Simple application servers are automatically assigned to virtual private clouds (VPCs), which isolate the servers from other Alibaba Cloud services. By default, simple application servers are not interconnected with other Alibaba Cloud services such as Elastic Compute Service (ECS) and ApsaraDB, even if the services reside in the same VPC as the simple application servers. To allow a simple application server to communicate with other Alibaba Cloud services in the same region as the server, you can configure the service interconnection feature for the server. This topic describes how to configure the service interconnection feature for a simple application server. This topic also describes how to manage the VPC after you configure the service interconnection feature for a simple application server.
Background information
Cloud Enterprise Network (CEN) allows you to establish private connections between VPCs in different regions and between VPCs and data centers. For more information, see What is CEN?
- Simple application servers require access to ECS over VPCs.
- Simple application servers require access to ApsaraDB over VPCs.

Limits
- For simple application servers that belong to the same Alibaba Cloud account:
  - All simple application servers in the same region are automatically added to the same VPC. The VPC can be added to only one CEN instance at a time.
  - Simple application servers in different regions are added to region-specific VPCs. To allow services in different VPCs in a region to communicate with each other, you must select all the VPCs for the VPCs parameter when you configure service interconnection on the Simple Application Server console.
- If you do not have simple application servers deployed in a region, you cannot enable the service interconnection feature for the region.
- The Simple Application Server console allows you to interconnect only services that belong to the same account and reside in the same region. This feature is free of charge. However, if you want to interconnect services across Alibaba Cloud accounts or regions, you must perform relevant operations in the Cloud Enterprise Network console. This is a paid feature. For more information, see Billing, Grant permissions to another Alibaba Cloud account across VPCs, and Manage inter-region connections.
- Operations performed in the Cloud Enterprise Network console are not synchronized to the Simple Application Server console. We recommend that you perform operations such as managing VPCs in the Simple Application Server console after you configure the service interconnection feature. For more information, see Add or remove a VPC.
Enable service interconnection
- Log on to the Simple Application Server console.
- In the left-side navigation pane, click Service Interconnection.
- On the Service Interconnection page, click Service Interconnection. The first time you enable the service interconnection feature, a message appears to prompt you to confirm authorization. Click OK. The system automatically creates a service-linked role for Simple Application Server. For more information, see Create and delete a service-linked role.
- In the Configure Service Interconnection dialog box, configure the following parameters.

| Parameter | Description |
| --- | --- |
| Region | Select the region for which you want to enable the service interconnection feature. Example: China (Hangzhou). |
| CEN Instance | Select a CEN instance from the drop-down list. Important: Only CEN Basic Edition transit routers are supported. If you select a CEN Enterprise Edition transit router that you created, the service interconnection feature of the simple application server is unavailable. We recommend that you select Auto Create to allow the system to automatically create a CEN instance. |
| VPC | Select the ID of the VPC for which you want to enable the service interconnection feature. For example, you can select the ID of a VPC where ECS instances reside. If you want to select multiple VPC IDs, click Add to Batch Selection Box and select more. You can add or remove VPCs after you configure service interconnection for a region. For more information, see Add or remove a VPC. |

- Click OK. On the Service Interconnection page, you can view the VPCs that you added.
- Test interconnectivity. In this example, a simple application server in VPC 1 and an ECS instance in VPC 2 that belong to the same account and reside in the same region are used to test the interconnectivity. This example assumes that you selected VPC 2 for the VPCs parameter in Step 5.
Add or remove a VPC
- Add a VPC: After you add a VPC, the simple application server is interconnected with other cloud services in the VPC.
- Remove a VPC: After you remove a VPC, the simple application server is disconnected from other cloud services in the VPC.
- Log on to the Simple Application Server console.
- In the left-side navigation pane, click Service Interconnection.
- In the Region section of the Service Interconnection page, select a region.
- Add or remove a VPC.
  - Add a VPC
    - On the Service Interconnection page, click Service Interconnection.
    - In the Configure Service Interconnection dialog box, select a region, CEN instance, and VPC. For more information, see Parameters for configuring service interconnection.
    - Click OK.
  - Remove a VPC
    - Find the VPC that you want to remove. Click Remove in the Actions column.
      Note:
      - After you remove a VPC, the simple application server is disconnected from other cloud services in the VPC.
      - If you have deleted the service-linked role AliyunServiceRoleForSwas for Simple Application Server, after you click Remove, a dialog box appears to prompt you to re-authorize Simple Application Server to obtain the IDs of your VPCs and CEN instances. Click OK. Then, you can remove the VPC.
    - In the message that appears, click OK.
Create and delete a service-linked role
AliyunServiceRoleForSwas is a service-linked role that is provided by RAM and allows Simple Application Server to access other Alibaba Cloud resources. Simple Application Server uses the AliyunServiceRoleForSwas role to obtain access to resources in CEN and VPC, which enables service interconnection. For more information, see Service-linked roles.
Permission description
- Role name: AliyunServiceRoleForSwas.
- Policy: AliyunServiceRolePolicyForSwas.
- Description: The first time you use the service interconnection feature that is provided by Simple Application Server, you must authorize Simple Application Server to access resources of other Alibaba Cloud services such as CEN and VPC.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cen:CreateCen",
        "cen:DescribeCens",
        "cen:DescribeCenAttachedChildInstanceAttribute",
        "cen:DescribeChildInstanceRegions",
        "cen:DescribeGrantRulesToCen",
        "cen:ModifyCenAttribute",
        "cen:AttachCenChildInstance",
        "cen:DetachCenChildInstance",
        "cen:DeleteCen"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "swas.aliyuncs.com"
        }
      }
    }
  ]
}
```
Create a service-linked role
The first time you use the service interconnection feature that is provided by Simple Application Server, the system checks whether the AliyunServiceRoleForSwas role exists in your Alibaba Cloud account. If the role does not exist, you must authorize the system to create it before the system creates the service-linked role.
The AliyunServiceRolePolicyForSwas policy is attached to the AliyunServiceRoleForSwas service-linked role. The policies that are attached to service-linked roles are defined and used by the linked Alibaba Cloud services. You cannot add, modify, or remove permissions for service-linked roles.