Configure access to the PrivateZone service


PrivateZone is a private DNS management and resolution service based on the Alibaba Cloud Virtual Private Cloud (VPC) environment. After you connect a Virtual Border Router (VBR) instance, IPsec-VPN connection, or Cloud Connect Network (CCN) instance to a transit router, the associated on-premises network can use the transit router to access the PrivateZone service and resolve domain names.


Limits

  • On-premises networks associated with an IPsec-VPN connection can access the PrivateZone service only through an Enterprise Edition transit router.

  • When a VBR instance uses a Basic Edition transit router, its associated on-premises network can access the PrivateZone service only through the transit router and VPC instances in the same region.

    For example, if a VBR instance is in the China (Beijing) region, its associated on-premises network can access the PrivateZone service only through a Basic Edition transit router and VPC instances in the China (Beijing) region.

Prerequisites

  • The PrivateZone service is deployed. For more information, see Quick start for PrivateZone.

  • Ensure the VPC instance for the PrivateZone service and the network connection (VBR, IPsec-VPN, or CCN) for your on-premises network are connected to a transit router. For more information, see Create a VPC connection, Create a VBR connection, Create a VPN connection, or Create a CCN connection.

    If your on-premises network needs to access the PrivateZone service across regions, create an inter-region connection between the transit routers. For more information, see Inter-region connections.

  • If your on-premises network uses a CCN instance to connect to Alibaba Cloud, and the CCN instance, VPC instance, and transit router instance belong to different Alibaba Cloud accounts, you must first authorize the CCN instance. For more information, see Authorize a CCN instance.

Enterprise Edition: Configure PrivateZone access

Add access configuration

  1. Log on to the CEN console.

  2. On the CEN Instance page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Settings > Transit Router tab, click the ID of the transit router that is in the same region as the VPC instance associated with the PrivateZone service.

  4. On the details page of the transit router, click the Route Table tab.

  5. On the Route Table tab, select the target route table from the left-side list. In the Route Table Details section, click the Route Entry tab and then click Add Route Entry.

  6. In the Add Route Entry dialog box, set the parameters and click OK.

    • Route Table: The current route table is selected by default.

    • Transit Router ID: The current transit router instance is selected by default.

    • Name: Enter a name for the route entry.

    • Destination CIDR: Enter the service IP address of PrivateZone.

      PrivateZone uses the IP addresses 100.100.2.136/32 and 100.100.2.138/32. You must add a route entry for each of these CIDR blocks.

    • Blackhole Route: Select whether to configure the route as a blackhole route. Valid values:

      • Yes: The route is a blackhole route. All traffic that matches this route is dropped.

      • No: The route is not a blackhole route. You must specify a next hop for the route.

      In this procedure, select No.

    • Next Hop: Select the next hop for the route entry. Select the connection ID of the VPC instance connected to the transit router.

    • Description: Enter a description for the route entry.
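The following check, added here as an example and not part of the original page or of Alibaba Cloud's own tooling, verifies that a route table ends up in the state the steps above produce: one non-blackhole /32 route per PrivateZone address, each pointing at the VPC connection. The route-entry field names are an assumption modelled on the items returned by ListTransitRouterRouteEntries, and "tr-attach-vpc-EXAMPLE" is a placeholder attachment ID.

```python
# Added example (not from the original page): verify that an Enterprise Edition
# transit router route table carries the PrivateZone routes described above.
from __future__ import annotations

# The two service addresses PrivateZone uses; each needs its own /32 route.
PRIVATEZONE_CIDRS = ("100.100.2.136/32", "100.100.2.138/32")

# Constructed sample modelled on the TransitRouterRouteEntries items of a
# ListTransitRouterRouteEntries response; the field names are an assumption
# of this example, and "tr-attach-vpc-EXAMPLE" is a placeholder attachment ID.
SAMPLE_ENTRIES = [
    {"TransitRouterRouteEntryDestinationCidrBlock": "100.100.2.136/32",
     "TransitRouterRouteEntryNextHopType": "Attachment",
     "TransitRouterRouteEntryNextHopId": "tr-attach-vpc-EXAMPLE"},
    {"TransitRouterRouteEntryDestinationCidrBlock": "100.100.2.138/32",
     "TransitRouterRouteEntryNextHopType": "BlackHole",
     "TransitRouterRouteEntryNextHopId": ""},
    {"TransitRouterRouteEntryDestinationCidrBlock": "10.0.0.0/8",
     "TransitRouterRouteEntryNextHopType": "Attachment",
     "TransitRouterRouteEntryNextHopId": "tr-attach-vbr-EXAMPLE"},
]


def check_privatezone_routes(entries: list[dict], vpc_attachment_id: str) -> list[tuple[str, str]]:
    """Return (cidr, problem) findings; an empty list means both routes are correct.

    A route is correct when it exists, is not a blackhole route, and its next hop
    is the connection ID of the VPC that hosts PrivateZone (the steps above).
    """
    by_cidr = {e["TransitRouterRouteEntryDestinationCidrBlock"]: e for e in entries}
    findings: list[tuple[str, str]] = []
    for cidr in PRIVATEZONE_CIDRS:
        entry = by_cidr.get(cidr)
        if entry is None:
            findings.append((cidr, "missing"))
        elif entry["TransitRouterRouteEntryNextHopType"] == "BlackHole":
            # Matching DNS traffic would be dropped instead of forwarded.
            findings.append((cidr, "blackhole"))
        elif entry["TransitRouterRouteEntryNextHopId"] != vpc_attachment_id:
            findings.append((cidr, "wrong_next_hop"))
    return findings


if __name__ == "__main__":
    for cidr, problem in check_privatezone_routes(SAMPLE_ENTRIES, "tr-attach-vpc-EXAMPLE"):
        print(f"{cidr}: {problem}")
```

Run against the constructed sample, the check reports that 100.100.2.138/32 is configured as a blackhole route, which is the misconfiguration the Blackhole Route parameter warns about.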

Delete access configuration

  1. Log on to the CEN console.

  2. On the CEN Instance page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Settings > Transit Router tab, click the transit router ID for the region where the VPC instance associated with the PrivateZone service is located.

  4. On the details page of the transit router, click the Route Table tab.

  5. On the Route Table tab, select the target route table from the left-side list. In the Route Table Details section, on the Route Entry tab, find the route entries for the PrivateZone service.

  6. In the Actions column of the target route entry, click Delete. In the Delete Route Entry dialog box, click OK.

Configure PrivateZone access by using APIs: Enterprise Edition

You can use tools such as Alibaba Cloud SDKs (recommended), Alibaba Cloud CLI, Terraform, and Resource Orchestration Service (ROS) to call APIs to add and manage routes for the PrivateZone service in the route table of an Enterprise Edition transit router. For more information about the API operations, see the following topics:

Basic Edition: Configure PrivateZone access

Add access configuration

  1. Log on to the CEN console.

  2. On the CEN Instance page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Settings > Transit Router tab, click the ID of the transit router that is in the same region as the VPC instance associated with the PrivateZone service.

  4. For first-time configuration, on the transit router details page, click the PrivateZone tab and then click Authorization. On the RAM Quick Authorization page, click Confirm Authorization.


    After authorization is complete, the on-premises network associated with the CCN instance can access the PrivateZone service on Alibaba Cloud.

  5. Return to the PrivateZone tab and click Configure PrivateZone. In the Configure PrivateZone dialog box, configure the following parameters and click OK.

    PrivateZone

    • Host Region: The region where the PrivateZone service is deployed.

    • Host VPC: The VPC instance associated with the PrivateZone service.

    • Access Region: The region where the VBR instance, IPsec-VPN connection, or CCN instance that needs to access the PrivateZone service is deployed.

Delete access configuration

  1. Log on to the CEN console.

  2. On the CEN Instance page, click the ID of the CEN instance that you want to manage.

  3. On the Basic Settings > Transit Router tab, click the ID of the transit router in the region where the PrivateZone service is deployed.

  4. On the details page of the transit router, click the PrivateZone tab. Find the configuration that you want to delete and click Delete in the Actions column.

  5. In the Delete PrivateZone dialog box, click OK.

Configure PrivateZone access by using APIs: Basic Edition

You can use tools such as Alibaba Cloud SDKs (recommended), Alibaba Cloud CLI, Terraform, and Resource Orchestration Service (ROS) to call APIs to configure access to the PrivateZone service in a Basic Edition transit router. For more information about the API operations, see the following topics: