This topic describes how to pull images from Alibaba Cloud Container Registry and create a container group. You can use default values and minimal configurations in certain settings.


The Elastic Container Instance (ECI) and Resource Access Management (RAM) services are activated. A RAM role related to ECI is assigned to your account, including the permission to access your private image repository. Then, ECI can automatically pull your private images from Alibaba Cloud Container Registry without using a password.

Specifically, you can pull images from Alibaba Cloud Container Registry by using the Virtual Private Cloud (VPC) endpoint of an image repository.
Note: When you create an ECI in the console, the system automatically uses the VPC endpoint to pull images without your intervention.


  1. Go to the ECI purchase page.
  2. Select a region and a zone.

    Select the region and zone where you want to deploy the ECI. For more information about the supported regions and zones, see Regions and zones.

    Note: We recommend that you select the latest zone that has sufficient resources to meet your business needs.
  3. Select a VPC and a VSwitch.

    Select a VPC and a VSwitch in the selected region and zone. The information about the network, such as the Classless Inter-Domain Routing (CIDR) block, appears on the page. If no VPC or VSwitch is available in the selected region and zone, create a VPC on the VPCs page or create a VSwitch on the VSwitches page in the VPC console. For more information about how to create a VPC, see Create a VPC. For more information about how to create a VSwitch, see Create a VSwitch.

  4. Select a security group.

    If no security group is available, create one on the Security Groups page in the Elastic Compute Service (ECS) console. A security group acts as a virtual firewall that provides the stateful packet inspection (SPI) and packet filtering features and is used to isolate security domains on the cloud. For the ECIs in a security group, you can configure security group rules to enable or disable access to the Internet or internal network and access between the ECIs.

    To allow access from the Internet to an ECI in a VPC, you must expose the corresponding ports in security group rules. For example, when you deploy the NGINX service, you must expose port 80 to the Internet in a security group rule.

    For more information about security groups, see Security group overview.

  5. Select an image.
    After you specify the name of the container group and the name of a container, select an image from the Common Image repository and select the image version.
  6. Select the CPU and memory specifications for the container group.
    Select appropriate CPU and memory specifications for each container. A container supports a minimum of 0.25 vCPU and 0.5 GB memory.
  7. Confirm the configuration.
    Click Preview on the purchase page. On the configuration preview page that appears, verify that the configuration is correct and click Create ECI to submit the order.
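
The security group selected in step 4 decides which ports of the ECI are reachable from the Internet. The following added example (not part of the original documentation) checks a rule list for ingress rules that open anything other than the intended ports, such as port 80 for NGINX, to a public source. The rule field names are assumed to follow the ECS DescribeSecurityGroupAttribute response, and the sample rules are constructed.

```python
import ipaddress

# Constructed sample rules; field names are assumed to match the Permission
# entries returned by the ECS DescribeSecurityGroupAttribute API.
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "80/80", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "8000/9000", "SourceCidrIp": "192.168.0.0/16"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL", "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL", "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "TCP", "PortRange": "3306/3306", "SourceCidrIp": "0.0.0.0/0"},
]

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_PROTOCOLS = {"TCP", "UDP", "ALL"}  # ICMP/GRE rules carry no ports

def is_internet_source(cidr):
    """True unless the CIDR lies entirely inside an RFC 1918 private range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not (net.version == 4 and any(net.subnet_of(p) for p in PRIVATE_NETS))

def port_span(port_range):
    """Parse 'start/end'; '-1/-1' means every port."""
    start, end = (int(p) for p in port_range.split("/"))
    return (1, 65535) if start == -1 else (start, end)

def unexpected_exposure(rules, allowed_ports):
    """Return ingress Accept rules that open ports outside allowed_ports to the Internet."""
    # Conservative: rule priority is ignored, so an Accept rule that a
    # higher-priority Drop rule overrides is still reported.
    findings = []
    for rule in rules:
        if rule.get("Direction") != "ingress" or rule.get("Policy", "").lower() != "accept":
            continue
        if rule.get("IpProtocol", "").upper() not in PORT_PROTOCOLS:
            continue
        cidr = rule.get("SourceCidrIp")
        if not cidr or not is_internet_source(cidr):
            continue  # source is another security group or a private range
        start, end = port_span(rule["PortRange"])
        if any(p not in allowed_ports for p in range(start, end + 1)):
            findings.append((rule["IpProtocol"], rule["PortRange"], cidr))
    return findings

if __name__ == "__main__":
    for proto, ports, cidr in unexpected_exposure(SAMPLE_RULES, {80}):
        print(f"unexpected Internet exposure: {proto} {ports} from {cidr}")
```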