Manage service interconnection - Simple Application Server

Simple application servers are automatically assigned to virtual private clouds (VPCs), which isolate the servers from other Alibaba Cloud services. By default, simple application servers are not interconnected with other Alibaba Cloud services such as Elastic Compute Service (ECS) and ApsaraDB, even if the services reside in the same VPC as the simple application servers. To allow a simple application server to communicate with other Alibaba Cloud services in the same region as the server, you can configure the service interconnection feature for the server. This topic describes how to configure the service interconnection feature for a simple application server. This topic also describes how to manage the VPC after you configure the service interconnection feature for a simple application server.

Background information

Cloud Enterprise Network (CEN) allows you to establish private connections between VPCs in different regions and between VPCs and data centers. For more information, see What is CEN?

By default, all simple application servers that belong to the same Alibaba Cloud account and reside in the same region communicate with each other over VPCs. The service interconnection feature is mainly used in the following scenarios:

Simple application servers require access to ECS over VPCs.
Simple application servers require access to ApsaraDB over VPCs.

Note By default, simple application servers and Object Storage Service (OSS) instances that reside in the same region can communicate with each other over virtual private clouds (VPCs). You do not need to configure service interconnection in this case. For more information, see Implement service interconnection over the internal endpoint of an OSS resource.

The following figure shows the scenario that is used in this example. An enterprise purchases two VPCs in the China (Hangzhou) region and deploys their simple application servers in VPC 1 and their ECS instances in VPC 2. The enterprise wants to allow the simple application servers and the ECS instances to communicate across the VPCs. dadad

Limits

For simple application servers that belong to the same Alibaba Cloud account:
- All simple application servers in the same region are automatically added to the same VPC. The VPC can be added to only one CEN instance at a time.
- Simple application servers in different regions are added to region-specific VPCs. To allow services in different VPCs in a region to communicate with each other, you must select all the VPCs for the VPCs parameter when you configure service interconnection on the Simple Application Server console.
If you do not have simple application servers deployed in a region, you cannot enable the service interconnection feature for the region.
The Simple Application Server console allows you to only interconnect services that belong to the same account and reside in the same region. This feature is free of charge. However, if you want to interconnect services across Alibaba Cloud accounts or regions, you must perform relevant operations in the Cloud Enterprise Network console. This is a paid feature. For more information, see Billing, Grant permissions to another Alibaba Cloud account across VPCs, and Manage inter-region connections.
Operations performed in the Cloud Enterprise Network console are not synchronized to the Simple Application Server console. We recommend that you perform operations such as managing VPCs in the Simple Application Server console after you configure the service interconnection feature. For more information, see Add or remove a VPC.

Enable service interconnection

Warning The first time you enable the service interconnection feature in a region, the simple application servers in the region stop for about 1 minute. Stopping of the servers may interrupt your business. We recommend that you configure service interconnection during off-peak hours.

Log on to the Simple Application Server console.
In the left-side navigation pane, click Service Interconnection.
On the Service Interconnection page, click Service Interconnection.
The first time you enable the service interconnection feature, a message appears to prompt you to confirm authorization. Click OK. The system automatically creates a service-linked role for Simple Application Server. For more information, see Create and delete a service-linked role.

In the Configure Service Interconnection dialog box, configure the following parameters.


Parameter	Description
Region	Select the region for which you want to enable the service interconnection feature. Example: China (Hangzhou).
CEN Instance	Select a CEN instance from the drop-down list. Important Only CEN Basic Edition transit routers are supported. If you select a CEN Enterprise Edition transit router that you created, the service interconnection feature of the simple application server is unavailable. We recommend that you select Auto Create to allow the system to automatically create a CEN instance.
VPC	Select the ID of the VPC for which you want to enable the service interconnection feature. For example, you can select the ID of a VPC where ECS instances reside. If you want to select multiple VPC IDs, click Add to Batch Selection Box and select more. You can add or remove VPCs after you configure service interconnection for a region. For more information, see Add or remove a VPC.

