If your Elastic Compute Service (ECS) instances reside in one or more virtual private clouds (VPCs), you must configure access to a Container Registry Enterprise Edition instance over the VPCs. Then, connections can be established between the ECS instances in the VPCs and the Container Registry Enterprise Edition instance. This topic describes how to configure access to a Container Registry Enterprise Edition instance over VPCs.

Prerequisites

VPCs and vSwitches are created in the region where the Container Registry Enterprise Edition instance resides. For more information, see Work with VPCs.

Background information

By default, you can add up to three VPCs when you configure access over VPCs. If you want to add more than three VPCs, submit a ticket in the .

Scenario 1: Configure access over a single VPC

By default, the domain name of a Container Registry Enterprise Edition instance is resolved to the access IP address of the first VPC that is added. If all your ECS instances reside in the same VPC, you do not need to manually configure domain name resolution.

  1. Log on to the Container Registry console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, click Instances.
  4. On the Instances page, click the required Container Registry Enterprise Edition instance.
  5. On the management page of the Container Registry Enterprise Edition instance, choose Repositories > Access Control in the left-side navigation pane.
    Note If you want to configure access control for Helm charts, choose Helm Chart > Access Control.
  6. On the VPC tab, click Add VPC.
  7. In the Add VPC dialog box, select an existing VPC and an existing vSwitch, and click OK.
    The first VPC is added. ECS instances in the VPC can access the Container Registry Enterprise Edition instance after the status of the VPC changes from Creating to Running.

Scenario 2: Configure access over multiple VPCs

If your ECS instances reside in multiple VPCs, you must resolve the domain name of a Container Registry Enterprise Edition instance to the access IP addresses of all the VPCs. Then, connections can be established between the ECS instances in all the VPCs and the Container Registry Enterprise Edition instance.

  1. Repeat the steps described in Scenario 1 to add the second VPC or more VPCs.

    By default, the domain name of a Container Registry Enterprise Edition instance is resolved to the access IP address of the first VPC that is added. You must use Alibaba Cloud DNS PrivateZone to resolve the domain name of the Container Registry Enterprise Edition instance to the access IP addresses of other VPCs.

  2. Log on to the Alibaba Cloud DNS console. In the left-side navigation pane, click PrivateZone.
  3. On the Hosted Zones tab, click Add Zone.
  4. In the Add PrivateZone dialog box, enter cr.aliyuncs.com in the Zone Name field, select Subdomain recursive resolution proxy, and then click OK.
  5. Find the added private zone and click Configure in the Actions column. Configure
  6. On the Resolution Settings cr.aliyuncs.com page, click Add Record.
  7. In the Add Record dialog box, set the following parameters and click OK:
    • Record Type: Retain the default value.
    • Resource Records: Enter the prefix in the domain name of the Container Registry Enterprise Edition instance. For example, if the domain name is abc-registry-vpc.cn-shanghai.cr.aliyuncs.com, the prefix is abc-registry-vpc.cn-shanghai.
    • Record Value: Enter the access IP address of the second VPC.
    • TTL Value: Retain the default value.
    On the Resolution Settings tab, you can view the added record.
  8. Return to the PrivateZone page, find the private zone that you want to bind to the second VPC, and then click Bind VPC. Bind VPC
  9. In the Bind VPC dialog box, select the second VPC and click Confirm.

    After Unbound changes to Bind in the Bind VPC Status column, ECS instances in the second VPC can access the Container Registry Enterprise Edition instance.