Create an ACK Edge cluster in the ACK console to enable cloud-edge collaboration.
Prerequisites
Before you begin, make sure that you have:
Limits
| Resource | Limit | Reference |
|---|---|---|
| Networks | ACK clusters support only virtual private clouds (VPCs) | What is a VPC? |
| ECS billing | Pay-as-you-go and subscription billing methods are supported. After creating an ECS instance, you can switch from pay-as-you-go to subscription in the ECS console. | Change the billing method from pay-as-you-go to subscription |
| VPC route entries | VPCs of Flannel-based clusters support at most 200 route entries. VPCs of Terway-based clusters have no limit. | Quota Center |
| Security groups | At most 100 security groups per account | Security groups |
| SLB instances | At most 60 pay-as-you-go Server Load Balancer (SLB) instances per account | Quota Center |
| Elastic IP addresses (EIPs) | At most 20 EIPs per account | Quota Center |
Before you create the cluster
Review these constraints before starting — some cannot be changed after the cluster is created:
- EIP binding is permanent. Once you bind an EIP to the API server of an ACK Edge cluster, you cannot change or unbind it.
- Security hardening cannot be modified after the cluster is created.
- Edge nodes communicate with the API server over the Internet. Select Expose API Server with EIP during cluster creation. If you skip this, you can bind an EIP to the API server later; see Control public access to the API server of a cluster.
- The on-cloud node pool requires at least two worker nodes to deploy cluster components.
- Deleting the default Classic Load Balancer (CLB) instance makes the API server inaccessible.
- Starting December 1, 2024, an instance fee is charged for newly created CLB instances. See CLB billing adjustments.
Step 1: Open the cluster creation page
- Log on to the ACK console. In the left-side navigation pane, click Clusters.
- At the top of the page, hover over All Resources and select the resource group to use. Only VPCs and vSwitches in the selected resource group appear during cluster creation.
- On the Clusters page, click Create Kubernetes Cluster.
- On the Create Cluster page, click the ACK Edge tab.
Step 2: Configure the cluster
Basic settings
| Parameter | Description |
|---|---|
| Cluster name | 1–63 characters. Can contain letters, digits, hyphens (-), and underscores (_). Must start with a letter or digit. |
| Cluster specification | Professional (recommended for production and test environments) or Basic (for individual learning and testing). |
| Region | The region where the cluster is deployed. |
| Kubernetes version | See Kubernetes versions supported by ACK. |
| Maintenance window | The window during which ACK automatically performs O&M tasks on managed node pools, including runtime updates and CVE vulnerability fixes. Click Set to configure maintenance policies. |
Network settings
| Parameter | Description |
|---|---|
| VPC | Specify a zone to auto-create a VPC, or select an existing VPC from the list. |
| Configure SNAT | If the VPC cannot access the Internet, select this option. ACK automatically creates a NAT gateway and configures SNAT rules. If you leave this unselected, manually configure a NAT gateway. See Create and manage an Internet NAT gateway. |
| vSwitch | Select an existing vSwitch or click Create vSwitch. The control plane and default node pool use the selected vSwitch. Select multiple vSwitches across different zones for high availability. |
| Security group | When VPC is set to Select Existing VPC, the Select Existing Security Group option becomes available. Three options are available: Create Basic Security Group, Create Advanced Security Group, or Select Existing Security Group — see Security group overview for details. Auto-created security groups allow all outbound traffic by default. Make sure traffic to 100.64.0.0/10 is allowed — this CIDR block is required to access Alibaba Cloud services for pulling images and querying ECS metadata. If you select an existing security group, manually configure security group rules. See Configure security groups for clusters. |
| Access to API server | Edge nodes communicate with the API server over the Internet. Select Expose API Server with EIP. See the Before you create the cluster section for constraints. |
| Network plug-in | Flannel or Terway-edge. See Network management overview and How to choose a network plug-in. Flannel: a stable open source CNI plug-in using VXLAN overlay networking. Terway-edge: developed by ACK — assigns elastic network interfaces (ENIs) to cloud containers, and assigns addresses from a pre-configured CIDR block to edge containers via host routing. |
| Pod vSwitch | Available when Terway-edge is selected. Assign vSwitches to pods in the cloud node pool. Each pod vSwitch must be in the same zone as the corresponding worker node vSwitch. |
| Edge container CIDR block | The CIDR block from which container IP addresses are assigned. With Flannel, both cloud and edge containers use this block. With Terway-edge, only edge containers use this block. |
| Number of pods per node | The maximum number of pods on a single node. |
| Service CIDR | The CIDR block for Services in the cluster. Must not overlap with the VPC CIDR, other cluster CIDRs in the VPC, or the pod CIDR block. Cannot be changed after creation. See Network planning of an ACK managed cluster. |
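
An added example (not part of the ACK documentation or tooling): a pre-flight check of two rules from the table above, the Service CIDR overlap rule and the requirement that security group egress reaches 100.64.0.0/10. The plan dictionary layout and the sample CIDRs are constructed, and egress is modeled as a plain list of allowed destination CIDRs, ignoring rule priorities and deny rules.

```python
import ipaddress

# From the page: needed to reach Alibaba Cloud services (image pulls, ECS metadata).
CLOUD_SERVICES_CIDR = ipaddress.ip_network("100.64.0.0/10")


def service_cidr_conflicts(service_cidr, reserved):
    """Return labels of reserved blocks that overlap the Service CIDR.

    reserved maps a label (VPC, pod CIDR, another cluster's CIDR) to a CIDR string.
    strict=True rejects typos such as 172.21.0.1/20 (host bits set).
    """
    svc = ipaddress.ip_network(service_cidr, strict=True)
    return sorted(
        label for label, cidr in reserved.items()
        if svc.overlaps(ipaddress.ip_network(cidr, strict=True))
    )


def egress_allows(allowed_cidrs, required=CLOUD_SERVICES_CIDR):
    """True only if the union of allowed destinations covers `required` entirely."""
    nets = [ipaddress.ip_network(c, strict=True) for c in allowed_cidrs]
    nets = [n for n in nets if n.version == required.version]
    # collapse_addresses merges adjacent and nested blocks, so two /11 rules
    # that together span the /10 are recognised as full coverage.
    return any(required.subnet_of(n) for n in ipaddress.collapse_addresses(nets))


def preflight(plan):
    """Collect findings for one planned cluster (hypothetical dict layout)."""
    findings = [
        f"Service CIDR {plan['service_cidr']} overlaps {label}"
        for label in service_cidr_conflicts(plan["service_cidr"], plan["reserved"])
    ]
    if not egress_allows(plan["egress_allow"]):
        findings.append(f"egress to {CLOUD_SERVICES_CIDR} is not fully allowed")
    return findings


# Constructed sample plans, not values taken from a real account.
RESERVED = {"VPC": "192.168.0.0/16", "pod CIDR": "10.64.0.0/16"}
PLAN_OK = {"service_cidr": "172.21.0.0/20", "reserved": RESERVED,
           "egress_allow": ["0.0.0.0/0"]}
PLAN_BAD = {"service_cidr": "192.168.128.0/20", "reserved": RESERVED,
            "egress_allow": ["192.168.0.0/16", "100.64.0.0/11"]}  # half of the /10

if __name__ == "__main__":
    for name, plan in (("ok", PLAN_OK), ("bad", PLAN_BAD)):
        print(name, preflight(plan) or "no findings")
```

Because the Service CIDR cannot be changed after creation, a check like this is worth running before the cluster is submitted rather than after.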
Step 3: Configure the node pool
The on-cloud node pool must contain at least two worker nodes for deploying cluster components.
Node pool settings
| Parameter | Description |
|---|---|
| Node pool name | The name of the node pool. |
| Container runtime | Select based on the Kubernetes version. containerd (recommended): supports all Kubernetes versions. docker: supports Kubernetes 1.22 and earlier. |
| Managed node pool | Enable to activate auto repair and auto CVE patching, reducing O&M workload. Click Set to configure maintenance policies. |
| Auto recovery rule | Available after enabling managed node pools. ACK monitors node health and automatically runs repair tasks when exceptions occur. With Restart Faulty Node selected, ACK may drain and replace system disks on faulty nodes. See Enable auto repair for nodes. |
| Auto update rule | Available after enabling managed node pools. With Automatically Update Kubelet and Containerd selected, the system updates kubelet when a new version is available. See Update a node pool. |
| Auto CVE patching (OS) | Available after enabling managed node pools. Configure automatic patching for high-risk, medium-risk, and low-risk CVE vulnerabilities. Some patches require a node restart. With Restart Nodes if Necessary to Patch CVE Vulnerabilities selected, ACK restarts nodes automatically. See Patch OS CVE vulnerabilities for node pools. |
| Maintenance window | Available after enabling managed node pools. Image updates, runtime updates, and Kubernetes version updates run during this window. Click Set, then configure Cycle, Started At, and Duration. |
Instance and image settings
| Parameter | Description |
|---|---|
| Billing method | Pay-As-You-Go, Subscription, or Preemptible Instance. For Subscription, configure Duration and optionally enable Auto Renewal. For Preemptible Instance, configure Upper Price Limit of Current Instance Spec. If the market price drops below this value, a preemptible instance is created; after the 1-hour protection period, the system checks price and availability every 5 minutes and releases the instance if the price exceeds your bid. See Best practices for preemptible instance-based node pools. Billing methods cannot be switched between pay-as-you-go or subscription and preemptible instances within the same node pool. |
| Instance type | Select ECS instance types by filtering on vCPU, memory, instance family, and architecture. Select multiple types to improve scale-out success rates. See ECS specification recommendations for ACK clusters. For GPU-only instances, select Enable GPU Sharing if needed. See cGPU overview. Note: To use advanced features such as logging, monitoring, and reverse tunneling in ACK Edge clusters, you must deploy the related components in the cloud. Therefore, you must create at least one ECS instance as a worker node. |
| Operating system | Public Image: Alibaba Cloud Linux 3 ACK-optimized, ContainerOS, Alibaba Cloud Linux 3, Ubuntu, and other ACK-provided public images. See OS images. Custom Image: Use custom OS images. See How do I create a custom image from an ECS instance? Image type cannot be changed after creation; only the image version can be updated. |
| Security hardening | Cannot be modified after cluster creation. Disable: no hardening. MLPS Security Hardening: applies Multi-Level Protection Scheme (MLPS) 2.0 level-3 standards to Alibaba Cloud Linux 2/3 images. After enabling, SSH root logon is disabled — use Virtual Network Computing (VNC) to access the OS and create non-root users. See ACK security hardening based on MLPS. OS Security Hardening: available for Alibaba Cloud Linux 2 or 3 images. |
| Logon type | Key Pair: SSH key pairs for Linux instances. Configure Username (root or ecs-user) and Key Pair. Password: 8–30 characters, can contain letters, digits, and special characters. Configure Username and password. |
Volume settings
| Parameter | Description |
|---|---|
| System disk | ESSD AutoPL, Enterprise SSD (ESSD), ESSD Entry, standard SSD, and Ultra Disk are supported. Available types vary by instance family. For ESSD, set the performance level (PL): PL2 for capacities above 460 GiB, PL3 for capacities above 1,260 GiB. ESSD encryption uses the default service customer master key (CMK) or an existing Bring Your Own Key (BYOK) CMK from KMS. Select More System Disk Types to specify fallback disk types. |
| Data disk | ESSD AutoPL, Enterprise SSD (ESSD), ESSD Entry, SSD, and Ultra Disk are supported. ESSD AutoPL supports performance provisioning and burst. ESSD supports custom performance levels. Encryption is available for all data disk types. Mount a data disk to /var/lib/container on each node; /var/lib/kubelet and /var/lib/containerd are mounted under /var/lib/container. Up to 64 data disks per ECS instance (varies by instance type — query the DescribeInstanceTypes API for the DiskQuantity parameter). |
Number of instances
| Parameter | Description |
|---|---|
| Expected number of nodes | The target node count for the node pool. The node pool requires at least two nodes. |
Advanced options
Click Advanced Options (Optional) to configure scaling and node settings.
Scaling policy
| Policy | Description |
|---|---|
| Priority | Scales based on vSwitch priority (highest priority first). If the highest-priority zone lacks capacity, the next zone is tried. |
| Cost optimization | Creates instances in ascending order of vCPU unit price. Preemptible instances are created first; if unavailable, pay-as-you-go instances supplement. Configure Percentage of Pay-as-you-go Instances to set the fallback ratio. |
| Distribution balancing | Distributes instances evenly across zones. Requires multiple vSwitches. Run a rebalancing operation if instances become unevenly distributed. |
Preemptible instance options
| Parameter | Description |
|---|---|
| Use pay-as-you-go instances when preemptible instances are insufficient | When enabled, ACK creates pay-as-you-go instances if preemptible instances cannot be provisioned due to price or inventory constraints. Requires Billing Method set to Preemptible Instance. |
| Enable supplemental preemptible instances | When enabled, ACK attempts to replace reclaimed preemptible instances with new ones. Requires Billing Method set to Preemptible Instance. |
Other node settings
| Parameter | Description |
|---|---|
| ECS tags | Tags added to ECS instances during auto scaling. Keys must be unique, max 128 characters, and cannot start with aliyun or acs:. Max 20 tags per instance. ACK automatically adds 2 tags (ack.aliyun.com:<Cluster ID> and ack.alibabacloud.com/nodepool-id:<Node pool ID>), and Auto Scaling adds 1 tag (acs:autoscaling:scalingGroupId:<Scaling group ID>), leaving at most 17 tags for manual addition. |
| Taints | Taints consist of a key, value, and effect. Key: 1–63 characters, must start and end with a letter or digit. If prefixed, use a DNS subdomain prefix (max 253 characters) followed by /. Value: max 63 characters. Effects: NoSchedule (blocks scheduling), NoExecute (evicts non-tolerating pods), PreferNoSchedule (avoids scheduling when possible). See Taints and tolerations. |
| Node labels | Key-value pairs added to nodes. Key: 1–63 characters, must start and end with a letter or digit. Reserved prefixes (kubernetes.io/, k8s.io/) cannot be used except for kubelet.kubernetes.io/ and node.kubernetes.io. Value: max 63 characters. |
| Set to unschedulable | New nodes are added as unschedulable. Change status in the node list. Applies only to new nodes. |
| CPU policy | None (default) or Static (grants enhanced CPU affinity and exclusivity to eligible pods). See CPU management policies. |
| Custom node name | Renames the node, ECS instance name, and ECS hostname using a prefix + IP substring + optional suffix pattern. Name: 2–64 characters, must start and end with a lowercase letter or digit. Prefix and suffix: letters, digits, hyphens, and periods; cannot end with a hyphen or period or contain consecutive hyphens or periods. |
| Pre-join script | Nodes automatically run predefined scripts before they are added to the cluster. To use this feature, submit an application in the Quota Center console. For example, if you enter echo "hello world", the node runs the following script: #!/bin/bash, then echo "hello world", then [Node initialization script]. See User-data scripts. |
| User data | Scripts that run automatically after nodes join the cluster. See User-data scripts. If a script fails, log on to the node and run grep cloud-init /var/log/messages to check the execution log. |
| CloudMonitor agent | After installation, view node monitoring data in the CloudMonitor console. Takes effect only on new nodes. To install on existing nodes, go to the CloudMonitor console directly. |
| Public IP | Assigns a public IPv4 address to each node. If enabled, configure Bandwidth Billing Method and Peak Bandwidth. Takes effect only on new nodes. To enable public access for an existing node, create an EIP and associate it with the node. See Associate an EIP with an ECS instance. |
| Custom security group | Select Basic Security Group or Advanced Security Group. Security group type cannot be changed after selection. Each ECS instance supports up to 5 security groups. If you select an existing security group, manually configure security group rules. See Configure security group rules to enforce access control on ACK clusters. |
| RDS whitelist | Adds node IP addresses to the whitelist of an ApsaraDB RDS instance. |
| Private pool type | Open: uses an open private pool if available, falls back to the public pool. Do Not Use: uses only the public pool. Specified: uses a specific private pool by ID; if unavailable, instances fail to start. See Private pools. |
Step 4: Configure components
Click Next: Component Configurations.
| Component | Description |
|---|---|
| Cloud-edge communication component | The Raven component builds a network tunnel over the Internet for cross-region cloud-edge communication and supports edge node O&M. If your cluster uses an Express Connect circuit for cloud-edge networking, uninstall Raven. See Cross-region O&M communication component Raven. |
| CloudMonitor agent | After installation, view node monitoring data in the CloudMonitor console. Takes effect only on new nodes. |
| Log Service | Select an existing Simple Log Service (SLS) project or create one to collect cluster logs. See Collect log data from containers by using Simple Log Service. |
Step 5: Confirm and create the cluster
On the Confirm Order page, review the cluster configurations, including feature settings, billing details, cloud service dependency checks, and service agreements. To review the total estimated costs for your cluster, navigate to the bottom of the cluster creation page.
Click Generate API Request Parameters (top-left corner) to export Terraform or SDK parameters matching your current configuration.
Billing
ACK Edge clusters incur cluster management fees (Pro edition only) and cloud service fees. For details, see ACK edge clusters billing.
What's next
After the cluster is created, add edge nodes and configure node pools: