
PrivateLink: How it works

Last Updated: Mar 03, 2026

PrivateLink establishes private connections between your virtual private clouds (VPCs) or data centers and services hosted on Alibaba Cloud, so the traffic never traverses the Internet. Use it to reach Alibaba Cloud services, partner SaaS applications, and services built by other Alibaba Cloud users over the Alibaba Cloud private network.

A PrivateLink connection has two roles: a service provider that offers a service, and a service consumer that accesses it. They can belong to the same Alibaba Cloud account or different accounts. The diagram below shows how a service consumer connects to a user-created service through PrivateLink.

[Diagram: a service consumer connecting to a user-created service through PrivateLink]

Basic concepts

Service providers

As the service owner, the service provider uses Alibaba Cloud resources to build and provide an endpoint service to the service consumer. The service consumer accesses the service by connecting to the endpoint service through an endpoint.

  • Endpoint service resources: Deploy load balancers across zones. Supported types include Network Load Balancer (NLB), Application Load Balancer (ALB), Classic Load Balancer (CLB), and Gateway Load Balancer (GWLB).

  • Endpoint service name: The unique identifier for an endpoint service. When creating an endpoint, the service consumer uses the service name to identify the service to connect to.

  • Endpoint service whitelist: To grant access to VPCs in other Alibaba Cloud accounts, the service provider must add each consumer's account ID to the service whitelist. After an endpoint service is created, the service provider's own account is whitelisted automatically.

  • Endpoint service status: Creating, Modifying, Available, Deleting.

Service consumers

As a service consumer, you create an endpoint to access an endpoint service from your VPC or data center.

  • Endpoint types: Select an endpoint type based on the endpoint service you want to access.

    Endpoint type                  | Service resource            | When to use
    Interface endpoint             | NLB, ALB, or CLB            | Most common.
    Gateway Load Balancer endpoint | GWLB                        | Use when routing traffic through GWLB. Configure the endpoint as the next hop in the route table.
    Reverse endpoint               | Alibaba Cloud services only | Use when the service provider needs to initiate access to cloud services in your VPC. You control access by configuring security groups on the reverse endpoint.

    Gateway endpoint is a separate feature that does not depend on PrivateLink. Gateway endpoints use the reserved IP address space 100.64.0.0/10 to enable more secure access to Alibaba Cloud services through endpoint policies. Currently, Object Storage Service (OSS) is the only Alibaba Cloud service that supports gateway endpoints.
  • Endpoint zones: When creating an endpoint, PrivateLink creates an Elastic Network Interface (ENI) in the specified endpoint zone. The ENI is the local entry point to the service.

  • Endpoint policies: Endpoint policies apply only to interface endpoints that access Alibaba Cloud services. With no policy attached (the default), any user or service in the VPC that presents Alibaba Cloud account credentials can reach any resource in the corresponding service; attach an endpoint policy to narrow what can be reached through the endpoint.

  • An endpoint can be in one of the following states: Creating, Modifying, Available, Deleting.

Endpoint connections

When the service consumer creates an endpoint, the endpoint service receives an endpoint connection request. The service provider accepts the request to connect the endpoint and the endpoint service.

Endpoint connections can be in one of the following statuses: Connecting, Connected, Disconnecting, Disconnected, Modifying, Deleting, and Service Deleted.

An endpoint connection is in the Disconnected state in the following situations:

  • The endpoint service does not have auto-accept enabled. Connections from newly created endpoints start in the Disconnected state until the service provider accepts them.

  • The service provider has rejected the endpoint connection, or has not yet accepted it.

  • The endpoint has an overdue payment.

  • The endpoint service has an overdue payment.
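The whitelist and the accept step described above are the two points at which a service provider decides who gets a private path into the backend, so it is worth checking periodically that the set of connected consumers still matches the approved list. The script below is an added example, not code from the Alibaba Cloud documentation or SDK. It takes connection records in a layout assumed to mirror what ListVpcEndpointConnections returns (the field names EndpointId, EndpointOwnerId, ConnectionStatus and Bandwidth are an assumption), uses the connection statuses named on this page, and classifies each connection against an approved-account allowlist. The sample records, account IDs and endpoint IDs are constructed for the example.

```python
"""Audit PrivateLink endpoint connections against an approved-consumer list.

Added example; not Alibaba Cloud documentation or SDK code. The record
layout (EndpointId, EndpointOwnerId, ConnectionStatus, Bandwidth) is an
assumption modelled on ListVpcEndpointConnections output; the sample records
below are constructed. In production, feed in the real API response and act on
the findings (reject or disable unexpected connections, accept pending ones
from approved accounts).
"""
from dataclasses import dataclass

# Connection statuses named on this page. "Connecting"/"Modifying" are treated
# as active because the data path either exists or is about to.
ACTIVE_STATUSES = {"Connecting", "Connected", "Modifying"}
PENDING_STATUS = "Disconnected"


@dataclass
class Finding:
    endpoint_id: str
    owner_id: str
    status: str
    verdict: str  # unexpected-active | unapproved-pending | accept-pending | ok


def audit_connections(connections, approved_owner_ids, service_owner_id):
    """Classify each connection record.

    - active connection from an account not on the allowlist: the finding that
      matters; an unintended consumer has a path into the backend
    - Disconnected connection from an approved account: a pending request the
      provider can accept
    - Disconnected connection from an unapproved account: reject it and look
      at why that account could reach the service name at all
    """
    # The provider's own account is whitelisted automatically on creation.
    approved = {str(a) for a in approved_owner_ids} | {str(service_owner_id)}
    findings = []
    for c in connections:
        owner = str(c["EndpointOwnerId"])
        status = c["ConnectionStatus"]
        if owner not in approved and status in ACTIVE_STATUSES:
            verdict = "unexpected-active"
        elif owner not in approved and status == PENDING_STATUS:
            verdict = "unapproved-pending"
        elif owner in approved and status == PENDING_STATUS:
            verdict = "accept-pending"
        else:
            verdict = "ok"
        findings.append(Finding(c["EndpointId"], owner, status, verdict))
    return findings


def summarize(findings):
    """Group endpoint IDs by verdict so a pipeline can act per category."""
    out = {}
    for f in findings:
        out.setdefault(f.verdict, []).append(f.endpoint_id)
    return out


# Constructed sample: what a provider might see for one endpoint service.
SAMPLE_CONNECTIONS = [
    {"EndpointId": "ep-aaa", "EndpointOwnerId": 1111, "ConnectionStatus": "Connected", "Bandwidth": 1024},
    {"EndpointId": "ep-bbb", "EndpointOwnerId": 2222, "ConnectionStatus": "Disconnected", "Bandwidth": 1024},
    {"EndpointId": "ep-ccc", "EndpointOwnerId": 9999, "ConnectionStatus": "Connected", "Bandwidth": 1024},
    {"EndpointId": "ep-ddd", "EndpointOwnerId": 8888, "ConnectionStatus": "Disconnected", "Bandwidth": 1024},
    {"EndpointId": "ep-eee", "EndpointOwnerId": 5555, "ConnectionStatus": "Service Deleted", "Bandwidth": 0},
]
APPROVED_CONSUMERS = ["1111", "2222"]  # constructed account IDs
SERVICE_OWNER = "5555"                 # constructed provider account ID

if __name__ == "__main__":
    for f in audit_connections(SAMPLE_CONNECTIONS, APPROVED_CONSUMERS, SERVICE_OWNER):
        print(f"{f.endpoint_id:8} owner={f.owner_id:6} {f.status:16} -> {f.verdict}")
```

Run against the sample, ep-ccc is the one to act on: it is Connected from an account that was never on the allowlist, which means either the allowlist drifted after the accept or the accept should not have happened. The "Service Deleted" record for the provider's own account is reported as ok because there is no longer a data path to protect.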

Core attributes

Endpoint service domain names

When the consumer creates an interface endpoint, domain names are automatically generated for accessing the service:

  • Endpoint service domain name: endpoint_id.endpoint_service_id.service_region.privatelink.aliyuncs.com

  • Zone domain name: endpoint_id-endpoint_zone.endpoint_service_id.service_region.privatelink.aliyuncs.com

Alibaba Cloud services are normally reached through a service-specific domain name. If the service has a custom service domain name configured, enable the custom service domain on the interface endpoint you created. Your application can keep using the existing domain name and its traffic is carried over PrivateLink; no application changes are required.

The custom domain name takes effect only in the VPC where the interface endpoint is created. Only that VPC can resolve the domain to the endpoint's private IP. Other VPCs or data centers must connect to this VPC and configure domain name resolution before using the same custom domain.

IP versions

Service providers can offer endpoint services in IPv4 or dual-stack (IPv4 and IPv6) mode:

  • Select dual-stack only when all service resources added to the endpoint service support dual-stack.

  • When the endpoint service is dual-stack, configure a dual-stack endpoint so that clients can access the service using both IPv4 and IPv6 addresses.

High availability

To achieve high availability for your PrivateLink connections, follow these steps:

  1. Configure service resources, such as load balancers, across zones:

    • For NLB or ALB: add instances that span multiple zones.

    • For CLB: add multiple instances with different primary zones.

  2. Select multiple zones for your endpoint. When creating an interface endpoint, choose vSwitches in at least two zones. This ensures traffic can fail over if one zone becomes unavailable.

  3. Use endpoint domain names for access. Alibaba Cloud continuously monitors the health of ENI IP addresses in each endpoint zone. If an anomaly is detected, the DNS record is automatically removed to redirect traffic to healthy zones. After the zone recovers, the DNS record is restored.
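The custom-domain caveat above (the name resolves to the endpoint's private IP only inside the VPC where the endpoint lives) and the high-availability steps (one ENI address per endpoint zone, unhealthy zone records withdrawn from DNS) combine into a single client-side rule: resolve the endpoint domain name fresh on every attempt, refuse any address that is not in your VPC, and fail over across the remaining zone addresses. The following Python is an added example, not code from the Alibaba Cloud documentation. The hostname, port and VPC CIDR are placeholders; the resolve and connect callables are injectable so the logic can be exercised offline with constructed data, and that injection is an assumption of this example rather than anything PrivateLink provides.

```python
"""Connect to a PrivateLink endpoint service by domain name with zone failover
and a private-address check.

Added example; not Alibaba Cloud documentation code. Assumes a multi-zone
interface endpoint reached through its endpoint service domain name (or a
custom service domain enabled on it). `resolve` and `connect` are injectable
for offline testing; the defaults use the standard library.
"""
import ipaddress
import socket


def resolve_all(host, port):
    """Default resolver: every distinct address for the name, in DNS order.

    Called on every connection attempt rather than cached by the application,
    so that a zone record PrivateLink has withdrawn for a health failure is
    not reused from a stale application-level cache.
    """
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    seen, addrs = set(), []
    for _family, _type, _proto, _canon, sockaddr in infos:
        ip = sockaddr[0]
        if ip not in seen:
            seen.add(ip)
            addrs.append(ip)
    return addrs


def default_connect(ip, port, timeout):
    """Default connector: plain TCP connect with a per-address timeout."""
    return socket.create_connection((ip, port), timeout=timeout)


def connect_private(host, port, vpc_cidrs, timeout=2.0,
                    resolve=resolve_all, connect=default_connect):
    """Return (sock, ip, tried) for the first zone address that accepts a
    TCP connection; `tried` lists the addresses skipped or failed before it.

    Addresses outside the VPC's CIDRs are skipped, not tried: a custom service
    domain only resolves to the endpoint ENI inside the endpoint's own VPC.
    From anywhere else the same name resolves to the public service, and a
    client that connected there would leave the private path without noticing.
    """
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    tried = []
    for ip in resolve(host, port):
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            tried.append((ip, "not-in-vpc"))
            continue
        try:
            sock = connect(ip, port, timeout)
            return sock, ip, tried
        except OSError as exc:
            # Zone ENI unreachable (zone outage, or record not yet withdrawn):
            # move on to the next zone address.
            tried.append((ip, f"connect-failed: {exc}"))
    raise ConnectionError(f"no zone address of {host} reachable: {tried}")
```

In real use the call is `connect_private("<custom-service-domain>", 443, ["<vpc-cidr>"])`, with the defaults resolving through the VPC's DNS and connecting over TCP; wrap the returned socket in TLS as the service requires. The per-address timeout matters: with one ENI per zone, a dead zone should cost one timeout, not the whole request.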

Elastic bandwidth and throttling

Elastic bandwidth

PrivateLink supports automatic elastic scaling:

  • Elasticity is applied per zone. The bandwidth available to each endpoint in each zone grows automatically with usage.

  • The elasticity limit depends on the endpoint type and the service resource type (see the table below).

  • The elastic bandwidth figure describes only the capacity of the endpoint zone's network interface (the endpoint ENI). The actual end-to-end capacity also depends on the backend service resource type and on the application's processing capability.

If your application requires higher throughput, contact your account manager to apply.

Endpoint type                  | Resource | Default bandwidth | Maximum bandwidth per zone
Interface endpoint             | NLB      | 10 Gbps           | 50 Gbps (for endpoints created after February 1, 2026). Multi-zone max: number of zones × 50 Gbps.
Interface endpoint             | ALB      | 5 Gbps            | 25 Gbps. Multi-zone max: number of zones × 25 Gbps.
Interface endpoint             | CLB      | See note below    | 5 Gbps. Multi-zone max: number of zones × 5 Gbps.
Gateway Load Balancer endpoint | GWLB     | 5 Gbps            | 25 Gbps. Multi-zone max: number of zones × 25 Gbps.

For CLB service resources, the endpoint's default connection bandwidth limit is 3,072 Mbps. If the service provider does not change the limit, each endpoint supports up to 3,072 Mbit/s per zone.

Relationship between elastic bandwidth and throttling

  • Elastic bandwidth: Zone-level automatic elasticity provided by the system. It represents the maximum bandwidth supported by each endpoint within each zone. No pre-configuration is needed.

  • Throttling: A throttling policy configured by the service provider for endpoint connections to prevent backend service overload. Service providers can set different throttling values for different endpoint connections.

    • Inheritance mechanism: After the service provider sets a throttling limit for an endpoint connection, the ENIs in each zone for that endpoint automatically inherit and enforce this throttling value, enabling precise traffic control.

    • To view the current throttling value:

      • Call GetVpcEndpointAttribute and check the Bandwidth field in the response.

      • In the console, open the endpoint details page and find the Bandwidth Limit parameter.

Throttling is not an SLA-backed metric. Because PrivateLink uses a distributed architecture, the throttling value is spread across multiple devices in each zone. The limit is shared across those devices, so a single connection will not reach it; it is only approached when traffic is spread over multiple connections. Actual throughput may vary and can occasionally exceed the configured limit.