Click OK.
On the Service Interconnection page, you can view the VPCs that you added.
Test interconnectivity.
In this example, a simple application server in VPC 1 and an ECS instance in VPC 2 that belong to the same account and reside in the same region are used to test the interconnectivity. This example assumes that you selected VPC 2 for the VPCs parameter in Step 5.
1. Connect to the simple application server.
  For more information, see (Recommended) Connect to a Linux server by using Workbench in the Simple Application Server console.
2. Run the ping command to ping the IP address of the ECS instance in VPC 2.
  If the system returns a message that is similar to the following figure, the connection between the simple application server and ECS instance is established.

Add or remove a VPC

After you enable the service interconnection feature for a region, you can continue to add and remove VPCs.

Add a VPC: After you add a VPC, the simple application server is interconnected with other cloud services in the VPC.
Remove a VPC: After you remove a VPC, the simple application server is disconnected from other cloud services in the VPC.

Log on to the Simple Application Server console.
In the left-side navigation pane, click Service Interconnection.
In the Region section of the Service Interconnection page, select a region.
Add or remove a VPC.
- Add a VPC
  1. On the Service Interconnection page, click Service Interconnection.
  2. In the Configure Service Interconnection dialog box, select a region, CEN instance, and VPC. For more information, see Parameters for configuring service interconnection.
  3. Click OK.
- Remove a VPC
  1. Find the VPC that you want to remove. Click Remove in the Actions column.
    Note
    After you remove a VPC, the simple application server is disconnected from other cloud services in the VPC.
    If you have deleted the service-linked role AliyunServiceRoleForSwas for Simple Application Server, after you click Remove, a dialog box appears to prompt you to re-authorize Simple Application Server to obtain the IDs of your VPCs and CEN instances. Click OK. Then, you can remove the VPC.
  2. In the message that appears, click OK.

Create and delete a service-linked role

AliyunServiceRoleForSwas is a service-linked role that is provided by RAM and allows Simple Application Server to access other Alibaba Cloud resources. Simple Application Server can obtain access to resources in CEN and VPC by using an AliyunServiceRoleForSwas. This enables service interconnection. For more information, see Service-linked roles.

Permission description

The following list describes the permissions of the service-linked role of Simple Application Server:

Role name: AliyunServiceRoleForSwas.
Policy: AliyunServiceRolePolicyForSwas.

Description: The first time you use the service interconnection feature that is provided by Simple Application Server, you must authorize Simple Application Server to access resources of other Alibaba Cloud services such as CEN and VPC.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cen:CreateCen",
                "cen:DescribeCens",
                "cen:DescribeCenAttachedChildInstanceAttribute",
                "cen:DescribeChildInstanceRegions",
                "cen:DescribeGrantRulesToCen",
                "cen:ModifyCenAttribute",
                "cen:AttachCenChildInstance",
                "cen:DetachCenChildInstance",
                "cen:DeleteCen"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "swas.aliyuncs.com"
                }
            }
        }
    ]
}

Create a service-linked role

The first time you use the service interconnection feature that is provided by Simple Application Server, the system checks whether an AliyunServiceRoleForSwas is created in your Alibaba Cloud account. If no AliyunServiceRoleForSwas exists, you must authorize the system to create an AliyunServiceRoleForSwas before the system creates the service-linked role.

The AliyunServiceRoleForSwas service-linked role is attached with the AliyunServiceRolePolicyForSwas policy. The policies that are attached to service-linked roles are defined and used by the linked Alibaba Cloud services. You cannot add, modify, or remove permissions for service-linked roles.

Delete a service-linked role

Before you delete an AliyunServiceRoleForSwas, make sure that no simple application servers in your Alibaba Cloud account are assuming the role. For more information, see Delete a RAM role.

Note If you want to continue to use the service interconnection feature after you delete an AliyunServiceRoleForSwas, you can click Service Interconnection on the Service Interconnection page. After you follow the on-screen instructions to grant the required permissions, the system automatically creates an AliyunServiceRoleForSwas again.