This topic applies to ACK Edge clusters where edge nodes (on-premises nodes) connect to the Alibaba Cloud Container Service platform over the public network. It lists the ports and domains that must be allowed on your firewall or security group.
In the tables below, {region} is the region ID of your cluster — for example, cn-hangzhou for the China (Hangzhou) region. For a full list of region IDs, see Regions and zones.
Inbound ports on edge nodes
The control plane and monitoring components access edge nodes from the cloud or from other nodes in the cluster. Allow the following inbound ports from the host CIDR block of each edge node.
| Protocol | Port | Source | Purpose |
|---|---|---|---|
| TCP | 10250, 10255 | Host CIDR block of the edge node | API Server and Metrics Server access the kubelet port. Traffic is proxied to the edge node by the Raven component. |
| TCP | 9100, 9445 | Host CIDR block of the edge node | Prometheus accesses the Node-Exporter port. Traffic is proxied by the Raven component. |
| UDP | 8472 | Host CIDR block of the edge node | Flannel VXLAN uses this port to build a VXLAN tunnel. |
Outbound access from edge nodes
Edge nodes must reach the following endpoints. The required access varies depending on whether the node is being installed or already running.
During node installation and upgrade
Allow access to the following endpoints when installing or upgrading edge node components. These endpoints are only needed while components are being installed or upgraded.
| Access object | Public endpoint | Port | Description |
|---|---|---|---|
| Component packages | aliacs-k8s-{region}.oss-{region}.aliyuncs.com | TCP 443 (v1.26 or later)<br>TCP 80 and 443 (earlier than v1.26) | Downloads installation packages from OSS, including edgeadm, kubelet, CNI, runtime, and edgehub. |
| System tools | No extra domains required | N/A | Installs prerequisite tools if they are not already present on the node: net-tools, iproute, chrony (or ntpdate), crontabs, pciutils, socat, ebtables, iptables, and conntrack-tools. Ubuntu uses apt-get; CentOS uses yum. The endpoint depends on your node's package manager source configuration. |
During ongoing cluster operations
Allow access to the following endpoints at all times while the cluster is running.
| Access object | Public endpoint | Port | Description |
|---|---|---|---|
| Container Service control plane | cs-anony.aliyuncs.com<br>cs-anony.{region}.aliyuncs.com | TCP 443 (v1.26 or later)<br>TCP 80 (earlier than v1.26) | Container Service management endpoint. |
| API Server | See Find the API Server endpoint | TCP 6443 | Used for all interaction with kube-apiserver. |
| Raven cloud gateway SLB | See Find the Raven cloud gateway endpoints | TCP 10280–10284<br>UDP 4500 | Raven tunnel. |
| Tunnel server SLB (clusters earlier than v1.26 only) | See Find the tunnel server endpoint | TCP 10262, 10263 | Edge tunnel (deprecated in v1.26 and later). |
| System component images | dockerauth.{region}.aliyuncs.com<br>dockerauth-ee.{region}.aliyuncs.com<br>registry-{region}.ack.aliyuncs.com | TCP 443 | Required to pull system component images. |
| NTP | ntp1.aliyun.com<br>cn.ntp.org.cn | Typically UDP 123 | Clock synchronization. Not required if you set selfHostNtpServer to true during node registration (this setting indicates that you have already synchronized the clock manually). |
For the China (Zhangjiakou) region, replace dockerauth.{region}.aliyuncs.com with dockerauth-{region}.aliyuncs.com (hyphen instead of dot before the region).
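The two outbound tables above (installation and ongoing operations) can be turned into a concrete allowlist for a given region and Kubernetes version. The following is an added example, not code from the ACK documentation or product: it applies the {region} substitution, the v1.26 port cut-over, the Zhangjiakou dockerauth hostname exception, and the selfHostNtpServer option, and leaves labelled placeholders for the per-cluster endpoints that must be looked up separately. It assumes the region ID for China (Zhangjiakou) is cn-zhangjiakou, and the iptables rendering is an assumed, illustrative output format.

```python
"""Build the outbound allowlist for an ACK Edge node from the endpoint tables."""
from typing import List, Tuple

Rule = Tuple[str, int, str]  # (protocol, port, destination host)


def parse_k8s_version(version: str) -> Tuple[int, int]:
    """'v1.26.3-aliyun.1' -> (1, 26); only major.minor matters for the v1.26 cut-over."""
    core = version.lstrip("v").split("-")[0].split(".")
    return int(core[0]), int(core[1])


def edge_egress_rules(region: str, version: str, installing: bool = False,
                      self_host_ntp: bool = False) -> List[Rule]:
    pre_126 = parse_k8s_version(version) < (1, 26)
    rules: List[Rule] = []
    if installing:
        # Component packages on OSS: TCP 80 and 443 before v1.26, TCP 443 only afterwards.
        oss = f"aliacs-k8s-{region}.oss-{region}.aliyuncs.com"
        rules += [("tcp", p, oss) for p in ([80, 443] if pre_126 else [443])]
    # Container Service control plane: TCP 80 before v1.26, TCP 443 afterwards.
    for host in ("cs-anony.aliyuncs.com", f"cs-anony.{region}.aliyuncs.com"):
        rules.append(("tcp", 80 if pre_126 else 443, host))
    # System component registries. China (Zhangjiakou) (assumed ID cn-zhangjiakou)
    # uses a hyphen instead of a dot before the region in the dockerauth host.
    auth_sep = "-" if region == "cn-zhangjiakou" else "."
    for host in (f"dockerauth{auth_sep}{region}.aliyuncs.com",
                 f"dockerauth-ee.{region}.aliyuncs.com",
                 f"registry-{region}.ack.aliyuncs.com"):
        rules.append(("tcp", 443, host))
    if not self_host_ntp:  # skipped when selfHostNtpServer=true at registration
        for host in ("ntp1.aliyun.com", "cn.ntp.org.cn"):
            rules.append(("udp", 123, host))
    # Per-cluster endpoints are assigned per cluster and looked up in the console
    # or with kubectl; the placeholders must be replaced with those addresses.
    rules.append(("tcp", 6443, "<API_SERVER_ENDPOINT>"))
    rules += [("tcp", p, "<RAVEN_GATEWAY_SLB>") for p in range(10280, 10285)]
    rules.append(("udp", 4500, "<RAVEN_GATEWAY_SLB>"))
    if pre_126:  # tunnel server SLB exists only in clusters earlier than v1.26
        rules += [("tcp", p, "<TUNNEL_SERVER_SLB>") for p in (10262, 10263)]
    return rules


def to_iptables(rules: List[Rule]) -> List[str]:
    """Render rules as iptables OUTPUT lines (assumed format; hostnames resolve at load time)."""
    return [f"iptables -A OUTPUT -p {proto} -d {host} --dport {port} -j ACCEPT"
            for proto, port, host in rules]


if __name__ == "__main__":
    for line in to_iptables(edge_egress_rules("cn-hangzhou", "v1.26.3-aliyun.1")):
        print(line)
```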
Find dynamic endpoints
The API Server endpoint, Raven cloud gateway SLB addresses, and tunnel server SLB address are assigned per cluster. Use the following methods to look them up.
Find the API Server endpoint
On the cluster details page in the ACK console, go to the Basic Information tab. The public API Server endpoint is listed there.
Find the Raven cloud gateway endpoints
Run the following commands to look up the Raven cloud gateway Services in the kube-system namespace:
kubectl get svc -n kube-system x-raven-proxy-svc-gw-cloud-xxx
kubectl get svc -n kube-system x-raven-tunnel-svc-gw-cloud-xxx
The EXTERNAL-IP column shows the SLB address to allow.
Find the tunnel server endpoint (clusters earlier than v1.26)
kubectl get svc -n kube-system x-tunnel-server-svc
The EXTERNAL-IP column shows the SLB address to allow.