A gateway endpoint serves as a virtual gateway device. You can create a gateway endpoint in your virtual private cloud (VPC) for an endpoint service and associate the endpoint with a route table. Then, the system automatically adds a route that points to the gateway endpoint to the VPC route table. This way, your VPC can access the endpoint service. This topic describes how to create and manage gateway endpoints.
Background information
You can use endpoints to establish stable and secure connections between VPCs and Alibaba Cloud services. Endpoints simplify network architectures and allow your VPCs to access other Alibaba Cloud services (endpoint services). Endpoints are created and managed by service consumers. A service consumer associates an endpoint with an endpoint service to enable a VPC to access that service. There are two kinds of endpoints:
- An interface endpoint is an elastic network interface (ENI) with a private IP address that serves as the ingress of an endpoint service or an Alibaba Cloud service. For more information, see Create interface endpoints.
- A gateway endpoint is a virtual gateway device. You create a gateway endpoint in a VPC for a cloud service and associate a route table with it. The system then automatically adds a route to that route table: the destination is the CIDR block of the cloud service and the next hop is the gateway endpoint. In the route table, this destination is shown as a prefix list whose ID starts with pl- followed by a random string, not as a literal CIDR block. This way, the VPC can access the cloud service.
Alibaba Cloud ensures that the CIDR block of an endpoint service is unique within each region. It is allocated from 100.64.0.0/10, the shared address space reserved by RFC 6598, so check that none of your VPCs or connected on-premises networks reuse that range; otherwise the endpoint route and your own routes would overlap. Gateway endpoints are regional. To reach an endpoint service from a VPC in another region, route the traffic to the VPC that has the gateway endpoint over Cloud Enterprise Network (CEN), a VPC peering connection, or a VPN gateway.
Limits
- For a given cloud service, a VPC can be associated with only one gateway endpoint, and a VPC route table can be associated with only one gateway endpoint.
- Gateway endpoints for different cloud services can coexist: a VPC, and likewise a VPC route table, can be associated with one gateway endpoint per cloud service.
- The Alibaba Cloud account that owns the gateway endpoint must be on the whitelist of the endpoint service; otherwise the endpoint cannot be connected. For more information, see Manage account IDs in the whitelist of an endpoint service.
- Only Object Storage Service (OSS) supports gateway endpoints. For more information about OSS, see What is OSS?.
- The following table lists the regions where OSS supports gateway endpoints.

Area | Region |
---|---|
Asia Pacific - China | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), and China (Hong Kong) |
Asia Pacific - Others | Malaysia (Kuala Lumpur) |
Prerequisites
A VPC to be associated with a gateway endpoint is created. For more information, see Create and manage a VPC.
Create a gateway endpoint and view the route
When you create a gateway endpoint, you must specify the VPC to be associated with the gateway endpoint and the endpoint service that the VPC needs to access.
- Log on to the VPC console.
- In the top navigation bar, select the region where you want to create the gateway endpoint.
- In the left-side navigation pane, click Endpoints.
- Click the Gateway Endpoint tab and click Create Endpoint.
- On the Create Endpoint page, configure the following parameters and click OK.
Parameter | Description |
---|---|
Endpoint Name | Enter a name for the gateway endpoint. |
Endpoint Type | Select the type of endpoint to be created. In this example, Gateway Endpoint is selected. |
Endpoints Service | Associate the endpoint with an endpoint service in one of the following ways: click Add by Service Name and enter the name of the endpoint service, such as com.aliyun.cn-beijing.oss; or click Select Service and select the endpoint service that your VPC needs to access. |
VPC | Select the VPC where you want to create the gateway endpoint. |
Route Table | Select the route table to be associated with the gateway endpoint. |
Description | Enter a description for the endpoint. |
Access Policies | Enter an access policy that restricts what traffic through the endpoint is allowed to do in OSS. The following example allows the account 174649585760xxxx all OSS actions on examplebucket and its objects, and nothing else: |

```json
{
  "Statement": [
    {
      "Action": "oss:*",
      "Effect": "Allow",
      "Principal": ["174649585760xxxx"],
      "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"]
    }
  ],
  "Version": "1"
}
```

OSS allows you to control access from VPCs by using access policies. The endpoint policy is evaluated together with the bucket policy, so a permissive endpoint policy does not by itself grant access that the bucket denies; conversely, narrow the Action and Resource here to the buckets and operations the VPC actually needs rather than relying on oss:*. For more information, see Tutorial: Use VPC policies and bucket policies to control data access.
- Return to the Endpoints page, click the Gateway Endpoint tab, and then click the ID of the gateway endpoint that you created.
- On the Associated Route Tables tab, click the ID of the route table.
- On the details page of the route table, view the route entry that the system automatically added.
After you create a gateway endpoint, the system automatically adds a route to each route table that is associated with the gateway endpoint. The destination of the route is the CIDR block of the cloud service, shown as a prefix list ID (pl-...), and the next hop is the gateway endpoint. If the route is missing, the route table was not associated with the endpoint, or the endpoint was not accepted because the account is not on the service whitelist.
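The procedure above ends with an access policy attached to the endpoint and a system route in the route table. The following Python is an added example, not code from the Alibaba Cloud documentation: it builds a least-privilege policy in the format shown above, flags wildcard actions, principals and resources before the policy is submitted, assembles the CreateVpcGatewayEndpoint call (listed under References) as an Alibaba Cloud CLI `aliyun` command, and checks a route-entry listing for the auto-added route. The `aliyun` parameter names, the route-entry field names, and every ID used (vpc-example, vpce-example, pl-example123) are assumptions or constructed sample data.

```python
import json

# Service name form used on this page, e.g. com.aliyun.cn-beijing.oss
OSS_SERVICE_TEMPLATE = "com.aliyun.{region}.oss"

# Values that make an Allow statement apply to every action or resource
WILDCARD_ACTIONS = {"*", "oss:*"}
WILDCARD_RESOURCES = {"*", "acs:oss:*:*:*", "acs:oss:*:*:*/*"}


def _as_list(value):
    """Action/Principal/Resource may be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def build_access_policy(principals, buckets, actions):
    """Build a Version "1" policy allowing only `actions` for `principals`
    on the named buckets (bucket-level) and their objects (object-level)."""
    resources = []
    for bucket in buckets:
        resources.append(f"acs:oss:*:*:{bucket}")     # bucket-level operations
        resources.append(f"acs:oss:*:*:{bucket}/*")   # object-level operations
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Principal": list(principals),
            "Resource": resources,
        }],
    }


def policy_findings(policy):
    """Return reasons the policy is broader than a least-privilege endpoint
    policy should be; an empty list means nothing was flagged."""
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if WILDCARD_ACTIONS & set(_as_list(stmt.get("Action"))):
            findings.append(f"statement {i}: wildcard action")
        if "*" in _as_list(stmt.get("Principal")):
            findings.append(f"statement {i}: wildcard principal")
        for res in _as_list(stmt.get("Resource")):
            if res in WILDCARD_RESOURCES:
                findings.append(f"statement {i}: wildcard resource {res}")
    return findings


def create_endpoint_argv(region, vpc_id, name, policy, service_name=None):
    """Assemble the CreateVpcGatewayEndpoint call for the aliyun CLI.
    Parameter names are assumed to match the API operation of that name."""
    service_name = service_name or OSS_SERVICE_TEMPLATE.format(region=region)
    return [
        "aliyun", "vpc", "CreateVpcGatewayEndpoint",
        "--RegionId", region,
        "--VpcId", vpc_id,
        "--ServiceName", service_name,
        "--EndpointName", name,
        "--PolicyDocument", json.dumps(policy, separators=(",", ":")),
    ]


def find_endpoint_route(route_entries, endpoint_id):
    """Return the route whose next hop is `endpoint_id` and whose destination
    is a prefix list (pl-...), or None if the system route is missing.
    Entries are dicts; field names are assumed, modelled on the console's
    route entry list."""
    for entry in route_entries:
        dest = str(entry.get("DestinationCidrBlock", ""))
        if entry.get("NextHopId") == endpoint_id and dest.startswith("pl-"):
            return entry
    return None


if __name__ == "__main__":
    policy = build_access_policy(
        principals=["174649585760xxxx"],
        buckets=["examplebucket"],
        actions=["oss:GetObject", "oss:ListObjects"],
    )
    print("findings:", policy_findings(policy) or "none")
    print(" ".join(create_endpoint_argv("cn-beijing", "vpc-example", "oss-gw", policy)))

    # Constructed route table listing as it might look after the endpoint is created
    entries = [
        {"DestinationCidrBlock": "192.168.0.0/24", "NextHopId": ""},
        {"DestinationCidrBlock": "pl-example123", "NextHopId": "vpce-example"},
    ]
    print("endpoint route:", find_endpoint_route(entries, "vpce-example"))
```

Run `policy_findings` before submitting a policy through the console or the API: the page's own example uses `oss:*`, which the check flags so that you consciously decide whether the VPC really needs every OSS action. `find_endpoint_route` is the scripted equivalent of step 8 above and returns None when the route was never added.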
Delete a gateway endpoint
You can delete a gateway endpoint that you no longer need. Before you delete a gateway endpoint, you must first disassociate the route tables that are associated with the gateway endpoint. After you disassociate the route tables, the system automatically deletes the routes that point to the gateway endpoint from the route tables.
- Log on to the VPC console.
- In the left-side navigation pane, click Endpoints.
- In the top navigation bar, select the region to which the gateway endpoint belongs.
- Click the Gateway Endpoint tab, find the ID of the gateway endpoint, and then click Delete in the Actions column.
- In the Delete Endpoint message, click OK.
More operations
Operation | Step |
---|---|
Associate a route table with a gateway endpoint | Call AssociateRouteTablesWithVpcGatewayEndpoint (see References). The system adds the route to the cloud service to each newly associated route table. |
Disassociate a route table from a gateway endpoint | Call DissociateRouteTablesFromVpcGatewayEndpoint. The system removes the route that points to the gateway endpoint from the route table; instances that use that route table lose private access to the cloud service. |
Modify the access policy of a gateway endpoint | Call UpdateVpcGatewayEndpointAttribute with the new policy document. |
Modify the name of a gateway endpoint | Call UpdateVpcGatewayEndpointAttribute with the new name. |
References
- CreateVpcGatewayEndpoint: creates a gateway endpoint.
- AssociateRouteTablesWithVpcGatewayEndpoint: associates a route table with a gateway endpoint.
- DissociateRouteTablesFromVpcGatewayEndpoint: disassociates a route table from a gateway endpoint.
- DeleteVpcGatewayEndpoint: deletes a gateway endpoint.
- GetVpcGatewayEndpointAttribute: queries the attributes of a gateway endpoint.
- UpdateVpcGatewayEndpointAttribute: modifies the configurations of a gateway endpoint.