This topic applies to edge nodes in an ACK Edge cluster that connect to the Container Service for Kubernetes (ACK) platform over the public network. It lists the public endpoints and ports that you must permit.
Required inbound ports for edge nodes
In an ACK Edge cluster, the control plane and monitoring components access edge nodes from the cloud or other nodes. You must open the following ports in the host CIDR block of the edge nodes.
| Protocol | Port | Source address or source CIDR block | Notes |
| --- | --- | --- | --- |
| TCP | 10250, 10255 | The host CIDR block of the edge nodes | The API server and Metrics Server access the kubelet ports. Because these requests are proxied to edge nodes through the Raven component, allow access from the host CIDR block of the edge nodes rather than from the public Internet. |
| TCP | 9100, 9445 | The host CIDR block of the edge nodes | Prometheus accesses the Node Exporter ports. Because these requests are proxied through the Raven component, allow access from the host CIDR block of the edge nodes. |
| UDP | 8472 | The host CIDR block of the edge nodes | Flannel VXLAN uses UDP port 8472 on each node to build the VXLAN tunnel. Allow access from the host CIDR block of the edge nodes. |
Required outbound public endpoints for edge nodes
You must add the public endpoints in the following table to an allowlist to ensure that your Internet Data Center (IDC) or edge devices can connect to the ACK Edge cluster. In these endpoints, {region} is the region ID of your cluster. For example, the region ID for Hangzhou is cn-hangzhou. For a list of region IDs, see Available regions.
| Accessed object | Public endpoint | Port | Description |
| --- | --- | --- | --- |
| Container service control plane | | | Container service management endpoint. |
| Component installation packages | aliacs-k8s-{region}.oss-{region}.aliyuncs.com | | The OSS download endpoint. Installation packages such as edgeadm, kubelet, CNI, the container runtime, and edgehub are downloaded from OSS. |
| API Server public endpoint | View this on the Basic Information tab of the cluster details page. | TCP 6443 | Interacts with the kube-apiserver. |
| Tunnel-server public SLB (for cluster versions earlier than 1.26) | View this in the cluster Service resources: kube-system/x-tunnel-server-svc | TCP 10262, 10263 | Edge tunnel. |
| Raven cloud gateway SLB | View this in the cluster Service resources: | | Raven tunnel. |
| NTP | ntp1.aliyun.com, cn.ntp.org.cn | UDP 123 (the standard NTP port) | The clock synchronization servers. This address is not required if you set the |
| System component image addresses | | TCP 443 | Addresses required for pulling system component images. |
| System tools | No extra domain names are required; the tools are installed online from the node's configured yum or apt source. Tools: net-tools, iproute, chrony (or ntpdate), crontabs, pciutils, socat, ebtables, iptables, conntrack-tools | Not applicable | The node is checked for these tools, and any that are missing are installed online, so the endpoint that must be reachable is whichever one the node's yum or apt source configuration points to. |
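The following preflight script is an added example for both tables above; it is not part of the ACK Edge documentation or of any Alibaba Cloud tool. It derives the OSS package endpoint from a region ID, generates iptables rules that open the required inbound ports only to the edge-node host CIDR (a constructed CIDR is used in the usage line), and tests outbound reachability of the API server (TCP 6443) and the NTP servers (UDP 123) with bash's `/dev/tcp` and `/dev/udp` so that no extra tools are needed. The API server address is passed in rather than derived, because the page says to read it from the console; the region-ID character set and the 48-byte NTP request are assumptions stated in the comments.

```bash
#!/usr/bin/env bash
# Added example (not from the ACK Edge docs). Assumes region IDs consist of
# lowercase letters, digits and hyphens (e.g. cn-hangzhou).
set -u

# Return 0 if the region ID has the documented shape, 1 otherwise.
valid_region() {
  case "$1" in
    ""|*[!a-z0-9-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the OSS download endpoint for a region, as listed in the table.
ack_edge_oss_endpoint() {
  valid_region "$1" || { echo "invalid region id: $1" >&2; return 1; }
  printf 'aliacs-k8s-%s.oss-%s.aliyuncs.com\n' "$1" "$1"
}

# Print iptables rules that open the required inbound ports only to the
# edge-node host CIDR. Printed, not applied, so you can review them first;
# apply with: edge_inbound_rules 10.0.0.0/16 | sh
edge_inbound_rules() {
  cidr="$1"
  for p in 10250 10255 9100 9445; do
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$p" "$cidr"
  done
  printf 'iptables -A INPUT -p udp --dport 8472 -s %s -j ACCEPT\n' "$cidr"
}

# TCP reachability: 0 if a connection opens within 5 s, 1 otherwise.
check_tcp() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# NTP reachability: send a 48-byte client request (first byte 0x1b =
# LI 0, version 3, mode 3) and require a reply of at least 48 bytes.
check_ntp() {
  n=$(timeout 5 bash -c "exec 3<>/dev/udp/$1/123
    { printf '\033'; head -c 47 /dev/zero; } >&3
    head -c 48 <&3 | wc -c" 2>/dev/null || echo 0)
  [ "${n:-0}" -ge 48 ]
}

# Run all outbound checks for a region and an API server host;
# prints one OK/FAIL line per check and returns 1 if any fails.
preflight() {
  region="$1"; api_host="$2"; rc=0
  oss=$(ack_edge_oss_endpoint "$region") || return 1
  for target in "$oss 443" "$api_host 6443"; do
    set -- $target
    if check_tcp "$1" "$2"; then echo "OK   tcp $1:$2"; else echo "FAIL tcp $1:$2"; rc=1; fi
  done
  for ntp in ntp1.aliyun.com cn.ntp.org.cn; do
    if check_ntp "$ntp"; then echo "OK   udp $ntp:123"; else echo "FAIL udp $ntp:123"; rc=1; fi
  done
  return $rc
}

# Usage (constructed values): generate inbound rules, then check outbound paths.
# edge_inbound_rules 10.0.0.0/16
# preflight cn-hangzhou <api-server-host-from-console>
```

The inbound rules deliberately take a source CIDR instead of accepting from anywhere, which is the point of the first table: the kubelet and Node Exporter ports are reached through Raven from the edge host CIDR, so nothing outside it needs them. The OSS check uses port 443 as an assumption, since the table leaves that cell blank.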