All Products
Search

This Product

    Virtual Private Cloud:Gateway endpoints

    Document Center

    Virtual Private Cloud:Gateway endpoints

    Last Updated:Jan 23, 2025

    If you want to use an endpoint to establish a secure and stable private connection between a virtual private cloud (VPC) and an Alibaba Cloud service, you can create a gateway endpoint in the VPC and specify a route table to be associated with the gateway endpoint. The next hop of the route destined for the service is automatically set to the gateway endpoint. This allows you to access the service through private connections. This topic describes how to create and manage gateway endpoints.

    Background information

    Endpoints include interface endpoints and gateway endpoints. Endpoints are created and managed by service consumers. A service consumer can associate endpoints with an endpoint service to enable a VPC to access the endpoint service.

    • An interface endpoint is an elastic network interface (ENI) with a private IP address and serves as the ingress of an endpoint service or an Alibaba Cloud service. For more information, see Create interface endpoints.

    • A gateway endpoint is a virtual gateway device. You can create a gateway endpoint in a VPC for a cloud service and associate a route table with the gateway endpoint. Then, the system automatically adds a route to the route table. The destination CIDR block of the route is the CIDR block of the cloud service and the next hop is the gateway endpoint. The prefix of the CIDR block of the cloud service is pl and the suffix is a random string. This way, the VPC can access the cloud service.网关终端节点

      Alibaba Cloud ensures that the CIDR block of an endpoint service in each region is unique (allocated from 100.64.0.0/10). You can use Cloud Enterprise Network (CEN), VPC peering connections, and VPN gateways to access endpoint services for gateway endpoints in different regions.

    Limits

    • For each cloud service, each VPC can be associated with only one gateway endpoint and each VPC route table can be associated with only one gateway endpoint.

    • For different cloud services, each VPC can be associated with gateway endpoints of different cloud services. Each VPC route table can be associated with gateway endpoints of different cloud services.

    • When you create gateway endpoints for different cloud service types in a region for the first time, the system automatically creates a system prefix list. The system prefix list cannot be modified or deleted. For more information, see View a prefix list.

    • You must add the ID of the Alibaba Cloud account to which the gateway endpoints belong to the service whitelist. For more information, see Manage account IDs in the whitelist of an endpoint service.

    • Only Object Storage Service (OSS) supports gateway endpoints. For more information about OSS, see What is OSS?

    • The following table lists the regions where OSS supports gateway endpoints.

      Area

      Region

      Asia Pacific - China

      China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Ulanqab), China (Heyuan), China (Guangzhou), China (Chengdu), and China (Hong Kong)

      Asia Pacific - Others

      Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), and Indonesia (Jakarta)

      Europe & Americas

      Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)

    Prerequisites

    A VPC to be associated with a gateway endpoint is created. For more information, see Create and manage a VPC.

    Create a gateway endpoint and view the route

    When you create a gateway endpoint, you must specify the VPC to be associated with the gateway endpoint and the endpoint service that the VPC needs to access.

    1. Log on to the VPC console.

    2. In the top navigation bar, select the region where you want to create the gateway endpoint.

    3. In the left-side navigation pane, click Endpoints.

    4. Click the Gateway Endpoint tab and click Create Endpoint.

    5. On the Create Endpoint page, configure the parameters and click OK. The following table describes the parameters.

      Parameter

      Description

      Region

      Select the region where you want to create the gateway endpoint.

      Endpoint Name

      Enter a name for the gateway endpoint.

      Endpoint Type

      Select the type of endpoint to be created. In this example, Gateway Endpoint is selected.

      Endpoint Service

      You can associate the endpoint with an endpoint service by using one of the following methods:

      • Click Other Endpoint Services and enter a service name, such as com.aliyun.cn-beijing.oss.

      • Click Select Service and select the endpoint service that your VPC needs to access.

      VPC

      Select the VPC where you want to create the gateway endpoint.

      Route Table

      Select the route table to be associated with the gateway endpoint.

      Resource Group

      Select the resource group of the gateway endpoint.

      Tag Key

      Select or enter a tag key. You can specify up to 20 tag keys.

      A tag key can be up to 128 characters in length and cannot contain http:// or https://. It cannot start with acs: or aliyun.

      Tag Value

      Select or enter a tag value. You can specify at most 20 tag values.

      A tag value can be up to 128 characters in length and cannot contain http:// or https://. It cannot start with acs: or aliyun.

      Description

      Enter a description for the interface endpoint.

      Access Policies

      Enter an access policy. For example, you can enter the following access policy:

      {
  "Statement":
    [
      {
        "Action": "oss:*",
        "Effect": "Allow",
        "Principal": ["174649585760xxxx"],
        "Resource": ["acs:oss:*:*:examplebucket",
                     "acs:oss:*:*:examplebucket/*"]
      }
    ],
  "Version": "1"
}

      OSS allows you to control access from VPCs by using access policies. For more information, see Use VPC policies and bucket policies to control data access.

    6. Return to the Endpoints page, click the Gateway Endpoint tab, and then click the ID of the gateway endpoint that you created.

    7. On the Associated Route Tables tab, click the ID of the route table.

    8. Choose Route Entry List > Custom Route to view the route entry that is automatically added by the system.

      路由条目列表

      After you create a gateway endpoint, the system automatically adds a route to the route table that is associated with the gateway endpoint. The destination CIDR block of the route is the CIDR block of the cloud service and the next hop is the gateway endpoint.

    Delete a gateway endpoint

    You can delete a gateway endpoint that you no longer need. Before you delete a gateway endpoint, you must first disassociate the route tables that are associated with the gateway endpoint. After you disassociate the route tables, the system automatically deletes the routes that point to the gateway endpoint from the route tables.

    1. Log on to the VPC console.

    2. In the left-side navigation pane, choose Endpoints > Gateway Endpoint.

    3. In the top navigation bar, select the region to which the gateway endpoint belongs.

    4. Click the Gateway Endpoint tab, find the ID of the gateway endpoint, and then click Delete in the Actions column.

    5. In the Delete Endpoint message, click OK.

    More operations

    Operation

    Procedure

    Associate a route table with a gateway endpoint

    1. On the Gateway Endpoint tab, find the gateway endpoint that you want to manage and click its ID.

    2. On the Associated Route Tables tab, click Associate with Route Table.

    3. In the Associate with Route Table dialog box, select the route table that you want to associate and click OK.

      The system automatically adds a route to the route table. The destination CIDR block of the route is the CIDR block of the cloud service and the next hop is the gateway endpoint.

    Disassociate a route table from a gateway endpoint

    1. On the Gateway Endpoint tab, find the gateway endpoint that you want to manage and click its ID.

    2. On the Associated Route Tables tab, find the ID of the route table and click Disassociate in the Actions column.

    3. In the Disassociate message, click OK.

      Then, the system automatically deletes the routes that point to the gateway endpoint from the route table.

    Modify the access policy of a gateway endpoint

    1. On the Gateway Endpoint tab, find the gateway endpoint that you want to manage and click its ID.

    2. Click the Access Policies tab and click Modify Access Policy.

    3. In the Modify Access Policy dialog box, modify the access policy and click OK.

    Modify the name of a gateway endpoint

    1. On the Gateway Endpoint tab, find the gateway endpoint that you want to manage and click its ID.

    2. In the Basic Information section, find the name of the gateway endpoint and click Edit.

    3. In the dialog box that appears, enter a new name and click OK.

    References