
Design and Implementation of PrivateLink and ClassicLink in Cloud VPC Networks

This article explains the background, overall architecture, and detailed design and implementation of PrivateLink and ClassicLink gateways within a cloud VPC environment, covering their control and forwarding planes, workflow steps, and future optimization plans.

360 Smart Cloud

With the rapid expansion of overlay network coverage and the promotion of Virtual Private Cloud (VPC) across all major data centers, many services are moving to the cloud, requiring isolated internal networks and the ability to manage cloud resources such as servers and load balancers.

Because VPCs are isolated, external services need public IPs, which can be inefficient and insecure; meanwhile, many workloads exist in a transition phase between classic and private networks. To address this, multiple solutions are offered, including PrivateLink for intra‑region VPC communication and ClassicLink for classic‑VPC inter‑access.

The overall architecture includes five gateway types: SNAT (outbound internet access only), EIP (bidirectional internet and classic network access), CCN (cloud‑to‑cloud and classic‑VPC connectivity), SLB in VPC (load balancing with optional PrivateLink or ClassicLink), and fullnat gateways that underpin PrivateLink.

PrivateLink Implementation

PrivateLink enables VPC instances to access services in other VPCs over the internal network, avoiding public internet exposure. The service usage flow involves creating a load balancer (SLB1) in the provider VPC, registering an endpoint service, configuring security groups, creating an endpoint in the consumer VPC, and using the returned endpoint IP for private access.

The control plane consists of an API Server that creates endpoints and services, and an Agent that registers gateway nodes to ETCD every 10 seconds and watches for configuration changes. When an endpoint is created, the API Server selects an available gateway and writes a record to ETCD; the Agent receives it and pushes the configuration to the forwarding plane.
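The control-plane flow above, as an added example that is not 360 Smart Cloud's code: an in-memory stand-in for ETCD models the gateway heartbeat, gateway selection, and the watch that delivers endpoint records to the Agent. The key paths, the 30-second lease TTL, the first-live-node selection and all class names are assumptions; only the 10-second registration interval comes from the article.

```python
import time

class FakeEtcd:
    """In-memory stand-in for ETCD: keys with TTL leases plus prefix watches."""
    def __init__(self, clock=time.monotonic):
        self.clock, self.data, self.watchers = clock, {}, []

    def put(self, key, value, ttl=None):
        expiry = self.clock() + ttl if ttl else None
        self.data[key] = (value, expiry)
        for prefix, callback in self.watchers:
            if key.startswith(prefix):
                callback(key, value)

    def get_prefix(self, prefix):
        # Expired leases are invisible, so a silent gateway drops out on its own.
        now = self.clock()
        return {k: v for k, (v, exp) in self.data.items()
                if k.startswith(prefix) and (exp is None or exp > now)}

    def watch(self, prefix, callback):
        self.watchers.append((prefix, callback))

HEARTBEAT = 10               # seconds, from the article
LEASE_TTL = 3 * HEARTBEAT    # assumption: node is dead after three missed beats

class Agent:
    def __init__(self, etcd, node):
        self.etcd, self.node, self.applied = etcd, node, []
        # Trailing slash keeps "gw-a" from also matching keys for "gw-ab".
        etcd.watch(f"/endpoints/{node}/", self.on_config)

    def heartbeat(self):     # to be called every HEARTBEAT seconds
        self.etcd.put(f"/gateways/{self.node}", "alive", ttl=LEASE_TTL)

    def on_config(self, key, value):
        # Stands in for pushing the record to the forwarding plane.
        self.applied.append((key, value))

class ApiServer:
    def __init__(self, etcd):
        self.etcd = etcd

    def create_endpoint(self, endpoint_id, service_id):
        live = sorted(self.etcd.get_prefix("/gateways/"))
        if not live:
            raise RuntimeError("no live fullnat gateway registered")
        node = live[0].rsplit("/", 1)[1]   # assumption: pick first live node
        self.etcd.put(f"/endpoints/{node}/{endpoint_id}", service_id)
        return node
```

Injecting the clock makes lease expiry deterministic, so the failure case (every gateway has stopped heartbeating) can be exercised without waiting.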

The forwarding plane relies on fullnat gateways; traffic from the consumer VPC is encapsulated, routed through the fullnat gateway, and delivered to the provider VPC.

ClassicLink Implementation

ClassicLink allows classic network instances to access VPC resources over the internal network, while VPC instances can only reach classic instances that are explicitly linked. This functionality is provided by the CCN gateway.

The control plane mirrors PrivateLink’s API Server and Agent architecture, but the CCN gateway stores full configuration data for all VMs and load balancers. When a classic network is linked to a VPC, the Agent announces the VPC subnets via BGP, enabling traffic from classic IDC to be routed to the CCN gateway and then to the target VPC.

The forwarding plane encapsulates traffic using VXLAN, decapsulates it in the cloud‑connect cluster, looks up routing tables (CCSI), and forwards it to the appropriate host or VPC. ClassicLink treats the IDC network as a special VPC, avoiding VXLAN encapsulation.

Future work includes optimizing metadata lookup structures in the CCN gateway for higher forwarding efficiency, migrating all gateway types to 100 Gbps NICs, adding DSCP traffic labeling for priority flows, and enhancing fine‑grained traffic monitoring and visualization.

In summary, while EIP gateways initially handled most traffic, the adoption of PrivateLink and ClassicLink has redistributed load, improved security, and paved the way for more stable and scalable cloud networking solutions.
