Create a PrivateLink interface endpoint to call VPC OpenAPI and VPC Peering Connection OpenAPI from your VPC over the Alibaba Cloud internal network, without public IP addresses.
Access Alibaba Cloud services over PrivateLink.
Create an interface endpoint
- The VPC OpenAPI service name is com.aliyuncs.privatelink.{RegionId}.vpc. You must request whitelist access. No request is required for the China (Beijing) region.
- The VPC Peering Connection OpenAPI service name is com.aliyuncs.privatelink.{RegionId}.vpcpeer.
- Activate the PrivateLink service and create a VPC, vSwitch, and a security group in the target region.
Console
- Go to the Endpoint - Create Endpoint page.
- Configure the Interface Endpoint:
  - Basic Settings:
    - Region: Select the region where the Alibaba Cloud service is located.
    - Name and description: Enter a name and description for the endpoint.
    - Type: Select Alibaba Cloud Service.
    - Available Services: Select the Alibaba Cloud service by service name. Only services deployed in the selected region that you have permission to access are listed.
      - VPC OpenAPI: com.aliyuncs.privatelink.{RegionId}.vpc
      - VPC peering connection OpenAPI: com.aliyuncs.privatelink.{RegionId}.vpcpeer
  - Network Settings:
    - For high availability, select vSwitches in at least two zones. You can assign a vSwitch IP address to the elastic network interface (ENI) in each zone. If unspecified, the system assigns one automatically. You cannot assign a system-reserved address from the vSwitch to the ENI.
    - IP Version: Dual-stack is not supported. Clients access these services only over IPv4.
    - Security Group: Associate a security group to control inbound traffic to the ENIs across all endpoint zones.
  - Advanced Settings:
    - Enable Custom Domain Name?: Enables access to the service through a custom domain name.
      - VPC OpenAPI: vpc-vpc.cn-beijing.aliyuncs.com (this example is for the China (Beijing) region)
      - VPC peering connection OpenAPI: vpcpeer.vpc-proxy.aliyuncs.com
    - Endpoint policy: Keep the Default endpoint policy, which allows full access.
- After creation, run these commands from an ECS instance in the same VPC to test connectivity.

```shell
# Find the ENI's IP address on the Zone and ENI tab of the Instance Details page.
ping <IP address of the ENI in the endpoint's availability zone>

# For HTTP/HTTPS services, we recommend directly accessing the service port.
# Find the endpoint domain name on the Instance List page.
# The security group's inbound rules must allow traffic on ports 80 (HTTP) and 443 (HTTPS) for access from the endpoint's VPC.
# Whether HTTPS is supported depends on the service.
curl -sI http://<endpoint domain name>
```
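A further check you can run from the same ECS instance, added here as an example rather than taken from the Alibaba Cloud documentation: confirm that the service domain (the custom domain name above, or the endpoint domain name) resolves only to addresses inside your VPC CIDR, which is what you expect when requests reach the service through the endpoint's ENIs and not over the public internet. The VPC CIDR and hostname in the usage lines are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example, not from the Alibaba Cloud documentation: confirm that a service
# domain resolves only to addresses inside the VPC, which is what you expect when
# requests reach the service through the interface endpoint's ENIs instead of
# the public internet. The VPC CIDR and hostname in the usage lines are assumptions.

# Convert a dotted IPv4 address to a 32-bit integer (POSIX sh, no bashisms).
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Return 0 if address $1 lies inside CIDR $2 (for example 192.168.0.0/16).
ip_in_cidr() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Return 0 if every address in the space-separated list $2 is within CIDR $1;
# each address outside it is reported on stderr so it can be investigated.
all_in_vpc() {
  vpc_cidr=$1
  rc=0
  for addr in $2; do
    if ! ip_in_cidr "$addr" "$vpc_cidr"; then
      echo "outside VPC CIDR $vpc_cidr: $addr" >&2
      rc=1
    fi
  done
  return $rc
}

# Resolve a hostname to its unique IPv4 addresses using the instance's resolver.
resolve_v4() {
  getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u | tr '\n' ' '
}

# Usage on an ECS instance in the endpoint's VPC (assumed values):
#   VPC_CIDR=192.168.0.0/16
#   HOST=vpc-vpc.cn-beijing.aliyuncs.com
#   all_in_vpc "$VPC_CIDR" "$(resolve_v4 "$HOST")" \
#     && curl -sI --connect-timeout 5 "https://$HOST"
```

An address reported as outside the VPC CIDR means the name is still resolving to a public address from that instance, so the request would not be using the interface endpoint.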
API
Call the CreateVpcEndpoint operation to create an interface endpoint.