Container Service for Kubernetes:Configure PrivateLink for leased line access

Last Updated: Sep 12, 2025

This topic describes how to use PrivateLink to establish secure and efficient private connections from your ACK Edge nodes to cloud services such as Container Service for Kubernetes (ACK) and Container Registry (ACR). This solution resolves two problems that arise with leased line access: IP address conflicts with the address ranges cloud services use, and the lack of a fixed IP address for the managed control plane.

Background

When an ACK Edge cluster is connected to the cloud over a leased line, the edge nodes in your on-premises data center need to access several cloud services. Two problems commonly arise:

  • IP address conflicts: Many cloud services use IP addresses in the 100.64.0.0/10 range. If your on-premises data center also uses addresses from that range, routes to the cloud services collide with local routes and traffic to those services is disrupted.

  • No fixed IP for the control plane: The control plane of an ACK managed cluster does not have a fixed IP address, so you cannot write firewall rules that allow direct access to it.

PrivateLink addresses both problems. You create an interface endpoint in your own VPC; the endpoint gets an elastic network interface (ENI) with a fixed IP address from a vSwitch you choose, plus a stable domain name, and edge nodes reach the service through that address over the leased line. Traffic stays on the private network, nothing is exposed to the public Internet, and you do not have to route the service's own address range into your data center.


All cloud services relevant to ACK Edge support PrivateLink. This topic describes how to configure PrivateLink for ACR and ACK. The following table lists the services, why edge nodes need them, and where each is documented:

Cloud service: ACR
  Use case: Edge nodes need to pull system component images from ACR.
  Documentation: Create an endpoint for ACR

Cloud service: ACK Edge cluster
  Use case: Edge nodes need to connect to the ACK control plane.
  Documentation: Create an endpoint for the ACK cluster control plane

Cloud service: Object Storage Service (OSS)
  Use case:
    • Edge nodes download dependencies from OSS during setup.
    • ACR relies on OSS for image storage.
  Documentation: Access OSS by using PrivateLink

Cloud service: Simple Log Service (SLS)
  Use case: If the logging component is installed, nodes need to access the SLS control plane. You can use PrivateLink to access SLS securely.
  Documentation: Access Simple Log Service using PrivateLink

Prerequisite

You have an ACK Edge cluster connected to your on-premises data center over a leased line. PrivateLink endpoints are billed separately; for details, see PrivateLink billing.

Note

The PrivateLink feature for ACK and ACR is only available to whitelisted users. To enable this feature, submit a ticket. After your request is approved, the endpoint services for ACK and ACR will be visible when you create an endpoint.

Procedure

Create an endpoint for ACR

Perform the following steps to create an endpoint through which edge nodes pull system component container images from ACR. After the endpoint is created, the console shows its domain name and the IP address of its ENI in each zone you selected; you need these values for the DNS configuration later in this topic.

Note

The endpoint you configure in this section does not proxy requests to OSS. To use PrivateLink to access OSS resources, see Access OSS by using PrivateLink.

  1. Log on to the Endpoints console.

  2. In the top navigation bar, select the region where the endpoint service is deployed.

    Note

    The selected region must match that of the ACK Edge cluster. This topic uses China (Hangzhou) as an example.

  3. On the Endpoints page, click the Interface Endpoint tab, then click Create Endpoint.

  4. On the Create Endpoint page, configure the following parameters and click OK.

    Endpoint Name
      Description: Enter a name for the interface endpoint.
      Example: test1

    Endpoint Type
      Description: Select Interface Endpoint.
      Example: Interface Endpoint

    Endpoint Service
      Description: Configure the endpoint service in one of the following ways:
        • Click Other Endpoint Services, enter the endpoint service name, and click Verify to verify the service.
        • Click Select Service and select the ID of the endpoint service.
      Example: Click Select Service, select Endpoint Service ID from the drop-down list, then enter the ID to search for the service.
      Note: To obtain the endpoint service ID for the system ACR, submit a ticket.

    VPC
      Description: Select the VPC where you want to create the interface endpoint.
      Example: The VPC of your target ACK Edge cluster.

    Security Groups
      Description: Select the security group to associate with the elastic network interface (ENI) of the endpoint. The security group controls which sources are allowed to reach the endpoint ENI. Allow only the address ranges of your edge nodes, and only the ports the service requires.
      Example: The security group associated with your target endpoint ENI.

    Zone and vSwitch
      Description: Select a zone in which the endpoint service is deployed and a vSwitch in that zone. The system creates an endpoint ENI in the vSwitch and assigns it an IP address from the vSwitch CIDR block. This is the address your edge nodes will reach, so the vSwitch CIDR block must not overlap any range used in your on-premises data center.
      Example:
        Zones:
        • Hangzhou Zone G
        • Hangzhou Zone K
        vSwitches:
        • A vSwitch in Hangzhou Zone G
        • A vSwitch in Hangzhou Zone K

    Resource Group
      Description: Select the resource group to which the endpoint belongs.
      Example: The target resource group.

Create an endpoint for the ACK cluster control plane

Perform the following steps to create an endpoint through which edge nodes reach the ACK cluster control plane. After the endpoint is created, the console shows its domain name and the IP address of its ENI in each zone you selected.

  1. On the Endpoints page, click the Interface Endpoint tab, then click Create Endpoint.

  2. On the Create Endpoint page, configure the following parameters and click OK.

    Endpoint Name
      Description: Enter a name for the interface endpoint.
      Example: test2

    Endpoint Type
      Description: Select Interface Endpoint.
      Example: Interface Endpoint

    Endpoint Service
      Description: Configure the endpoint service in one of the following ways:
        • Click Other Endpoint Services, enter the endpoint service name, and click Verify to verify the service.
        • Click Select Service and select the ID of the endpoint service.
      Example: Click Select Service, select Endpoint Service ID from the drop-down list, then enter the ID to search for the service.
      Note: To obtain the endpoint service ID for the ACK Edge cluster control plane, submit a ticket.

    VPC
      Description: Select the VPC where you want to create the interface endpoint.
      Example: The VPC of the target ACK Edge cluster.

    Security Groups
      Description: Select the security group to associate with the elastic network interface (ENI) of the endpoint. The security group controls which sources are allowed to reach the endpoint ENI. Allow only the address ranges of your edge nodes, and only the ports the control plane requires.
      Example: The security group associated with the target endpoint ENI.

    Zone and vSwitch
      Description: Select a zone in which the endpoint service is deployed and a vSwitch in that zone. The system creates an endpoint ENI in the vSwitch and assigns it an IP address from the vSwitch CIDR block. This is the address your edge nodes will reach, so the vSwitch CIDR block must not overlap any range used in your on-premises data center.
      Example:
        Zones:
        • Hangzhou Zone G
        • Hangzhou Zone K
        vSwitches:
        • A vSwitch in Hangzhou Zone G
        • A vSwitch in Hangzhou Zone K

    Resource Group
      Description: Select the resource group to which the endpoint belongs.
      Example: The target resource group.

Configure DNS resolution

After creating the endpoints, configure your on-premises DNS so that the cloud service hostnames used by the edge nodes resolve to the endpoints: either a CNAME record that points each hostname to the endpoint's domain name, or A records for the endpoint ENI IP address in the zone you use. The edge nodes must use that DNS server; a node that still resolves these hostnames through public DNS bypasses the endpoint and the leased line.

For a list of domain names that edge nodes need to access, see Outbound traffic from edge nodes.

If you have an on-premises DNS server, configure a canonical name (CNAME) record that points each target domain name to the domain name provided by the endpoint. Alternatively, use PrivateZone to manage DNS resolution for the hybrid cloud environment; see Use an on-premises server to access Alibaba Cloud DNS. In either case, confirm from an edge node that every required hostname resolves to the endpoint address before you rely on the path.
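The following script is an added example, not code from the original page or from Alibaba Cloud. It ties the DNS step above to the IP-conflict point in the Background section: it resolves each service hostname through the on-premises CNAME overrides the way a resolver would, confirms the resulting address is the endpoint ENI inside the chosen vSwitch, and flags addresses that fall into an on-premises range such as 100.64.0.0/10. It also runs the pre-flight check that the vSwitch CIDR block itself does not overlap any on-premises range, and emits the CNAME records in BIND zone-file syntax. Every hostname, endpoint domain, IP address and CIDR block in it is a constructed placeholder; substitute the values shown in the Endpoints console and the hostnames listed in Outbound traffic from edge nodes.

```python
"""Offline check of on-premises DNS overrides for PrivateLink endpoints.

Added example; all names, addresses and CIDR blocks are constructed
placeholders, not values from the original page.
"""
import ipaddress

# Constructed sample of the records an on-premises DNS server would serve.
# CNAME: cloud service hostname -> domain name shown for the endpoint.
# A:     endpoint domain name   -> IP address of the endpoint ENI in the vSwitch.
RECORDS = {
    "acr.cloud.example.":                 ("CNAME", "ep-acr.zone-g.privatelink.example."),
    "apiserver.ack.cloud.example.":       ("CNAME", "ep-ack.zone-g.privatelink.example."),
    "ep-acr.zone-g.privatelink.example.": ("A", "172.16.10.7"),
    "ep-ack.zone-g.privatelink.example.": ("A", "172.16.10.9"),
    # A stale override still pointing into the 100.64.0.0/10 range (the conflict case).
    "sls.cloud.example.":                 ("A", "100.100.2.10"),
    # A CNAME loop, which a naive resolver would chase forever.
    "loop-a.example.":                    ("CNAME", "loop-b.example."),
    "loop-b.example.":                    ("CNAME", "loop-a.example."),
}

VSWITCH_CIDR = "172.16.10.0/24"                  # vSwitch that hosts the endpoint ENI (placeholder)
ONPREM_CIDRS = ["100.64.0.0/10", "10.20.0.0/16"]  # on-premises ranges (placeholders)


def fqdn(name):
    """Normalise a name to its fully qualified, dot-terminated form."""
    return name if name.endswith(".") else name + "."


def resolve(name, records=RECORDS, max_hops=8):
    """Follow CNAME records until an A record is reached and return its address.

    Raises LookupError for an unknown name and ValueError for a CNAME loop or a
    chain longer than max_hops, so a broken override never looks like success.
    """
    seen = []
    name = fqdn(name)
    for _ in range(max_hops):
        if name in seen:
            raise ValueError("CNAME loop: " + " -> ".join(seen + [name]))
        seen.append(name)
        rtype, rdata = records.get(name, (None, None))
        if rtype == "A":
            return rdata
        if rtype == "CNAME":
            name = fqdn(rdata)
            continue
        raise LookupError("no record for " + name)
    raise ValueError("CNAME chain longer than %d hops from %s" % (max_hops, seen[0]))


def is_resolvable(name, records=RECORDS):
    """True when the name resolves to an address without a loop or a gap."""
    try:
        resolve(name, records)
        return True
    except (LookupError, ValueError):
        return False


def check_endpoint_path(hostname, records=RECORDS, vswitch=VSWITCH_CIDR, onprem=ONPREM_CIDRS):
    """Verdict for one service hostname: the address it resolves to, whether that
    address is inside the endpoint vSwitch, and which on-premises ranges it collides with."""
    addr = ipaddress.ip_address(resolve(hostname, records))
    in_vswitch = addr in ipaddress.ip_network(vswitch)
    conflicts = [c for c in onprem if addr in ipaddress.ip_network(c)]
    return {"hostname": hostname, "address": str(addr), "in_vswitch": in_vswitch,
            "conflicts": conflicts, "ok": in_vswitch and not conflicts}


def vswitch_overlaps(vswitch=VSWITCH_CIDR, onprem=ONPREM_CIDRS):
    """Pre-flight for the Zone and vSwitch parameter: list every on-premises range
    the vSwitch CIDR block overlaps. Anything returned makes the endpoint ENI
    unreachable over the leased line."""
    net = ipaddress.ip_network(vswitch)
    return [c for c in onprem if net.overlaps(ipaddress.ip_network(c))]


def render_cnames(records=RECORDS, ttl=300):
    """Emit the CNAME overrides as BIND zone-file resource records."""
    return "\n".join("%s %d IN CNAME %s" % (name, ttl, target)
                     for name, (rtype, target) in sorted(records.items()) if rtype == "CNAME")


if __name__ == "__main__":
    print("vSwitch overlaps on-premises ranges:", vswitch_overlaps())
    for host in ("acr.cloud.example", "apiserver.ack.cloud.example", "sls.cloud.example"):
        print(check_endpoint_path(host))
    print(render_cnames())
```

Run it before cutting edge nodes over to the new DNS server: a hostname whose verdict is not "ok" either still points at the cloud service's own address range or resolves outside the vSwitch that hosts the endpoint ENI, and traffic for it will not take the PrivateLink path.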