If your Elastic Compute Service (ECS) instances reside in one or more Virtual Private Clouds (VPCs), you must configure access to a Container Registry Enterprise Edition instance over the VPCs. Then, connections can be established between the ECS instances in the VPCs and the Container Registry Enterprise Edition instance. This topic describes how to configure access to a Container Registry Enterprise Edition instance over VPCs.

Prerequisites

VPCs and VSwitches are created in the region where the Container Registry Enterprise Edition instance resides. For more information, see Create a VPC.

Background information

By default, you can add up to three VPCs when configuring access over VPCs. To add more VPCs, log on to Ticket System and submit a ticket.

Scenario 1: Configure access over a single VPC

By default, the domain name of a Container Registry Enterprise Edition instance is resolved to the access IP address of the first VPC that is added. If all your ECS instances reside in the same VPC, you do not need to manually configure domain name resolution.

  1. Log on to the Container Registry console. In the top navigation bar, select the target region.
  2. In the left-side navigation pane, choose Enterprise Instances > Instances.
  3. On the Instances page, click the Container Registry Enterprise Edition instance to be configured.
  4. In the left-side navigation pane, choose Repositories > Access Control.
    Note If you want to configure access control for Helm charts, choose Helm Chart > Access Control.
  5. On the VPC tab, click Add VPC.
  6. In the Add VPC dialog box that appears, select an existing VPC and an existing VSwitch, and click OK.
    The first VPC is added. ECS instances in the VPC can access the Container Registry Enterprise Edition instance after the status of the VPC changes from Creating to Running.

Scenario 2: Configure access over multiple VPCs

If your ECS instances reside in multiple VPCs, you must resolve the domain name of a Container Registry Enterprise Edition instance to the access IP addresses of all the VPCs. Then, connections can be established between the ECS instances in all the VPCs and the Container Registry Enterprise Edition instance.

  1. Repeat the steps described in Scenario 1 to add a second or more VPCs.

    By default, the domain name of a Container Registry Enterprise Edition instance is resolved to the access IP address of the first VPC that is added. You must use PrivateZone to resolve the domain name of the Container Registry Enterprise Edition instance to the access IP addresses of other VPCs. The following steps use the second VPC as an example to describe the procedure.

  2. Log on to the Alibaba Cloud DNS console. In the left-side navigation pane, click PrivateZone.
  3. On the All Zones tab, click Add Zone.
  4. In the Add PrivateZone dialog box that appears, enter cr.aliyuncs.com in Zone Name, select Subdomain recursive resolution proxy, and then click OK.
  5. In the Actions column of the newly added private zone, click Configure.DNS settings
  6. On the Resolution Settings cr.aliyuncs.com page, click Add Record.
  7. In the Add Record dialog box that appears, set the following parameters and click OK:
    • Record Type: Retain the default value.
    • Resource Records: Enter the prefix in the domain name of the Container Registry Enterprise Edition instance. For example, if the domain name is abc-registry-vpc.cn-shanghai.cr.aliyuncs.com, the prefix is abc-registry-vpc.cn-shanghai.
    • Record Value: Enter the access IP address of the second VPC.
    • TTL Value: Retain the default value.
    On the Resolution Settings tab, you can view the newly added record.
  8. Return to the PrivateZone page, find the target private zone, and then click Bind VPC.Associate a private zone with VPCs
  9. In the Bind VPC dialog box that appears, select the second VPC and click Confirm.

    After Unbound changes to Bind in the Bind VPC Status column, ECS instances in the second VPC can access the Container Registry Enterprise Edition instance.