Gateway endpoints - Virtual Private Cloud - Alibaba Cloud Documentation Center

A gateway endpoint serves as a virtual gateway device. You can create a gateway endpoint in your virtual private cloud (VPC) for an endpoint service and associate the endpoint with a route table. Then, the system automatically adds a route that points to the gateway endpoint to the VPC route table. This way, your VPC can access the endpoint service. This topic describes how to create and manage gateway endpoints.

Background information

You can use endpoints to establish stable and secure connections between VPCs and Alibaba Cloud services. Endpoints can simplify network architectures and allow your VPCs to access other Alibaba Cloud services (endpoint services). Endpoints include interface endpoints and gateway endpoints. Endpoints are created and managed by service consumers. A service consumer can associate endpoints with an endpoint service to enable a VPC to access the endpoint service.

An interface endpoint is an elastic network interface (ENI) with a private IP address and serves as the ingress of an endpoint service or an Alibaba Cloud service. For more information, see Create interface endpoints.
A gateway endpoint is a virtual gateway device. You can create a gateway endpoint in a VPC for a cloud service and associate a route table with the gateway endpoint. Then, the system automatically adds a route to the route table. The destination CIDR block of the route is the CIDR block of the cloud service and the next hop is the gateway endpoint. The prefix of the CIDR block of the cloud service is pl and the suffix is a random string. This way, the VPC can access the cloud service.
Alibaba Cloud ensures that the CIDR block of an endpoint service in each region is unique (allocated from 100.64.0.0/10). You can use Cloud Enterprise Network (CEN), VPC peering connections, and VPN gateways to access endpoint services for gateway endpoints in different regions.

Limits

For each cloud service, each VPC can be associated with only one gateway endpoint and each VPC route table can be associated with only one gateway endpoint.
For different cloud services, each VPC can be associated with gateway endpoints of different cloud services. Each VPC route table can be associated with gateway endpoints of different cloud services.
You must add the ID of the Alibaba Cloud account to which the gateway endpoints belong to the service whitelist. For more information, see Manage account IDs in the whitelist of an endpoint service.
Only Object Storage Service (OSS) supports gateway endpoints. For more information about OSS, see What is OSS?.

The following table lists the regions where OSS supports gateway endpoints.


Area	Region
Asia Pacific - China	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), and China (Hong Kong)
Asia Pacific - Others	Malaysia (Kuala Lumpur)

Prerequisites

A VPC to be associated with a gateway endpoint is created. For more information, see Create and manage a VPC.

Create a gateway endpoint and view the route

When you create a gateway endpoint, you must specify the VPC to be associated with the gateway endpoint and the endpoint service that the VPC needs to access.

Log on to the VPC console.
In the top navigation bar, select the region where you want to create the gateway endpoint.
In the left-side navigation pane, click Endpoints.
Click the Gateway Endpoint tab and click Create Endpoint.

On the Create Endpoint page, configure the following parameters and click OK.


Parameter	Description
Endpoint Name	Enter a name for the gateway endpoint.
Endpoint Type	Select the type of endpoint to be created. In this example, Gateway Endpoint is selected.
Endpoints Service	You can associate the endpoint with an endpoint service in one of the following ways: Click Add by Service Name and enter the name of the endpoint service, such as `com.aliyun.cn-beijing.oss`. Click Select Service and select the endpoint service that your VPC needs to access.
VPC	Select the VPC where you want to create the gateway endpoint.
Route Table	Select the route table to be associated with the gateway endpoint.
Description	Enter a description for the endpoint.
Access Policies	Enter an access policy. For example, you can enter the following access policy: `{ "Statement": [ { "Action": "oss:", "Effect": "Allow", "Principal": ["174649585760xxxx"], "Resource": ["acs:oss:::examplebucket", "acs:oss:::examplebucket/"] } ], "Version": "1" }` OSS allows you to control access from VPCs by using access policies. For more information, see Tutorial: Use VPC policies and bucket policies to control data access.

Return to the Endpoints page, click the Gateway Endpoint tab, and then click the ID of the gateway endpoint that you created.
On the Associated Route Tables tab, click the ID of the route table.
Choose Route Entry List > Custom Route to view the route entry that is automatically added by the system.
After you create a gateway endpoint, the system automatically adds a route to the route table that is associated with the gateway endpoint. The destination CIDR block of the route is the CIDR block of the cloud service and the next hop is the gateway endpoint.

Delete a gateway endpoint

You can delete a gateway endpoint that you no longer need. Before you delete a gateway endpoint, you must first disassociate the route tables that are associated with the gateway endpoint. After you disassociate the route tables, the system automatically deletes the routes that point to the gateway endpoint from the route tables.

Log on to the VPC console.
In the left-side navigation pane, choose Endpoints > Gateway Endpoint.
In the top navigation bar, select the region to which the gateway endpoint belongs.
Click the Gateway Endpoint tab, find the ID of the gateway endpoint, and then click Delete in the Actions column.
In the Delete Endpoint message, click OK.

More operations


Operation	Step
Associate a route table with a gateway endpoint	On the Gateway Endpoint tab, find the gateway endpoint that you want to manage and click its ID. On the Associated Route Tables tab, click Associate with Route Table. In the Associate with Route Table dialog box, select the route table that you want to associate and click OK. The system automatically adds a route to the route table. The destination CIDR block of the route is the CIDR block of the cloud service and the next hop is the gateway endpoint.
Disassociate a route table from a gateway endpoint	On the Gateway Endpoint tab, find the gateway endpoint that you want to manage and click its ID. On the Associated Route Tables tab, find the ID of the route table and click Disassociate in the Actions column. In the Disassociate message, click OK. Then, the system automatically deletes the routes that point to the gateway endpoint from the route table.
Modify the access policy of a gateway endpoint	On the Gateway Endpoint tab, find the gateway endpoint that you want to manage and click its ID. Click the Access Policies tab and click Modify Access Policy. In the Modify Access Policy dialog box, modify the access policy and click OK.
Modify the name of a gateway endpoint	On the Gateway Endpoint tab, find the gateway endpoint that you want to manage and click its ID. In the Basic Information section, find the name of the gateway endpoint and click Edit. In the dialog box that appears, enter a new name and click OK.

References

CreateVpcGatewayEndpoint: creates a gateway endpoint.
AssociateRouteTablesWithVpcGatewayEndpoint: associates a route table with a gateway endpoint.
DissociateRouteTablesFromVpcGatewayEndpoint: disassociates a route table from a gateway endpoint.
DeleteVpcGatewayEndpoint: deletes a gateway endpoint.
GetVpcGatewayEndpointAttribute: queries the attributes of a gateway endpoint.
UpdateVpcGatewayEndpointAttribute: modifies the configurations of a gateway endpoint.