All Products
Search

This Product

    Simple Application Server:Manage service interconnection

    Document Center

    Simple Application Server:Manage service interconnection

    Last Updated:Nov 16, 2023

    Simple application servers are automatically assigned to virtual private clouds (VPCs), which isolate the servers from other Alibaba Cloud services. By default, simple application servers are not interconnected with other Alibaba Cloud services such as Elastic Compute Service (ECS) and ApsaraDB, even if the services reside in the same VPC as the simple application servers. The service interconnection feature allows simple application servers to interconnect with other Alibaba Cloud services in the same VPC. This topic describes how to configure the service interconnection feature for a simple application server. This topic also describes how to manage the VPC after you configure the service interconnection feature for a simple application server.

    Background information

    Cloud Enterprise Network (CEN) allows you to establish private connections between VPCs in different regions and between VPCs and data centers. For more information, see What is CEN?

    By default, all simple application servers that belong to the same Alibaba Cloud account and reside in the same region communicate with each other over the VPC. The service interconnection feature is mainly used in the following scenarios:

    • Simple application servers require access to ECS over VPCs.

    • Simple application servers require access to ApsaraDB over VPCs.

    Note

    By default, simple application servers and Object Storage Service (OSS) instances that reside in the same region can communicate with each other over VPCs. You do not need to configure service interconnection in this case. For more information, see Implement service interconnection over the internal endpoint of an OSS resource.

    In this example, the scenario shown in the following figure is used. An enterprise purchases two VPCs in the China (Hangzhou) region and deploys their simple application servers in VPC 1 and their ECS instances in VPC 2. The enterprise wants to build connections between the simple application servers and the ECS instances across the VPCs. dadad

    Limits

    • For simple application servers that belong to the same Alibaba Cloud account:

      • All simple application servers in the same region are automatically added to the same VPC. The VPC can be added to only one CEN instance at a time.

      • Simple application servers in different regions are added to region-specific VPCs. To allow services in different VPCs in a region to communicate with each other, you must select all the VPCs for the VPCs parameter when you configure service interconnection on the Simple Application Server console.

    • If you do not have simple application servers deployed in a region, you cannot enable the service interconnection feature for the region.

    • In the Simple Application Server console, you can enable service interconnection. This way, your simple application server is interconnected with other services that belong to the same Alibaba Cloud account and reside in the same region as the simple application server. This feature is provided free of charge. If you want to make your simple application server interconnected with other services that belong to different Alibaba Cloud accounts or reside in different regions from your server, you must perform relevant operations in the CEN console. You are charged for the feature. For more information, see Billing, Grant permissions on a network instance that belongs to another account, and Manage inter-region connections.

    • Operations performed in the CEN console are not synchronized to the Simple Application Server console. We recommend that you perform operations such as managing VPCs in the Simple Application Server console after you configure the service interconnection feature. For more information, see Add or remove a VPC.

    Enable service interconnection

    Warning

    The first time you enable the service interconnection feature in a region, the simple application servers in the region stop for about 1 minute. Stopping the servers may interrupt your business. We recommend that you configure service interconnection during off-peak hours.

    1. Log on to the Simple Application Server console.

    2. In the left-side navigation pane, click Service Interconnection.

    3. In the upper-right corner of the Service Interconnection page, click Service Interconnection.

      The first time you enable the service interconnection feature, a message appears to prompt you to confirm authorization. Click OK. The system automatically creates a service-linked role for Simple Application Server. For more information, see Create and delete the service-linked role.

    4. In the Configure Service Interconnection dialog box, configure parameters.

      The following table describes the parameters.

      Parameter

      Description

      Region

      Select the region for which you want to enable the service interconnection feature. Example: China (Hangzhou).

      CEN Instance

      Select a CEN instance from the drop-down list. If no CEN instance is available in the drop-down list, click Auto Create. The system automatically creates a CEN instance.

      Warning

      Simple Application Server supports only CEN Basic Edition transit routers. If you select a CEN Enterprise Edition transit router that you created in the CEN console, the service interconnection feature of the simple application server is unavailable. For more information about CEN Basic Edition and CEN Enterprise Edition, see Transit router editions.

      VPC

      Select the ID of the VPC for which you want to enable the service interconnection feature. For example, you can select the ID of a VPC where ECS instances reside. If you want to select multiple VPC IDs, click Add to Batch Selection Box and select more. You can also add or remove VPCs after you configure service interconnection for a region. For more information, see Add or remove a VPC.

