
Container Service for Kubernetes: Node and network device configuration for public network access

Last Updated:Dec 24, 2025

This topic applies to edge nodes in an ACK Edge cluster that connect to the Container Service for Kubernetes (ACK) platform over the public network. It lists the public endpoints and ports that you must permit.

Required inbound ports for edge nodes

In an ACK Edge cluster, the control plane and monitoring components reach edge nodes from the cloud or from other nodes. You must open the following ports on the edge nodes to the host CIDR block of the edge nodes (not to 0.0.0.0/0).

Protocol: TCP
Port: 10250, 10255
Source (address or CIDR block): the host CIDR block of the edge nodes.
Notes: The API Server and Metrics Server access the kubelet ports. Because requests are proxied to edge nodes through the Raven component, allow access from the host CIDR block of the edge nodes.

Protocol: TCP
Port: 9100, 9445
Source (address or CIDR block): the host CIDR block of the edge nodes.
Notes: Prometheus accesses the Node-Exporter ports. Because requests are proxied through the Raven component, allow access from the host CIDR block of the edge nodes.

Protocol: UDP
Port: 8472
Source (address or CIDR block): the host CIDR block of the edge nodes.
Notes: Flannel VXLAN uses UDP port 8472 on the nodes to build the VXLAN tunnel. Allow access from the host CIDR block of the edge nodes.
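To make the inbound table checkable on a node, here is an added shell example (not from the ACK Edge documentation) that renders the five port rules above as iptables commands restricted to the edge-node host CIDR block, and audits an iptables-save dump for any of these ports that is accepted without a source restriction. The CIDR 10.0.0.0/16 and the sample ruleset are constructed values, and the iptables command form is an assumption about the firewall tooling on your node.

```shell
#!/bin/sh
# Added example, not part of the ACK Edge documentation.
# Renders the inbound allow rules for an edge node as iptables commands that
# are scoped to the host CIDR block of the edge nodes, and audits a saved
# ruleset for the same ports being open to the world.

# One "proto port" pair per line, exactly the ports the table lists.
edge_inbound_ports() {
    cat <<'EOF'
tcp 10250
tcp 10255
tcp 9100
tcp 9445
udp 8472
EOF
}

# Emit iptables commands that accept the listed ports only from $1 (a CIDR).
# The rules are printed, not applied, so they can be reviewed first.
gen_inbound_rules() {
    cidr="$1"
    edge_inbound_ports | while read -r proto port; do
        printf 'iptables -A INPUT -p %s --dport %s -s %s -j ACCEPT\n' \
            "$proto" "$port" "$cidr"
    done
}

# Audit helper: read iptables-save output on stdin and report every edge
# port that has an ACCEPT rule carrying no "-s <source>" restriction.
find_open_to_world() {
    ruleset=$(cat)
    edge_inbound_ports | while read -r proto port; do
        if printf '%s\n' "$ruleset" \
            | grep -E -- "-p $proto .*--dport $port .*-j ACCEPT" \
            | grep -qvE -- '-s [0-9]'; then
            printf 'OPEN_TO_WORLD %s %s\n' "$proto" "$port"
        fi
    done
}

# Constructed sample of iptables-save output (not real node data): the kubelet
# port is correctly scoped, node-exporter and VXLAN are open to everyone.
SAMPLE_RULESET='-A INPUT -s 10.0.0.0/16 -p tcp -m tcp --dport 10250 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9100 -j ACCEPT
-A INPUT -p udp -m udp --dport 8472 -j ACCEPT'

# EDGE_HOST_CIDR is an assumed variable; set it to your cluster's block.
gen_inbound_rules "${EDGE_HOST_CIDR:-10.0.0.0/16}"
printf '%s\n' "$SAMPLE_RULESET" | find_open_to_world
```

On a real node, replace the constructed sample with `iptables-save | find_open_to_world` to list the edge ports that are reachable from any source; each reported line is a port that should be narrowed to the host CIDR block.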

Required outbound public endpoints for edge nodes

You must add the public endpoints in the following table to an allowlist to ensure that your Internet Data Center (IDC) or edge devices can connect to the ACK Edge cluster. In these endpoints, {region} is the region ID of your cluster. For example, the region ID for Hangzhou is cn-hangzhou. For a list of region IDs, see Available regions.

Accessed object: Container service control plane
Public endpoint:
  • cs-anony.aliyuncs.com
  • cs-anony.{region}.aliyuncs.com
Port:
  • TCP 443 (for cluster versions 1.26 and later)
  • TCP 80 (for cluster versions earlier than 1.26)
Description: Container service management endpoint.

Accessed object: Component installation packages
Public endpoint: aliacs-k8s-{region}.oss-{region}.aliyuncs.com
Port:
  • TCP 443 (for cluster versions 1.26 and later)
  • TCP 80 and 443 (for cluster versions earlier than 1.26)
Description: The OSS download endpoint. Installation packages such as edgeadm, kubelet, CNI, the container runtime, and edgehub are downloaded from OSS.

Accessed object: API Server public endpoint
Public endpoint: Shown on the Basic Information tab of the cluster details page.
Port: TCP 6443
Description: Interacts with the kube-apiserver.

Accessed object: Tunnel-server public SLB (for cluster versions earlier than 1.26)
Public endpoint: The address of the Service kube-system/x-tunnel-server-svc in the cluster.
Port: TCP 10262, 10263
Description: Edge tunnel.

Accessed object: Raven cloud gateway SLB
Public endpoint: The addresses of the following Services in the cluster:
  • kube-system/x-raven-proxy-svc-gw-cloud-xxx
  • kube-system/x-raven-tunnel-svc-gw-cloud-xxx
Port:
  • TCP 10280 to 10284
  • UDP 4500
Description: Raven tunnel.

Accessed object: NTP
Public endpoint:
  • ntp1.aliyun.com
  • cn.ntp.org.cn
Port: UDP 123 (the standard NTP port)
Description: The address of the clock synchronization server. This endpoint is not required if you set the selfHostNtpServer parameter to true when you add the node, which indicates that you synchronize the node's time yourself.

Accessed object: System component image addresses
Public endpoint:
  • dockerauth.{region}.aliyuncs.com
    Important: If the region is cn-zhangjiakou, the corresponding Docker public endpoint must be changed to dockerauth-{region}.aliyuncs.com.
  • dockerauth-ee.{region}.aliyuncs.com
  • registry-{region}.ack.aliyuncs.com
Port: TCP 443
Description: Addresses required to pull system component images.

Accessed object: System tools
Public endpoint: Installed online; no extra domain names are required. Tools: net-tools, iproute, chrony (or ntpdate), crontabs, pciutils, socat, ebtables, iptables, conntrack-tools.
Port: Not applicable
Description: The system checks whether the required tools are installed on the node and installs any that are missing. The endpoint used for installation depends on the node's yum or apt source configuration.
  • On Ubuntu systems, apt-get is used.
  • On CentOS systems, yum is used.
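As an added example (not the documentation's own tooling), the following shell script expands the region-dependent endpoints above into protocol/host/port lines for a given region ID and cluster minor version, applying the version split and the cn-zhangjiakou dockerauth exception from the table, and can probe TCP reachability from the node with nc. The API Server address and the SLB addresses are cluster-specific and are not generated; the default region cn-hangzhou, the default version 1.28, the use of nc, and the REGION, CLUSTER_MINOR and RUN_CHECK variables are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ACK Edge documentation.
# Expands the public endpoints an edge node must reach, for a region ID and
# a cluster minor version, into "proto host port" lines, and optionally
# probes the TCP ones so that a missing allowlist entry shows up as FAIL.

# Print "proto host port" lines for region $1 and minor version $2
# (for example "cn-hangzhou" "1.28"). Port selection follows the table:
# clusters 1.26 and later use TCP 443 only for the control plane and OSS.
edge_outbound_endpoints() {
    region="$1"; minor="$2"
    # "1.26" -> 126 so that the version can be compared numerically
    vernum=$(printf '%s' "$minor" | awk -F. '{ print $1 * 100 + $2 }')
    cs_ports=443; oss_ports=443
    if [ "$vernum" -lt 126 ]; then
        cs_ports=80; oss_ports="80 443"
    fi
    for p in $cs_ports; do
        printf 'tcp cs-anony.aliyuncs.com %s\n' "$p"
        printf 'tcp cs-anony.%s.aliyuncs.com %s\n' "$region" "$p"
    done
    for p in $oss_ports; do
        printf 'tcp aliacs-k8s-%s.oss-%s.aliyuncs.com %s\n' "$region" "$region" "$p"
    done
    # Image registries; cn-zhangjiakou uses a hyphenated dockerauth host
    if [ "$region" = "cn-zhangjiakou" ]; then
        printf 'tcp dockerauth-%s.aliyuncs.com 443\n' "$region"
    else
        printf 'tcp dockerauth.%s.aliyuncs.com 443\n' "$region"
    fi
    printf 'tcp dockerauth-ee.%s.aliyuncs.com 443\n' "$region"
    printf 'tcp registry-%s.ack.aliyuncs.com 443\n' "$region"
    # NTP is optional when selfHostNtpServer=true; listed for completeness
    printf 'udp ntp1.aliyun.com 123\n'
    printf 'udp cn.ntp.org.cn 123\n'
}

# Probe each TCP "proto host port" line on stdin with nc (assumed to be
# installed); UDP entries are listed but not probed, since a UDP connect
# test says nothing about reachability.
check_endpoints() {
    while read -r proto host port; do
        if [ "$proto" != tcp ]; then
            printf 'SKIP %s %s %s\n' "$proto" "$host" "$port"
        elif nc -z -w 3 "$host" "$port" 2>/dev/null; then
            printf 'OK %s %s\n' "$host" "$port"
        else
            printf 'FAIL %s %s\n' "$host" "$port"
        fi
    done
}

# Assumed defaults; override them with your cluster's region ID and version.
REGION="${REGION:-cn-hangzhou}"
CLUSTER_MINOR="${CLUSTER_MINOR:-1.28}"
if [ "${RUN_CHECK:-0}" = 1 ]; then
    edge_outbound_endpoints "$REGION" "$CLUSTER_MINOR" | check_endpoints
else
    edge_outbound_endpoints "$REGION" "$CLUSTER_MINOR"
fi
```

Run it without arguments to get the allowlist for your firewall change request, or as `RUN_CHECK=1 REGION=cn-shanghai CLUSTER_MINOR=1.24 sh edge-endpoints.sh` on the edge node itself; any FAIL line is an endpoint that is still blocked on the path to the public network.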