
Virtual Private Cloud:Gateway endpoints

Last Updated: Mar 07, 2024

If you want to use an endpoint to establish a secure and stable private connection between a virtual private cloud (VPC) and an Alibaba Cloud service, you can create a gateway endpoint in the VPC and specify a route table to be associated with the gateway endpoint. The next hop of the route destined for the service is automatically set to the gateway endpoint. This allows you to access the service through private connections. This topic describes how to create and manage gateway endpoints.

Background information

Endpoints include interface endpoints and gateway endpoints. Endpoints are created and managed by service consumers. A service consumer can associate endpoints with an endpoint service to enable a VPC to access the endpoint service.

  • An interface endpoint is an elastic network interface (ENI) with a private IP address and serves as the ingress of an endpoint service or an Alibaba Cloud service. For more information, see Create interface endpoints.

  • A gateway endpoint is a virtual gateway device. You can create a gateway endpoint in a VPC for a cloud service and associate a route table with the gateway endpoint. Then, the system automatically adds a route to the route table. The destination of the route is the CIDR block of the cloud service, which is represented by a prefix list whose ID starts with pl followed by a random string, and the next hop is the gateway endpoint. This way, the VPC can access the cloud service.

    Alibaba Cloud ensures that the CIDR block of an endpoint service in each region is unique (allocated from 100.64.0.0/10). You can use Cloud Enterprise Network (CEN), VPC peering connections, or VPN gateways to reach the endpoint service of a gateway endpoint from VPCs in other regions.

Limits

  • For a given cloud service, each VPC can be associated with only one gateway endpoint, and each VPC route table can be associated with only one gateway endpoint.

  • For different cloud services, a VPC, and each of its route tables, can be associated with one gateway endpoint per cloud service.

  • When you create gateway endpoints for different cloud service types in a region for the first time, the system automatically creates a system prefix list. The system prefix list cannot be modified or deleted. For more information, see View a prefix list.

  • You must add the ID of the Alibaba Cloud account to which the gateway endpoints belong to the whitelist of the endpoint service. For more information, see Manage account IDs in the whitelist of an endpoint service.

  • Only Object Storage Service (OSS) supports gateway endpoints. For more information about OSS, see What is OSS?

  • The following table lists the regions where OSS supports gateway endpoints.

    Area                          Region
    Asia Pacific - China          China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Ulanqab), China (Heyuan), China (Guangzhou), China (Chengdu), and China (Hong Kong)
    Asia Pacific - Other regions  Malaysia (Kuala Lumpur)

Prerequisites

A VPC to be associated with a gateway endpoint is created. For more information, see Create and manage a VPC.

Create a gateway endpoint and view the route

When you create a gateway endpoint, you must specify the VPC to be associated with the gateway endpoint and the endpoint service that the VPC needs to access.

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region where you want to create the gateway endpoint.

  3. In the left-side navigation pane, click Endpoints.

  4. Click the Gateway Endpoint tab and click Create Endpoint.

  5. On the Create Endpoint page, configure the parameters and click OK. The following list describes the parameters (each parameter is followed by its description).

    Region: Select the region where you want to create the gateway endpoint.

    Endpoint Name: Enter a name for the gateway endpoint.

    Endpoint Type: Select the type of endpoint to be created. In this example, Gateway Endpoint is selected.

    Endpoint Service: You can associate the endpoint with an endpoint service by using one of the following methods:

    • Click Other Endpoint Services and enter a service name, such as com.aliyun.cn-beijing.oss.

    • Click Select Service and select the endpoint service that your VPC needs to access.

    VPC: Select the VPC where you want to create the gateway endpoint.

    Route Table: Select the route table to be associated with the gateway endpoint.

    Resource Group: Select the resource group of the gateway endpoint.

    Tag Key: Select or enter a tag key. You can specify up to 20 tag keys. A tag key can be up to 128 characters in length and cannot contain http:// or https://. It cannot start with acs: or aliyun.

    Tag Value: Select or enter a tag value. You can specify up to 20 tag values. A tag value can be up to 128 characters in length and cannot contain http:// or https://. It cannot start with acs: or aliyun.

    Description: Enter a description for the endpoint.

    Access Policies: Enter an access policy. For example, the following access policy allows the specified account to perform all OSS actions on examplebucket and the objects in it:

    {
      "Statement":
        [
          {
            "Action": "oss:*",
            "Effect": "Allow",
            "Principal": ["174649585760xxxx"],
            "Resource": ["acs:oss:*:*:examplebucket",
                         "acs:oss:*:*:examplebucket/*"]
          }
        ],
      "Version": "1"
    }

    OSS allows you to control access from VPCs by using access policies. For more information, see Tutorial: Use VPC policies and bucket policies to control data access.

  6. Return to the Endpoints page, click the Gateway Endpoint tab, and then click the ID of the gateway endpoint that you created.

  7. On the Associated Route Tables tab, click the ID of the route table.

  8. Choose Route Entry List > Custom Route to view the route entry that is automatically added by the system.


    After you create a gateway endpoint, the system automatically adds a route to the route table that is associated with the gateway endpoint. The destination CIDR block of the route is the CIDR block of the cloud service and the next hop is the gateway endpoint.
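The access policy entered in step 5 is the control that decides which accounts can reach which OSS buckets through the endpoint, so it is worth checking for over-broad grants before you save it. The following added example (not Alibaba Cloud's code) lints a policy of the shape shown above; the two sample policies are constructed, the account ID is a placeholder, and the checks are a heuristic assumed here, not an official validator.

```python
import json

# Constructed samples of the access policy JSON entered in the Access Policies
# field. SCOPED_POLICY mirrors the page's example (placeholder account ID);
# OPEN_POLICY is a deliberately over-broad policy used to show the findings.
SCOPED_POLICY = """{
  "Statement": [{
    "Action": "oss:*",
    "Effect": "Allow",
    "Principal": ["174649585760xxxx"],
    "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"]
  }],
  "Version": "1"
}"""

OPEN_POLICY = """{
  "Statement": [{"Action": "*", "Effect": "Allow", "Principal": "*", "Resource": "*"}],
  "Version": "1"
}"""


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_endpoint_policy(policy_text):
    """Return one finding (string) per over-broad grant in an endpoint access
    policy. Only Allow statements are examined; a Deny cannot widen access."""
    policy = json.loads(policy_text)
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version is not "1"')
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        where = f"Statement[{idx}]"
        if "*" in _as_list(stmt.get("Principal", [])):
            findings.append(f"{where}: Principal * lets any Alibaba Cloud account use the endpoint")
        resources = _as_list(stmt.get("Resource", []))
        if any(r == "*" or r.endswith(":*") for r in resources):
            findings.append(f"{where}: Resource is not limited to specific buckets")
        actions = _as_list(stmt.get("Action", []))
        if any(a in ("*", "oss:*") for a in actions):
            findings.append(f"{where}: Action {actions} grants every OSS operation; narrow it where possible")
    return findings


if __name__ == "__main__":
    for name, text in (("scoped", SCOPED_POLICY), ("open", OPEN_POLICY)):
        print(name, lint_endpoint_policy(text) or ["no findings"])
```

The page's own policy produces only the action warning, because it is already scoped to one account and one bucket; the open policy is flagged on principal, resource and action.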

Delete a gateway endpoint

You can delete a gateway endpoint that you no longer need. Before you delete a gateway endpoint, you must first disassociate the route tables that are associated with the gateway endpoint. After you disassociate the route tables, the system automatically deletes the routes that point to the gateway endpoint from the route tables.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose Endpoints > Gateway Endpoint.

  3. In the top navigation bar, select the region to which the gateway endpoint belongs.

  4. Click the Gateway Endpoint tab, find the ID of the gateway endpoint, and then click Delete in the Actions column.

  5. In the Delete Endpoint message, click OK.

More operations

The following operations are also available for gateway endpoints. Each entry lists the operation, followed by its procedure.

Associate a route table with a gateway endpoint

  1. On the Gateway Endpoint tab, find the gateway endpoint that you want to manage and click its ID.

  2. On the Associated Route Tables tab, click Associate with Route Table.

  3. In the Associate with Route Table dialog box, select the route table that you want to associate and click OK.

    The system automatically adds a route to the route table. The destination CIDR block of the route is the CIDR block of the cloud service and the next hop is the gateway endpoint.

Disassociate a route table from a gateway endpoint

  1. On the Gateway Endpoint tab, find the gateway endpoint that you want to manage and click its ID.

  2. On the Associated Route Tables tab, find the ID of the route table and click Disassociate in the Actions column.

  3. In the Disassociate message, click OK.

    Then, the system automatically deletes the routes that point to the gateway endpoint from the route table.

Modify the access policy of a gateway endpoint

  1. On the Gateway Endpoint tab, find the gateway endpoint that you want to manage and click its ID.

  2. Click the Access Policies tab and click Modify Access Policy.

  3. In the Modify Access Policy dialog box, modify the access policy and click OK.

Modify the name of a gateway endpoint

  1. On the Gateway Endpoint tab, find the gateway endpoint that you want to manage and click its ID.

  2. In the Basic Information section, find the name of the gateway endpoint and click Edit.

  3. In the dialog box that appears, enter a new name and click OK.
