When ACK Edge clusters connect to the cloud over a leased line, edge nodes in your on-premises data center need to reach cloud services such as ACK and ACR. Two problems commonly arise in this configuration:
- IP address conflicts: Many cloud services use IP addresses in the 100.64.0.0/10 range. If your on-premises network uses the same range, conflicts disrupt traffic.
- No fixed IP for the control plane: The ACK managed cluster control plane does not have a fixed IP address, which makes it difficult to configure firewall rules for direct access.
PrivateLink solves both problems by creating a private endpoint within your virtual private cloud (VPC). The endpoint provides stable, secure access to cloud services without exposing them to the public internet or requiring complex routing changes.
All cloud services relevant to ACK Edge support PrivateLink. This topic covers ACR and ACK. For other services, see the following table:
| Cloud service | Use case | Documentation |
|---|---|---|
| ACR | Edge nodes pull system component images from ACR. | Create an endpoint for ACR |
| ACK Edge cluster | Edge nodes connect to the ACK control plane. | Create an endpoint for the ACK cluster control plane |
| Object Storage Service (OSS) | Edge nodes download dependencies from OSS during setup. ACR relies on OSS for image storage. | Access OSS by using PrivateLink |
| Simple Log Service (SLS) | If the logging component is installed, nodes access the SLS control plane. | Access Simple Log Service using PrivateLink |
Prerequisites
Before you begin, make sure that you have:
An ACK Edge cluster connected to your on-premises data center via a leased line
PrivateLink access enabled for ACK and ACR — this feature is available to whitelisted users only. Submit a ticket to request access. After approval, the endpoint services for ACK and ACR appear when you create an endpoint.
For billing details, see PrivateLink billing.
Create an endpoint for ACR
Create an interface endpoint to give edge nodes access to system component container images. After the endpoint is created, you can retrieve the domain name and IP address for each zone.
This endpoint does not proxy requests to OSS. To use PrivateLink to access OSS resources, see Access OSS by using PrivateLink.
Log on to the Endpoints console.
In the top navigation bar, select the region where the endpoint service is deployed.
The selected region must match the region of the ACK Edge cluster. This topic uses China (Hangzhou) as an example.
On the Endpoints page, click the Interface Endpoint tab, then click Create Endpoint.
On the Create Endpoint page, configure the following parameters and click OK.
| Parameter | Description | Example |
|---|---|---|
| Endpoint name | Enter a name for the interface endpoint. | test1 |
| Endpoint type | Select Interface Endpoint. | Interface Endpoint |
| Endpoint service | Specify the endpoint service in one of the following ways: click Other Endpoint Services, enter the endpoint service name, and click Verify; or click Select Service and select the endpoint service by ID. To get the endpoint service ID for the system ACR, submit a ticket. | Click Select Service, select Endpoint Service ID from the drop-down list, then enter the ID to search for the service. |
| VPC | Select the VPC where you want to create the interface endpoint. | The VPC of the ACK Edge cluster. |
| Security groups | Select the security group to associate with the elastic network interface (ENI) of the endpoint. The security group controls data transfer from the VPC to the endpoint ENI. | The security group associated with the target endpoint ENI. |
| Zone and vSwitch | Select the zone of the endpoint service and a vSwitch in that zone. The system automatically creates an endpoint ENI in the selected vSwitch. | Zones: Hangzhou Zone G, Hangzhou Zone K. vSwitches: one vSwitch per zone. |
| Resource group | Select the resource group to which the endpoint belongs. | The target resource group. |
Create an endpoint for the ACK cluster control plane
Create an interface endpoint to connect edge nodes to the ACK cluster control plane. After the endpoint is created, you can retrieve the domain name and IP address for each zone.
On the Endpoints page, click the Interface Endpoint tab, then click Create Endpoint.
On the Create Endpoint page, configure the following parameters and click OK.
| Parameter | Description | Example |
|---|---|---|
| Endpoint name | Enter a name for the interface endpoint. | test2 |
| Endpoint type | Select Interface Endpoint. | Interface Endpoint |
| Endpoint service | Specify the endpoint service in one of the following ways: click Other Endpoint Services, enter the endpoint service name, and click Verify; or click Select Service and select the endpoint service by ID. To get the endpoint service ID for the ACK Edge cluster control plane, submit a ticket. | Click Select Service, select Endpoint Service ID from the drop-down list, then enter the ID to search for the service. |
| VPC | Select the VPC where you want to create the interface endpoint. | The VPC of the ACK Edge cluster. |
| Security groups | Select the security group to associate with the ENI of the endpoint. The security group controls data transfer from the VPC to the endpoint ENI. | The security group associated with the target endpoint ENI. |
| Zone and vSwitch | Select the zone of the endpoint service and a vSwitch in that zone. The system automatically creates an endpoint ENI in the selected vSwitch. | Zones: Hangzhou Zone G, Hangzhou Zone K. vSwitches: one vSwitch per zone. |
| Resource group | Select the resource group to which the endpoint belongs. | The target resource group. |
Configure DNS resolution
After creating the endpoints, configure your on-premises DNS infrastructure to resolve the required cloud service hostnames to the IP addresses or domain names of the endpoints.
For the full list of domain names that edge nodes must reach, see Outbound traffic from edge nodes.
Choose one of the following options:
Option 1: Configure a CNAME record on your on-premises DNS server
On your on-premises DNS server, add a canonical name (CNAME) record that points the target cloud service domain name to the domain provided by the endpoint.
Option 2: Use PrivateZone
Use PrivateZone to manage DNS resolution for your hybrid cloud environment. See Use an on-premises server to access Alibaba Cloud DNS.
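The following script is an added example, not part of this topic or of any Alibaba Cloud tooling. It ties together the two points above: the 100.64.0.0/10 overlap that motivates PrivateLink, and the Option 1 CNAME override. Given your on-premises prefixes, it reports which ones collide with 100.64.0.0/10; given the endpoint domain and the vSwitch CIDRs from the endpoint you created, it emits the CNAME record for your on-premises DNS server and checks, against a DNS view, that the service hostname now ends at an endpoint ENI address inside the VPC rather than at a 100.64.0.0/10 address. All hostnames, endpoint domains, prefixes and DNS records below are constructed placeholders (`.invalid` names); the real cloud service hostnames come from Outbound traffic from edge nodes and the endpoint domain from the Endpoints console. The resolver is an offline toy over a dictionary so the example runs stand-alone; swapping it for a real lookup is a one-function change.

```python
"""Sanity-check a PrivateLink plan for an ACK Edge data center (added example, offline)."""
import ipaddress
from typing import Dict, List, Tuple

# Range used by many cloud services, as stated in the topic.
CLOUD_SERVICE_RANGE = ipaddress.ip_network("100.64.0.0/10")

# Simplified DNS view: name -> ("CNAME", target) or ("A", [addresses]).
Records = Dict[str, Tuple[str, object]]


def overlapping_prefixes(on_prem_prefixes: List[str]) -> List[str]:
    """Return the on-premises prefixes that collide with 100.64.0.0/10."""
    return [p for p in on_prem_prefixes
            if ipaddress.ip_network(p, strict=False).overlaps(CLOUD_SERVICE_RANGE)]


def cname_record(service_host: str, endpoint_domain: str) -> str:
    """Zone-file line for Option 1: point the cloud service name at the endpoint domain."""
    return f"{service_host}. IN CNAME {endpoint_domain}."


def resolve(name: str, records: Records, max_hops: int = 8) -> List[str]:
    """Follow CNAME records until A records are found (toy resolver over a dict)."""
    seen: List[str] = []
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.append(name)
        rtype, value = records.get(name, (None, None))
        if rtype == "CNAME":
            name = str(value)
            continue
        if rtype == "A":
            return list(value)  # type: ignore[arg-type]
        return []  # unknown name: no answer
    raise ValueError("CNAME chain too long")


def check_override(service_host: str, endpoint_domain: str,
                   records: Records, vswitch_cidrs: List[str]) -> List[str]:
    """Verify the service hostname is overridden to the endpoint and lands inside the VPC."""
    problems: List[str] = []
    rtype, target = records.get(service_host, (None, None))
    if rtype != "CNAME" or target != endpoint_domain:
        problems.append(f"{service_host} is not a CNAME to {endpoint_domain}")
    ips = resolve(service_host, records)
    if not ips:
        problems.append(f"{service_host} resolves to no address")
    vswitches = [ipaddress.ip_network(c) for c in vswitch_cidrs]
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr in CLOUD_SERVICE_RANGE:
            # Still the cloud-side address: the on-premises override is not in effect.
            problems.append(f"{ip} is still in 100.64.0.0/10; override not applied")
        elif not any(addr in net for net in vswitches):
            problems.append(f"{ip} is outside the endpoint vSwitch CIDRs")
    return problems


# --- Constructed sample data (placeholders, not real Alibaba Cloud values) ---
ON_PREM_PREFIXES = ["10.20.0.0/16", "100.70.0.0/16"]        # second one collides
VSWITCH_CIDRS = ["192.168.10.0/24", "192.168.20.0/24"]      # Zone G / Zone K vSwitches
SERVICE_HOST = "registry.example-cloud.invalid"             # stands in for the ACR hostname
ENDPOINT_DOMAIN = "ep-example.privatelink.invalid"          # stands in for the endpoint domain
RECORDS: Records = {
    SERVICE_HOST: ("CNAME", ENDPOINT_DOMAIN),                # Option 1 record in place
    ENDPOINT_DOMAIN: ("A", ["192.168.10.12", "192.168.20.12"]),  # one ENI per zone
    "api.example-cloud.invalid": ("A", ["100.100.1.1"]),     # not overridden yet
}


def run_checks() -> Dict[str, object]:
    """Run every check on the sample data and return the findings."""
    return {
        "overlaps": overlapping_prefixes(ON_PREM_PREFIXES),
        "cname": cname_record(SERVICE_HOST, ENDPOINT_DOMAIN),
        "registry_problems": check_override(SERVICE_HOST, ENDPOINT_DOMAIN, RECORDS, VSWITCH_CIDRS),
        "api_problems": check_override("api.example-cloud.invalid", ENDPOINT_DOMAIN,
                                       RECORDS, VSWITCH_CIDRS),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The two findings worth acting on in the sample run are the colliding 100.70.0.0/16 prefix, which must be renumbered or kept off the leased-line route before edge nodes can reach cloud services, and the api hostname that still answers with a 100.64.0.0/10 address, which means its CNAME override has not been added on the on-premises server yet. After you apply the CNAME records, the same check run against your real resolver (replace `resolve` with a lookup against the on-premises DNS server) confirms every required hostname ends at an ENI address within the vSwitches you selected when creating the endpoint.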