Container Service for Kubernetes:Network device configuration for a dedicated connection

Last Updated:Dec 23, 2025

Alibaba Cloud Container Service for Kubernetes (ACK) Edge lets you add servers in your on-premises data center to a cluster as edge nodes that communicate with the cloud over a dedicated private connection. Before these servers can join the cluster, the underlying network must be configured correctly. This topic describes how to configure the network devices in a dedicated connection environment so that your data center and your virtual private cloud (VPC) share a reliable, secure, high-speed private channel.

Network architecture

[Figure: network architecture of the dedicated connection between the data center and the VPC]

Network topology of the data center

The data center network in the preceding figure uses a three-tier architecture: servers and access switches form Layer 2 LANs, and multiple Layer 2 LANs are aggregated into a Layer 3 routing domain that makes up the on-premises network. In this example, the private CIDR block of the data center is 10.0.0.0/8.

VPC topology

VPCs are built on a virtualized network. Compute instances such as Elastic Compute Service (ECS) instances and elastic container instances in a VPC communicate with each other through the vSwitches of the VPC. Alibaba Cloud services use addresses in 100.0.0.0/8, which vSwitches in a VPC can reach by default.

Dedicated connection network

Alibaba Cloud provides dedicated access points in many regions. To minimize latency, select the access point that is physically closest to your data center; see Access point locations for details. Traffic leaves your data center core switch, passes through a network firewall, and enters a virtual border router (VBR) at an Alibaba Cloud Express Connect access point. You then use either an Express Connect Router (ECR) or a Cloud Enterprise Network (CEN) instance to link the VBR to your VPC, which completes the private, high-speed path.

Configure network

Assume that Layer 3 configuration of the data center core switch and its subnets is complete and that the core switch can already reach every server subnet. Throughout this topic, route directions are named from the perspective of the cloud:

Inbound route: carries traffic from the data center to the VPC or to cloud services.

Outbound route: carries traffic from the VPC back to the data center.

Sample network configurations

  • VPC CIDR block: 192.168.0.0/16.

  • Data center CIDR block: 10.0.0.0/8.

  • CIDR block of cloud services and products: 100.0.0.0/8.

  • CIDR block of edge containers: 172.16.0.0/12. You must specify the CIDR block of edge containers if the ACK Edge cluster uses the Terway Edge plug-in.

  • In the China (Hangzhou) region, for example, an ACK Edge cluster depends on the following cloud service addresses:

    • Object Storage Service (OSS): 100.118.28.0/24, 100.114.102.0/24, 100.98.170.0/24, and 100.118.31.0/24.

    • Container Registry: 100.103.9.188/32 and 100.103.7.181/32.

    • ACK Management: the domain name is cs-anony-vpc.cn-hangzhou.aliyuncs.com. We recommend that you resolve the domain name from inside the VPC. In this example, it resolves to 100.103.42.233.

The following sections describe how to configure your network based on the example topology above, using 100.0.0.0/8 to represent the addresses of Alibaba Cloud services. If that range is broader than you want to route or permit, replace it with the specific ranges that ACK Edge requires; for the complete list, see Endpoints and corresponding route CIDR blocks in dedicated connection mode. The remainder of this topic continues to use 100.0.0.0/8 for demonstration purposes.

Configure the data center core switch

Inbound route

  • Description: Add routes to the VPC CIDR block and the cloud service CIDR block that you want to reach, with the network firewall as the next hop. The firewall forwards the traffic over the dedicated connection to the VBR, which is associated with an ECR or CEN instance on the cloud side.

    • VPC CIDR block: 192.168.0.0/16.

    • Cloud service CIDR block: 100.0.0.0/8.

  • Usage notes: If your ACK Edge cluster uses the Terway Edge plug-in, you must configure Border Gateway Protocol (BGP) on the data center core switch and access switches so that Terway Edge can advertise container routes to them. For more information, see Usage guide for Terway Edge and Use Terway Edge to implement container communication.

Outbound route

  • Description: Add routes so that packets arriving from the VBR reach the data center servers. Make sure that the server subnets are already configured on the core switch.

  • Usage notes: None.

Configure the data center network firewall

Outbound (data center to cloud)

  • Description: Allow traffic to the CIDR blocks of the VPC and cloud services that you want to access:

    • VPC CIDR block: 192.168.0.0/16.

    • Cloud service CIDR block: 100.0.0.0/8.

    If you require fine-grained rules, allow only the following destinations (values for the China (Hangzhou) region):

    • The OSS CIDR blocks.

    • The Container Registry CIDR blocks.

    • TCP port 443 (cluster version 1.26 and later) or TCP port 80 (earlier versions) of the ACK Management address, and TCP port 6443 of the API server of the ACK Edge cluster.

  • Usage notes: If your ACK Edge cluster uses the Flannel plug-in, the firewall must also pass UDP port 8472 in both directions, because the VXLAN overlay carries node-to-node traffic from both sides:

    • Outbound: source the data center CIDR block, destination the VPC CIDR block.

    • Inbound: source the VPC CIDR block, destination the data center CIDR block.

Inbound (cloud to data center)

  • Description: Allow traffic from the CIDR blocks of the VPC and cloud services:

    • VPC CIDR block: 192.168.0.0/16.

    • Cloud service CIDR block: 100.0.0.0/8.

  • Usage notes: If you require fine-grained rules, allow the preceding source CIDR blocks to reach TCP ports 10250 and 10255 of the kubelet and TCP ports 9100 and 9445 of Node-Exporter on the data center nodes. Port 10255 is the kubelet read-only port and is served without authentication, so keep its source limited to the VPC CIDR block (or, more narrowly, the vSwitch CIDR blocks of the cluster) rather than opening it to the whole data center or the Internet.

Configure the VBR

Inbound route

  • Description: Add an inbound route for the VPC CIDR block (192.168.0.0/16) and the cloud service CIDR block (100.0.0.0/8). The next hop can be a directly connected VPC, an ECR, or a CEN instance. For more information, see Express Connect.

  • Usage notes: None.

Outbound route

  • Description: Add an outbound route for the data center CIDR block (10.0.0.0/8) that points over the Express Connect circuit to the data center network firewall and core switch.

  • Usage notes: If your ACK Edge cluster uses the Terway Edge plug-in, add a second outbound route on the VBR for the CIDR block of edge containers (172.16.0.0/12).

Configure the ECR or CEN instance

Inbound route

  • Description: Add a route to the route table of the ECR or of the CEN transit router for the VPC CIDR block (192.168.0.0/16) and the cloud service CIDR block (100.0.0.0/8), pointing to the VPC.

  • Usage notes: None.

Outbound route

  • Description: Add a route to the route table of the ECR or of the CEN transit router for the data center CIDR block (10.0.0.0/8), pointing to the VBR.

  • Usage notes: If your ACK Edge cluster uses the Terway Edge plug-in, also add a route for the CIDR block of edge containers (172.16.0.0/12) that points to the VBR.

Configure the VPC route table

Inbound route

  • Description: No configuration is required. The VPC already has system routes for its own CIDR block and for cloud services, so requests received from the data center are delivered automatically.

  • Usage notes: None.

Outbound route

  • Description: Add a route for the data center CIDR block (10.0.0.0/8) whose next hop is the CEN instance or the ECR; from there the traffic is forwarded through the VBR to the data center.

  • Usage notes: If your ACK Edge cluster uses the Terway Edge plug-in, also add a route for the CIDR block of edge containers (172.16.0.0/12) with the same next hop.
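The routes in the preceding sections must exist on every hop in both directions; a single missing entry, typically the container CIDR block on one cloud-side device, yields a cluster that is reachable one way and hard to diagnose. The Python script below is an added example, not Alibaba Cloud code: it models the per-device route tables described in this topic with longest-prefix matching, traces a destination hop by hop, checks that the forward and return paths are mirror images, and shows which hop breaks when the Terway Edge container route is left out. The device names (dc-core, dc-firewall, vbr, cen, vpc) are labels chosen for the example; the CIDR blocks are the sample values from this topic.

```python
"""Per-hop route-table model for the dedicated-connection topology on this page.

Added example, not Alibaba Cloud code. Device names (dc-core, dc-firewall, vbr,
cen, vpc) are labels chosen for the example; CIDR blocks are the page's sample
values. "local" means the device delivers the packet itself.
"""
import ipaddress

net = ipaddress.ip_network
VPC_CIDR = net("192.168.0.0/16")
DC_CIDR = net("10.0.0.0/8")
CLOUD_SERVICE_CIDR = net("100.0.0.0/8")
EDGE_CONTAINER_CIDR = net("172.16.0.0/12")   # Terway Edge only

# Hops in order from the data center to the VPC.
CHAIN = ["dc-core", "dc-firewall", "vbr", "cen", "vpc"]


def build_tables(terway=True):
    """Route tables as described in the 'Configure ...' sections above.

    Every device carries an inbound route (toward the VPC and cloud services)
    and an outbound route (toward the data center). With Terway Edge the
    container CIDR block needs its own outbound route on every cloud-side hop.
    """
    to_dc = [DC_CIDR] + ([EDGE_CONTAINER_CIDR] if terway else [])
    to_cloud = [VPC_CIDR, CLOUD_SERVICE_CIDR]
    tables = {}
    for i, dev in enumerate(CHAIN):
        up = CHAIN[i + 1] if i + 1 < len(CHAIN) else "local"   # toward the cloud
        down = CHAIN[i - 1] if i > 0 else "local"              # toward the data center
        tables[dev] = [(p, up) for p in to_cloud] + [(p, down) for p in to_dc]
    return tables


def without(tables, device, prefix):
    """Copy of the tables with one route removed, to simulate a misconfiguration."""
    copy = {d: list(rs) for d, rs in tables.items()}
    copy[device] = [(p, nh) for p, nh in copy[device] if p != prefix]
    return copy


def lookup(table, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None."""
    best = None
    for prefix, next_hop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def trace(tables, start, dst, limit=16):
    """Devices a packet to dst crosses, starting at `start`.

    Raises LookupError naming the first device that has no matching route.
    """
    dst = ipaddress.ip_address(dst)
    hop, path = start, [start]
    for _ in range(limit):
        match = lookup(tables[hop], dst)
        if match is None:
            raise LookupError(f"{hop} has no route to {dst}")
        if match[1] == "local":
            return path
        hop = match[1]
        path.append(hop)
    raise LookupError(f"{hop} routing loop toward {dst}")


def first_missing_hop(tables, start, dst):
    """Name of the device that drops the packet, or None if dst is reachable."""
    try:
        trace(tables, start, dst)
        return None
    except LookupError as err:
        return str(err).split()[0]


def symmetric(tables, a, b):
    """True if the path from a to b is the exact reverse of the path from b to a."""
    def entry(addr):
        ip = ipaddress.ip_address(addr)
        return "dc-core" if ip in DC_CIDR or ip in EDGE_CONTAINER_CIDR else "vpc"
    return trace(tables, entry(a), b) == list(reversed(trace(tables, entry(b), a)))


if __name__ == "__main__":
    tables = build_tables()
    print(trace(tables, "dc-core", "192.168.1.10"))          # edge node -> API server
    print(trace(tables, "vpc", "172.16.4.4"))                # ECS -> pod on an edge node
    broken = without(tables, "vpc", EDGE_CONTAINER_CIDR)     # VPC route-table entry forgotten
    print(first_missing_hop(broken, "vpc", "172.16.4.4"))    # vpc
```

Run it after editing the route tables: `first_missing_hop` names the device to fix, and `symmetric` catches the common case where the inbound direction works but the return route on one cloud-side hop is missing.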

Configure the VPC security group

Outbound

  • Description: Allow outbound traffic to the data center CIDR block (10.0.0.0/8). For fine-grained control, limit the rule to the ports the cloud side actually calls: TCP ports 10250 and 10255 of the kubelet and TCP ports 9100 and 9445 of Node-Exporter.

  • Usage notes: If your ACK Edge cluster uses the Flannel plug-in, the security group must also allow UDP port 8472 in both directions:

    • Outbound: source the VPC CIDR block, destination the data center CIDR block.

    • Inbound: source the data center CIDR block, destination the VPC CIDR block.

Inbound

  • Description: Allow inbound traffic from the data center CIDR block (10.0.0.0/8). For fine-grained control, limit the rule to the ports the edge nodes actually call, for example TCP port 6443 of the API server.

  • Usage notes: None.
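The fine-grained firewall and security-group rules in the two preceding sections are easiest to validate as a model before committing them to devices, because a flow crosses two enforcement points and a rule that is present on one but missing on the other still fails. The following Python script is an added example (not Alibaba Cloud code or a tool from this page): it encodes the China (Hangzhou) rule set from this topic, evaluates a flow against every enforcement point it crosses, reports the first point that drops it, and checks that the four CIDR blocks of the topology do not overlap. The edge node address 10.20.30.40, the ECS address 192.168.1.10, and the use of 100.103.42.233 as the ACK Management address are assumptions for the example.

```python
"""Policy model for the data-center firewall and VPC security group on this page.

Added example, not Alibaba Cloud code. CIDR blocks, ports and the China
(Hangzhou) service addresses are the page's sample values; the edge node
10.20.30.40, the ECS instance 192.168.1.10 and the use of 100.103.42.233 for
ACK Management are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from itertools import combinations

net = ipaddress.ip_network
VPC_CIDR = net("192.168.0.0/16")
DC_CIDR = net("10.0.0.0/8")
CLOUD_SERVICE_CIDR = net("100.0.0.0/8")
EDGE_CONTAINER_CIDR = net("172.16.0.0/12")

# Fine-grained cloud-service destinations for China (Hangzhou), from the page.
OSS_CIDRS = [net(c) for c in ("100.118.28.0/24", "100.114.102.0/24",
                              "100.98.170.0/24", "100.118.31.0/24")]
REGISTRY_CIDRS = [net("100.103.9.188/32"), net("100.103.7.181/32")]
ACK_MANAGEMENT = [net("100.103.42.233/32")]  # example resolution of cs-anony-vpc.cn-hangzhou.aliyuncs.com


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                          # "tcp" or "udp"
    ports: frozenset = frozenset()      # destination ports; empty = any port

    def matches(self, src, dst, proto, port):
        return (src in self.src and dst in self.dst and proto == self.proto
                and (not self.ports or port in self.ports))


def allow(srcs, dsts, proto, *ports):
    """One Rule per (source, destination) pair for the given destination ports."""
    return [Rule(s, d, proto, frozenset(ports)) for s in srcs for d in dsts]


# Data-center firewall, outbound (data center -> cloud), fine-grained form.
DC_FW_OUTBOUND = (
    allow([DC_CIDR], OSS_CIDRS, "tcp", 80, 443)          # installation packages
    + allow([DC_CIDR], REGISTRY_CIDRS, "tcp", 443)       # Container Registry
    + allow([DC_CIDR], ACK_MANAGEMENT, "tcp", 80, 443)   # control plane endpoint
    + allow([DC_CIDR], [VPC_CIDR], "tcp", 6443)          # API server internal endpoint
    + allow([DC_CIDR], [VPC_CIDR], "udp", 8472)          # Flannel VXLAN
)
# Data-center firewall, inbound (cloud -> data center).
DC_FW_INBOUND = (
    allow([VPC_CIDR], [DC_CIDR], "tcp", 10250, 10255)    # kubelet
    + allow([VPC_CIDR], [DC_CIDR], "tcp", 9100, 9445)    # Node-Exporter
    + allow([VPC_CIDR], [DC_CIDR], "udp", 8472)          # Flannel VXLAN
)
# VPC security group: the same ports seen from the cloud side.
SG_OUTBOUND = DC_FW_INBOUND
SG_INBOUND = (allow([DC_CIDR], [VPC_CIDR], "tcp", 6443)
              + allow([DC_CIDR], [VPC_CIDR], "udp", 8472))


def permitted(rules, src, dst, proto, port):
    return any(r.matches(src, dst, proto, port) for r in rules)


def enforcement_points(src, dst):
    """Policies a flow crosses, in order, for the page's three traffic patterns."""
    if src in DC_CIDR and dst in VPC_CIDR:
        return [("dc-firewall-outbound", DC_FW_OUTBOUND), ("vpc-sg-inbound", SG_INBOUND)]
    if src in DC_CIDR and dst in CLOUD_SERVICE_CIDR:
        return [("dc-firewall-outbound", DC_FW_OUTBOUND)]   # service VIPs have no security group
    if src in VPC_CIDR and dst in DC_CIDR:
        return [("vpc-sg-outbound", SG_OUTBOUND), ("dc-firewall-inbound", DC_FW_INBOUND)]
    raise ValueError(f"no dedicated-connection path from {src} to {dst}")


def check_flow(src, dst, proto, port):
    """Return (allowed, name of the first policy that drops the flow or '')."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, rules in enforcement_points(src, dst):
        if not permitted(rules, src, dst, proto, port):
            return False, name
    return True, ""


def overlapping(cidrs):
    """Pairs of blocks that overlap; the four blocks of this topology must yield none."""
    return [(str(a), str(b)) for a, b in combinations(cidrs, 2) if a.overlaps(b)]


if __name__ == "__main__":
    for flow in [("10.20.30.40", "192.168.1.10", "tcp", 6443),   # node -> API server
                 ("192.168.1.10", "10.20.30.40", "tcp", 10250),  # metrics -> kubelet
                 ("192.168.1.10", "10.20.30.40", "tcp", 22),     # not in the rule set
                 ("10.20.30.40", "100.118.28.7", "tcp", 443)]:   # node -> OSS
        print(flow, check_flow(*flow))
    print(overlapping([VPC_CIDR, DC_CIDR, CLOUD_SERVICE_CIDR, EDGE_CONTAINER_CIDR]))
```

The overlap check matters because the page's four blocks (data center, VPC, cloud services, edge containers) are all routed as plain prefixes; if your real data center block collided with any of them, a route on one hop would silently shadow another.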

Inbound port requirements for edge nodes

The following list shows the ports that must be open for inbound traffic on your edge nodes so that the cloud-side VPC can reach them.

TCP 10250 and 10255

  • Source: the CIDR block of your VPC. (Optional) For fine-grained control, restrict the source to the vSwitch CIDR blocks used by your cluster.

  • Description:

    • The API server communicates with the kubelet on each node through ports 10250 and 10255 for O&M.

    • The Metrics Server scrapes metrics from the kubelet on each node through ports 10250 and 10255.

TCP 9100 and 9445

  • Source: the CIDR block of your VPC. (Optional) For fine-grained control, restrict the source to the vSwitch CIDR blocks used by your cluster.

  • Description: Prometheus scrapes monitoring data from the Node-Exporter service on each node through ports 9100 and 9445.

UDP 8472

  • Source: the CIDR blocks of your VPC and of your nodes. Required only if you use the Flannel network plug-in.

  • Description: Flannel uses UDP port 8472 on each node to build its VXLAN overlay network for cross-node pod communication.

Outbound domain names and ports for edge nodes

For edge nodes in dedicated connection mode, you must allow access to the following domain names and ports. In the endpoints, {region} is the ID of the region where the cluster is located; for example, the ID of the China (Hangzhou) region is cn-hangzhou. For a list of region IDs, see Supported regions.

Container Service control plane

  • Endpoint: cs-anony-vpc.{region}.aliyuncs.com

  • Port: TCP 443 (cluster version 1.26 and later) or TCP 80 (cluster versions earlier than 1.26).

  • Description: The control plane endpoint.

OSS installation packages

  • Endpoint: aliacs-k8s-{region}.oss-{region}-internal.aliyuncs.com

  • Port: TCP 443 (cluster version 1.26 and later) or TCP 80 and 443 (cluster versions earlier than 1.26).

  • Description: The OSS download endpoint for the installation packages of edgeadm, kubelet, the Container Network Interface (CNI) plug-in, the container runtime, and edgehub.

API server internal endpoint

  • Endpoint: shown on the Basic Information tab of the cluster details page.

  • Port: TCP 6443.

  • Description: The internal endpoint of the cluster API server.

NTP

  • Endpoint: ntp1.aliyun.com and cn.ntp.org.cn

  • Port: UDP 123 (NTP).

  • Description: NTP servers used for time synchronization. If you set the selfHostNtpServer parameter to true when you add the node, which indicates that you synchronize time yourself, this endpoint is not required.

System add-on image registry

  • Endpoints:

    • dockerauth-vpc.{region}.aliyuncs.com

    • dockerauth-ee-vpc.{region}.aliyuncs.com (not available in some regions; skip it there)

    • aliregistry-{region}.oss-{region}-internal.aliyuncs.com

    • registry-vpc.{region}.aliyuncs.com

      Important: This is the Container Registry (ACR) Personal Edition instance address and is needed only for clusters in the following regions: cn-nanjing, me-east-1, cn-north-2-gov-1, cn-hangzhou-finance-1, cn-shanghai-mybk, cn-shenzhen-finance-1, cn-beijing-finance-1, cn-wuhan-lr, and cn-heyuan-acdr-1.

    • registry-{region}-vpc.ack.aliyuncs.com

  • Port: TCP 443.

  • Description: Endpoints for system add-on images. For the CIDR blocks corresponding to these endpoints, see Endpoints and corresponding route CIDR blocks in dedicated connection mode.

System tools

  • Endpoint: not applicable. The packages come from the YUM or APT repositories configured on the node, so no extra domain names are required.

  • Port: not applicable.

  • Description: The following tools are required: net-tools, iproute, chrony (or ntpdate), crontabs, pciutils, socat, ebtables, iptables, and conntrack-tools. Before a node is added, the system checks whether they are installed and, if not, installs them online from the node's repositories (apt-get on Ubuntu, yum on CentOS).

Endpoints and corresponding route CIDR blocks in dedicated connection mode

Devices in a data center can access ACK add-on image registry endpoints over an internal network. Connect your data center to the VPC internal network using CEN, Express Connect, dedicated connection, or VPN. After the connection is established, configure routes to the ACK add-on image registry endpoints. Since images are stored in OSS, you must also configure routes for the OSS CIDR blocks. The following tables list the mappings between endpoints and route CIDR blocks in the dedicated connection mode.
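Replacing the broad 100.0.0.0/8 route with the specific blocks from the tables that follow (as the Configure network section suggests) means maintaining a per-region route list and re-checking it whenever a DNS answer changes. The Python script below is an added example, not Alibaba Cloud tooling: it embeds two regions' rows copied from the tables on this page (China (Hangzhou) and China (Beijing)), aggregates them with ipaddress.collapse_addresses into the smallest equivalent route set, verifies every route falls inside 100.0.0.0/8, classifies a destination address by table row, and reports resolved addresses that the installed routes would not reach. The ACK Management address for cn-hangzhou is this page's example resolution of cs-anony-vpc.cn-hangzhou.aliyuncs.com and may resolve differently in your VPC; the next-hop label "vbr" in the usage is a placeholder.

```python
"""Build the fine-grained cloud-service route list that can replace 100.0.0.0/8.

Added example, not Alibaba Cloud tooling. The region rows are copied from the
tables on this page (ACK add-on registry VIPs and OSS internal VIP blocks); the
ACK Management address for cn-hangzhou is the page's example resolution of
cs-anony-vpc.cn-hangzhou.aliyuncs.com and may resolve differently in your VPC.
"""
import ipaddress

CLOUD_SERVICE_CIDR = ipaddress.ip_network("100.0.0.0/8")

# Per-region route sources, from the tables on this page (two regions shown).
REGION_ROUTES = {
    "cn-hangzhou": {
        "registry": ["100.103.9.188/32", "100.103.7.181/32"],
        "oss": ["100.118.28.0/24", "100.114.102.0/24",
                "100.98.170.0/24", "100.118.31.0/24"],
        "ack-management": ["100.103.42.233/32"],
    },
    "cn-beijing": {
        "registry": ["100.103.99.73/32", "100.103.0.251/32", "100.103.6.63/32"],
        "oss": ["100.118.58.0/24", "100.118.167.0/24", "100.118.170.0/24",
                "100.118.171.0/24", "100.118.172.0/24", "100.118.173.0/24"],
    },
}


def collapse(cidrs):
    """Merge adjacent or nested blocks into the smallest equivalent route set."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))


def routes_for_region(region_id):
    """Aggregated routes to install on the core switch, VBR and ECR/CEN instead
    of 100.0.0.0/8. Raises if a row lies outside that block, because the broad
    route would never have covered it either."""
    sources = REGION_ROUTES[region_id]
    routes = collapse(c for group in sources.values() for c in group)
    for r in routes:
        if not r.subnet_of(CLOUD_SERVICE_CIDR):
            raise ValueError(f"{r} is outside {CLOUD_SERVICE_CIDR}")
    return routes


def classify(region_id, address):
    """Name the table row a destination belongs to (useful when reading flow logs)."""
    ip = ipaddress.ip_address(address)
    for name, cidrs in REGION_ROUTES[region_id].items():
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return name
    return None


def uncovered(region_id, resolved_addresses):
    """Addresses (for example a fresh DNS answer for cs-anony-vpc) that the
    installed route list would not reach; a non-empty result means the routes
    need updating before the next node is added."""
    routes = routes_for_region(region_id)
    return [a for a in resolved_addresses
            if not any(ipaddress.ip_address(a) in r for r in routes)]


def render(region_id, next_hop):
    """Vendor-neutral route lines; translate them into your device's syntax."""
    return [f"{r.with_prefixlen} via {next_hop}" for r in routes_for_region(region_id)]


if __name__ == "__main__":
    for line in render("cn-beijing", "vbr"):      # "vbr" is a placeholder next hop
        print(line)
    print(classify("cn-hangzhou", "100.118.28.9"))
    print(uncovered("cn-hangzhou", ["100.103.42.233", "100.103.42.234"]))
```

For China (Beijing) the six OSS /24 blocks collapse to four routes (two adjacent pairs become /23s), which is the kind of reduction that keeps the route tables on the VBR and the CEN transit router short when you drop the /8.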

ACK add-on internal image registry endpoints and route CIDR blocks

Public cloud

Region | Region ID | VPC endpoint | Route CIDR blocks
China (Hangzhou) | cn-hangzhou | registry-cn-hangzhou-vpc.ack.aliyuncs.com | 100.103.9.188/32, 100.103.7.181/32
China (Shanghai) | cn-shanghai | registry-cn-shanghai-vpc.ack.aliyuncs.com | 100.103.94.158/32, 100.103.7.57/32, 100.100.80.231/32
China (Fuzhou - Local Region) | cn-fuzhou | registry-cn-fuzhou-vpc.ack.aliyuncs.com | 100.100.0.43/32, 100.100.0.28/32
China (Qingdao) | cn-qingdao | registry-cn-qingdao-vpc.ack.aliyuncs.com | 100.100.0.172/32, 100.100.0.207/32
China (Beijing) | cn-beijing | registry-cn-beijing-vpc.ack.aliyuncs.com | 100.103.99.73/32, 100.103.0.251/32, 100.103.6.63/32
China (Zhangjiakou) | cn-zhangjiakou | registry-cn-zhangjiakou-vpc.ack.aliyuncs.com | 100.100.1.179/32, 100.100.80.152/32
China (Hohhot) | cn-huhehaote | registry-cn-huhehaote-vpc.ack.aliyuncs.com | 100.100.0.194/32, 100.100.80.55/32
China (Ulanqab) | cn-wulanchabu | registry-cn-wulanchabu-vpc.ack.aliyuncs.com | 100.100.0.122/32, 100.100.0.58/32
China (Shenzhen) | cn-shenzhen | registry-cn-shenzhen-vpc.ack.aliyuncs.com | 100.103.96.139/32, 100.103.6.153/32, 100.103.26.52/32
China (Heyuan) | cn-heyuan | registry-cn-heyuan-vpc.ack.aliyuncs.com | 100.100.0.150/32, 100.100.0.193/32
China (Guangzhou) | cn-guangzhou | registry-cn-guangzhou-vpc.ack.aliyuncs.com | 100.100.0.101/32, 100.100.0.21/32
China (Chengdu) | cn-chengdu | registry-cn-chengdu-vpc.ack.aliyuncs.com | 100.100.0.48/32, 100.100.0.64/32
Zhengzhou (CUCC Joint Venture) | cn-zhengzhou-jva | registry-cn-zhengzhou-jva-vpc.ack.aliyuncs.com | 100.100.0.111/32, 100.100.0.84/32
China (Hong Kong) | cn-hongkong | registry-cn-hongkong-vpc.ack.aliyuncs.com | 100.103.85.19/32, 100.100.80.157/32
US (Silicon Valley) | us-west-1 | registry-us-west-1-vpc.ack.aliyuncs.com | 100.103.13.55/32, 100.100.80.93/32
US (Virginia) | us-east-1 | registry-us-east-1-vpc.ack.aliyuncs.com | 100.103.12.19/32, 100.100.80.11/32
Japan (Tokyo) | ap-northeast-1 | registry-ap-northeast-1-vpc.ack.aliyuncs.com | 100.100.0.167/32, 100.100.80.198/32
South Korea (Seoul) | ap-northeast-2 | registry-ap-northeast-2-vpc.ack.aliyuncs.com | 100.100.0.71/32, 100.100.0.33/32
Singapore | ap-southeast-1 | registry-ap-southeast-1-vpc.ack.aliyuncs.com | 100.103.103.254/32, 100.100.80.136/32
Malaysia (Kuala Lumpur) | ap-southeast-3 | registry-ap-southeast-3-vpc.ack.aliyuncs.com | 100.100.0.17/32, 100.100.80.137/32
Indonesia (Jakarta) | ap-southeast-5 | registry-ap-southeast-5-vpc.ack.aliyuncs.com | 100.100.0.226/32, 100.100.80.200/32
Philippines (Manila) | ap-southeast-6 | registry-ap-southeast-6-vpc.ack.aliyuncs.com | 100.100.0.75/32, 100.100.0.24/32
Thailand (Bangkok) | ap-southeast-7 | registry-ap-southeast-7-vpc.ack.aliyuncs.com | 100.100.0.62/32, 100.100.0.34/32
Germany (Frankfurt) | eu-central-1 | registry-eu-central-1-vpc.ack.aliyuncs.com | 100.100.0.92/32, 100.100.80.155/32
UK (London) | eu-west-1 | registry-eu-west-1-vpc.ack.aliyuncs.com | 100.100.0.175/32, 100.100.0.18/32
SAU (Riyadh - Partner Region) | me-central-1 | registry-me-central-1-vpc.ack.aliyuncs.com | 100.100.0.109/32, 100.100.0.18/32

OSS internal endpoints and VIP CIDR blocks

Public cloud

The names of some regions outside the Chinese mainland may differ between the OSS pricing page and the resource plan purchase page. However, these different names refer to the same physical location. For example, the US (Silicon Valley) region may be displayed as US West 1 or US West. For more information, see OSS Pricing or Purchase a resource plan.

Important

Due to a policy change to improve compliance and security, starting March 20, 2025, new OSS users must use a custom domain name (CNAME) to perform data API operations on OSS buckets located in Chinese mainland regions. Default public endpoints are restricted for these operations. Refer to the official announcement for a complete list of the affected operations. If you access your data via HTTPS, you must bind a valid SSL Certificate to your custom domain. This is mandatory for OSS Console access, as the console enforces HTTPS.

Asia-Pacific - China

Region | Region ID | Public endpoint | Internal endpoint | Dual-stack endpoint | Internal VIP CIDR blocks
China (Hangzhou) | cn-hangzhou | oss-cn-hangzhou.aliyuncs.com | oss-cn-hangzhou-internal.aliyuncs.com | cn-hangzhou.oss.aliyuncs.com | 100.118.28.0/24, 100.114.102.0/24, 100.98.170.0/24, 100.118.31.0/24
China (Shanghai) | cn-shanghai | oss-cn-shanghai.aliyuncs.com | oss-cn-shanghai-internal.aliyuncs.com | cn-shanghai.oss.aliyuncs.com | 100.98.35.0/24, 100.98.110.0/24, 100.98.169.0/24, 100.118.102.0/24
China (Nanjing - Local Region) (Closing Down) | cn-nanjing | oss-cn-nanjing.aliyuncs.com | oss-cn-nanjing-internal.aliyuncs.com | Not supported | 100.114.142.0/24
China (Qingdao) | cn-qingdao | oss-cn-qingdao.aliyuncs.com | oss-cn-qingdao-internal.aliyuncs.com | cn-qingdao.oss.aliyuncs.com | 100.115.173.0/24, 100.99.113.0/24, 100.99.114.0/24, 100.99.115.0/24
China (Beijing) | cn-beijing | oss-cn-beijing.aliyuncs.com | oss-cn-beijing-internal.aliyuncs.com | cn-beijing.oss.aliyuncs.com | 100.118.58.0/24, 100.118.167.0/24, 100.118.170.0/24, 100.118.171.0/24, 100.118.172.0/24, 100.118.173.0/24
China (Zhangjiakou) | cn-zhangjiakou | oss-cn-zhangjiakou.aliyuncs.com | oss-cn-zhangjiakou-internal.aliyuncs.com | cn-zhangjiakou.oss.aliyuncs.com | 100.118.90.0/24, 100.98.159.0/24, 100.114.0.0/24, 100.114.1.0/24
China (Hohhot) | cn-huhehaote | oss-cn-huhehaote.aliyuncs.com | oss-cn-huhehaote-internal.aliyuncs.com | cn-huhehaote.oss.aliyuncs.com | 100.118.195.0/24, 100.99.110.0/24, 100.99.111.0/24, 100.99.112.0/24
China (Ulanqab) | cn-wulanchabu | oss-cn-wulanchabu.aliyuncs.com | oss-cn-wulanchabu-internal.aliyuncs.com | cn-wulanchabu.oss.aliyuncs.com | 100.114.11.0/24, 100.114.12.0/24, 100.114.100.0/24, 100.118.214.0/24
China (Shenzhen) | cn-shenzhen | oss-cn-shenzhen.aliyuncs.com | oss-cn-shenzhen-internal.aliyuncs.com | cn-shenzhen.oss.aliyuncs.com | 100.118.78.0/24, 100.118.203.0/24, 100.118.204.0/24, 100.118.217.0/24
China (Heyuan) | cn-heyuan | oss-cn-heyuan.aliyuncs.com | oss-cn-heyuan-internal.aliyuncs.com | cn-heyuan.oss.aliyuncs.com | 100.98.83.0/24, 100.118.174.0/24
China (Guangzhou) | cn-guangzhou | oss-cn-guangzhou.aliyuncs.com | oss-cn-guangzhou-internal.aliyuncs.com | cn-guangzhou.oss.aliyuncs.com | 100.115.33.0/24, 100.114.101.0/24
China (Chengdu) | cn-chengdu | oss-cn-chengdu.aliyuncs.com | oss-cn-chengdu-internal.aliyuncs.com | cn-chengdu.oss.aliyuncs.com | 100.115.155.0/24, 100.99.107.0/24, 100.99.108.0/24, 100.99.109.0/24
China (Hong Kong) | cn-hongkong | oss-cn-hongkong.aliyuncs.com | oss-cn-hongkong-internal.aliyuncs.com | cn-hongkong.oss.aliyuncs.com | 100.115.61.0/24, 100.99.103.0/24, 100.99.104.0/24, 100.99.106.0/24

Asia-Pacific - Other

Region | Region ID | Public endpoint | Internal endpoint | Dual-stack endpoint | Internal VIP CIDR blocks
Japan (Tokyo) | ap-northeast-1 | oss-ap-northeast-1.aliyuncs.com | oss-ap-northeast-1-internal.aliyuncs.com | Not supported | 100.114.211.0/24, 100.114.114.0/25
South Korea (Seoul) | ap-northeast-2 | oss-ap-northeast-2.aliyuncs.com | oss-ap-northeast-2-internal.aliyuncs.com | Not supported | 100.99.119.0/24
Singapore | ap-southeast-1 | oss-ap-southeast-1.aliyuncs.com | oss-ap-southeast-1-internal.aliyuncs.com | Not supported | 100.118.219.0/24, 100.99.213.0/24, 100.99.116.0/24, 100.99.117.0/24
Malaysia (Kuala Lumpur) | ap-southeast-3 | oss-ap-southeast-3.aliyuncs.com | oss-ap-southeast-3-internal.aliyuncs.com | Not supported | 100.118.165.0/24, 100.99.125.0/24, 100.99.130.0/24, 100.99.131.0/24
Indonesia (Jakarta) | ap-southeast-5 | oss-ap-southeast-5.aliyuncs.com | oss-ap-southeast-5-internal.aliyuncs.com | Not supported | 100.114.98.0/24
Philippines (Manila) | ap-southeast-6 | oss-ap-southeast-6.aliyuncs.com | oss-ap-southeast-6-internal.aliyuncs.com | Not supported | 100.115.16.0/24
Thailand (Bangkok) | ap-southeast-7 | oss-ap-southeast-7.aliyuncs.com | oss-ap-southeast-7-internal.aliyuncs.com | Not supported | 100.98.249.0/24

Europe and Americas

Region | Region ID | Public endpoint | Internal endpoint | Dual-stack endpoint | Internal VIP CIDR blocks
Germany (Frankfurt) | eu-central-1 | oss-eu-central-1.aliyuncs.com | oss-eu-central-1-internal.aliyuncs.com | eu-central-1.oss.aliyuncs.com | 100.115.154.0/24
UK (London) | eu-west-1 | oss-eu-west-1.aliyuncs.com | oss-eu-west-1-internal.aliyuncs.com | Not supported | 100.114.114.128/25
US (Silicon Valley) | us-west-1 | oss-us-west-1.aliyuncs.com | oss-us-west-1-internal.aliyuncs.com | Not supported | 100.115.107.0/24
US (Virginia) | us-east-1 | oss-us-east-1.aliyuncs.com | oss-us-east-1-internal.aliyuncs.com | Not supported | 100.115.60.0/24, 100.99.100.0/24, 100.99.101.0/24, 100.99.102.0/24
Mexico | na-south-1 | oss-na-south-1.aliyuncs.com | oss-na-south-1-internal.aliyuncs.com | Not supported | 100.115.112.0/27

Middle East

Region | Region ID | Public endpoint | Internal endpoint | Dual-stack endpoint | Internal VIP CIDR blocks
UAE (Dubai) | me-east-1 | oss-me-east-1.aliyuncs.com | oss-me-east-1-internal.aliyuncs.com | Not supported | 100.99.235.0/24
SAU (Riyadh - Partner Region) | me-central-1 | oss-me-central-1.aliyuncs.com | oss-me-central-1-internal.aliyuncs.com | Not supported | 100.99.121.0/24