PrivateLink allows you to securely and reliably connect your Virtual Private Cloud (VPC) or on-premises data center to Alibaba Cloud services, partner SaaS applications, and custom services in other VPCs. This connection is established over the Alibaba Cloud internal network, which simplifies your network architecture and enhances security by keeping traffic off the public internet.
For example, to access a user-created service, a service consumer creates an endpoint to connect to an endpoint service provided by a service provider. The service consumer and service provider can be in the same Alibaba Cloud account or in different accounts.
Key concepts
Service provider
As the service owner, a service provider uses Alibaba Cloud resources to build and provide an endpoint service to service consumers. A service consumer accesses the service by connecting to an endpoint that is linked to the endpoint service.
Service resources: An endpoint service can use load balancers deployed across multiple availability zones as service resources. Supported service resource types include Network Load Balancer (NLB), Application Load Balancer (ALB), Classic Load Balancer (CLB), and Gateway Load Balancer (GWLB).
Endpoint service name: This is the unique identifier for an endpoint service. When creating an endpoint, the service consumer uses this name to identify the target service.
Service whitelist: An endpoint service is not visible to all service consumers by default. To grant access to a VPC in another Alibaba Cloud account, the service provider must add the consumer's account ID to the service whitelist.
After an endpoint service is created, the service provider's account ID is automatically added to the service whitelist.
Endpoint service status: Creating, Modifying, Available, Deleting.
Service consumer
A service consumer creates an endpoint to access an endpoint service from a VPC or an on-premises data center.
Endpoint type: The service consumer creates a specific type of endpoint based on the endpoint service they need to access.
A gateway endpoint is a separate feature that does not rely on PrivateLink. It acts as a virtual gateway when a VPC accesses specific cloud services. It uses the reserved IP address space 100.64.0.0/10 and provides more secure access through endpoint policies. Currently, the only cloud service that supports gateway endpoints is Object Storage Service (OSS).
Interface endpoint: A service consumer uses an interface endpoint to access an endpoint service that uses NLB, CLB, or ALB instances as service resources.
Gateway load balancer endpoint: A service consumer uses a gateway load balancer endpoint to access an endpoint service that uses GWLB instances as service resources. A gateway load balancer endpoint can be configured as the next hop in a VPC route table to steer traffic.
Reverse endpoint: Allows a service provider to initiate connections to cloud services within the service consumer's VPC. The service consumer can restrict the provider's access by configuring security groups on the reverse endpoint. Reverse endpoints can connect only to endpoint services for Alibaba Cloud services.
Endpoint availability zone: When a service consumer creates an endpoint, PrivateLink creates an elastic network interface in the specified endpoint availability zone. This interface serves as the local entry point for service traffic.
Endpoint policy: You can configure an endpoint policy for an interface endpoint only when it accesses an Alibaba Cloud service. By default, any user or service within the VPC with valid Alibaba Cloud credentials can access any resource in the corresponding service.
Endpoint status: Creating, Modifying, Available, Deleting.
Endpoint connection
When a service consumer creates an endpoint, the service provider's endpoint service receives a connection request. After the service provider accepts the request, an endpoint connection is established between the endpoint and the endpoint service.
An endpoint connection can be in one of the following states: Connecting, Connected, Disconnecting, Disconnected, Modifying, Deleting, or EndpointServiceDeleted.
The Disconnected state can occur in the following situations:
If the endpoint service is not configured to automatically accept connections, the endpoint's initial state is Disconnected.
The endpoint service has rejected the connection request or has not yet approved it.
The endpoint has an overdue payment.
The endpoint service has an overdue payment.
Core attributes
Endpoint service domain name
When a service consumer creates an interface endpoint, Alibaba Cloud generates the following region-level and zone-level domain names for the service connection:
Endpoint service domain name:
endpoint_id.endpoint_service_id.service_region.privatelink.aliyuncs.com
endpoint_id: The ID of the endpoint, which is automatically generated after the endpoint is created.
endpoint_service_id: The ID of the endpoint service.
service_region: The ID of the region where the service is deployed, such as cn-hangzhou.
privatelink.aliyuncs.com: The fixed domain suffix.
Zone-specific domain name:
endpoint_id-endpoint_zone.endpoint_service_id.service_region.privatelink.aliyuncs.com
endpoint_zone: The ID of the endpoint's availability zone, such as cn-hangzhou-j.
-: A hyphen that separates the endpoint ID and the availability zone ID.
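The two name formats above can be built and parsed mechanically, which is useful when validating DNS records or alarms that reference an endpoint. The following is an added example, not Alibaba Cloud's own code; it assumes endpoint IDs begin with "ep-", endpoint service IDs begin with "epsrv-", and a zone ID begins with its region ID (as in cn-hangzhou-j). The sample IDs are constructed.

```python
"""Added example (not Alibaba Cloud's code): build and parse PrivateLink
endpoint domain names. Assumptions: endpoint IDs start with "ep-", endpoint
service IDs start with "epsrv-", and zone IDs start with their region ID."""
import re

SUFFIX = "privatelink.aliyuncs.com"          # fixed domain suffix from the page
_ENDPOINT_ID = re.compile(r"^ep-[0-9a-z]+$")  # assumed ID shape
_SERVICE_ID = re.compile(r"^epsrv-[0-9a-z]+$")  # assumed ID shape
_REGION = re.compile(r"^[a-z]{2}-[a-z]+(?:-\d+)?$")  # e.g. cn-hangzhou, ap-southeast-1


def build_domain(endpoint_id, service_id, region, zone=None):
    """Return the region-level name, or the zone-specific name if zone is given."""
    if not _ENDPOINT_ID.match(endpoint_id):
        raise ValueError(f"bad endpoint id: {endpoint_id}")
    if not _SERVICE_ID.match(service_id):
        raise ValueError(f"bad endpoint service id: {service_id}")
    if not _REGION.match(region):
        raise ValueError(f"bad region id: {region}")
    host = endpoint_id
    if zone is not None:
        # A zone ID extends its region ID (cn-hangzhou -> cn-hangzhou-j).
        if not (zone.startswith(region) and len(zone) > len(region)):
            raise ValueError(f"zone {zone} does not belong to region {region}")
        host = f"{endpoint_id}-{zone}"
    return f"{host}.{service_id}.{region}.{SUFFIX}"


def parse_domain(name):
    """Split a PrivateLink domain name into its components.

    Returns {"endpoint_id", "zone" (None for region-level names),
    "service_id", "region"}; raises ValueError for anything that is not a
    well-formed PrivateLink name."""
    normalized = name.lower().rstrip(".")
    labels = normalized.split(".")
    if len(labels) != 6 or ".".join(labels[3:]) != SUFFIX:
        raise ValueError(f"not a PrivateLink endpoint name: {name}")
    host, service_id, region = labels[:3]
    # The endpoint ID itself never contains "-<region>", so the first
    # occurrence of "-<region>" marks where the zone ID begins.
    idx = host.find("-" + region)
    if idx == -1:
        endpoint_id, zone = host, None
    else:
        endpoint_id, zone = host[:idx], host[idx + 1:]
    # Round-trip through build_domain so every component is validated once.
    if build_domain(endpoint_id, service_id, region, zone) != normalized:
        raise ValueError(f"malformed PrivateLink endpoint name: {name}")
    return {"endpoint_id": endpoint_id, "zone": zone,
            "service_id": service_id, "region": region}


if __name__ == "__main__":
    # Constructed IDs, not real resources.
    print(build_domain("ep-bp1abc", "epsrv-bp1xyz", "cn-hangzhou"))
    print(build_domain("ep-bp1abc", "epsrv-bp1xyz", "cn-hangzhou", zone="cn-hangzhou-j"))
    print(parse_domain("ep-bp1abc-cn-hangzhou-j.epsrv-bp1xyz.cn-hangzhou.privatelink.aliyuncs.com"))
```

The parser anchors on the region label rather than on hyphen counting, because both the endpoint ID and the zone ID contain hyphens; the round trip through build_domain rejects names that merely end in the right suffix.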
When you access an Alibaba Cloud service from a VPC, you typically use a specific service domain name. If the service is configured with a custom service domain name, you can enable this feature for the interface endpoint. Once enabled, you can continue to use the same domain name to access the service through PrivateLink without changing the service address in your application.
A custom service domain name is effective only within the VPC where the interface endpoint resides, and only this VPC can resolve it to a private IP address. Other VPCs and on-premises data centers can use the custom service domain name to access the service provided they are connected to the interface endpoint's VPC and DNS resolution is configured.
IP version
A service provider can offer an endpoint service over IPv4 or dual-stack.
You can select dual-stack only when all service resources added to the endpoint service support dual-stack.
If an endpoint service supports dual-stack, the service consumer can configure a dual-stack endpoint, allowing clients to access the service using both IPv4 and IPv6 addresses.
High availability for service access
The service provider configures service resources for the endpoint service across multiple availability zones.
If the service resources are NLB, ALB, or GWLB instances, add instances that span multiple availability zones.
If the service resource is a CLB instance, add multiple CLB instances that have different primary availability zones.
The service consumer selects vSwitches in at least two availability zones when creating an interface endpoint.
The service consumer uses the endpoint domain name to access the service. Alibaba Cloud provides fully managed health checks to ensure rapid failover if an availability zone becomes unavailable:
The availability of the elastic network interface IPs in different endpoint availability zones is monitored in real time. If an anomaly is detected, the corresponding DNS record is removed to prevent service interruptions or data loss.
After the failure is resolved, PrivateLink automatically restores the corresponding DNS record.
Elasticity and throttling
Elastic performance
PrivateLink supports automatic elastic scaling:
The bandwidth for each endpoint in an availability zone scales automatically with your traffic.
It provides different scaling limits based on the endpoint type and service resource type.
The elastic bandwidth metric reflects only the capability of the endpoint's network interface in an availability zone. The actual end-to-end capacity depends on the backend service resource type and the processing power of the application.
If your application requires higher throughput, contact your account manager to apply.
Endpoint type | Service resource type | Elastic bandwidth |
interface endpoint | NLB | The default initial bandwidth is 10 Gbps. For interface endpoints created from February 1, 2026, the maximum bandwidth can scale up to 50 Gbps. If an endpoint spans multiple availability zones, its maximum bandwidth is |
interface endpoint | ALB | The default initial bandwidth is 5 Gbps and can scale up to a maximum of 25 Gbps. If an endpoint spans multiple availability zones, its maximum bandwidth is |
interface endpoint | CLB | PrivateLink supports a maximum bandwidth of up to 5 Gbps for each endpoint in each availability zone. If an endpoint spans multiple availability zones, its maximum bandwidth is If the service resource type is CLB, the default connection throttling for an endpoint connection is 3,072 Mbps. The maximum bandwidth of the connection does not exceed this limit. If the service provider does not change the throttling value for the endpoint connection, each endpoint supports a bandwidth of no more than 3,072 Mbps in each availability zone. |
gateway load balancer endpoint | GWLB | The default initial bandwidth is 5 Gbps and can scale up to a maximum of 25 Gbps. If an endpoint spans multiple availability zones, its maximum bandwidth is |
Elastic bandwidth and throttling
Elastic bandwidth: The automatic bandwidth scaling that the system provides at the availability zone level. It represents the maximum bandwidth supported by each endpoint within each availability zone and requires no pre-configuration.
Throttling: A traffic control policy configured by the service provider for an endpoint connection to prevent backend service resources from being overloaded. The service provider can set different throttling values for different endpoint connections.
Inheritance mechanism: When the service provider sets a throttling limit on an endpoint connection, the elastic network interfaces of that endpoint in each availability zone automatically inherit and enforce this limit, enabling precise traffic control.
How to view the limit:
Call the GetVpcEndpointAttribute operation and check the Bandwidth value.
On the endpoint details page, view the Bandwidth Limit in the Basic Information section.
Note that throttling is not a service level agreement (SLA) commitment. Due to the distributed architecture, the throttling value for an endpoint is distributed across multiple devices within an availability zone. Reaching the configured limit requires multiple connections. The actual throttling performance may vary and can occasionally exceed the set limit.
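Because the connection throttle is inherited by every zone's network interface, the capacity a single zone can deliver is the smaller of the per-zone elastic ceiling from the table above and the throttle value. The following added example (not Alibaba Cloud's code) audits endpoint records for that interaction and for the Disconnected causes listed earlier. The records are a constructed merge of GetVpcEndpointAttribute-style fields (EndpointId, EndpointType, Bandwidth, ConnectionStatus) with the service resource type; the field names and EndpointType values are assumptions, and every value is made up.

```python
"""Added example (not Alibaba Cloud's code): audit endpoint records against
the elastic-bandwidth and throttling rules on this page. Field names and
EndpointType values are assumed to mirror the API; all values are constructed."""
from datetime import date

# Per-zone elastic ceilings (Mbps) from the table on this page. The 10 Gbps
# NLB figure is the stated initial bandwidth; since no higher ceiling is given
# for NLB endpoints created before 2026-02-01, it is used as their ceiling here
# (assumption). Multi-zone totals are not modelled.
ELASTIC_MAX_MBPS = {
    ("Interface", "NLB"): 10_000,
    ("Interface", "ALB"): 25_000,
    ("Interface", "CLB"): 5_000,
    ("GatewayLoadBalancer", "GWLB"): 25_000,
}
NLB_HIGHER_CEILING_MBPS = 50_000       # NLB endpoints created from 2026-02-01
NLB_CEILING_CUTOFF = date(2026, 2, 1)
CLB_DEFAULT_THROTTLE_MBPS = 3_072      # applies when the provider sets nothing

# Causes of the Disconnected state listed on this page.
DISCONNECTED_CAUSES = (
    "endpoint service does not auto-accept and the request is still pending",
    "endpoint service rejected or has not yet approved the request",
    "endpoint has an overdue payment",
    "endpoint service has an overdue payment",
)


def elastic_max_mbps(endpoint_type, resource_type, created):
    """Per-zone elastic ceiling for an endpoint type / resource type pairing."""
    key = (endpoint_type, resource_type)
    if key not in ELASTIC_MAX_MBPS:
        raise ValueError(f"unsupported pairing {key}")
    if key == ("Interface", "NLB") and created >= NLB_CEILING_CUTOFF:
        return NLB_HIGHER_CEILING_MBPS
    return ELASTIC_MAX_MBPS[key]


def effective_per_zone_mbps(endpoint_type, resource_type, created, throttle_mbps):
    """Capacity one zone can deliver: min(elastic ceiling, inherited throttle).
    throttle_mbps=None means the provider set no throttle; CLB then falls back
    to the 3,072 Mbps default described on the page."""
    ceiling = elastic_max_mbps(endpoint_type, resource_type, created)
    if throttle_mbps is None and resource_type == "CLB":
        throttle_mbps = CLB_DEFAULT_THROTTLE_MBPS
    if throttle_mbps is None:
        return ceiling
    return min(ceiling, throttle_mbps)


def audit_endpoint(rec):
    """Return (effective per-zone Mbps, [(code, message), ...]) for one record."""
    findings = []
    throttle = rec.get("Bandwidth")
    ceiling = elastic_max_mbps(rec["EndpointType"], rec["ResourceType"], rec["Created"])
    cap = effective_per_zone_mbps(rec["EndpointType"], rec["ResourceType"],
                                  rec["Created"], throttle)
    if throttle is not None and throttle > ceiling:
        findings.append(("THROTTLE_ABOVE_ZONE_CEILING",
                         f"throttle {throttle} Mbps exceeds the {ceiling} Mbps per-zone "
                         "elastic ceiling, so one zone alone cannot reach it"))
    if rec["ResourceType"] == "CLB" and throttle is None:
        findings.append(("CLB_DEFAULT_THROTTLE",
                         f"no throttle set; the CLB default of "
                         f"{CLB_DEFAULT_THROTTLE_MBPS} Mbps per zone applies"))
    status = rec.get("ConnectionStatus")
    if status == "Disconnected":
        findings.append(("DISCONNECTED", "possible causes: " + "; ".join(DISCONNECTED_CAUSES)))
    elif status == "EndpointServiceDeleted":
        findings.append(("SERVICE_DELETED", "the endpoint service no longer exists"))
    return cap, findings


SAMPLE_RECORDS = [  # constructed records, not real endpoints
    {"EndpointId": "ep-sample1", "EndpointType": "Interface", "ResourceType": "CLB",
     "Created": date(2025, 6, 1), "Bandwidth": None, "ConnectionStatus": "Connected"},
    {"EndpointId": "ep-sample2", "EndpointType": "Interface", "ResourceType": "NLB",
     "Created": date(2026, 3, 1), "Bandwidth": 8_000, "ConnectionStatus": "Disconnected"},
    {"EndpointId": "ep-sample3", "EndpointType": "Interface", "ResourceType": "ALB",
     "Created": date(2025, 1, 1), "Bandwidth": 30_000, "ConnectionStatus": "Connected"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        cap, findings = audit_endpoint(rec)
        print(f"{rec['EndpointId']}: effective per-zone capacity {cap} Mbps")
        for code, msg in findings:
            print(f"  {code}: {msg}")
```

Because throttling is not an SLA figure and is spread across several devices per zone, treat the computed capacity as an upper bound for capacity planning rather than a guaranteed rate.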