Virtual Private Cloud:Access Alibaba Cloud services from a VPC over a private network

Last Updated: Aug 12, 2025

When an instance in a virtual private cloud (VPC) accesses an Alibaba Cloud service, such as Object Storage Service (OSS), over the Internet, the traffic is exposed to security risks and unstable network quality, and it incurs additional Internet traffic fees.

To resolve these issues, Alibaba Cloud lets you access Alibaba Cloud services from a VPC over a private network. This ensures that access requests are transmitted within the Alibaba Cloud internal network, which provides higher security, more stable network performance, and better cost control.

This topic describes two common solutions for accessing Alibaba Cloud services from a VPC over a private network: gateway endpoints and PrivateLink.

How it works

Gateway endpoint

A gateway endpoint is a virtual gateway that a VPC uses to access a specific Alibaba Cloud service.

Take OSS as an example. The following procedure describes how a gateway endpoint works:

  1. When you create a gateway endpoint, you must select a VPC, a route table, and the Alibaba Cloud service that you want to access.

  2. After the gateway endpoint is created, the system automatically adds a custom route entry to the selected route table. The destination CIDR block of the route entry is a system prefix list that contains the VIP CIDR block of OSS in the region, and the next hop is the gateway endpoint.

  3. When an Elastic Compute Service (ECS) instance in a vSwitch associated with the route table accesses the internal same-region endpoint of OSS, the VPC routes the access request to the gateway endpoint. The request then reaches OSS directly through the Alibaba Cloud internal network without traversing the Internet.

PrivateLink

PrivateLink establishes a private tunnel between a VPC and a destination service.

Take OSS as an example. The following procedure describes how PrivateLink works:

  1. To use PrivateLink, you must first create an interface endpoint. When you create an interface endpoint, you must select a VPC, a security group, a zone, a vSwitch, and the Alibaba Cloud service that you want to access.

  2. After the interface endpoint is created, the system automatically creates an endpoint elastic network interface (ENI) with a private IP address in each selected vSwitch. The ENI serves as the entry point to the service.

  3. When an ECS instance accesses the domain name of the endpoint, if the security group rules are met, all access requests are routed through the endpoint ENI and reach OSS directly through the Alibaba Cloud internal network without traversing the Internet.


The following table summarizes the main differences between the two solutions to help you make a choice:

Scenarios

  • Gateway endpoint: You can use endpoint policies for gateway endpoints together with bucket policies for OSS to reduce the risk of unauthorized access and implement bidirectional authentication: source control (the VPC is allowed to access only specified buckets) and destination control (the OSS bucket allows access only from the specified VPC).

  • PrivateLink: This is the standard solution for securely accessing Alibaba Cloud services from a VPC over a private network. Compared with gateway endpoints, PrivateLink supports more types of Alibaba Cloud services and provides more advanced features.

Applicable service types

  • Gateway endpoint: Currently, gateway endpoints support only OSS.

  • PrivateLink: PrivateLink supports a wide range of Alibaba Cloud services and user-created services, including services provided by independent software vendors (ISVs).

Security features on the VPC side

  • Gateway endpoint: Only endpoint policies are supported.

  • PrivateLink: Security groups, network ACLs, and endpoint policies are supported.

Networking capabilities

  • Gateway endpoint: Complex networking is not supported. IP address conflicts may occur with the CIDR blocks of Alibaba Cloud services (100.x.x.x/8).

  • PrivateLink: Complex networking is supported. You can use PrivateLink with VPC peering connections, Cloud Enterprise Network (CEN), Express Connect circuits, or VPN gateways to implement cross-region and hybrid cloud networking.

O&M capabilities

  • Gateway endpoint: None.

  • PrivateLink: Flow logs are supported for auditing and troubleshooting.

Fees

  • Gateway endpoint: Free of charge.

  • PrivateLink: Instance fees and data transfer fees are charged. For user-created services, you can choose whether the service consumer or the service provider pays the fees.
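The route-table behaviour described under "How it works" (a system route whose destination is the OSS prefix list and whose next hop is the gateway endpoint) and the IP address conflict caveat in the comparison table can both be checked before you associate a route table. The following Python is an added example, not code from this topic or from Alibaba Cloud: it models a VPC route table with longest-prefix matching and flags custom routes that overlap the service range. The route table contents, the 100.0.0.0/8 approximation of the prefix list, and the next-hop names are constructed assumptions.

```python
import ipaddress

# Constructed route table modelled on this topic: after the gateway endpoint is created,
# the system adds a route whose destination is the OSS prefix list (approximated here by
# the page's 100.x.x.x/8; assumption) and whose next hop is the gateway endpoint.
# The VPC CIDR block and the default route are assumptions for illustration.
ROUTE_TABLE = [
    ("192.168.0.0/16", "local"),           # VPC CIDR block (constructed)
    ("0.0.0.0/0", "nat-gateway"),          # default route to the Internet (assumed)
    ("100.0.0.0/8", "gateway-endpoint"),   # system route added for the gateway endpoint
]

SERVICE_RANGE = ipaddress.ip_network("100.0.0.0/8")


def next_hop(route_table, destination):
    """Longest-prefix match over the route table; returns the next hop or None."""
    addr = ipaddress.ip_address(destination)
    best_net, best_hop = None, None
    for cidr, hop in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def conflicting_routes(route_table, service_range=SERVICE_RANGE):
    """Routes at least as specific as the service range that overlap it but do not
    point at the gateway endpoint. Such a route wins longest-prefix match for part of
    the service range and pulls that OSS traffic away from the endpoint; this is the
    IP address conflict the comparison table warns about."""
    return [
        (cidr, hop)
        for cidr, hop in route_table
        if hop != "gateway-endpoint"
        and ipaddress.ip_network(cidr).overlaps(service_range)
        and ipaddress.ip_network(cidr).prefixlen >= service_range.prefixlen
    ]


def check_new_route(route_table, cidr, hop):
    """Pre-flight check before adding a route (for example for a peer VPC or an
    on-premises CIDR block): returns the conflicts the new route would introduce."""
    return conflicting_routes(route_table + [(cidr, hop)])


if __name__ == "__main__":
    print(next_hop(ROUTE_TABLE, "100.118.28.52"))      # constructed 100.x address
    print(check_new_route(ROUTE_TABLE, "100.64.0.0/16", "peer-vpc"))
```

Run `check_new_route` against every CIDR block you plan to reach through VPC peering, CEN, Express Connect, or VPN before enabling a gateway endpoint; any hit means part of the service range would be routed elsewhere.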

Gateway endpoint

You can use endpoint policies for gateway endpoints and bucket policies for OSS to reduce the risk of unauthorized access and implement bidirectional authentication:

  • Source control: The VPC is allowed to access only specified buckets.

  • Destination control: The OSS bucket allows access only from the specified VPC.


Console

Create a gateway endpoint and configure an authorization policy

The VPC where the gateway endpoint is enabled, the authorized bucket, and the user that accesses OSS from within the VPC can belong to different Alibaba Cloud accounts.

Note that gateway endpoints are supported only in some regions. For the list, see Supported regions in the More information section.

  1. Create a gateway endpoint and configure an endpoint policy.

    1. Go to the VPC console, choose Endpoints > Gateway Endpoints, and then click Create Endpoint.

    2. Select a region, enter a name for the endpoint, and make sure that the endpoint type is Gateway Endpoint.

    3. For Endpoint Service, select Select Service and then select the endpoint service whose Service Resource Type is OSS.

    4. Select a VPC and a route table.

      After the gateway endpoint is created, the system automatically adds a custom route entry to the selected route table. The destination CIDR block of the route entry is a system prefix list that contains the VIP CIDR block of OSS in the region, and the next hop is the gateway endpoint.

    5. Configure an endpoint policy. The syntax is the same as the policy language of Resource Access Management (RAM).

      Policy example

      The following example policy indicates that only the user with the account ID 1746xxxxxx is allowed to perform OSS operations on the bucket named examplebucket from the VPC.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "oss:*",
            "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"],
            "Principal": ["1746xxxxxx"]
          }
        ]
      }

    6. After the gateway endpoint is created, you can find a route entry that is automatically added by the system in the custom route entries of the associated route table. The next hop of the route entry points to the gateway endpoint.

  2. Configure a bucket policy for OSS.

    1. Go to the OSS console, click Buckets, and then click the name of the bucket for which you want to configure an authorization policy.

    2. In the navigation pane on the left, choose Access Control > Bucket Policy. Click Add Policy By Syntax and then click Edit.

    3. Configure a bucket policy. The syntax is the same as the policy language of RAM.

      Policy example

      The following example policy indicates that:

      1. Policy 1 denies all principals the listed OSS operations (ListObjects, GetObject, PutObject, and DeleteObject) on the bucket named examplebucket when the request does not originate from the VPC with the ID vpc-bp******.

        For a list of OSS actions, see RAM Policy. We recommend that you do not set Action to * in a Deny policy. Otherwise, the bucket owner cannot access the bucket in the OSS console.

      2. Policy 2 allows only the user with the account ID 1746xxxxxx to perform OSS operations on the bucket named examplebucket from the VPC with the ID vpc-bp******.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Deny",
            "Action": ["oss:ListObjects", "oss:GetObject", "oss:PutObject", "oss:DeleteObject"],
            "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"],
            "Principal": ["*"],
            "Condition": {
              "StringNotEquals": {
                "acs:SourceVpc": ["vpc-bp******"]
              }
            }
          },
          {
            "Effect": "Allow",
            "Action": ["oss:*"],
            "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"],
            "Principal": ["1746xxxxxx"],
            "Condition": {
              "StringEquals": {
                "acs:SourceVpc": ["vpc-bp******"]
              }
            }
          }
        ]
      }

    4. After you configure the policy, click Save.

  3. Verify the access policy.

    Note: If a RAM user is used to access OSS, you must grant the RAM user permissions to perform operations on the relevant OSS bucket. Otherwise, access may fail.

    1. Access the authorized bucket from the authorized VPC using an authorized account. The access attempt is successful.

    2. If the account, VPC, or bucket is not authorized, the access attempt fails.
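The verification step above only tells you that one request succeeded or failed. The following Python is an added example, not code from this topic or from Alibaba Cloud: it evaluates the page's two policies the way the procedure describes (source control by the endpoint policy, destination control by the bucket policy, explicit Deny winning over Allow) so that you can table-test account, VPC, bucket, and action combinations offline, and it lints a bucket policy for the pitfall the topic warns about (Action * in a Deny). The account and VPC IDs are the page's masked placeholders; the region, bucket owner, and object key used to build the resource string are constructed assumptions, as is the rule that a request matching no statement is not allowed (the caller's RAM permissions still apply in practice, as the note above says).

```python
import json
from fnmatch import fnmatchcase

# The two policies from this topic, copied verbatim (IDs are the page's masked placeholders).
ENDPOINT_POLICY = json.loads("""
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "oss:*",
  "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"],
  "Principal": ["1746xxxxxx"] } ] }
""")

BUCKET_POLICY = json.loads("""
{ "Version": "1", "Statement": [
  { "Effect": "Deny",
    "Action": ["oss:ListObjects", "oss:GetObject", "oss:PutObject", "oss:DeleteObject"],
    "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"],
    "Principal": ["*"],
    "Condition": { "StringNotEquals": { "acs:SourceVpc": ["vpc-bp******"] } } },
  { "Effect": "Allow", "Action": ["oss:*"],
    "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"],
    "Principal": ["1746xxxxxx"],
    "Condition": { "StringEquals": { "acs:SourceVpc": ["vpc-bp******"] } } } ] }
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Policy fields may contain "*" wildcards; fnmatchcase is a case-sensitive glob match.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only the two string operators used on this page are modelled.
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def evaluate(policy, principal, action, resource, context):
    """Return "Deny", "Allow" or "NoMatch" for one request against one policy.
    An explicit Deny wins over any Allow, as in RAM policy evaluation."""
    outcome = "NoMatch"
    for st in policy["Statement"]:
        if not (_matches(st["Principal"], principal) and _matches(st["Action"], action)
                and _matches(st["Resource"], resource)
                and _condition_holds(st.get("Condition"), context)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        outcome = "Allow"
    return outcome


def request_allowed(account_id, action, bucket, source_vpc, key=None,
                    region="cn-hangzhou", owner="1746xxxxxx"):
    """Bidirectional check: the endpoint policy (source control) and the bucket policy
    (destination control) must both allow the request. Region and owner only fill the
    resource string, which the page's policies match with wildcards (assumption)."""
    resource = f"acs:oss:{region}:{owner}:{bucket}" + (f"/{key}" if key else "")
    context = {"acs:SourceVpc": source_vpc}
    return (evaluate(ENDPOINT_POLICY, account_id, action, resource, context) == "Allow"
            and evaluate(BUCKET_POLICY, account_id, action, resource, context) == "Allow")


def lint_bucket_policy(policy):
    """Flag the pitfalls relevant to this setup: a Deny on all actions locks the bucket
    owner out of the OSS console, and an Allow without an acs:SourceVpc condition is
    not restricted to the VPC."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st["Effect"] == "Deny" and any(a in ("*", "oss:*") for a in _as_list(st["Action"])):
            findings.append(f"statement {i}: Deny on all actions locks out the bucket owner")
        conditioned = any("acs:SourceVpc" in pairs for pairs in st.get("Condition", {}).values())
        if st["Effect"] == "Allow" and not conditioned:
            findings.append(f"statement {i}: Allow is not conditioned on acs:SourceVpc")
    return findings


if __name__ == "__main__":
    print(request_allowed("1746xxxxxx", "oss:GetObject", "examplebucket", "vpc-bp******", "a.txt"))
    print(request_allowed("1746xxxxxx", "oss:GetObject", "examplebucket", "vpc-bp-other", "a.txt"))
    print(lint_bucket_policy(BUCKET_POLICY))
```

When you later edit the Resource, Principal, or Condition fields (see Modify the access policy), re-run the same table of requests to confirm that only the intended combinations still pass.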

Modify the access policy

You can modify the access policy to adjust the scope of authorized VPCs, buckets, or accounts.

  • To adjust the scope of authorized VPCs, go to the OSS console, click Buckets, and then click the name of the destination bucket. In the navigation pane on the left, choose Access Control > Bucket Policy. Modify the Condition field in the existing authorization policy to add or remove VPCs that can access the bucket.

  • To adjust the scope of authorized buckets:

    1. Go to the VPC console, choose Endpoints > Gateway Endpoints, and click the ID of the destination gateway endpoint. On the Endpoint Policy tab, modify the Resource field in the existing authorization policy to add or remove buckets that the VPC can access.

    2. Go to the OSS console, click Buckets, and then click the name of the destination bucket. In the navigation pane on the left, choose Access Control > Bucket Policy. Modify the Resource field in the existing authorization policy to add or remove bucket resources that can be accessed. If multiple buckets are involved, you must perform this operation for each bucket.

  • To adjust the scope of authorized accounts:

    Note: If a RAM user is used to access OSS, you must grant the RAM user permissions to perform operations on the relevant OSS bucket. Otherwise, access may fail.

    1. Go to the VPC console, choose Endpoints > Gateway Endpoints, and click the ID of the destination gateway endpoint. On the Endpoint Policy tab, modify the Principal field in the existing authorization policy to add or remove accounts that can access the bucket from within the VPC.

    2. Go to the OSS console, click Buckets, and then click the name of the destination bucket. In the navigation pane on the left, choose Access Control > Bucket Policy. Modify the Principal field in the existing authorization policy to add or remove accounts that can access the bucket from within the VPC. If multiple buckets are involved, you must perform this operation for each bucket.

Associate or dissociate a route table

You can associate a gateway endpoint with or dissociate a gateway endpoint from a route table to control which vSwitches in the VPC can access Alibaba Cloud services through the gateway endpoint.

  1. Go to the VPC console, choose Endpoints > Gateway Endpoints, and click the ID of the destination gateway endpoint.

  2. On the Associated Route Tables tab:

    1. To associate a new route table, click Associate Route Table. After the association is complete, you can find a route entry that is automatically added by the system in the custom route entries of the associated route table. The next hop of the route entry points to the gateway endpoint.

    2. To dissociate an existing route table, click Dissociate to the right of the associated route table. After the route table is dissociated, the route entry added by the system is automatically removed.

Delete a gateway endpoint

Before you delete a gateway endpoint, you must dissociate all associated route tables.

  1. Dissociate all associated route tables.

  2. Go to the VPC console, choose Endpoints > Gateway Endpoints, and click Delete to the right of the destination gateway endpoint.

  3. (Optional) The bucket policy remains in the bucket, which prevents other VPCs from accessing the bucket. To adjust the policy, go to the OSS console, click Buckets, and then click the name of the destination bucket. In the navigation pane on the left, choose Access Control > Bucket Policy to modify or delete the policy that allows access only from the specified VPC.

API

  1. Gateway endpoint:

    1. To create a gateway endpoint and configure an endpoint policy, call the CreateVpcGatewayEndpoint operation.

      1. When you call this operation, you must specify the ServiceName parameter. You can call the ListVpcEndpointServicesByEndUser operation to query available endpoint services.

      2. The PolicyDocument parameter is used to configure an endpoint policy. The syntax is the same as the policy language of RAM.

    2. To modify a gateway endpoint policy, call the UpdateVpcGatewayEndpointAttribute operation and specify the PolicyDocument parameter.

    3. To associate a route table, call the AssociateRouteTablesWithVpcGatewayEndpoint operation.

    4. To dissociate a route table, call the DissociateRouteTablesFromVpcGatewayEndpoint operation.

    5. To delete a gateway endpoint, call the DeleteVpcGatewayEndpoint operation.

  2. OSS bucket:

    1. To configure a bucket policy for OSS, call the PutBucketPolicy operation.

    2. To modify a bucket policy, call the PutBucketPolicy operation and specify the access policy in the JSON format.

    3. To delete a bucket policy, call the DeleteBucketPolicy operation.

Terraform

Configure a gateway endpoint:

Resources: alicloud_vpc_gateway_endpoint

Note: Before you delete a gateway endpoint, you must dissociate all associated route tables.

  provider "alicloud" {
    region = "cn-hangzhou"
  }

  resource "alicloud_vpc_gateway_endpoint" "default" {
    gateway_endpoint_name = "gateway-endpoint-name"          # The name of the gateway endpoint.
    service_name          = "com.aliyun.cn-hangzhou.oss"     # The name of the OSS service.
    vpc_id                = "vpc-bp******"                   # The VPC to which the gateway endpoint belongs.
    route_tables          = ["vtb-bp******", "vtb-bp******"] # The IDs of the associated route tables.
    # The endpoint policy.
    policy_document = <<EOF
  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "oss:*",
        "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"],
        "Principal": ["1746******"]
      }
    ]
  }
  EOF
  }

Configure a bucket policy for OSS:

Resources: alicloud_oss_bucket_policy

  provider "alicloud" {
    region = "cn-hangzhou"
  }

  resource "alicloud_oss_bucket_policy" "default" {
    bucket = "examplebucket" # The name of the bucket.
    policy = jsonencode({
      Version = "1"
      Statement = [
        {
          Effect    = "Deny"
          Action    = ["oss:ListObjects", "oss:GetObject", "oss:PutObject", "oss:DeleteObject"]
          Principal = ["*"]
          Resource  = ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"]
          Condition = {
            StringNotEquals = {
              "acs:SourceVpc" = ["vpc-bp******"] # Replace the value with the actual VPC ID.
            }
          }
        },
        {
          Effect    = "Allow"
          Action    = ["oss:*"]
          Principal = ["1746xxxxxx"] # Replace the value with the actual Alibaba Cloud account ID.
          Resource  = ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"]
          Condition = {
            StringEquals = {
              "acs:SourceVpc" = ["vpc-bp******"] # Replace the value with the actual VPC ID.
            }
          }
        }
      ]
    })
  }

PrivateLink

For more information, see the following PrivateLink topics:

More information

Billing

Gateway endpoints are free of charge.

For information about the billing of PrivateLink, see PrivateLink billing.

Supported regions

  • Asia Pacific - China: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Ulanqab), China (Heyuan), China (Guangzhou), China (Chengdu), and China (Hong Kong)

  • Asia Pacific - Others: Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), and Indonesia (Jakarta)

  • Europe & Americas: Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)

  • Middle East: UAE (Dubai)

For information about the regions and zones that support PrivateLink, see Regions and zones that support PrivateLink.

Quotas

Gateway endpoint quotas:

  1. A VPC can be associated with only one gateway endpoint for a specific Alibaba Cloud service, and a VPC route table can be associated with only one gateway endpoint.

  2. A gateway endpoint can be associated with multiple VPC route tables.

For information about the quotas of PrivateLink, see Service quotas.