PrivateLink enables you to securely and reliably access services deployed in other VPCs from your Alibaba Cloud VPCs and on-premises data centers over a private network, simplifying network architecture and eliminating security risks from internet exposure.
Introduction
PrivateLink provides secure, flexible, and highly available private network connections for cross-account and cross-VPC services. Users fall into two roles:
- As a service consumer, you can connect your VPC or on-premises data center to services in another VPC without configuring IPv4 gateways, IPv6 gateways, NAT gateways, elastic IP addresses, transit routers, or Express Connect gateways.
- As a service provider, you can focus on service development. PrivateLink handles connectivity for consumers, removing the need for complex route and security rule configuration.
Supported connection scenarios:
- Same-region connection: The endpoint and endpoint service are deployed in the same region.
- Cross-region connection: The endpoint and endpoint service are deployed in different regions.
PrivateLink allows you to establish private connections between accounts on the Alibaba Cloud China site and International site. For example, an account on the China site can use an endpoint to connect to an endpoint service in an account on the International site. However, cross-site connections between regions in the Chinese mainland and regions outside the Chinese mainland are not supported.
Use cases
Scenario 1: Access Alibaba Cloud services
PrivateLink enables private access to Alibaba Cloud services, where Alibaba Cloud acts as the service provider.
For a list of Alibaba Cloud services that are integrated with PrivateLink, see Alibaba Cloud services integrated with PrivateLink.
To access Alibaba Cloud services from a VPC, specify the service name when creating an endpoint. All requests to this endpoint are forwarded to the corresponding service via PrivateLink. On-premises clients can connect to the VPC through a networking product and access services through the endpoint.
- When you use an interface endpoint to access an Alibaba Cloud service, configure endpoint policies and security groups to control which clients can access the service.
- When you use a reverse endpoint to access an Alibaba Cloud service, configure security groups to control which client resources the service can access.
- When you use a GWLB endpoint (GWLBe) to access an Alibaba Cloud service, define custom VPC route policies to control which clients can access the service.
A gateway endpoint does not rely on PrivateLink and supports access to a limited number of Alibaba Cloud services. Configure endpoint policies on gateway endpoints to control access.
Scenario 2: Share user-created services
As a service provider, you can build a service on Alibaba Cloud and share it with service consumers.
Create an endpoint service in your VPC and associate it with a service resource such as a Network Load Balancer (NLB), Classic Load Balancer (CLB), or Application Load Balancer (ALB). Configure a service whitelist to grant other users access. Those users create an interface endpoint by specifying your service name, and all requests are forwarded to your service through PrivateLink.
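The provider-side and consumer-side steps above, written as an added Terraform example using the alicloud provider (this is not code from the original page or from Alibaba Cloud; the resource and argument names are assumed from the alicloud provider and should be checked against the provider documentation for the version you run). The NLB ID, VPC IDs, vSwitch ID, zone ID, consumer account ID, and the client subnet CIDR are placeholders or constructed values.

```hcl
# Added example: Scenario 2 (share a user-created service) with the
# alicloud Terraform provider. Assumed: alicloud resource/argument names,
# an existing NLB in the provider VPC, and an existing consumer VPC.

# Service provider account
provider "alicloud" {
  alias  = "svc_provider"
  region = "cn-hangzhou"
}

# Service consumer account (same region => same-region connection)
provider "alicloud" {
  alias  = "svc_consumer"
  region = "cn-hangzhou"
}

# 1. Provider side: the endpoint service. Connections are not auto-accepted,
#    so each consumer connection must be approved explicitly by the provider.
resource "alicloud_privatelink_vpc_endpoint_service" "shared" {
  provider               = alicloud.svc_provider
  service_description    = "shared-api"
  connect_bandwidth      = 1024
  auto_accept_connection = false
}

# 2. Provider side: associate the NLB that fronts the service.
resource "alicloud_privatelink_vpc_endpoint_service_resource" "nlb" {
  provider      = alicloud.svc_provider
  service_id    = alicloud_privatelink_vpc_endpoint_service.shared.id
  resource_id   = "<PROVIDER_NLB_ID>"   # placeholder
  resource_type = "nlb"                 # assumed enum value
}

# 3. Provider side: service whitelist. Only this account may create endpoints
#    that target the service.
resource "alicloud_privatelink_vpc_endpoint_service_user" "consumer" {
  provider   = alicloud.svc_provider
  service_id = alicloud_privatelink_vpc_endpoint_service.shared.id
  user_id    = "<CONSUMER_ACCOUNT_ID>"   # placeholder
}

# 4. Consumer side: security group attached to the endpoint ENI. Only the
#    consumer's own client subnet may reach the service port.
resource "alicloud_security_group" "endpoint" {
  provider = alicloud.svc_consumer
  name     = "privatelink-endpoint-sg"
  vpc_id   = "<CONSUMER_VPC_ID>"         # placeholder
}

resource "alicloud_security_group_rule" "allow_clients" {
  provider          = alicloud.svc_consumer
  type              = "ingress"
  ip_protocol       = "tcp"
  port_range        = "443/443"
  cidr_ip           = "10.0.1.0/24"      # constructed client subnet
  security_group_id = alicloud_security_group.endpoint.id
}

# 5. Consumer side: interface endpoint bound to the provider's service.
#    Created only after the whitelist entry exists.
resource "alicloud_privatelink_vpc_endpoint" "shared" {
  provider           = alicloud.svc_consumer
  service_id         = alicloud_privatelink_vpc_endpoint_service.shared.id
  vpc_id             = "<CONSUMER_VPC_ID>"
  security_group_ids = [alicloud_security_group.endpoint.id]
  vpc_endpoint_name  = "shared-api-endpoint"
  depends_on         = [alicloud_privatelink_vpc_endpoint_service_user.consumer]
}

# 6. Consumer side: place the endpoint ENI in one zone of the consumer VPC.
resource "alicloud_privatelink_vpc_endpoint_zone" "zone_a" {
  provider    = alicloud.svc_consumer
  endpoint_id = alicloud_privatelink_vpc_endpoint.shared.id
  zone_id     = "cn-hangzhou-h"          # placeholder zone
  vswitch_id  = "<CONSUMER_VSWITCH_ID>"  # placeholder
}
```

Two access-control layers appear here: the whitelist on the provider side decides which accounts may create an endpoint at all, and the security group on the consumer side decides which clients inside the consumer VPC may reach the endpoint ENI. Leaving `auto_accept_connection` false adds a third step, since the provider has to approve each connection request before traffic flows.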
Scenario 3: Access virtual network devices
As a service provider, you can deploy virtual network devices—firewalls, intrusion detection systems, traffic mirroring appliances, or deep packet inspection systems—behind a Gateway Load Balancer (GWLB) and share them with other users.
Create an endpoint service in your VPC with a GWLB as the service resource. Configure a service whitelist to grant other users access. Those users create a GWLB endpoint (GWLBe) by specifying your service name, and all traffic is forwarded to your virtual network devices through PrivateLink.
As a service consumer, configure the GWLBe as the next hop in a VPC route table. VPC route policies control which traffic is routed to the GWLBe. PrivateLink forwards traffic to the GWLB in the same zone, which encapsulates packets in a Geneve tunnel and distributes them to healthy backend devices based on its scheduling algorithm.
Benefits
- Secure network transmission
  Traffic flows over a private network instead of the internet. PrivateLink provides fine-grained access control through endpoint policies and security groups.
- Simplified network management
  - Provider and consumer networks are isolated, allowing overlapping IP addresses and eliminating complex route and security rule configuration.
  - Consumers access services using private IP addresses within their VPCs, integrating seamlessly with existing network architectures for cross-VPC and on-premises access.
- High availability and auto-scaling
  - Access requests are forwarded between clients and servers within the same zone, ensuring minimal latency. When used with Alibaba Cloud DNS, interface endpoints provide multi-zone disaster recovery.
  - PrivateLink auto-scales to accommodate traffic fluctuations, with scaling limits that vary by service resource type.
- Cross-region connectivity
  - Endpoints and endpoint services can be deployed in different regions, enabling private access across multi-region architectures without deploying services in every region.
Accessing PrivateLink
You can access and manage PrivateLink through:
- PrivateLink console: Web-based UI for managing private service access.
- Alibaba Cloud SDKs: SDKs for multiple programming languages, including Java, Go, PHP, Python, C#, and C++.
- OpenAPI Explorer: Allows you to quickly search for, call, and debug APIs, and dynamically generate SDK example code.
- Terraform: Open-source infrastructure-as-code tool for provisioning and managing resources on Alibaba Cloud and other supported platforms.