After authorization, an Alibaba Cloud service can use a reverse endpoint to access specified resources in your VPC over a private network.
Access same-region services with an interface endpoint
A service consumer creates an interface endpoint in a VPC to privately access an Alibaba Cloud service.
- The system creates an elastic network interface (ENI) in each endpoint zone and assigns it a private IP address from the CIDR block of the corresponding vSwitch.
- The service consumer accesses the service through the endpoint domain name or an endpoint zone domain name. PrivateLink forwards all requests to the target service.
- The endpoint domain name and the endpoint zone domain names are public authoritative DNS domain names, so clients in other VPCs and on-premises data centers can resolve them. They resolve to the private IP addresses of the ENIs, which are reachable only from networks that are connected to the VPC.
- You can enable a cross-region endpoint to connect directly to an Alibaba Cloud service in another region.
- After other VPCs and on-premises data centers are connected to the VPC, they can also use the interface endpoint to access the Alibaba Cloud service.
- If the Alibaba Cloud service has a custom service domain name, you can enable it for the interface endpoint and access the service without changing your application configuration.
Create or delete an interface endpoint
- Supported services: Alibaba Cloud services that support access by using interface endpoints.
- Make sure that you have activated the PrivateLink service and created a VPC, a vSwitch, and a security group in the target region.
Console
- Go to the Endpoint - Create Endpoint page.
- Configure the interface endpoint:
  - Basic Settings:
    - Region: Select the region where the target Alibaba Cloud service is deployed.
    - Name and Description: Identify the endpoint with a name and description.
  - Type: Select Alibaba Cloud Service.
  - Available Services: Select the Alibaba Cloud service that you want to access by its endpoint service name. Available means that the service is deployed in the selected region and that you have permission to connect to it.
  - Network Settings:
    - For high availability, select vSwitches in at least two zones. You can specify an IP address from the vSwitch CIDR block for the ENI in each endpoint zone, or let the system assign one automatically. You cannot specify a system reserved IP address of a vSwitch for an ENI.
    - IP Version: If the service supports dual-stack, select Dual-stack to allow both IPv4 and IPv6 access. Otherwise, select IPv4.
  - Security Group: Associate a security group to control inbound traffic to the ENIs in all endpoint zones. Only clients that match its inbound rules can reach the service through this endpoint.
  - Advanced Settings:
    - Enable Custom Domain Name?: If the service supports a custom service domain name, enable this option to access the service by that domain name without changing your application configuration.
    - Enable Zone Affinity: If the Alibaba Cloud service supports zone affinity, you can enable or disable this feature.
      - When this feature is enabled and a service consumer in the same zone as an endpoint zone accesses the service by using the endpoint domain name, Alibaba Cloud DNS preferentially returns the IP address of the ENI in that endpoint zone. This provides nearest access.
      - If you access the service from a zone in which no endpoint zone is deployed, or if zone affinity is disabled, Alibaba Cloud DNS returns the IP addresses of the available ENIs in all endpoint zones.
    - Endpoint policy: Keep the Default endpoint policy for full access. Whether a custom endpoint policy is available depends on the target service (see Custom endpoint policy).
- After creation, test the connection from an ECS instance in the same VPC:

```shell
# View the IP address of the ENI on the Zone and Network Interface Card tab of the endpoint details page.
ping <IP address of the ENI in the endpoint zone>

# For HTTP/HTTPS services, we recommend that you access the service port directly.
# View the endpoint domain name on the endpoint list page.
# The inbound rules of the security group must allow HTTP (port 80) or HTTPS (port 443).
# Whether the service can be accessed over HTTPS depends on the service.
curl -sI http://<endpoint domain name>
```

A successful ping shows only that the ENI is reachable inside the VPC; the curl request against the service port confirms that the service itself answers through the endpoint.
API
Call the CreateVpcEndpoint operation to create an interface endpoint.
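The checks below are an added example (not Alibaba Cloud code) that puts the two requirements of the procedure above into a script: before you call CreateVpcEndpoint, it verifies that the chosen vSwitches span at least two zones and that any ENI IP address you pin is inside its vSwitch CIDR block and not a reserved address; after creation, it verifies that the endpoint domain name resolves only to ENI addresses inside your vSwitches, which is the practical test that clients are really on the private path. The rule for which addresses are reserved (first address and last three of the block) is an assumption, and all zone IDs, CIDR blocks and DNS answers are constructed sample data.

```python
"""Pre-flight and post-creation checks for a PrivateLink interface endpoint.

Added example, not Alibaba Cloud code. Everything runs offline on constructed
sample data. ASSUMPTIONS: which vSwitch addresses count as "system reserved"
(here the first address and the last three); all IDs and addresses are made up.
"""
import ipaddress
import socket


def reserved_addresses(vswitch_cidr):
    """Addresses of the vSwitch CIDR block that must not be assigned to an ENI.
    ASSUMPTION: the first address and the last three addresses are reserved."""
    net = ipaddress.ip_network(vswitch_cidr, strict=True)
    return {net[0], net[-3], net[-2], net[-1]}


def validate_endpoint_zones(zones):
    """Check the zone/vSwitch/ENI-IP layout before calling CreateVpcEndpoint.

    zones: list of dicts with keys zone_id, vswitch_cidr and optional eni_ip
    (omit eni_ip to let the system assign one). Returns a list of problems;
    an empty list means the layout is acceptable.
    """
    problems = []
    if len({z["zone_id"] for z in zones}) < 2:
        problems.append("select vSwitches in at least two zones for high availability")
    for z in zones:
        net = ipaddress.ip_network(z["vswitch_cidr"], strict=True)
        ip = z.get("eni_ip")
        if ip is None:
            continue  # the system assigns an address from the vSwitch
        addr = ipaddress.ip_address(ip)
        if addr.version != net.version or addr not in net:
            problems.append(f"{ip} is not inside vSwitch {net} ({z['zone_id']})")
        elif addr in reserved_addresses(z["vswitch_cidr"]):
            problems.append(f"{ip} is a system reserved address of vSwitch {net}")
    return problems


def unexpected_resolved_ips(resolved_ips, vswitch_cidrs):
    """Return every resolved address that is NOT inside one of the endpoint's
    vSwitches. A non-empty result means the client is not using the private
    path (for example, a public address was answered instead)."""
    nets = [ipaddress.ip_network(c, strict=True) for c in vswitch_cidrs]
    return [ip for ip in resolved_ips
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


def resolve(name):
    """Resolve a domain name with the system resolver (real network call: run it
    on an ECS instance in the VPC and feed the result to unexpected_resolved_ips)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})


if __name__ == "__main__":
    # Constructed sample layout: two zones, one ENI IP that is reserved.
    zones = [
        {"zone_id": "cn-hangzhou-h", "vswitch_cidr": "10.0.0.0/24", "eni_ip": "10.0.0.10"},
        {"zone_id": "cn-hangzhou-i", "vswitch_cidr": "10.0.1.0/24", "eni_ip": "10.0.1.254"},
    ]
    for p in validate_endpoint_zones(zones):
        print("pre-flight:", p)
    # Constructed DNS answer: one private ENI address and one public address.
    answer = ["10.0.0.10", "203.0.113.7"]
    print("not private:", unexpected_resolved_ips(answer, ["10.0.0.0/24", "10.0.1.0/24"]))
```

Run the script as-is to see both failure modes on the sample data; on a real ECS instance, replace the constructed answer with `resolve("<endpoint domain name>")`. The same `unexpected_resolved_ips` check is useful after failover events, because a stale cached record pointing outside your vSwitches is a sign that a client resolver is not honouring the managed DNS updates.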
Configure high availability
When you use an endpoint domain name to access a service through a multi-zone interface endpoint, Alibaba Cloud provides fully managed availability probing. This ensures fast failover if one zone fails:
- Failover: The system continuously probes the availability of the ENIs in the endpoint zones. If an ENI fails a health check, the system removes its DNS record so that traffic is no longer routed to the failed zone.
- Failback: When the ENI recovers, the system restores its DNS record automatically.
Console
Configure multiple zones
- When you create an interface endpoint, select vSwitches in at least two zones.
- After the endpoint is created, click the ID of the target interface endpoint. On the Zone and ENI tab, click Add Zone. To remove a zone from the endpoint, click Delete in the Actions column of the target zone.
You can view the Zone Domain and IP Address of each ENI on the Zone and ENI tab.
For high availability, access the service by using the endpoint domain name, which is shown as Endpoint Domain on the interface endpoint list page. Clients that use a zone domain name or an ENI IP address directly do not benefit from the managed failover.
API
- Call the AddZoneToVpcEndpoint operation to add a zone to an endpoint.
- Call the RemoveZoneFromVpcEndpoint operation to remove a zone from an endpoint.
Zone affinity
If the Alibaba Cloud service supports zone affinity, you can enable this feature to provide nearest access.
- When enabled, requests from a client are preferentially routed to the endpoint's ENI in the same zone.
- If the client is in a zone without an ENI, or if zone affinity is disabled, requests are routed to any available ENI.
If an Alibaba Cloud service's support for zone affinity changes:
- If the service stops supporting zone affinity:
  - When a service consumer creates an interface endpoint, zone affinity cannot be enabled.
  - For existing interface endpoints:
    - If zone affinity is disabled, the current state is not affected, but you cannot enable it.
    - If zone affinity is enabled, the current state is not affected, and you can disable it.
- If the service starts supporting zone affinity:
  - When a service consumer creates an interface endpoint, you can enable or disable zone affinity.
  - For existing interface endpoints, the current state is not affected, and you can enable or disable zone affinity.
Console
Enable or disable zone affinity
- When you create an interface endpoint, configure Enable Zone Affinity.
- After the endpoint is created, click the ID of the target interface endpoint. On the Basic Information tab, toggle the switch next to Enable Zone Affinity to Enable or Disable.
API
- During creation: Call the CreateVpcEndpoint operation and set the ZoneAffinityEnabled parameter.
- After creation: Call the UpdateVpcEndpointAttribute operation and modify the ZoneAffinityEnabled parameter.
Secure your PrivateLink connection
PrivateLink provides three layers of access control: security groups, network ACLs, and endpoint policies. Use them individually or combined for fine-grained security.
- Security groups: Apply to the ENIs in all endpoint zones and control the traffic that flows from resources in the VPC to the interface endpoint.
  - When you create an interface endpoint, you must select a custom security group. After creation, you can add or remove security groups, but at least one must remain associated.
  - PrivateLink also creates a managed security group with a default priority-1 outbound rule that allows all traffic to any IPv4 or IPv6 address.
    - You can view the managed security group on the Security Groups page of the ECS console.
    - You cannot modify or delete a managed security group. However, a managed security group consumes your security group quota q_security-groups (the maximum number of security groups that your account can own).
  - Adding an outbound deny rule with priority 1 to a custom security group may make the service inaccessible: the rules of all associated security groups are evaluated together, and a deny rule takes precedence over an allow rule of the same priority, so your deny rule overrides the managed group's priority-1 allow rule. Configure outbound deny rules with caution.
- Network ACLs: Control the traffic that flows into and out of the vSwitch in which the ENI of the endpoint zone is located.
- Endpoint policies: When you use an interface endpoint to access an Alibaba Cloud service, you can configure an endpoint policy.
  - All Alibaba Cloud services that can be accessed by using interface endpoints support a default endpoint policy that grants the interface endpoint full access.
  - Currently, only Object Storage Service (OSS) and PAI - AI WorkSpace support custom endpoint policies, which restrict access to specific resources for specific users.
Console
Configure security groups
When you configure an interface endpoint, you must assign it to one or more security groups. After the endpoint is created, you can add or remove security groups.
- Add a security group: On the Security Group tab of the target endpoint's details page, click Join Security Group.
- Remove a security group: Click Delete in the Actions column of the security group that you want to remove.
Only traffic that matches the rules of the associated security groups can reach the service. Example configurations:
- Inbound: Add rules that allow only specific source IP addresses or CIDR blocks. All other clients are then blocked from accessing the service through this endpoint.
- Outbound: All outbound access is allowed by default, which lets the ENIs forward requests to the service.
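To make the security-group behaviour described above concrete, here is an added example (not Alibaba Cloud code) that models how the groups attached to an endpoint's ENIs decide a flow, and uses the model to show the priority-1 outbound deny footgun: a Forbid rule in your custom group at priority 1 ties with the managed group's priority-1 Allow and wins, while the same rule at priority 2 is harmless. The evaluation rules in the model (all attached groups evaluated together; lowest priority number first; Forbid beats Allow at equal priority; unmatched inbound dropped, unmatched outbound allowed) are assumptions taken from the page's own description of the footgun and should be confirmed against the current ECS security group documentation. All rule sets and addresses are constructed.

```python
"""Model of security group evaluation on a PrivateLink endpoint's ENIs.

Added example, not Alibaba Cloud code. ASSUMPTIONS of the model:
  - the rules of all attached groups are evaluated together;
  - the lowest priority number wins; at equal priority, Forbid beats Allow;
  - with no matching rule, inbound is forbidden and outbound is allowed.
Rule sets and addresses below are constructed sample data.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    direction: str     # "inbound" or "outbound"
    policy: str        # "allow" or "forbid"
    priority: int      # 1..100, smaller number is evaluated first
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_range: tuple  # (low, high); (-1, -1) means any port
    cidr: str          # source CIDR for inbound, destination CIDR for outbound


def _matches(rule, direction, protocol, port, peer_ip):
    if rule.direction != direction:
        return False
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    low, high = rule.port_range
    if low != -1 and not low <= port <= high:
        return False
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)


def decide(security_groups, direction, protocol, port, peer_ip):
    """Return "allow" or "forbid" for one flow against all attached groups."""
    hits = [r for sg in security_groups for r in sg
            if _matches(r, direction, protocol, port, peer_ip)]
    if not hits:
        return "forbid" if direction == "inbound" else "allow"
    best = min(r.priority for r in hits)
    if any(r.policy == "forbid" and r.priority == best for r in hits):
        return "forbid"  # a Forbid at the winning priority overrides any Allow
    return "allow"


ANY = (-1, -1)

# Managed group created by PrivateLink: priority-1 outbound allow-all (as documented).
MANAGED_SG = [Rule("outbound", "allow", 1, "all", ANY, "0.0.0.0/0")]

# Custom group: only the application subnet may reach the service on TCP 443.
CUSTOM_SG = [Rule("inbound", "allow", 1, "tcp", (443, 443), "10.0.0.0/16")]


def endpoint_usable(custom_sg):
    """The endpoint works only if the ENIs can still send traffic onward
    (constructed destination address; only the decision matters)."""
    return decide([MANAGED_SG, custom_sg], "outbound", "tcp", 443, "100.100.1.1") == "allow"


if __name__ == "__main__":
    print(decide([MANAGED_SG, CUSTOM_SG], "inbound", "tcp", 443, "10.0.3.4"))     # allow
    print(decide([MANAGED_SG, CUSTOM_SG], "inbound", "tcp", 443, "192.168.9.9"))  # forbid
    broken = CUSTOM_SG + [Rule("outbound", "forbid", 1, "all", ANY, "0.0.0.0/0")]
    print(endpoint_usable(broken))    # False: priority-1 Forbid ties with and beats the managed Allow
    harmless = CUSTOM_SG + [Rule("outbound", "forbid", 2, "all", ANY, "0.0.0.0/0")]
    print(endpoint_usable(harmless))  # True: the managed priority-1 Allow is evaluated first
```

Before attaching or editing a custom group on a production endpoint, run your intended rule set through `endpoint_usable`; if it returns False, the rule would silently cut the VPC off from the service even though no inbound rule changed.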
Configure a network ACL
- Go to the VPC console - Network ACL page. Select the target region at the top of the page and click Create Network ACL.
- For VPC, select the VPC in which the interface endpoint is located.
- Click the instance ID or click Manage in the Actions column. On the Associated Resources tab, click Associate vSwitch, select the vSwitch to which the interface endpoint belongs, and click OK. The network ACL rules then control the traffic that enters and leaves the associated vSwitch. To remove the control, click Unbind in the Actions column of the target vSwitch on this tab.
- On the Inbound Rules/Outbound Rules tab of the target network ACL, click Manage Inbound Rule/Manage Outbound Rule. If traffic matches a rule's Protocol, IP Version, Source IP Address/Destination IP Address, and port range, the system applies the rule's Policy to allow or deny the traffic.
Configure an endpoint policy
You can configure an endpoint policy when accessing an Alibaba Cloud service. After creation, modify the policy on the Endpoint Policy tab by clicking Edit.
API
- Call the AttachSecurityGroupToVpcEndpoint operation to associate an endpoint with a security group.
- Call the DetachSecurityGroupFromVpcEndpoint operation to disassociate an endpoint from a security group.
- When you call the CreateVpcEndpoint or UpdateVpcEndpointAttribute operation, pass the PolicyDocument parameter to configure an endpoint policy.
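The following added example (not Alibaba Cloud code) shows how to build a custom endpoint policy for an OSS bucket, validate its structure, and evaluate sample requests against it locally before you pass the serialised document as PolicyDocument to CreateVpcEndpoint or UpdateVpcEndpointAttribute. The document shape (Version, Statement with Effect/Action/Principal/Resource), the OSS action and resource names, and the evaluation order (an explicit Deny wins, otherwise an Allow is required) are assumptions modelled on RAM-style policies; confirm the exact format for your service in the Custom endpoint policy documentation. Account IDs and bucket names are constructed.

```python
"""Build, validate and locally evaluate a custom endpoint policy.

Added example, not Alibaba Cloud code. ASSUMPTIONS: RAM-style document shape,
OSS action/resource naming, and Deny-overrides-Allow evaluation. IDs and
bucket names are constructed sample data.
"""
import json
import re


def build_policy(principals, bucket, actions):
    """Allow only `principals` to perform `actions` on one bucket and its objects."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Principal": list(principals),
            "Resource": [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"],
        }],
    }


def validate_policy(policy):
    """Return a list of structural problems (an empty list means OK)."""
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be "1"')
    stmts = policy.get("Statement")
    if not isinstance(stmts, list) or not stmts:
        return problems + ["Statement must be a non-empty list"]
    for i, s in enumerate(stmts):
        if s.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for key in ("Action", "Principal", "Resource"):
            if not isinstance(s.get(key), list) or not s[key]:
                problems.append(f"statement {i}: {key} must be a non-empty list")
    return problems


def _glob(pattern, value):
    """RAM-style matching: '*' matches any run of characters; nothing else is special."""
    return re.fullmatch(".*".join(re.escape(p) for p in pattern.split("*")), value) is not None


def is_allowed(policy, principal, action, resource):
    """Evaluate one request: an explicit Deny wins; otherwise an Allow is required."""
    decision = False
    for s in policy["Statement"]:
        if not (any(_glob(p, principal) for p in s["Principal"])
                and any(_glob(a, action) for a in s["Action"])
                and any(_glob(r, resource) for r in s["Resource"])):
            continue
        if s["Effect"] == "Deny":
            return False
        decision = True
    return decision


def policy_document(policy):
    """Serialised form for the PolicyDocument parameter (raises on structural errors)."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(policy, separators=(",", ":"))


if __name__ == "__main__":
    pol = build_policy(["123456789012345"], "app-data", ["oss:GetObject", "oss:ListObjects"])
    print(policy_document(pol))
    print(is_allowed(pol, "123456789012345", "oss:GetObject", "acs:oss:*:*:app-data/reports/q1.csv"))   # True
    print(is_allowed(pol, "123456789012345", "oss:DeleteObject", "acs:oss:*:*:app-data/reports/q1.csv"))  # False
    print(is_allowed(pol, "999", "oss:GetObject", "acs:oss:*:*:app-data/x"))                               # False
```

Keep the policy's Resource list to the buckets this VPC actually needs and its Principal list to the identities that should use this endpoint; combined with an OSS bucket policy on the service side, this gives the bidirectional restriction the page describes. Run `is_allowed` over the requests your workload makes before you apply the policy, so that a typo in a bucket name shows up here rather than as a production outage.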
Use a custom service domain name
When you access an Alibaba Cloud service from a VPC, you typically use a specific service domain name. If the service has a custom service domain name, you can enable it for the interface endpoint. This lets you access the service privately through PrivateLink without changing your application configuration.
The custom service domain name resolves to a private IP address only within the VPC where the interface endpoint is located. After other VPCs and on-premises data centers connect to this VPC and configure domain name resolution, they can also use the custom domain name.
A custom service domain name cannot be enabled for multiple interface endpoints in the same VPC at the same time. The interface endpoint for which the domain name is enabled first takes precedence, and other interface endpoints cannot enable the domain name.
You can enable a custom service domain name only after the Alibaba Cloud service configures and verifies it for the endpoint service.
Domain name resolution for custom service domain names is provided by a PrivateZone managed by PrivateLink.
Enable a custom service domain name
- When you create an interface endpoint, set Enable Custom Domain Name? to Enable.
- After the endpoint is created, go to the Domain Name of Endpoint Service section on the interface endpoint details page and turn on the Custom Domain Name switch. You can turn it off here when it is no longer needed.
Access a service
- Access from the same VPC: Within the VPC in which the interface endpoint is located, you can directly use the custom service domain name to access the service without any additional configuration.
- Access from another VPC:
  - Connect the networks: Use a cross-VPC interconnection solution such as VPC peering or Cloud Enterprise Network (CEN).
  - Configure domain name resolution:
    - Go to the Private DNS console and click Add Zone. Configure the custom service domain name, set the scope of the domain name to Alibaba Cloud VPCs, and select the target VPC.
    - Click the domain ID. On the Settings tab, click Add Record. Add a CNAME record whose hostname is @ and whose record value is the default service domain name.
- Access from an on-premises data center:
  - Connect the network: Use Express Connect or VPN Gateway to connect the VPC to your on-premises data center.
  - Configure domain name resolution:
    - Go to the Private DNS console and click Add Inbound Endpoint. Set Inbound VPC to the VPC in which the interface endpoint is located. To ensure high availability, add inbound traffic service IP addresses from at least two zones.
    - Configure a forwarding zone in the on-premises data center. This topic uses BIND as an example. If your data center uses a different DNS system, see its documentation to configure conditional forwarding. The principle is the same: forward DNS requests for the specific domain to the service IP addresses of the PrivateZone inbound endpoint.
      - Configure the BIND file. The location of the BIND configuration file varies by operating system. Common paths are /etc/named.conf and /etc/bind/named.conf.

```
// This example shows how to access the pai-dlc service. Set the zone to the corresponding custom service domain name.
zone "pai-dlc-vpc.cn-beijing.aliyuncs.com" IN {
    type forward;
    forwarders {
        10.0.0.173; // Replace with the service IP addresses of the inbound endpoint.
        10.0.1.109;
    };
};
```

      - Restart the BIND service to make sure that the configuration takes effect. The command varies by operating system. A common command is systemctl restart named.
Disconnect
When you no longer need to access the service, delete the interface endpoint. This action is irreversible and terminates the connection. Proceed with caution.
Console
In the Actions column of the target interface endpoint, click Delete. After the endpoint is deleted, the VPC to which the endpoint belongs can no longer access the corresponding Alibaba Cloud service over a private connection. When you delete the endpoint, you can select Delete the endpoint zone to also delete the ENIs in the endpoint zones.
API
Call the DeleteVpcEndpoint operation to delete an interface endpoint.
Access a cross-region service via an interface endpoint
Create an interface endpoint with cross-region enabled to privately connect to an Alibaba Cloud service in a different region.
Currently, Model Studio supports cross-region connections. Support for other services is being added.
- After you enable a cross-region endpoint and select a service region, the system displays the available Alibaba Cloud services in that region. Available means that the service is deployed in the selected service region and supports the region of your endpoint. If you cannot select the service when you create an endpoint, contact the service provider to confirm that your account is whitelisted.
- Access the service through the endpoint domain name. Cross-region connections do not generate endpoint zone domain names, so applications use the endpoint domain name and benefit from PrivateLink's fully managed availability probing and failover.
- For high availability, select vSwitches in at least two zones when you create the interface endpoint.
If the service has a custom service domain name, you can enable it for the interface endpoint to access the service without changing your application configuration.
Console
- Go to the Endpoint - Create Endpoint page.
- Configure the interface endpoint:
  - Region: Select the region in which the VPC that hosts the endpoint is located. The region of the target service is selected separately as the Service Region.
  - Type: Select Alibaba Cloud Service.
  - Service Settings: Select Enable inter-region endpoint and select a Service Region.
  - Available Services: From the list of Alibaba Cloud services supported in the service region, select the destination service by its endpoint service name.
  - Inter-Region Bandwidth Configuration:
    - Billing Method: Billed by CDT. Cross-region traffic fees are uniformly settled and billed by CDT. For a complete list of billable items, see Cross-region private connections.
    - Bandwidth: For connections between regions in the Chinese mainland, the default cross-region bandwidth is 1,000 Mbit/s. For connections between regions outside the Chinese mainland, the default is 100 Mbit/s. You can adjust these values by using the pvl_quota_cross_region_ep_max_bandwidth_payg_china and pvl_quota_cross_region_ep_max_bandwidth_payg_oversea quotas.
  - For other configurations, see Create or delete an interface endpoint.
API
Call the CreateVpcEndpoint operation to create an interface endpoint.
Access user resources with a reverse endpoint
After authorization, an Alibaba Cloud service can use a reverse endpoint to securely access specified resources in your VPC over a private network. Use security groups and network ACLs to restrict which resources the service can access.
- A security group applies to the ENIs in all endpoint zones and controls the traffic that flows from the reverse endpoint to resources in the VPC.
- After you create a reverse endpoint, PrivateLink creates a managed security group with a default priority-1 inbound rule that allows all traffic from any IPv4 or IPv6 address.
  - You can view the managed security group on the Security Groups page of the ECS console.
  - You cannot modify or delete a managed security group. However, a managed security group consumes your security group quota q_security-groups (the maximum number of security groups that your account can own).
- Because the managed group already permits all inbound traffic, restrict what the service can reach by using the outbound rules of the security group that you select, and keep the security groups of the target resources themselves tight as well.
Supported services: Alibaba Cloud services that support access by using reverse endpoints.
Make sure that you have activated the PrivateLink service and created a VPC, a vSwitch, and a security group in the target region.
Reverse endpoints do not support dual-stack access.
Console
Create a reverse endpoint
- Go to the Endpoint - Create Endpoint page.
- Configure the reverse endpoint:
  - Basic Settings:
    - Region: Select the region that contains the resources that you want the Alibaba Cloud service to access.
    - Endpoint Type: Select Reverse Endpoint.
    - Name and Description: Identify the endpoint with a name and description.
  - Type: Select Alibaba Cloud Service.
  - Available Services: Select the Alibaba Cloud service that you want to authorize by its endpoint service name.
  - Network Settings: For high availability, select vSwitches in at least two zones. You can specify an IP address for the ENI in each endpoint zone, or let the system assign one automatically.
  - Security Group: Select a security group for the ENIs in all endpoint zones. This security group controls access from the Alibaba Cloud service to your resources.
Delete a reverse endpoint
In the Actions column of the target reverse endpoint, click Delete. After deletion, the Alibaba Cloud service can no longer access your VPC resources through this endpoint.
API
- Call the CreateVpcEndpoint operation to create a reverse endpoint.
- Call the DeleteVpcEndpoint operation to delete a reverse endpoint.
More information
Gateway endpoints vs. interface endpoints
A gateway endpoint does not depend on PrivateLink and supports only a limited number of Alibaba Cloud services.
Feature | Gateway endpoint | PrivateLink (interface endpoint) |
Use cases | Use endpoint policies together with OSS bucket policies to reduce the risk of unauthorized access and implement bidirectional authentication. | A standard solution for securely accessing Alibaba Cloud services from a VPC over a private network. It supports more cloud service types and advanced capabilities than gateway endpoints. |
Supported service types | Currently supports only Object Storage Service (OSS). | Supports many Alibaba Cloud services and user-created services, including services provided by ISVs. |
VPC security capabilities | Supports only endpoint policies. | Supports security groups, network ACLs, and endpoint policies. |
Networking capabilities | Complex networking is not supported. Conflicts may occur with the CIDR blocks of Alibaba Cloud services (100.x.x.x/8). | Complex networking is supported. You can use PrivateLink with VPC peering connections, Cloud Enterprise Network (CEN), Express Connect, or VPN gateways to build cross-region and hybrid cloud networks. |
O&M capabilities | None. | Supports flow logs for auditing and troubleshooting. |
Fees | Free of charge. | You are charged instance fees and data transfer fees. For user-created services, you can select whether the service consumer or the service provider pays the fees. |