    5. Click Ok.

      On the Service Interconnection page, you can view the VPCs that you added.2558

    6. Verify the network connectivity.

      In this example, a simple application server in VPC 1 and an ECS instance in VPC 2 that belong to the same account and reside in the same region are used to verify the network connectivity. This example assumes that you selected VPC 2 for the VPC parameter in Step 5.

      1. Connect to the simple application server.

        For more information, see the "(Recommended) Connect to a Linux server by using Workbench in the Simple Application Server console" section of the Connect to a Linux server topic.

      2. Run the ping command to ping the IP address of the ECS instance in VPC 2.

        If the system returns a message that is similar to the following figure, the connection between the simple application server and ECS instance is established.adasa

    Add or remove a VPC

    After you enable the service interconnection feature for a region, you can continue to add VPCs to the region or remove VPCs from the region.

    • Add a VPC: After you add a VPC, the simple application server is interconnected with other cloud services in the VPC.

    • Remove a VPC: After you remove a VPC, the simple application server is disconnected from other cloud services in the VPC.

    1. Log on to the Simple Application Server console.

    2. In the left-side navigation pane, click Service Interconnection.

    3. In the Region section, select a region.

    4. Add or remove a VPC.

      • Add a VPC

        1. On the Service Interconnection page, click Service Interconnection.

        2. In the Configure Service Interconnection dialog box, select a region, CEN instance, and VPC. For more information, see Table: Parameters for configuring service interconnection.

        3. click OK.

      • Remove a VPC

        1. Find the VPC that you want to remove. Click Remove in the Actions column.1258

          Note

          • After you remove a VPC, the simple application server is disconnected from other cloud services in the VPC.

          • If you have deleted the service-linked role AliyunServiceRoleForSwas for Simple Application Server, after you click Remove in the Actions column that corresponds to a VPC, a dialog box appears to prompt you to re-authorize Simple Application Server to obtain the IDs of your VPCs and CEN instances. Click OK. Then, you can remove the VPC.

        2. In the message that appears, click OK.

    Create and delete the service-linked role

    AliyunServiceRoleForSwas is a service-linked role that is provided by Resource Access Management (RAM). The service-linked role allows Simple Application Server to access other Alibaba Cloud resources. Simple Application Server can obtain access to resources in CEN and VPC by using an AliyunServiceRoleForSwas. This enables service interconnection. For more information, see Service-linked roles.

    Permission description

    The following list describes the permissions of the service-linked role of Simple Application Server:

    • Role name: AliyunServiceRoleForSwas.

    • Policy: AliyunServiceRolePolicyForSwas.

    • Description: The first time you enable the service interconnection feature for a region, you must authorize Simple Application Server to access resources of other Alibaba Cloud services such as CEN and VPC. 

      {
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cen:CreateCen",
                "cen:DescribeCens",
                "cen:DescribeCenAttachedChildInstanceAttribute",
                "cen:DescribeChildInstanceRegions",
                "cen:DescribeGrantRulesToCen",
                "cen:ModifyCenAttribute",
                "cen:AttachCenChildInstance",
                "cen:DetachCenChildInstance",
                "cen:DeleteCen"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "swas.aliyuncs.com"
                }
            }
        }
    ]
}

    Create the service-linked role

    The first time you enable the service interconnection feature for a region, the system checks whether the AliyunServiceRoleForSwas service-linked role is created in your Alibaba Cloud account. If the service-linked role does not exist, you must authorize Simple Application Server to access resources of other Alibaba Cloud services. Then, the system creates the service-linked role.

    The AliyunServiceRoleForSwas service-linked role is attached with the AliyunServiceRolePolicyForSwas system policy. System policies that are attached to service-linked roles are defined and used by the linked Alibaba Cloud services. You cannot add, modify, or remove permissions for service-linked roles.

    Delete the service-linked role

    Before you delete the AliyunServiceRoleForSwas service-linked role, make sure that no simple application servers in your Alibaba Cloud account are assuming the role. For more information, see Delete a RAM role.

    Note

    If you want to continue to use the service interconnection feature after you delete the AliyunServiceRoleForSwas service-linked role, you can click Service Interconnection on the Service Interconnection page. After you follow the on-screen instructions to authorize Simple Application Server to access resources of other Alibaba Cloud services, the system re-creates the AliyunServiceRoleForSwas service-linked role.