ACK Edge clusters support both leased line and Internet connection types. Edge nodes, also known as under-cloud nodes, can establish connectivity to the Alibaba Cloud Container Service platform via the Internet or Alibaba Cloud leased lines. This topic describes the necessary endpoint configurations for edge nodes connecting to ACK Edge clusters, including internal same-region endpoints, relevant IP routing network segments, and port policies for leased line connections.
Ports that need to be exposed on edge nodes (inbound)
To enable cloud access to edge nodes, certain ports must be exposed inbound on the edge nodes. For details on ports and addresses to configure outbound on edge nodes, see Node Access Domain Name and IP Routing Configuration.
Protocol | Port | Source address or source CIDR block | Comment |
TCP | 10250 and 10255 | Virtual private cloud (VPC) CIDR block. Note: Optional, based on fine-grained management of the cluster switch CIDR block. | Not applicable to Internet connections. |
TCP | 9100 and 9445 | VPC CIDR block. Note: Optional, based on fine-grained management of the cluster switch CIDR block. | Not applicable to Internet connections. Prometheus actively initiates requests to the Node-Exporter ports 9100/9445 on the node to obtain monitoring data. |
UDP | 8472 | VPC CIDR block and the address or CIDR block of the node. Note: Configuration is required only when the cluster uses the Flannel plug-in. | Flannel VXLAN uses the UDP port 8472 on the node to build a VXLAN tunnel. |
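One way to check an edge node's inbound allow rules against the table above, assuming a leased line connection. This is an added example, not Alibaba Cloud tooling; the rule tuple format, the function name `audit_inbound` and the sample CIDR blocks are assumptions made for illustration.

```python
import ipaddress

# (protocol, port) -> permitted source kinds, from the inbound table above.
REQUIRED_INBOUND = {
    ("tcp", 10250): ("vpc",),
    ("tcp", 10255): ("vpc",),
    ("tcp", 9100): ("vpc",),
    ("tcp", 9445): ("vpc",),
    ("udp", 8472): ("vpc", "node"),  # needed only with the Flannel plug-in
}

def audit_inbound(rules, vpc_cidr, node_cidr, flannel=True):
    """Audit allow rules given as (protocol, port, source_cidr) tuples.

    Returns (too_broad, missing):
      too_broad - rules on a listed port whose source reaches beyond the permitted CIDRs
      missing   - permitted CIDRs that no rule on that port overlaps at all
    A rule narrower than the VPC CIDR (for example one vSwitch) is accepted.
    """
    nets = {"vpc": ipaddress.ip_network(vpc_cidr),
            "node": ipaddress.ip_network(node_cidr)}
    too_broad, missing = [], []
    for (proto, port), kinds in REQUIRED_INBOUND.items():
        if (proto, port) == ("udp", 8472) and not flannel:
            continue
        allowed = [nets[k] for k in kinds]
        sources = [ipaddress.ip_network(src) for p, prt, src in rules
                   if (p.lower(), prt) == (proto, port)]
        for src in sources:
            if not any(src.subnet_of(a) for a in allowed):
                too_broad.append((proto, port, str(src)))
        for a in allowed:
            if not any(a.overlaps(src) for src in sources):
                missing.append((proto, port, str(a)))
    return too_broad, missing

# Constructed sample: VPC 192.168.0.0/16, edge node subnet 10.10.0.0/24.
SAMPLE_RULES = [
    ("tcp", 10250, "192.168.0.0/16"),
    ("tcp", 10255, "0.0.0.0/0"),       # open to any source
    ("tcp", 9100, "192.168.1.0/24"),   # narrowed to one vSwitch CIDR
    ("udp", 8472, "192.168.0.0/16"),   # node subnet not yet permitted
]

if __name__ == "__main__":
    print(audit_inbound(SAMPLE_RULES, "192.168.0.0/16", "10.10.0.0/24"))
```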
Endpoints and IP routing that edge nodes need to access (outbound)
To ensure on-premises IDC devices or edge devices can access the following domain names and IP addresses, configure the settings based on the access method.
Internet Access:
On the edge side (off-cloud), you must permit the public IP addresses or domain names listed below in the outbound direction of your security policy.
Leased Line Access:
On the edge side (off-cloud), you must permit the leased line addresses or domain names listed below in the outbound direction of your security policy.
You must configure round-trip routing within the IDC route, Virtual Border Router (VBR), Cloud Enterprise Network, Transit Router (TR), and VPC route table.
Endpoints and ports that edge nodes need to access
The {region} in the access address denotes the Region ID of the ACK Edge cluster. For instance, the Region ID for the Hangzhou region is cn-hangzhou. Refer to Service regions for a list of Region IDs for each region.
When accessing container images via the internal network, use leased line mode endpoints and configure routes to the internal network segments of the container images and OSS. For internal network endpoints and corresponding routing segments, see Endpoints and Corresponding Routing Segments in Leased Line Mode.
Public Mode Endpoint | Leased Line Mode Endpoint | Port | Description |
| cs-anony-vpc.{region}.aliyuncs.com | | The control plane endpoint. |
aliacs-k8s-{region}.oss-{region}.aliyuncs.com | aliacs-k8s-{region}.oss-{region}-internal.aliyuncs.com | | The endpoint for downloading files from OSS. You can download installation packages for components like edgeadm, kubelet, Container Network Interface (CNI), runtime, and edgehub from OSS. |
The public endpoint of the API server | The private endpoint of the API server | TCP 6443 | View on the Basic Information tab of the cluster. |
Address of the Internet-facing SLB instance of the tunnel-server (cluster version < 1.26) | Not available in private network mode | TCP 10262 and 10263 | View through the cluster Service resource: kube-system/x-tunnel-server-svc |
Address of the Internet-facing SLB instance of the Raven cloud gateway | Not available in private network mode | | View through the cluster Service resource: |
ntp1.aliyun.com cn.ntp.org.cn | ntp1.aliyun.com cn.ntp.org.cn | Related to the NTP protocol, generally UDP port 123. | The address of the NTP server. If you configure the |
|
| TCP 443 | The address required for downloading system component images. For specific IP segments corresponding to these addresses in leased line mode, see Endpoints and Corresponding Routing Segments in Leased Line Mode. |
Install the following system tools online: net-tools, iproute, chrony (or ntpdate), crontabs, pciutils, socat, ebtables, iptables, and conntrack-tools | Install the following system tools online: net-tools, iproute, chrony (or ntpdate), crontabs, pciutils, socat, ebtables, iptables, and conntrack-tools | Not available | Check whether the system tools are installed on the node to be added. If not, the system will install the tools online. The addresses of these tools are determined by the YUM or APT repositories of the node. |
Endpoints and corresponding routing segments in leased line mode
To access private ACK component image addresses from a data center, connect to a VPC through Cloud Enterprise Network (CEN), Express Connect, leased lines, or VPN. Add routes to the private addresses of the component images. Since the images are stored in OSS, configure the OSS routing segments as well. The endpoints and corresponding routing segments in leased line mode are detailed below.
Internal network image addresses and routing segments of ACK components
Public cloud regions
Region | Region ID | VPC endpoint | Route |
China (Hangzhou) | cn-hangzhou | registry-cn-hangzhou-vpc.ack.aliyuncs.com | 100.103.9.188/32 100.103.7.181/32 |
China (Shanghai) | cn-shanghai | registry-cn-shanghai-vpc.ack.aliyuncs.com | 100.103.94.158/32 100.103.7.57/32 100.100.80.231/32 |
China (Fuzhou - Local Region) | cn-fuzhou | registry-cn-fuzhou-vpc.ack.aliyuncs.com | 100.100.0.43/32 100.100.0.28/32 |
China (Qingdao) | cn-qingdao | registry-cn-qingdao-vpc.ack.aliyuncs.com | 100.100.0.172/32 100.100.0.207/32 |
China (Beijing) | cn-beijing | registry-cn-beijing-vpc.ack.aliyuncs.com | 100.103.99.73/32 100.103.0.251/32 100.103.6.63/32 |
China (Zhangjiakou) | cn-zhangjiakou | registry-cn-zhangjiakou-vpc.ack.aliyuncs.com | 100.100.1.179/32 100.100.80.152/32 |
China (Hohhot) | cn-huhehaote | registry-cn-huhehaote-vpc.ack.aliyuncs.com | 100.100.0.194/32 100.100.80.55/32 |
China (Ulanqab) | cn-wulanchabu | registry-cn-wulanchabu-vpc.ack.aliyuncs.com | 100.100.0.122/32 100.100.0.58/32 |
China (Shenzhen) | cn-shenzhen | registry-cn-shenzhen-vpc.ack.aliyuncs.com | 100.103.96.139/32 100.103.6.153/32 100.103.26.52/32 |
China (Heyuan) | cn-heyuan | registry-cn-heyuan-vpc.ack.aliyuncs.com | 100.100.0.150/32 100.100.0.193/32 |
China (Guangzhou) | cn-guangzhou | registry-cn-guangzhou-vpc.ack.aliyuncs.com | 100.100.0.101/32 100.100.0.21/32 |
China (Chengdu) | cn-chengdu | registry-cn-chengdu-vpc.ack.aliyuncs.com | 100.100.0.48/32 100.100.0.64/32 |
Zhengzhou (CUCC Joint Venture) | cn-zhengzhou-jva | registry-cn-zhengzhou-jva-vpc.ack.aliyuncs.com | 100.100.0.111/32 100.100.0.84/32 |
China (Hong Kong) | cn-hongkong | registry-cn-hongkong-vpc.ack.aliyuncs.com | 100.103.85.19/32 100.100.80.157/32 |
US (Silicon Valley) | us-west-1 | registry-us-west-1-vpc.ack.aliyuncs.com | 100.103.13.55/32 100.100.80.93/32 |
US (Virginia) | us-east-1 | registry-us-east-1-vpc.ack.aliyuncs.com | 100.103.12.19/32 100.100.80.11/32 |
Japan (Tokyo) | ap-northeast-1 | registry-ap-northeast-1-vpc.ack.aliyuncs.com | 100.100.0.167/32 100.100.80.198/32 |
South Korea (Seoul) | ap-northeast-2 | registry-ap-northeast-2-vpc.ack.aliyuncs.com | 100.100.0.71/32 100.100.0.33/32 |
Singapore | ap-southeast-1 | registry-ap-southeast-1-vpc.ack.aliyuncs.com | 100.103.103.254/32 100.100.80.136/32 |
Malaysia (Kuala Lumpur) | ap-southeast-3 | registry-ap-southeast-3-vpc.ack.aliyuncs.com | 100.100.0.17/32 100.100.80.137/32 |
Indonesia (Jakarta) | ap-southeast-5 | registry-ap-southeast-5-vpc.ack.aliyuncs.com | 100.100.0.226/32 100.100.80.200/32 |
Philippines (Manila) | ap-southeast-6 | registry-ap-southeast-6-vpc.ack.aliyuncs.com | 100.100.0.75/32 100.100.0.24/32 |
Thailand (Bangkok) | ap-southeast-7 | registry-ap-southeast-7-vpc.ack.aliyuncs.com | 100.100.0.62/32 100.100.0.34/32 |
Germany (Frankfurt) | eu-central-1 | registry-eu-central-1-vpc.ack.aliyuncs.com | 100.100.0.92/32 100.100.80.155/32 |
UK (London) | eu-west-1 | registry-eu-west-1-vpc.ack.aliyuncs.com | 100.100.0.175/32 100.100.0.18/32 |
SAU (Riyadh - Partner Region) | me-central-1 | registry-me-central-1-vpc.ack.aliyuncs.com | 100.100.0.109/32 100.100.0.18/32 |
Alibaba Finance Cloud regions
Region | Region ID | VPC endpoint | Route |
China East 2 Finance | cn-shanghai-finance-1 | registry-cn-shanghai-finance-1-vpc.ack.aliyuncs.com | 100.100.0.54/32 100.100.80.227/32 |
OSS internal domain names and VIP segments
Public cloud regions
Region | Region ID | OSS region ID | Internal endpoint for access over VPCs | VIP range |
China (Hangzhou) | cn-hangzhou | oss-cn-hangzhou | oss-cn-hangzhou-internal.aliyuncs.com | |
China (Shanghai) | cn-shanghai | oss-cn-shanghai | oss-cn-shanghai-internal.aliyuncs.com | |
China (Nanjing - Local Region) | cn-nanjing | oss-cn-nanjing | oss-cn-nanjing-internal.aliyuncs.com | 100.114.142.0/24 |
China (Qingdao) | cn-qingdao | oss-cn-qingdao | oss-cn-qingdao-internal.aliyuncs.com | |
China (Beijing) | cn-beijing | oss-cn-beijing | oss-cn-beijing-internal.aliyuncs.com | |
China (Zhangjiakou) | cn-zhangjiakou | oss-cn-zhangjiakou | oss-cn-zhangjiakou-internal.aliyuncs.com | |
China (Hohhot) | cn-huhehaote | oss-cn-huhehaote | oss-cn-huhehaote-internal.aliyuncs.com | |
China (Ulanqab) | cn-wulanchabu | oss-cn-wulanchabu | oss-cn-wulanchabu-internal.aliyuncs.com | |
China (Shenzhen) | cn-shenzhen | oss-cn-shenzhen | oss-cn-shenzhen-internal.aliyuncs.com | |
China (Heyuan) | cn-heyuan | oss-cn-heyuan | oss-cn-heyuan-internal.aliyuncs.com | |
China (Guangzhou) | cn-guangzhou | oss-cn-guangzhou | oss-cn-guangzhou-internal.aliyuncs.com | |
China (Chengdu) | cn-chengdu | oss-cn-chengdu | oss-cn-chengdu-internal.aliyuncs.com | |
China (Hong Kong) | cn-hongkong | oss-cn-hongkong | oss-cn-hongkong-internal.aliyuncs.com | |
US (Silicon Valley) * | us-west-1 | oss-us-west-1 | oss-us-west-1-internal.aliyuncs.com | 100.115.107.0/24 |
US (Virginia) * | us-east-1 | oss-us-east-1 | oss-us-east-1-internal.aliyuncs.com | |
Japan (Tokyo) * | ap-northeast-1 | oss-ap-northeast-1 | oss-ap-northeast-1-internal.aliyuncs.com | |
South Korea (Seoul) | ap-northeast-2 | oss-ap-northeast-2 | oss-ap-northeast-2-internal.aliyuncs.com | 100.99.119.0/24 |
Singapore * | ap-southeast-1 | oss-ap-southeast-1 | oss-ap-southeast-1-internal.aliyuncs.com | |
Malaysia (Kuala Lumpur) * | ap-southeast-3 | oss-ap-southeast-3 | oss-ap-southeast-3-internal.aliyuncs.com | |
Indonesia (Jakarta) * | ap-southeast-5 | oss-ap-southeast-5 | oss-ap-southeast-5-internal.aliyuncs.com | 100.114.98.0/24 |
Philippines (Manila) | ap-southeast-6 | oss-ap-southeast-6 | oss-ap-southeast-6-internal.aliyuncs.com | 100.115.16.0/24 |
Thailand (Bangkok) | ap-southeast-7 | oss-ap-southeast-7 | oss-ap-southeast-7-internal.aliyuncs.com | 100.98.249.0/24 |
Germany (Frankfurt) * | eu-central-1 | oss-eu-central-1 | oss-eu-central-1-internal.aliyuncs.com | 100.115.154.0/24 |
UK (London) | eu-west-1 | oss-eu-west-1 | oss-eu-west-1-internal.aliyuncs.com | 100.114.114.128/25 |
UAE (Dubai) * | me-east-1 | oss-me-east-1 | oss-me-east-1-internal.aliyuncs.com | 100.99.235.0/24 |
SAU (Riyadh) | me-central-1 | oss-me-central-1 | oss-me-central-1-internal.aliyuncs.com | 100.99.121.0/24 |
Alibaba Finance Cloud regions
Region | Region ID | OSS Region ID | Internal endpoint for access over VPCs | VIP range |
China East 1 Finance | cn-hangzhou-finance | oss-cn-hzjbp | | |
China East 2 Finance | cn-shanghai-finance-1 | oss-cn-shanghai-finance-1 | oss-cn-shanghai-finance-1-internal.aliyuncs.com | |
China North 2 Finance (Preview) | cn-beijing-finance-1 | oss-cn-beijing-finance-1 | oss-cn-beijing-finance-1-internal.aliyuncs.com | 100.112.52.0/24 |
China South 1 Finance | cn-shenzhen-finance-1 | oss-cn-shenzhen-finance-1 | oss-cn-shenzhen-finance-1-internal.aliyuncs.com | 100.112.15.0/24 |
China East 1 Finance Public | cn-hangzhou-finance | oss-cn-hzfinance | oss-cn-hzfinance-internal.aliyuncs.com | |
China East 2 Finance Public | cn-shanghai-finance-1 | oss-cn-shanghai-finance-1-pub | oss-cn-shanghai-finance-1-pub-internal.aliyuncs.com | |
China South 1 Finance Public | cn-shenzhen-finance-1 | oss-cn-szfinance | oss-cn-szfinance-internal.aliyuncs.com | |
China North 2 Finance Public | cn-beijing-finance-1 | oss-cn-beijing-finance-1-pub | oss-cn-beijing-finance-1-pub-internal.aliyuncs.com | 100.112.52.0/24 |
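A route coverage check for the leased line requirement that every hop between the IDC and the VPC carries routes to the component image and OSS segments. This is an added example, not Alibaba Cloud tooling: the UK (London) values are copied from the tables on this page, while the hop names, the sample route tables and the function names are assumptions. It checks the cloud-bound direction only.

```python
import ipaddress

# UK (London), eu-west-1: values copied from the two tables on this page.
REGISTRY_ROUTES = ["100.100.0.175/32", "100.100.0.18/32"]
OSS_VIP_RANGES = ["100.114.114.128/25"]

def uncovered(required, routes):
    """Return the required CIDRs that the route destinations do not fully cover."""
    # Collapsing merges adjacent and overlapping prefixes, so two /26 routes
    # correctly count as covering one /25.
    merged = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(r) for r in routes))
    return [r for r in required
            if not any(ipaddress.ip_network(r).subnet_of(m) for m in merged)]

def check_path(hop_routes, required=None):
    """Map each hop name to the required segments it has no route for.

    Hops with full coverage are left out of the result.
    """
    required = required or REGISTRY_ROUTES + OSS_VIP_RANGES
    gaps = {hop: uncovered(required, routes)
            for hop, routes in hop_routes.items()}
    return {hop: missing for hop, missing in gaps.items() if missing}

# Constructed route tables (destination prefixes only), one per hop.
SAMPLE_HOPS = {
    "idc": ["100.100.0.175/32", "100.100.0.18/32"],  # OSS range forgotten
    "vbr": ["100.100.0.0/16", "100.114.114.128/26", "100.114.114.192/26"],
    "tr": ["100.64.0.0/10"],
}

if __name__ == "__main__":
    for hop, missing in check_path(SAMPLE_HOPS).items():
        print(f"{hop}: no route to {', '.join(missing)}")
```

A hop that routes only the registry addresses still leaves image layer downloads failing, because the layers are served from the OSS range.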