Alibaba Cloud Container Service for Kubernetes (ACK) Edge allows you to integrate servers from your on-premises data center as nodes in your cluster, connecting them over a dedicated private connection. Before these servers can be joined to the cluster, you must correctly configure your underlying network infrastructure. This topic describes how to configure the necessary network devices in a dedicated connection environment. Following these steps will help you establish a reliable, secure, and high-speed private communication channel between your on-premises data center and your cloud virtual private cloud (VPC).
Network architecture
Network topology of the data center
The data center network in the topology figure above is built on a three-tier architecture: servers and access switches form Layer 2 LANs, and multiple Layer 2 LANs are aggregated into one Layer 3 routing domain at the core switch, giving a single on-premises network. In this example, the private CIDR block of the data center is 10.0.0.0/8.
VPC topology
VPCs are deployed on top of virtualized networks. Compute instances such as Elastic Compute Service (ECS) instances and elastic container instances in a VPC communicate with each other through the vSwitches of the VPC. Some Alibaba Cloud services (for example OSS internal endpoints and the Container Registry endpoints listed later in this topic) are served from 100.0.0.0/8, which is reachable from the vSwitches of a VPC by default.
Dedicated connection network
Alibaba Cloud provides dedicated access points in various regions. To minimize latency, select the access point that is physically closest to your data center. See Access point locations for details. The connection runs from your data center core switch, through a network firewall, to a virtual border router (VBR) at an Alibaba Cloud Express Connect access point. You then use either an Express Connect Router (ECR) or a Cloud Enterprise Network (CEN) instance to link the VBR to your Alibaba Cloud VPC, which gives you a private, high-speed path between the two networks.
Configure network
This topic assumes that the Layer 3 configuration of the data center core switch and its subnets is already complete, and that the core switch can reach every server subnet.
Throughout this topic, the two directions are named from the data center's point of view:
Inbound route: carries traffic from the data center to the VPC or to cloud services.
Outbound route: carries traffic from the VPC back to the data center.
Sample network configurations
VPC CIDR block: 192.168.0.0/16.
Data center CIDR block: 10.0.0.0/8.
CIDR block of cloud services and products: 100.0.0.0/8.
CIDR block of edge containers: 172.16.0.0/12. You must specify the CIDR block of edge containers if the ACK Edge cluster uses the Terway Edge plug-in.
ACK Edge clusters have the following dependencies in the China (Hangzhou) region:
Object Storage Service (OSS): 100.118.28.0/24, 100.114.102.0/24, 100.98.170.0/24, and 100.118.31.0/24.
Container Registry: 100.103.9.188/32 and 100.103.7.181/32.
ACK Management: The domain name is cs-anony-vpc.cn-hangzhou.aliyuncs.com. We recommend that you resolve the domain name in the VPC. In this example, the resolution result is 100.103.42.233.
The following sections describe how to configure your network based on the example topology above, using the 100.0.0.0/8 CIDR block to represent Alibaba Cloud services. If you find this IP range to be too broad, you can replace it with the specific IP ranges required by ACK Edge. For a complete list of these ranges, see Endpoints and corresponding route CIDR blocks in dedicated connection mode. The remainder of this topic will continue to use the 100.0.0.0/8 range for demonstration purposes.
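Before touching any device, it is worth checking the address plan itself: the four CIDR blocks must not overlap, and if you replace the broad 100.0.0.0/8 route with the specific service blocks, every address the edge nodes depend on must still be covered. The following script is an added example, not code from the ACK Edge documentation; it uses the sample blocks and the China (Hangzhou) dependency addresses from this topic, and all function and variable names are this example's own.

```python
"""Validate the route plan for an ACK Edge dedicated connection.

Added example (not part of the ACK Edge documentation). It uses the sample
CIDR blocks of this topic and the China (Hangzhou) dependency addresses listed
above; every function name here is this example's own.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Sample network plan from this topic.
PLAN: Dict[str, str] = {
    "vpc": "192.168.0.0/16",
    "data_center": "10.0.0.0/8",
    "cloud_services": "100.0.0.0/8",
    "edge_containers": "172.16.0.0/12",  # required only with Terway Edge
}

# Fine-grained China (Hangzhou) dependencies listed above: OSS VIP blocks,
# Container Registry addresses and the resolved cs-anony-vpc address.
HANGZHOU_SERVICE_ROUTES: List[str] = [
    "100.118.28.0/24", "100.114.102.0/24", "100.98.170.0/24", "100.118.31.0/24",
    "100.103.9.188/32", "100.103.7.181/32",
    "100.103.42.233/32",
]


def find_overlaps(cidrs: Iterable[str]) -> List[Tuple[str, str]]:
    """Every pair of blocks that overlap. The data center, VPC, edge container
    and cloud service ranges must be disjoint, or return traffic is routed to
    the wrong side of the connection."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]


def uncovered(addresses: Iterable[str], routes: Iterable[str]) -> List[str]:
    """Addresses that none of the configured routes would carry across the
    dedicated connection (a bare host address is treated as a /32)."""
    nets = [ipaddress.ip_network(r) for r in routes]
    return [
        a for a in addresses
        if not any(ipaddress.ip_network(a).subnet_of(n) for n in nets)
    ]


def narrow_service_routes(specific: Iterable[str], broad: str = "100.0.0.0/8") -> List[str]:
    """Collapse the fine-grained service blocks into the minimal route set that
    replaces the broad block, rejecting any entry that lies outside it (a typo
    there would silently route part of some other network into the cloud)."""
    broad_net = ipaddress.ip_network(broad)
    nets = [ipaddress.ip_network(s) for s in specific]
    outside = [str(n) for n in nets if not n.subnet_of(broad_net)]
    if outside:
        raise ValueError(f"not inside {broad}: {outside}")
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def validate_plan(plan: Dict[str, str], service_routes: Iterable[str],
                  required_addresses: Iterable[str]) -> Dict[str, list]:
    """Run all checks and return the findings; an empty dict means the plan is
    consistent. required_addresses are hosts the edge nodes must reach after
    the broad service route has been narrowed."""
    findings: Dict[str, list] = {}
    overlaps = find_overlaps(plan.values())
    if overlaps:
        findings["overlapping_blocks"] = overlaps
    narrowed = narrow_service_routes(service_routes, plan["cloud_services"])
    missing = uncovered(required_addresses, narrowed + [plan["vpc"]])
    if missing:
        findings["unreachable_with_narrowed_routes"] = missing
    return findings


if __name__ == "__main__":
    # Example run with the Hangzhou addresses from this topic.
    print("overlaps:", find_overlaps(PLAN.values()))
    print("narrowed routes:", narrow_service_routes(HANGZHOU_SERVICE_ROUTES))
    print("findings:", validate_plan(PLAN, HANGZHOU_SERVICE_ROUTES,
                                     ["100.103.42.233", "100.103.9.188", "192.168.3.4"]))
```

The narrowed list is what you would enter as inbound routes on the core switch, VBR and ECR/CEN instance instead of 100.0.0.0/8; rerun the coverage check whenever the region's endpoint tables change, because an address that falls outside the routes is unreachable rather than merely slow.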
Configure the data center core switch
Parameter | Description | Usage notes |
Inbound route | Add routes for the VPC CIDR block (192.168.0.0/16) and the cloud service CIDR block (100.0.0.0/8) that the data center needs to reach, with the next hop pointing toward the network firewall and the VBR. The VBR is in turn associated with an ECR or CEN instance that connects to the VPC. | If your ACK Edge cluster uses the Terway Edge plug-in, configure Border Gateway Protocol (BGP) on the data center core switch and the access switches so that Terway Edge can advertise container routes to them. For more information, see Usage guide for Terway Edge and Use Terway Edge to implement container communication. |
Outbound route | Route packets arriving from the VBR to the data center servers. Make sure that the server subnets are already configured on the core switch. | None. |
Configure the data center network firewall
Parameter | Description | Usage notes |
Outbound | Allow traffic from the data center to the VPC CIDR block (192.168.0.0/16) and the cloud service CIDR block (100.0.0.0/8). For fine-grained control in the China (Hangzhou) region, allow only the OSS, Container Registry, and ACK management addresses listed under the ACK Edge dependencies above instead of the whole 100.0.0.0/8 block. | If your ACK Edge cluster uses the Flannel plug-in, the firewall must also allow outbound and inbound traffic on UDP port 8472. |
Inbound | Allow traffic from the VPC CIDR block (192.168.0.0/16) and the cloud service CIDR block (100.0.0.0/8) to the data center. For fine-grained control, allow those sources to reach only TCP ports 10250 and 10255 (kubelet) and TCP ports 9100 and 9445 (Node-Exporter) on the edge nodes; see Inbound port requirements for edge nodes. | None. |
Configure the VBR
Parameter | Description | Usage notes |
Inbound route | Specify an inbound route to route packets to the VPC CIDR block (192.168.0.0/16) and the cloud service CIDR block (100.0.0.0/8). You can configure VPC direct connection, ECRs, or CEN instances. For more information, see Express Connect. | None. |
Outbound route | Configure an outbound route to route packets to the data center CIDR block (10.0.0.0/8) and the data center core switch by using Express Connect and the network firewall of the data center. | If your ACK Edge cluster uses the Terway Edge plug-in, you must specify an outbound route on the VBR and specify the CIDR block of edge containers (172.16.0.0/12) in the outbound route. |
Configure the ECR or CEN instance
Parameter | Description | Usage notes |
Inbound route | Add an inbound route to the transit router route table of the ECR or CEN instance to route packets to the VPC CIDR block (192.168.0.0/16) and the cloud service CIDR block (100.0.0.0/8). | None. |
Outbound route | Add an outbound route to the transit router route table of the ECR or CEN instance to route packets to the data center CIDR block (10.0.0.0/8) through the VBR. | If your ACK Edge cluster uses the Terway Edge plug-in, you must specify an outbound route for the ECR or CEN instance to route packets to the CIDR block of edge containers (172.16.0.0/12). |
Configure the VPC route table
Parameter | Description | Usage notes |
Inbound route | No configuration is required. The system routes of the VPC already deliver traffic that arrives from the data center to the destination vSwitch. | None. |
Outbound route | Add a route to the VPC route table for the data center CIDR block (10.0.0.0/8) with the CEN instance or ECR as the next hop; from there the traffic reaches the VBR and crosses the dedicated connection. | If your ACK Edge cluster uses the Terway Edge plug-in, also add a route for the CIDR block of edge containers (172.16.0.0/12). |
Configure the VPC security group
Parameter | Description | Usage notes |
Outbound | Allow outbound traffic to the data center CIDR block (10.0.0.0/8). For fine-grained control, allow only TCP ports 10250 and 10255 (kubelet) and TCP ports 9100 and 9445 (Node-Exporter) on the edge nodes. | If your ACK Edge cluster uses the Flannel plug-in, the security group must also allow outbound and inbound traffic on UDP port 8472. |
Inbound | Allow inbound traffic from the data center CIDR block (10.0.0.0/8). For fine-grained control, allow only TCP port 6443 (API server). | None. |
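The firewall and security group sections above describe the same small set of flows from two sides, and the practical risk is a rule that is broader than listed (any port, any source) or a Flannel rule left in place on a Terway Edge cluster. The script below is an added example, not code from the ACK Edge documentation or from any firewall vendor: it builds default-deny rule sets for both devices from the ports and CIDR blocks in this topic, narrows sources to the VPC CIDR block as the inbound port table recommends, and evaluates constructed sample packets against them. The Rule class, function names and sample addresses are this example's own.

```python
"""Default-deny rule sets for the data center firewall and the VPC security
group, built from the port lists in this topic.

Added example (not ACK Edge or vendor code). The Rule class, the function
names and the sample packets in main are this example's own; the CIDR blocks
and ports are the ones this topic specifies.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

VPC = "192.168.0.0/16"
DATA_CENTER = "10.0.0.0/8"


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp" or "udp"
    src: str               # source CIDR block
    dst: str               # destination CIDR block
    ports: FrozenSet[int]  # allowed destination ports
    note: str              # what the rule is for

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (
            proto == self.proto
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
            and dport in self.ports
        )


def _vpc_to_nodes(plugin: str, vpc: str, dc: str) -> List[Rule]:
    """Cloud-to-edge-node flows. The same list serves as the data center
    firewall's inbound rules and as the security group's outbound rules."""
    rules = [
        Rule("tcp", vpc, dc, frozenset({10250, 10255}), "kubelet"),
        Rule("tcp", vpc, dc, frozenset({9100, 9445}), "Node-Exporter"),
    ]
    if plugin == "flannel":  # VXLAN is only needed with the Flannel plug-in
        rules.append(Rule("udp", vpc, dc, frozenset({8472}), "Flannel VXLAN"))
    return rules


def firewall_inbound(plugin: str, vpc: str = VPC, dc: str = DATA_CENTER) -> List[Rule]:
    """Rules the data center firewall needs for traffic arriving from the VPC.
    plugin is "flannel" or "terway-edge"."""
    return _vpc_to_nodes(plugin, vpc, dc)


def security_group_outbound(plugin: str, vpc: str = VPC, dc: str = DATA_CENTER) -> List[Rule]:
    """Rules the VPC security group needs for traffic leaving toward the nodes."""
    return _vpc_to_nodes(plugin, vpc, dc)


def security_group_inbound(plugin: str, vpc: str = VPC, dc: str = DATA_CENTER) -> List[Rule]:
    """Rules the VPC security group needs for traffic arriving from the nodes."""
    rules = [Rule("tcp", dc, vpc, frozenset({6443}), "API server")]
    if plugin == "flannel":
        rules.append(Rule("udp", dc, vpc, frozenset({8472}), "Flannel VXLAN"))
    return rules


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str, dport: int) -> Optional[Rule]:
    """Return the first rule that admits the packet, or None (deny by default)."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule
    return None


def render(rules: List[Rule]) -> List[str]:
    """Vendor-neutral one-line form of each rule, for transcribing into the
    firewall or security group console."""
    return [
        f"allow {r.proto} {r.src} -> {r.dst} dport {','.join(map(str, sorted(r.ports)))}  # {r.note}"
        for r in rules
    ]


if __name__ == "__main__":
    fw = firewall_inbound("flannel")
    for line in render(fw):
        print(line)
    # Constructed sample packets: a kubelet scrape from a VPC address, and an
    # SSH attempt from the same address that no rule admits.
    print(evaluate(fw, "tcp", "192.168.1.10", "10.2.3.4", 10250))
    print(evaluate(fw, "tcp", "192.168.1.10", "10.2.3.4", 22))
```

Evaluation is first match with an implicit deny, which is how both the data center firewall and the security group should be configured; if your firewall has a permissive default policy, the listed rules alone do not give you this behaviour.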
Inbound port requirements for edge nodes
The following table lists the ports that must be opened for inbound traffic on your edge nodes to allow access from the cloud-side VPC.
Protocol | Ports | Source | Description |
TCP | 10250, 10255 | The CIDR block of your VPC. (Optional) For fine-grained control, restrict the source to the vSwitch CIDR blocks used by your cluster. | The cloud-side control plane reaches the kubelet on each edge node through port 10250 (kubelet API) and port 10255 (read-only port). Port 10255 serves without authentication, so keep its source restricted. |
TCP | 9100, 9445 | The CIDR block of your VPC. (Optional) For fine-grained control, restrict the source to the vSwitch CIDR blocks used by your cluster. | Prometheus scrapes monitoring data from the Node-Exporter service on each node through ports 9100 and 9445. |
UDP | 8472 | The CIDR blocks of your VPC and your nodes. Required only if you use the Flannel network plug-in. | Flannel uses UDP port 8472 on each node to build its VXLAN overlay network for cross-node pod communication. |
Outbound domain names and ports for edge nodes
For edge nodes in dedicated connection mode, you must allow access to specific domain names and ports. In the endpoints, {region} represents the ID of the region where the cluster is located. For example, the region ID for the Hangzhou region is cn-hangzhou. For a list of region IDs, see Supported regions.
Destination | Endpoint for dedicated connection | Port | Description |
Container Service control plane | cs-anony-vpc.{region}.aliyuncs.com | | The control plane endpoint. Resolve it inside the VPC so that the address falls within the routed cloud service CIDR block; in the China (Hangzhou) example above it resolves to 100.103.42.233. |
OSS installation package | aliacs-k8s-{region}.oss-{region}-internal.aliyuncs.com | | The OSS download endpoint for add-on installation packages such as edgeadm, kubelet, the Container Network Interface (CNI) plug-in, the container runtime, and edgehub. Route the OSS internal VIP CIDR blocks of the region (see OSS internal endpoints and VIP CIDR blocks below). |
API server internal endpoint | Shown on the Basic Information tab of the cluster details page. | TCP 6443 | The internal address of the cluster API server. |
NTP | ntp1.aliyun.com, cn.ntp.org.cn | UDP 123 (NTP). | The address of the NTP server. If you configure the |
System add-on image registry endpoint | registry-{region}-vpc.ack.aliyuncs.com | TCP 443 | Endpoints for system add-on images. For the route CIDR blocks of each regional endpoint, see Endpoints and corresponding route CIDR blocks in dedicated connection mode. |
System tools | Installed from the YUM or APT repositories of the node (no extra domain names required): net-tools, iproute, chrony (or ntpdate), crontabs, pciutils, socat, ebtables, iptables, conntrack-tools | Not available | The system checks whether these tools are installed on the node to be added and installs any that are missing; the download addresses are determined by the YUM or APT repositories configured on the node. |
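A recurring failure when joining edge nodes is that an endpoint resolves through the data center's public resolver to an address that is not covered by the routes above, or that a port is filtered somewhere on the path. The pre-join check below is an added example, not a tool shipped with ACK Edge: it expands the endpoint templates from the table above for a region ID, resolves each name, verifies the address against the routes this topic configures and, where the table states a port, tries a TCP connection. Ports the table leaves blank are kept as None and those endpoints get only the resolution and route checks. The resolve and connect callables are injectable so the logic can be exercised offline against constructed answers; the defaults use the real socket calls. The API server address is passed in because it is cluster-specific, and the NTP servers are left out because a UDP probe proves nothing either way.

```python
"""Pre-join connectivity check for an edge node in dedicated connection mode.

Added example, not a tool shipped with ACK Edge. Endpoint templates and ports
come from the outbound table above; function names, the result layout and the
sample values in main are this example's own.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

# Routes this topic configures toward the cloud. A resolved address outside
# them (for example a public address returned by an external resolver) will
# not cross the dedicated connection.
CLOUD_ROUTES = ["100.0.0.0/8", "192.168.0.0/16"]


def required_endpoints(region: str, api_server: str) -> List[Dict]:
    """Endpoints an edge node must reach, expanded for the given region ID.
    Ports the table does not state are None."""
    return [
        {"name": "Container Service control plane",
         "host": f"cs-anony-vpc.{region}.aliyuncs.com", "port": None},
        {"name": "OSS installation packages",
         "host": f"aliacs-k8s-{region}.oss-{region}-internal.aliyuncs.com", "port": None},
        {"name": "add-on image registry",
         "host": f"registry-{region}-vpc.ack.aliyuncs.com", "port": 443},
        {"name": "API server", "host": api_server, "port": 6443},
    ]


def on_route(ip: str, routes: List[str] = CLOUD_ROUTES) -> bool:
    """True if the address is covered by a route toward the cloud."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in routes)


def _tcp_connect(ip: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: can a TCP connection be opened to ip:port?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(region: str, api_server: str,
              resolve: Callable[[str], str] = socket.gethostbyname,
              connect: Callable[[str, int], bool] = _tcp_connect) -> List[Dict]:
    """Resolve each endpoint, check its address against the cloud routes and,
    where a port is known, try a TCP connection. A result has ok=True only
    when every check that applies to it passed."""
    results = []
    for ep in required_endpoints(region, api_server):
        r = dict(ep, ip=None, on_route=False, reachable=None, ok=False)
        try:
            r["ip"] = resolve(ep["host"])
        except OSError:  # socket.gaierror is an OSError
            results.append(r)
            continue
        r["on_route"] = on_route(r["ip"])
        if ep["port"] is not None:
            r["reachable"] = connect(r["ip"], ep["port"])
        r["ok"] = r["on_route"] and r["reachable"] is not False
        results.append(r)
    return results


def failures(results: List[Dict]) -> List[str]:
    """One human-readable line for every endpoint that did not pass."""
    out = []
    for r in results:
        if r["ok"]:
            continue
        if r["ip"] is None:
            out.append(f"{r['name']}: {r['host']} does not resolve")
        elif not r["on_route"]:
            out.append(f"{r['name']}: {r['host']} resolved to {r['ip']}, "
                       f"which is not covered by {CLOUD_ROUTES}")
        else:
            out.append(f"{r['name']}: no TCP connection to {r['ip']}:{r['port']}")
    return out


if __name__ == "__main__":
    import sys
    # Usage: python preflight.py <region-id> <api-server-address>; the defaults
    # below are constructed placeholders, not real cluster values.
    region = sys.argv[1] if len(sys.argv) > 1 else "cn-hangzhou"
    api_server = sys.argv[2] if len(sys.argv) > 2 else "192.168.10.20"
    for line in failures(preflight(region, api_server)) or ["all checks passed"]:
        print(line)
```

Run it on the edge node itself, using the node's own resolver, since that is the path edgeadm will take; a result that resolves but is reported as off-route points at DNS (use the VPC-internal resolution this topic recommends), while a resolved, on-route address that does not connect points at a missing route or a firewall rule.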
Endpoints and corresponding route CIDR blocks in dedicated connection mode
Devices in a data center can access ACK add-on image registry endpoints over an internal network. Connect your data center to the VPC internal network using CEN, Express Connect, dedicated connection, or VPN. After the connection is established, configure routes to the ACK add-on image registry endpoints. Since images are stored in OSS, you must also configure routes for the OSS CIDR blocks. The following tables list the mappings between endpoints and route CIDR blocks in the dedicated connection mode.
ACK add-on internal image registry endpoints and route CIDR blocks
Public cloud
Region | Region ID | VPC endpoint | Route |
China (Hangzhou) | cn-hangzhou | registry-cn-hangzhou-vpc.ack.aliyuncs.com | 100.103.9.188/32 100.103.7.181/32 |
China (Shanghai) | cn-shanghai | registry-cn-shanghai-vpc.ack.aliyuncs.com | 100.103.94.158/32 100.103.7.57/32 100.100.80.231/32 |
China (Fuzhou - Local Region) | cn-fuzhou | registry-cn-fuzhou-vpc.ack.aliyuncs.com | 100.100.0.43/32 100.100.0.28/32 |
China (Qingdao) | cn-qingdao | registry-cn-qingdao-vpc.ack.aliyuncs.com | 100.100.0.172/32 100.100.0.207/32 |
China (Beijing) | cn-beijing | registry-cn-beijing-vpc.ack.aliyuncs.com | 100.103.99.73/32 100.103.0.251/32 100.103.6.63/32 |
China (Zhangjiakou) | cn-zhangjiakou | registry-cn-zhangjiakou-vpc.ack.aliyuncs.com | 100.100.1.179/32 100.100.80.152/32 |
China (Hohhot) | cn-huhehaote | registry-cn-huhehaote-vpc.ack.aliyuncs.com | 100.100.0.194/32 100.100.80.55/32 |
China (Ulanqab) | cn-wulanchabu | registry-cn-wulanchabu-vpc.ack.aliyuncs.com | 100.100.0.122/32 100.100.0.58/32 |
China (Shenzhen) | cn-shenzhen | registry-cn-shenzhen-vpc.ack.aliyuncs.com | 100.103.96.139/32 100.103.6.153/32 100.103.26.52/32 |
China (Heyuan) | cn-heyuan | registry-cn-heyuan-vpc.ack.aliyuncs.com | 100.100.0.150/32 100.100.0.193/32 |
China (Guangzhou) | cn-guangzhou | registry-cn-guangzhou-vpc.ack.aliyuncs.com | 100.100.0.101/32 100.100.0.21/32 |
China (Chengdu) | cn-chengdu | registry-cn-chengdu-vpc.ack.aliyuncs.com | 100.100.0.48/32 100.100.0.64/32 |
Zhengzhou (CUCC Joint Venture) | cn-zhengzhou-jva | registry-cn-zhengzhou-jva-vpc.ack.aliyuncs.com | 100.100.0.111/32 100.100.0.84/32 |
China (Hong Kong) | cn-hongkong | registry-cn-hongkong-vpc.ack.aliyuncs.com | 100.103.85.19/32 100.100.80.157/32 |
US (Silicon Valley) | us-west-1 | registry-us-west-1-vpc.ack.aliyuncs.com | 100.103.13.55/32 100.100.80.93/32 |
US (Virginia) | us-east-1 | registry-us-east-1-vpc.ack.aliyuncs.com | 100.103.12.19/32 100.100.80.11/32 |
Japan (Tokyo) | ap-northeast-1 | registry-ap-northeast-1-vpc.ack.aliyuncs.com | 100.100.0.167/32 100.100.80.198/32 |
South Korea (Seoul) | ap-northeast-2 | registry-ap-northeast-2-vpc.ack.aliyuncs.com | 100.100.0.71/32 100.100.0.33/32 |
Singapore | ap-southeast-1 | registry-ap-southeast-1-vpc.ack.aliyuncs.com | 100.103.103.254/32 100.100.80.136/32 |
Malaysia (Kuala Lumpur) | ap-southeast-3 | registry-ap-southeast-3-vpc.ack.aliyuncs.com | 100.100.0.17/32 100.100.80.137/32 |
Indonesia (Jakarta) | ap-southeast-5 | registry-ap-southeast-5-vpc.ack.aliyuncs.com | 100.100.0.226/32 100.100.80.200/32 |
Philippines (Manila) | ap-southeast-6 | registry-ap-southeast-6-vpc.ack.aliyuncs.com | 100.100.0.75/32 100.100.0.24/32 |
Thailand (Bangkok) | ap-southeast-7 | registry-ap-southeast-7-vpc.ack.aliyuncs.com | 100.100.0.62/32 100.100.0.34/32 |
Germany (Frankfurt) | eu-central-1 | registry-eu-central-1-vpc.ack.aliyuncs.com | 100.100.0.92/32 100.100.80.155/32 |
UK (London) | eu-west-1 | registry-eu-west-1-vpc.ack.aliyuncs.com | 100.100.0.175/32 100.100.0.18/32 |
SAU (Riyadh - Partner Region) | me-central-1 | registry-me-central-1-vpc.ack.aliyuncs.com | 100.100.0.109/32 100.100.0.18/32 |
OSS internal endpoints and VIP CIDR blocks
Public cloud
The names of some regions outside the Chinese mainland may differ between the OSS pricing page and the resource plan purchase page. However, these different names refer to the same physical location. For example, the US (Silicon Valley) region may be displayed as US West 1 or US West. For more information, see OSS Pricing or Purchase a resource plan.
Due to a policy change to improve compliance and security, starting March 20, 2025, new OSS users must use a custom domain name (CNAME) to perform data API operations on OSS buckets located in Chinese mainland regions. Default public endpoints are restricted for these operations. Refer to the official announcement for a complete list of the affected operations. If you access your data via HTTPS, you must bind a valid SSL Certificate to your custom domain. This is mandatory for OSS Console access, as the console enforces HTTPS.
Asia-Pacific - China
Region | Region ID | Public endpoint | Internal endpoint | Dual-stack endpoint | Internal VIP CIDR blocks |
China (Hangzhou) | cn-hangzhou | oss-cn-hangzhou.aliyuncs.com | oss-cn-hangzhou-internal.aliyuncs.com | cn-hangzhou.oss.aliyuncs.com | 100.118.28.0/24 100.114.102.0/24 100.98.170.0/24 100.118.31.0/24 |
China (Shanghai) | cn-shanghai | oss-cn-shanghai.aliyuncs.com | oss-cn-shanghai-internal.aliyuncs.com | cn-shanghai.oss.aliyuncs.com | |
China (Nanjing - Local Region) (Closing Down) | cn-nanjing | oss-cn-nanjing.aliyuncs.com | oss-cn-nanjing-internal.aliyuncs.com | | 100.114.142.0/24 |
China (Qingdao) | cn-qingdao | oss-cn-qingdao.aliyuncs.com | oss-cn-qingdao-internal.aliyuncs.com | cn-qingdao.oss.aliyuncs.com | |
China (Beijing) | cn-beijing | oss-cn-beijing.aliyuncs.com | oss-cn-beijing-internal.aliyuncs.com | cn-beijing.oss.aliyuncs.com | |
China (Zhangjiakou) | cn-zhangjiakou | oss-cn-zhangjiakou.aliyuncs.com | oss-cn-zhangjiakou-internal.aliyuncs.com | cn-zhangjiakou.oss.aliyuncs.com | |
China (Hohhot) | cn-huhehaote | oss-cn-huhehaote.aliyuncs.com | oss-cn-huhehaote-internal.aliyuncs.com | cn-huhehaote.oss.aliyuncs.com | |
China (Ulanqab) | cn-wulanchabu | oss-cn-wulanchabu.aliyuncs.com | oss-cn-wulanchabu-internal.aliyuncs.com | cn-wulanchabu.oss.aliyuncs.com | |
China (Shenzhen) | cn-shenzhen | oss-cn-shenzhen.aliyuncs.com | oss-cn-shenzhen-internal.aliyuncs.com | cn-shenzhen.oss.aliyuncs.com | |
China (Heyuan) | cn-heyuan | oss-cn-heyuan.aliyuncs.com | oss-cn-heyuan-internal.aliyuncs.com | cn-heyuan.oss.aliyuncs.com | |
China (Guangzhou) | cn-guangzhou | oss-cn-guangzhou.aliyuncs.com | oss-cn-guangzhou-internal.aliyuncs.com | cn-guangzhou.oss.aliyuncs.com | |
China (Chengdu) | cn-chengdu | oss-cn-chengdu.aliyuncs.com | oss-cn-chengdu-internal.aliyuncs.com | cn-chengdu.oss.aliyuncs.com | |
China (Hong Kong) | cn-hongkong | oss-cn-hongkong.aliyuncs.com | oss-cn-hongkong-internal.aliyuncs.com | cn-hongkong.oss.aliyuncs.com | |
Asia-Pacific - Other
Region | Region ID | Public endpoint | Internal endpoint | Dual-stack endpoint | Internal VIP CIDR blocks |
Japan (Tokyo) | ap-northeast-1 | oss-ap-northeast-1.aliyuncs.com | oss-ap-northeast-1-internal.aliyuncs.com | | |
South Korea (Seoul) | ap-northeast-2 | oss-ap-northeast-2.aliyuncs.com | oss-ap-northeast-2-internal.aliyuncs.com | | 100.99.119.0/24 |
Singapore | ap-southeast-1 | oss-ap-southeast-1.aliyuncs.com | oss-ap-southeast-1-internal.aliyuncs.com | | |
Malaysia (Kuala Lumpur) | ap-southeast-3 | oss-ap-southeast-3.aliyuncs.com | oss-ap-southeast-3-internal.aliyuncs.com | | |
Indonesia (Jakarta) | ap-southeast-5 | oss-ap-southeast-5.aliyuncs.com | oss-ap-southeast-5-internal.aliyuncs.com | | 100.114.98.0/24 |
Philippines (Manila) | ap-southeast-6 | oss-ap-southeast-6.aliyuncs.com | oss-ap-southeast-6-internal.aliyuncs.com | | 100.115.16.0/24 |
Thailand (Bangkok) | ap-southeast-7 | oss-ap-southeast-7.aliyuncs.com | oss-ap-southeast-7-internal.aliyuncs.com | | 100.98.249.0/24 |
Europe and Americas
Region | Region ID | Public endpoint | Internal endpoint | Dual-stack endpoint | Internal VIP CIDR blocks |
Germany (Frankfurt) | eu-central-1 | oss-eu-central-1.aliyuncs.com | oss-eu-central-1-internal.aliyuncs.com | eu-central-1.oss.aliyuncs.com | 100.115.154.0/24 |
UK (London) | eu-west-1 | oss-eu-west-1.aliyuncs.com | oss-eu-west-1-internal.aliyuncs.com | | 100.114.114.128/25 |
US (Silicon Valley) | us-west-1 | oss-us-west-1.aliyuncs.com | oss-us-west-1-internal.aliyuncs.com | | 100.115.107.0/24 |
US (Virginia) | us-east-1 | oss-us-east-1.aliyuncs.com | oss-us-east-1-internal.aliyuncs.com | | |
Mexico | na-south-1 | oss-na-south-1.aliyuncs.com | oss-na-south-1-internal.aliyuncs.com | | 100.115.112.0/27 |
Middle East
Region | Region ID | Public endpoint | Internal endpoint | Dual-stack endpoint | Internal VIP CIDR blocks |
UAE (Dubai) | me-east-1 | oss-me-east-1.aliyuncs.com | oss-me-east-1-internal.aliyuncs.com | | 100.99.235.0/24 |
SAU (Riyadh - Partner Region) | me-central-1 | oss-me-central-1.aliyuncs.com | oss-me-central-1-internal.aliyuncs.com | | 100.99.121.0/24 |