A gateway endpoint serves as a virtual gateway device. You can create a gateway endpoint in your virtual private cloud (VPC) for an endpoint service and associate the endpoint with a route table. The system then automatically adds a route to the VPC route table whose next hop is the gateway endpoint. This way, your VPC can access the endpoint service. This topic describes how to create and manage gateway endpoints.

Background information

You can use endpoints to establish stable and secure connections between VPCs and Alibaba Cloud services. Endpoints can simplify network architectures and allow your VPCs to access other Alibaba Cloud services (endpoint services). Endpoints include interface endpoints and gateway endpoints. Endpoints are created and managed by service consumers. A service consumer can associate endpoints with an endpoint service to enable a VPC to access the endpoint service.
  • An interface endpoint is an elastic network interface (ENI) with a private IP address and serves as the ingress of an endpoint service or an Alibaba Cloud service. For more information, see Create interface endpoints.
  • A gateway endpoint is a virtual gateway device. You can create a gateway endpoint in a VPC for a cloud service and associate a route table with the gateway endpoint. Then, the system automatically adds a route to the route table. The destination CIDR block of the route is the CIDR block of the cloud service and the next hop is the gateway endpoint. The CIDR block of the cloud service is displayed as an identifier that starts with pl and ends with a random string. This way, the VPC can access the cloud service.

    Alibaba Cloud ensures that the CIDR block of an endpoint service is unique in each region (allocated from 100.64.0.0/10). You can use Cloud Enterprise Network (CEN), VPC peering connections, or VPN gateways to access endpoint services through gateway endpoints in other regions.

Limits

  • For a given cloud service, each VPC can be associated with only one gateway endpoint, and each VPC route table can be associated with only one gateway endpoint.
  • A VPC and its route tables can be associated with gateway endpoints of several different cloud services at the same time.
  • You must add the ID of the Alibaba Cloud account to which the gateway endpoints belong to the service whitelist. For more information, see Manage account IDs in the whitelist of an endpoint service.
  • Only Object Storage Service (OSS) supports gateway endpoints. For more information about OSS, see What is OSS?.
  • OSS supports gateway endpoints in the following regions:
    Area                    Regions
    Asia Pacific - China    China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), and China (Hong Kong)
    Asia Pacific - Others   Malaysia (Kuala Lumpur)

Prerequisites

A VPC to be associated with a gateway endpoint is created. For more information, see Create and manage a VPC.

Create a gateway endpoint and view the route

When you create a gateway endpoint, you must specify the VPC to be associated with the gateway endpoint and the endpoint service that the VPC needs to access.

  1. Log on to the VPC console.
  2. In the top navigation bar, select the region where you want to create the gateway endpoint.
  3. In the left-side navigation pane, click Endpoints.
  4. Click the Gateway Endpoint tab and click Create Endpoint.
  5. On the Create Endpoint page, configure the following parameters and click OK.
    Endpoint Name: Enter a name for the gateway endpoint.
    Endpoint Type: Select the type of endpoint to create. In this example, Gateway Endpoint is selected.
    Endpoints Service: Associate the endpoint with an endpoint service in one of the following ways:
    • Click Add by Service Name and enter the name of the endpoint service, such as com.aliyun.cn-beijing.oss.
    • Click Select Service and select the endpoint service that your VPC needs to access.
    VPC: Select the VPC in which you want to create the gateway endpoint.
    Route Table: Select the route table to associate with the gateway endpoint.
    Description: Enter a description for the endpoint.
    Access Policies: Enter an access policy. For example:
    {
      "Statement":
        [
          {
            "Action": "oss:*",
            "Effect": "Allow",
            "Principal": ["174649585760xxxx"],
            "Resource": ["acs:oss:*:*:examplebucket",
                         "acs:oss:*:*:examplebucket/*"]
          }
        ],
      "Version": "1"
    }

    OSS allows you to control access from VPCs by using access policies. For more information, see Tutorial: Use VPC policies and bucket policies to control data access.

  6. Return to the Endpoints page, click the Gateway Endpoint tab, and then click the ID of the gateway endpoint that you created.
  7. On the Associated Route Tables tab, click the ID of the route table.
  8. Choose Route Entry List > Custom Route to view the route entry that is automatically added by the system.

    After you create a gateway endpoint, the system automatically adds a route to the route table that is associated with the gateway endpoint. The destination CIDR block of the route is the CIDR block of the cloud service and the next hop is the gateway endpoint.
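As an added example (not code from the original page or from Alibaba Cloud), a small Python checker that parses an access policy in the format shown in step 5 and flags Allow statements that apply to any principal or to every bucket, which is what a reviewer would look for before attaching the policy to a gateway endpoint. The checks are heuristics of this example, and the resource-name pattern acs:oss:<region>:<owner>:<bucket>[/<object>] is assumed from the example's own resource strings.

```python
import json
import re

# Constructed sample in the format the console accepts; the account ID and
# bucket name are the placeholders used in the page's own example.
SAMPLE_POLICY = """{
  "Statement": [{"Action": "oss:*", "Effect": "Allow",
                 "Principal": ["174649585760xxxx"],
                 "Resource": ["acs:oss:*:*:examplebucket",
                              "acs:oss:*:*:examplebucket/*"]}],
  "Version": "1"
}"""

# Assumed resource form: acs:oss:<region>:<owner>:<bucket>[/<object>].
RESOURCE_RE = re.compile(r"^acs:oss:[^:]*:[^:]*:(?P<bucket>[^/:]+)(?:/.*)?$")


def as_list(value):  # a policy field may be a single string or a list
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(text):
    """Return findings for a gateway endpoint access policy (heuristics written
    for this example, not an official validator); empty means well-formed and
    every Allow statement names specific principals and buckets."""
    try:
        policy = json.loads(text)
    except ValueError as exc:
        return ["invalid JSON: %s" % exc]
    if not isinstance(policy, dict):
        return ["policy must be a JSON object"]
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append("statement %d: Effect must be Allow or Deny" % i)
        if effect == "Allow" and "*" in as_list(stmt.get("Principal")):
            findings.append("statement %d: Allow to any principal" % i)
        for res in as_list(stmt.get("Resource")):
            match = RESOURCE_RE.match(res)
            if res != "*" and not match:
                findings.append("statement %d: malformed resource %s" % (i, res))
            elif effect == "Allow" and (res == "*" or match.group("bucket") == "*"):
                findings.append("statement %d: Allow on every bucket" % i)
    return findings
```

Running lint_policy(SAMPLE_POLICY) returns an empty list; a policy with "Principal": ["*"] or a resource such as acs:oss:*:*:* is reported.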

Delete a gateway endpoint

You can delete a gateway endpoint that you no longer need. Before you delete a gateway endpoint, you must first disassociate the route tables that are associated with the gateway endpoint. After you disassociate the route tables, the system automatically deletes the routes that point to the gateway endpoint from the route tables.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose Endpoints > Gateway Endpoint.
  3. In the top navigation bar, select the region to which the gateway endpoint belongs.
  4. Click the Gateway Endpoint tab, find the ID of the gateway endpoint, and then click Delete in the Actions column.
  5. In the Delete Endpoint message, click OK.

More operations

Associate a route table with a gateway endpoint
  1. On the Gateway Endpoint tab, find the gateway endpoint that you want to manage and click its ID.
  2. On the Associated Route Tables tab, click Associate with Route Table.
  3. In the Associate with Route Table dialog box, select the route table that you want to associate and click OK.

    The system automatically adds a route to the route table. The destination CIDR block of the route is the CIDR block of the cloud service and the next hop is the gateway endpoint.

Disassociate a route table from a gateway endpoint
  1. On the Gateway Endpoint tab, find the gateway endpoint that you want to manage and click its ID.
  2. On the Associated Route Tables tab, find the ID of the route table and click Disassociate in the Actions column.
  3. In the Disassociate message, click OK.

    Then, the system automatically deletes the routes that point to the gateway endpoint from the route table.

Modify the access policy of a gateway endpoint
  1. On the Gateway Endpoint tab, find the gateway endpoint that you want to manage and click its ID.
  2. Click the Access Policies tab and click Modify Access Policy.
  3. In the Modify Access Policy dialog box, modify the access policy and click OK.
Modify the name of a gateway endpoint
  1. On the Gateway Endpoint tab, find the gateway endpoint that you want to manage and click its ID.
  2. In the Basic Information section, find the name of the gateway endpoint and click Edit.
  3. In the dialog box that appears, enter a new name and click OK.
