ACK Edge clusters connect on-premises IDC servers to Alibaba Cloud through Express Connect. Before adding edge nodes to a cluster, configure the required network elements on each device in the connectivity path. This topic covers the network architecture, device-by-device configuration, required ports, and endpoint allowlists for Express Connect environments.
Network architecture
On-premises IDC network topology
A typical on-premises IDC network uses a three-tier architecture. Servers and switches form a Layer 2 local area network (LAN). Multiple Layer 2 LANs combine into a Layer 3 network domain, giving the IDC a private CIDR block of 10.0.0.0/8.
Cloud-based VPC topology
The cloud-based Virtual Private Cloud (VPC) uses a virtualized network. Compute instances such as Elastic Compute Service (ECS) and Elastic Container Instance (ECI) connect directly to vSwitches and communicate through them. Some Alibaba Cloud services use the 100.0.0.0/8 CIDR block, which is accessible by default through vSwitches inside the VPC.
Express Connect network
Express Connect access points are available in multiple regions. Select an access point location based on proximity. Use your IDC core switch to connect to a Virtual Border Router (VBR) associated with an Express Connect access point through a network firewall. Then use an Express Connect Router (ECR) or a Cloud Enterprise Network (CEN) instance to connect to your VPC.
Prerequisites
Before you begin, confirm that:
- Your IDC core switch and its subnets have completed Layer 3 network configuration and are interconnected.
- You have provisioned an Express Connect circuit and associated it with a VBR.
- You have an ECR or CEN instance to connect the VBR to your VPC. For details, see Alibaba Cloud Express Connect.
Network element configuration
All upstream routes go from your on-premises IDC toward the cloud VPC or Alibaba Cloud services. All downstream routes go from the cloud VPC back to your on-premises IDC.
CNI plug-in impact on configuration
The network plug-in your ACK Edge cluster uses affects several configuration steps. Identify your plug-in before you start:
| CNI plug-in | Additional upstream/downstream routes | Additional firewall and security group rules |
|---|---|---|
| Terway Edge | Add the edge container CIDR block (172.16.0.0/12) to downstream routes on the VBR, ECR or CEN, and VPC route table. Configure BGP on the IDC core switch and access switches. | None |
| Flannel | None | Allow UDP 8472 in both directions on the IDC network firewall and cloud VPC security group. Source: VPC CIDR block. Destination: host CIDR block in the on-premises IDC. |
Sample network configuration
This topic uses the following CIDR blocks as examples. The China (Hangzhou) region is used throughout.
| Network | CIDR block |
|---|---|
| Cloud VPC | 192.168.0.0/16 |
| On-premises IDC | 10.0.0.0/8 |
| Alibaba Cloud internal services | 100.0.0.0/8 |
| Edge container network (Terway Edge only) | 172.16.0.0/12 |
If the 100.0.0.0/8 CIDR block is too broad for your environment, replace it with the specific IP ranges for your region. The table below lists the key service endpoints for China (Hangzhou):
| Service | CIDR blocks or endpoint |
|---|---|
| Object Storage Service (OSS) | 100.118.28.0/24, 100.114.102.0/24, 100.98.170.0/24, 100.118.31.0/24 |
| Container Registry (ACR) | 100.103.9.188/32, 100.103.7.181/32 |
| ACK management | cs-anony-vpc.cn-hangzhou.aliyuncs.com (resolves to 100.103.42.233 inside the VPC) |
For the complete list of service endpoints and their route CIDR blocks, see Endpoints and corresponding route CIDR blocks for Express Connect mode.
IDC core switch
| Configuration item | Description | Notes |
|---|---|---|
| Upstream routes | Add routes to the cloud VPC CIDR block (192.168.0.0/16) and the Alibaba Cloud service CIDR block (100.0.0.0/8). Point them to the Express Connect VBR through the ECR. | If your cluster uses Terway Edge, configure BGP on your IDC core switch and access switches so the network plug-in can advertise container routes. For details, see Use the Terway Edge network plug-in and Configure Terway Edge for container communication. |
| Downstream routes | Add routes from the Express Connect VBR to your IDC servers. This topic assumes your core switch has already completed server network configuration. | — |
IDC network firewall
| Direction | Allow list | Notes |
|---|---|---|
| Outbound | Cloud VPC CIDR block (192.168.0.0/16) and Alibaba Cloud service CIDR block (100.0.0.0/8). For fine-grained control, also allow: OSS endpoint CIDR blocks, ACR endpoint CIDR blocks, TCP 443 or 80 for the ACK management endpoint, and TCP 6443 for the API server. | If your cluster uses Flannel, allow UDP 8472 in both directions. Source: cloud VPC CIDR block. Destination: host CIDR block in your on-premises IDC. |
| Inbound | Cloud VPC CIDR block (192.168.0.0/16) and Alibaba Cloud service CIDR block (100.0.0.0/8). For fine-grained control, also allow inbound traffic on kubelet TCP ports 10250 and 10255, and Node Exporter TCP ports 9100 and 9445. | — |
Virtual Border Router (VBR)
| Configuration item | Description | Notes |
|---|---|---|
| Upstream routes | Add routes to the cloud VPC CIDR block (192.168.0.0/16) and Alibaba Cloud service CIDR block (100.0.0.0/8), pointing to the VPC. Use a direct VPC connection, an ECR, or a CEN instance. | — |
| Downstream routes | Add a route to the IDC server CIDR block (10.0.0.0/8), pointing to the core switch through Express Connect and the IDC network firewall. | If your cluster uses Terway Edge, also add the edge container CIDR block (172.16.0.0/12) to the VBR's downstream routes. |
Express Connect Router (ECR) or Cloud Enterprise Network (CEN)
| Configuration item | Description | Notes |
|---|---|---|
| Upstream routes | In the ECR or CEN forwarding route table, add routes to the cloud VPC CIDR block (192.168.0.0/16) and Alibaba Cloud service CIDR block (100.0.0.0/8), pointing to the VPC. | — |
| Downstream routes | In the ECR or CEN forwarding route table, add a route to the IDC server CIDR block (10.0.0.0/8), pointing to the VBR. | If your cluster uses Terway Edge, also add the edge container CIDR block (172.16.0.0/12) to the ECR or CEN's downstream routes. |
VPC route table
| Configuration item | Description | Notes |
|---|---|---|
| Upstream routes | The cloud VPC uses default network configuration and forwards requests from your IDC to their destination addresses. | — |
| Downstream routes | Add a route to the IDC server CIDR block (10.0.0.0/8), pointing to CEN, ECR, or VBR. | If your cluster uses Terway Edge, also add the edge container CIDR block (172.16.0.0/12) to the VPC route table's downstream routes. |
Cloud VPC security group
| Direction | Allow list | Notes |
|---|---|---|
| Outbound | IDC server CIDR block (10.0.0.0/8). For fine-grained port control, also allow outbound traffic on kubelet TCP ports 10250 and 10255, and Node Exporter TCP ports 9100 and 9445. | If your cluster uses Flannel, allow UDP 8472 in both directions. Source: cloud VPC CIDR block. Destination: host CIDR block in your on-premises IDC. |
| Inbound | IDC CIDR block (10.0.0.0/8). For fine-grained port control, also allow inbound traffic on API server TCP port 6443. | — |
Ports required for inbound access to edge nodes
Configure these inbound ports on edge nodes to allow cloud-initiated access.
| Protocol | Port | Source | Purpose | Used by |
|---|---|---|---|---|
| TCP | 10250, 10255 | VPC CIDR block (optional — scope to your cluster's vSwitch CIDR block for tighter control) | kubelet API | API server (O&M operations), Metrics Server (metric collection) |
| TCP | 9100, 9445 | VPC CIDR block (optional — scope to your cluster's vSwitch CIDR block for tighter control) | Node Exporter metrics | Prometheus |
| UDP | 8472 | VPC CIDR block and node address or node CIDR block (required only for Flannel clusters) | VXLAN tunnel | Flannel |
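The allowlist tables above (IDC network firewall, cloud VPC security group, and the inbound edge-node ports) can be checked mechanically before a node is registered. The following Python is an added example, not Alibaba Cloud tooling: it derives the fine-grained allowlist for a given CNI plug-in from the sample CIDR blocks in this topic and reports every required rule that a candidate rule set fails to cover; `Rule`, `required_rules`, `required_downstream_routes` and `audit` are names chosen here, and `cloud_src` may be narrowed to the cluster's vSwitch CIDR block as the inbound-ports table permits.

```python
"""Audit an IDC firewall / VPC security group allowlist against this topic's tables (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Sample CIDR blocks from this topic; swap in your own.
VPC_CIDR = ipaddress.ip_network("192.168.0.0/16")
IDC_CIDR = ipaddress.ip_network("10.0.0.0/8")
ALIYUN_SERVICES = ipaddress.ip_network("100.0.0.0/8")
EDGE_POD_CIDR = ipaddress.ip_network("172.16.0.0/12")   # Terway Edge container network


@dataclass(frozen=True)
class Rule:
    """An allow rule seen from the IDC firewall: outbound = IDC -> cloud, inbound = cloud -> IDC."""
    direction: str                 # "outbound" or "inbound"
    proto: str                     # "tcp", "udp" or "any"
    port: Optional[int]            # None = all ports
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def covers(self, need: "Rule") -> bool:
        """True if this allow rule permits everything `need` asks for (broader CIDR/port counts)."""
        return (self.direction == need.direction
                and self.proto in ("any", need.proto)
                and self.port in (None, need.port)
                and need.src.subnet_of(self.src)
                and need.dst.subnet_of(self.dst))


def required_rules(cni: str, idc_hosts=IDC_CIDR, cloud_src=VPC_CIDR) -> List[Rule]:
    """Fine-grained allowlist from the firewall / security group tables for a CNI plug-in."""
    rules = [Rule("outbound", "tcp", 6443, idc_hosts, VPC_CIDR),        # kube-apiserver
             Rule("outbound", "tcp", 443, idc_hosts, ALIYUN_SERVICES)]  # ACK mgmt, OSS, ACR (+80 before v1.26)
    rules += [Rule("inbound", "tcp", p, cloud_src, idc_hosts)           # kubelet, Node Exporter
              for p in (10250, 10255, 9100, 9445)]
    if cni == "flannel":                                                # VXLAN, both directions
        rules += [Rule("outbound", "udp", 8472, idc_hosts, VPC_CIDR),
                  Rule("inbound", "udp", 8472, cloud_src, idc_hosts)]
    return rules


def required_downstream_routes(cni: str) -> List[ipaddress.IPv4Network]:
    """Destinations the VBR, ECR/CEN and VPC route table must each carry back toward the IDC."""
    routes = [IDC_CIDR]
    if cni == "terway-edge":
        routes.append(EDGE_POD_CIDR)   # advertised inside the IDC by BGP; cloud side needs it statically
    return routes


def audit(allowed: List[Rule], cni: str, **kw) -> List[Rule]:
    """Return the required rules that no allow rule covers (empty list = allowlist is sufficient)."""
    return [need for need in required_rules(cni, **kw) if not any(a.covers(need) for a in allowed)]
```

A coarse allowlist (whole VPC and 100.0.0.0/8 blocks, any port) passes for both plug-ins; a Terway Edge allowlist reused for a Flannel cluster is reported as missing UDP 8472 in both directions.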
Domain names and ports required for outbound access from edge nodes
Configure the following endpoints to allow edge nodes to reach Alibaba Cloud services over Express Connect. Replace {region} with your cluster's region ID (for example, cn-hangzhou for China (Hangzhou)). For a complete list of region IDs, see Regions where Alibaba Cloud services are available.
| Target | Endpoint | Port | Required | Description |
|---|---|---|---|---|
| Container Service control plane | cs-anony-vpc.{region}.aliyuncs.com | TCP 443 (clusters v1.26 or later); TCP 80 (clusters earlier than v1.26) | Required | ACK management endpoint |
| OSS installation packages | aliacs-k8s-{region}.oss-{region}-internal.aliyuncs.com | TCP 443 (clusters v1.26 or later); TCP 80 and 443 (clusters earlier than v1.26) | Required | Download edgeadm, kubelet, CNI, runtime, and edgehub installation packages from OSS |
| Internal API server endpoint | View on the Basic Information tab of the cluster details page | TCP 6443 | Required | Communication with kube-apiserver |
| NTP | ntp1.aliyun.com, cn.ntp.org.cn | UDP 123 (typically) | Optional — skip if selfHostNtpServer is set to true | Clock synchronization |
| System component image registry | dockerauth-vpc.{region}.aliyuncs.com; dockerauth-ee-vpc.{region}.aliyuncs.com (not available in all regions); registry-{region}-vpc.ack.aliyuncs.com | TCP 443 | Required | Pull system component images. For corresponding IP ranges, see Endpoints and corresponding route CIDR blocks for Express Connect mode. |
| System tools | No additional domains required | N/A | Required if tools are absent | The node registration process checks for net-tools, iproute, chrony (or ntpdate), crontabs, pciutils, socat, ebtables, iptables, and conntrack-tools. Missing tools are installed via apt-get (Ubuntu) or yum (CentOS) using the node's existing package source configuration. |
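A name in the table above that resolves to an address outside the route CIDR blocks carried by the upstream routes (for example a public address) will not cross the circuit at all, which is the most common reason a node registration hangs. The following Python is an added example, not Alibaba Cloud tooling: it builds the endpoint list for a region and cluster version from the table, resolves each name, and flags any answer outside 100.0.0.0/8 or the VPC CIDR block; `outbound_endpoints`, `routed_via_circuit` and `preflight` are names chosen here, and the `192.168.10.20` API server address is a placeholder for the value on your cluster's Basic Information tab.

```python
"""Preflight for an edge node's outbound endpoints over Express Connect (added example)."""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# CIDR blocks that the upstream routes and firewall allowlist in this topic carry toward the cloud.
ROUTED_VIA_CIRCUIT = [ipaddress.ip_network("100.0.0.0/8"),      # Alibaba Cloud internal services
                      ipaddress.ip_network("192.168.0.0/16")]   # cloud VPC (API server)


def outbound_endpoints(region: str, k8s_minor: int, apiserver: str) -> List[Tuple[str, str, int]]:
    """(purpose, host, port) triples from the outbound-access table; ports depend on cluster version."""
    legacy = k8s_minor < 26                       # clusters earlier than v1.26 still use TCP 80
    oss = f"aliacs-k8s-{region}.oss-{region}-internal.aliyuncs.com"
    eps = [("ack-management", f"cs-anony-vpc.{region}.aliyuncs.com", 80 if legacy else 443),
           ("oss-packages", oss, 443),
           ("apiserver", apiserver, 6443),        # internal API server endpoint from the cluster page
           ("registry", f"registry-{region}-vpc.ack.aliyuncs.com", 443),
           ("dockerauth", f"dockerauth-vpc.{region}.aliyuncs.com", 443)]
    if legacy:
        eps.append(("oss-packages-http", oss, 80))
    return eps


def routed_via_circuit(addr: str) -> bool:
    """True if the address falls in a block the routes/firewall forward over Express Connect."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ROUTED_VIA_CIRCUIT)


def _dns(host: str) -> List[str]:
    """IPv4 answers for a host name (an IP literal is returned unchanged)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})


def preflight(region: str, k8s_minor: int, apiserver: str,
              resolver: Callable[[str], List[str]] = _dns) -> Dict[Tuple[str, int], str]:
    """Resolve every endpoint and classify it as 'ok', 'unresolved' or 'not-routed:<addrs>'.

    A name resolving outside ROUTED_VIA_CIRCUIT means the node is not using the VPC-internal
    endpoint or an internal resolver, so its traffic would take the internet path instead.
    """
    report: Dict[Tuple[str, int], str] = {}
    for purpose, host, port in outbound_endpoints(region, k8s_minor, apiserver):
        try:
            addrs = resolver(host)
        except OSError:                           # socket.gaierror is an OSError subclass
            report[(purpose, port)] = "unresolved"
            continue
        stray = [a for a in addrs if not routed_via_circuit(a)]
        report[(purpose, port)] = "not-routed:" + ",".join(stray) if stray else "ok"
    return report


if __name__ == "__main__":
    # Live run on an edge node; replace the placeholder API server address with your cluster's.
    for key, status in sorted(preflight("cn-hangzhou", 28, "192.168.10.20").items()):
        print(f"{key[0]:<18} {key[1]:<5} {status}")
```

Run it with the node's own resolver configuration; the `resolver` argument exists so the classification can be exercised offline with canned answers.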
Endpoints and corresponding route CIDR blocks for Express Connect mode
On-premises IDC devices access ACK component image registries over the internal network. You can connect your VPC internal network using CEN, Express Connect, dedicated lines, or VPN. Configure routes to the following registry endpoints and their associated OSS CIDR blocks, because ACK images are stored in OSS.
Internal image registry endpoints and route CIDR blocks for ACK components
Public cloud regions
| Region | Region ID | VPC endpoint | Route CIDR blocks |
|---|---|---|---|
| China (Hangzhou) | cn-hangzhou | registry-cn-hangzhou-vpc.ack.aliyuncs.com | 100.103.9.188/32, 100.103.7.181/32 |
| China (Shanghai) | cn-shanghai | registry-cn-shanghai-vpc.ack.aliyuncs.com | 100.103.94.158/32, 100.103.7.57/32, 100.100.80.231/32 |
| China (Fuzhou - Local Region) | cn-fuzhou | registry-cn-fuzhou-vpc.ack.aliyuncs.com | 100.100.0.43/32, 100.100.0.28/32 |
| China (Qingdao) | cn-qingdao | registry-cn-qingdao-vpc.ack.aliyuncs.com | 100.100.0.172/32, 100.100.0.207/32 |
| China (Beijing) | cn-beijing | registry-cn-beijing-vpc.ack.aliyuncs.com | 100.103.99.73/32, 100.103.0.251/32, 100.103.6.63/32 |
| China (Zhangjiakou) | cn-zhangjiakou | registry-cn-zhangjiakou-vpc.ack.aliyuncs.com | 100.100.1.179/32, 100.100.80.152/32 |
| China (Hohhot) | cn-huhehaote | registry-cn-huhehaote-vpc.ack.aliyuncs.com | 100.100.0.194/32, 100.100.80.55/32 |
| China (Ulanqab) | cn-wulanchabu | registry-cn-wulanchabu-vpc.ack.aliyuncs.com | 100.100.0.122/32, 100.100.0.58/32 |
| China (Shenzhen) | cn-shenzhen | registry-cn-shenzhen-vpc.ack.aliyuncs.com | 100.103.96.139/32, 100.103.6.153/32, 100.103.26.52/32 |
| China (Heyuan) | cn-heyuan | registry-cn-heyuan-vpc.ack.aliyuncs.com | 100.100.0.150/32, 100.100.0.193/32 |
| China (Guangzhou) | cn-guangzhou | registry-cn-guangzhou-vpc.ack.aliyuncs.com | 100.100.0.101/32, 100.100.0.21/32 |
| China (Chengdu) | cn-chengdu | registry-cn-chengdu-vpc.ack.aliyuncs.com | 100.100.0.48/32, 100.100.0.64/32 |
| Zhengzhou (CUCC Joint Venture) | cn-zhengzhou-jva | registry-cn-zhengzhou-jva-vpc.ack.aliyuncs.com | 100.100.0.111/32, 100.100.0.84/32 |
| China (Hong Kong) | cn-hongkong | registry-cn-hongkong-vpc.ack.aliyuncs.com | 100.103.85.19/32, 100.100.80.157/32 |
| US (Silicon Valley) | us-west-1 | registry-us-west-1-vpc.ack.aliyuncs.com | 100.103.13.55/32, 100.100.80.93/32 |
| US (Virginia) | us-east-1 | registry-us-east-1-vpc.ack.aliyuncs.com | 100.103.12.19/32, 100.100.80.11/32 |
| Japan (Tokyo) | ap-northeast-1 | registry-ap-northeast-1-vpc.ack.aliyuncs.com | 100.100.0.167/32, 100.100.80.198/32 |
| South Korea (Seoul) | ap-northeast-2 | registry-ap-northeast-2-vpc.ack.aliyuncs.com | 100.100.0.71/32, 100.100.0.33/32 |
| Singapore | ap-southeast-1 | registry-ap-southeast-1-vpc.ack.aliyuncs.com | 100.103.103.254/32, 100.100.80.136/32 |
| Malaysia (Kuala Lumpur) | ap-southeast-3 | registry-ap-southeast-3-vpc.ack.aliyuncs.com | 100.100.0.17/32, 100.100.80.137/32 |
| Indonesia (Jakarta) | ap-southeast-5 | registry-ap-southeast-5-vpc.ack.aliyuncs.com | 100.100.0.226/32, 100.100.80.200/32 |
| Philippines (Manila) | ap-southeast-6 | registry-ap-southeast-6-vpc.ack.aliyuncs.com | 100.100.0.75/32, 100.100.0.24/32 |
| Thailand (Bangkok) | ap-southeast-7 | registry-ap-southeast-7-vpc.ack.aliyuncs.com | 100.100.0.62/32, 100.100.0.34/32 |
| Germany (Frankfurt) | eu-central-1 | registry-eu-central-1-vpc.ack.aliyuncs.com | 100.100.0.92/32, 100.100.80.155/32 |
| UK (London) | eu-west-1 | registry-eu-west-1-vpc.ack.aliyuncs.com | 100.100.0.175/32, 100.100.0.18/32 |
| SAU (Riyadh - Partner Region) | me-central-1 | registry-me-central-1-vpc.ack.aliyuncs.com | 100.100.0.109/32, 100.100.0.18/32 |
OSS internal endpoints and VIP CIDR blocks
Public cloud
Due to a policy change to improve compliance and security, starting March 20, 2025, new OSS users must use a custom domain name (CNAME) to perform data API operations on OSS buckets in Chinese mainland regions. Default public endpoints are restricted for these operations. Refer to the official announcement for the complete list of affected operations. If you access your data via HTTPS, bind a valid SSL certificate to your custom domain. This is mandatory for OSS Console access, as the console enforces HTTPS.
The names of some regions outside the Chinese mainland may differ between the OSS pricing page and the resource plan purchase page. However, these different names refer to the same physical location. For example, the US (Silicon Valley) region may be displayed as US West 1 or US West. For more information, see OSS Pricing or Purchase a resource plan.
Asia-Pacific - China
| Region | Region ID | Public endpoint | Internal endpoint | Dual-stack endpoint | Internal VIP CIDR blocks |
|---|---|---|---|---|---|
| China (Hangzhou) | cn-hangzhou | oss-cn-hangzhou.aliyuncs.com | oss-cn-hangzhou-internal.aliyuncs.com | cn-hangzhou.oss.aliyuncs.com | 100.118.28.0/24, 100.114.102.0/24, 100.98.170.0/24, 100.118.31.0/24 |
| China (Shanghai) | cn-shanghai | oss-cn-shanghai.aliyuncs.com | oss-cn-shanghai-internal.aliyuncs.com | cn-shanghai.oss.aliyuncs.com | 100.98.35.0/24, 100.98.110.0/24, 100.98.169.0/24, 100.118.102.0/24 |
| China (Nanjing - Local Region) Closing Down | cn-nanjing | oss-cn-nanjing.aliyuncs.com | oss-cn-nanjing-internal.aliyuncs.com | Not supported | 100.114.142.0/24 |
| China (Qingdao) | cn-qingdao | oss-cn-qingdao.aliyuncs.com | oss-cn-qingdao-internal.aliyuncs.com | cn-qingdao.oss.aliyuncs.com | 100.115.173.0/24, 100.99.113.0/24, 100.99.114.0/24, 100.99.115.0/24 |
| China (Beijing) | cn-beijing | oss-cn-beijing.aliyuncs.com | oss-cn-beijing-internal.aliyuncs.com | cn-beijing.oss.aliyuncs.com | 100.118.58.0/24, 100.118.167.0/24, 100.118.170.0/24, 100.118.171.0/24, 100.118.172.0/24, 100.118.173.0/24 |
| China (Zhangjiakou) | cn-zhangjiakou | oss-cn-zhangjiakou.aliyuncs.com | oss-cn-zhangjiakou-internal.aliyuncs.com | cn-zhangjiakou.oss.aliyuncs.com | 100.118.90.0/24, 100.98.159.0/24, 100.114.0.0/24, 100.114.1.0/24 |
| China (Hohhot) | cn-huhehaote | oss-cn-huhehaote.aliyuncs.com | oss-cn-huhehaote-internal.aliyuncs.com | cn-huhehaote.oss.aliyuncs.com | 100.118.195.0/24, 100.99.110.0/24, 100.99.111.0/24, 100.99.112.0/24 |
| China (Ulanqab) | cn-wulanchabu | oss-cn-wulanchabu.aliyuncs.com | oss-cn-wulanchabu-internal.aliyuncs.com | cn-wulanchabu.oss.aliyuncs.com | 100.114.11.0/24, 100.114.12.0/24, 100.114.100.0/24, 100.118.214.0/24 |
| China (Shenzhen) | cn-shenzhen | oss-cn-shenzhen.aliyuncs.com | oss-cn-shenzhen-internal.aliyuncs.com | cn-shenzhen.oss.aliyuncs.com | 100.118.78.0/24, 100.118.203.0/24, 100.118.204.0/24, 100.118.217.0/24 |
| China (Heyuan) | cn-heyuan | oss-cn-heyuan.aliyuncs.com | oss-cn-heyuan-internal.aliyuncs.com | cn-heyuan.oss.aliyuncs.com | 100.98.83.0/24, 100.118.174.0/24 |
| China (Guangzhou) | cn-guangzhou | oss-cn-guangzhou.aliyuncs.com | oss-cn-guangzhou-internal.aliyuncs.com | cn-guangzhou.oss.aliyuncs.com | 100.115.33.0/24, 100.114.101.0/24 |
| China (Chengdu) | cn-chengdu | oss-cn-chengdu.aliyuncs.com | oss-cn-chengdu-internal.aliyuncs.com | cn-chengdu.oss.aliyuncs.com | 100.115.155.0/24, 100.99.107.0/24, 100.99.108.0/24, 100.99.109.0/24 |
| China (Hong Kong) | cn-hongkong | oss-cn-hongkong.aliyuncs.com | oss-cn-hongkong-internal.aliyuncs.com | cn-hongkong.oss.aliyuncs.com | 100.115.61.0/24, 100.99.103.0/24, 100.99.104.0/24, 100.99.106.0/24 |
Asia-Pacific - Other
| Region | Region ID | Public endpoint | Internal endpoint | Dual-stack endpoint | Internal VIP CIDR blocks |
|---|---|---|---|---|---|
| Japan (Tokyo) | ap-northeast-1 | oss-ap-northeast-1.aliyuncs.com | oss-ap-northeast-1-internal.aliyuncs.com | Not supported | 100.114.211.0/24, 100.114.114.0/25 |
| South Korea (Seoul) | ap-northeast-2 | oss-ap-northeast-2.aliyuncs.com | oss-ap-northeast-2-internal.aliyuncs.com | Not supported | 100.99.119.0/24 |
| Singapore | ap-southeast-1 | oss-ap-southeast-1.aliyuncs.com | oss-ap-southeast-1-internal.aliyuncs.com | Not supported | 100.118.219.0/24, 100.99.213.0/24, 100.99.116.0/24, 100.99.117.0/24 |
| Malaysia (Kuala Lumpur) | ap-southeast-3 | oss-ap-southeast-3.aliyuncs.com | oss-ap-southeast-3-internal.aliyuncs.com | Not supported | 100.118.165.0/24, 100.99.125.0/24, 100.99.130.0/24, 100.99.131.0/24 |
| Indonesia (Jakarta) | ap-southeast-5 | oss-ap-southeast-5.aliyuncs.com | oss-ap-southeast-5-internal.aliyuncs.com | Not supported | 100.114.98.0/24 |
| Philippines (Manila) | ap-southeast-6 | oss-ap-southeast-6.aliyuncs.com | oss-ap-southeast-6-internal.aliyuncs.com | Not supported | 100.115.16.0/24 |
| Thailand (Bangkok) | ap-southeast-7 | oss-ap-southeast-7.aliyuncs.com | oss-ap-southeast-7-internal.aliyuncs.com | Not supported | 100.98.249.0/24 |
Europe and Americas
| Region | Region ID | Public endpoint | Internal endpoint | Dual-stack endpoint | Internal VIP CIDR blocks |
|---|---|---|---|---|---|
| Germany (Frankfurt) | eu-central-1 | oss-eu-central-1.aliyuncs.com | oss-eu-central-1-internal.aliyuncs.com | eu-central-1.oss.aliyuncs.com | 100.115.154.0/24 |
| UK (London) | eu-west-1 | oss-eu-west-1.aliyuncs.com | oss-eu-west-1-internal.aliyuncs.com | Not supported | 100.114.114.128/25 |
| US (Silicon Valley) | us-west-1 | oss-us-west-1.aliyuncs.com | oss-us-west-1-internal.aliyuncs.com | Not supported | 100.115.107.0/24 |
| US (Virginia) | us-east-1 | oss-us-east-1.aliyuncs.com | oss-us-east-1-internal.aliyuncs.com | Not supported | 100.115.60.0/24, 100.99.100.0/24, 100.99.101.0/24, 100.99.102.0/24 |
| Mexico | na-south-1 | oss-na-south-1.aliyuncs.com | oss-na-south-1-internal.aliyuncs.com | Not supported | 100.115.112.0/27 |
Middle East
| Region | Region ID | Public endpoint | Internal endpoint | Dual-stack endpoint | Internal VIP CIDR blocks |
|---|---|---|---|---|---|
| UAE (Dubai) | me-east-1 | oss-me-east-1.aliyuncs.com | oss-me-east-1-internal.aliyuncs.com | Not supported | 100.99.235.0/24 |
| SAU (Riyadh - Partner Region) | me-central-1 | oss-me-central-1.aliyuncs.com | oss-me-central-1-internal.aliyuncs.com | Not supported | 100.99.121.0/24 |