Use Global Accelerator (GA) to pull container images from overseas registries (such as Docker Hub) into a Container Service for Kubernetes (ACK) cluster located in the Chinese mainland. GA routes image pull traffic through its global network, bypassing connectivity issues that cause slow or failed pulls.
When to use this approach
This approach is best when your ACK cluster nodes need direct, accelerated access to overseas registries and you want to avoid mirroring images into a private registry. If you already use Container Registry (ACR), consider using ACR's image synchronization instead. See Pull images.
Prerequisites
Before you begin, ensure that you have:
- An ACK managed cluster Pro version 1.24 or later. See Create an ACK managed cluster or Manually upgrade a cluster.
Usage notes
- Regulate your network access behavior. If the target website contains illegal content, access may be blocked.
- This feature incurs GA instance fees in addition to ACK cluster costs. GA fees include instance fees, performance Capacity Unit (CU) fees, and network bandwidth fees. See Product Billing.
How it works
The setup has three parts:
- GA instance: A medium GA instance with premium bandwidth cross-border acceleration routes image pull traffic from your ACK nodes in the Chinese mainland to the overseas registry endpoints.
- Forwarding rules: Virtual endpoint groups and forwarding rules on the GA listener direct traffic for each registry domain (for example, docker.io, production.cloudflare.docker.com) to the correct endpoint.
- DNS records: DNS records on your cluster nodes point registry domains to the GA accelerated IP addresses, so all image pull requests go through the GA instance.
For DNS records, two options are available. Choose based on your cluster scale and maintenance preference:
| | /etc/hosts (local) | Cloud DNS PrivateZone |
|---|---|---|
| Scope | Node only. Pods need separate custom Hosts config. | All nodes in the Virtual Private Cloud (VPC) and their pods. |
| Maintainability | Manual, per-node. | Centralized management. |
| Update speed | Immediate after file edit. | Depends on TTL (default: 1 minute). |
| Best for | Quick fix on a few nodes, or small-scale deployments. | Large-scale clusters requiring long-term stability. |
| Additional cost | None. | Incurs charges. See Product Billing. |
Step 1: Create a medium GA instance
A medium GA instance provides fully connected, cross-border acceleration for Layer 4 (TCP and UDP) and Layer 7 (HTTP and HTTPS) traffic. Configure it to accelerate traffic from your ACK cluster regions to the overseas registry.
The medium GA instance created in this example uses premium bandwidth cross-border acceleration by default.
- Log on to the GA console.
- On the Instances page, click Create Standard Pay-as-you-go Instance and complete the configuration wizard. The following table describes the key settings. For a full reference, see Create and manage a medium Global Accelerator instance.

| Section | Setting | Example value |
|---|---|---|
| Basic Instance Configuration | Instance Billing Method | Pay-As-You-Go |
| Configure Acceleration Area | Acceleration Area | Select the regions where your ACK cluster nodes are located. This example uses Hangzhou and Shanghai. For supported regions, see Acceleration areas and regions. |
| | Maximum Bandwidth | 200 Mbps per area |
| | IP Protocol | IPv4 |
| Configure listeners | Protocol | TCP |
| | Port | 80,443 (valid range: 1–65499; up to 30 ports per listener, comma-separated) |
| Configure an endpoint group | Region | The overseas region hosting the registry. This example uses US (Virginia). |
| | Backend Service Type | Custom Domain Name |
| | Backend Service | The main domain of the registry to pull from. This example uses docker.io. |
| | Weight | 255 (valid range: 0–255). Setting the weight to 0 stops traffic to the endpoint. |

- After completing the configuration, go to the GA instance details page. On the Acceleration Areas tab, record the Accelerated IP Address for each region where your ACK cluster is located. You need these IPs in Step 3.
Step 2: Configure forwarding rules for the GA instance
Docker Hub uses multiple domains (for example, docker.io and production.cloudflare.docker.com). Add a virtual endpoint group and forwarding rule for each additional domain so the GA listener can route traffic to all of them.
1. On the GA instance details page, click the Listeners tab, then click the listener ID to open the Listener details page.
2. On the Endpoint Group tab, click Add Virtual Endpoint Group and configure it:
   - Backend Service Type: Custom Domain Name
   - Backend Service: The additional registry domain to accelerate (for example, production.cloudflare.docker.com)
   - Weight: 255
3. On the Forwarding Rule tab, click Add Forwarding Rule and configure it:
   - Host: Select Exact Match. Enter the same domain you configured as the backend service (for example, production.cloudflare.docker.com).
   - Then: Select Forward to virtual endpoint group, and select the virtual endpoint group you added in the previous step.

Repeat steps 2–3 for each additional domain associated with the target registry.

For more information on forwarding rules, see Add and manage forwarding rules.
Step 3: Configure DNS records
Point the registry domains to the GA accelerated IPs on your ACK cluster nodes so that image pull requests route through GA.
For the four Docker Hub domains, the roles are:
| Domain | Role |
|---|---|
| docker.io | Docker main domain |
| registry-1.docker.io | Docker registry |
| auth.docker.io | Docker authentication service |
| production.cloudflare.docker.com | Docker content delivery |
Choose one of the following methods based on your scale and maintenance needs (see the comparison table in How it works).
Option A: Local /etc/hosts records (recommended for quick setup)
Add A records directly to the /etc/hosts file on each ACK cluster node. This method takes effect immediately and requires no additional cost.
For new nodes (recommended long-term path):
Configure a startup script in the node pool so every new node gets the DNS records automatically:
- In the ACK console, go to Clusters and click your cluster name.
- In the left navigation pane, choose Nodes > Node Pools.
- Click Edit in the Actions column of the target node pool.
- Under Advanced Options (Optional), enter the following script in User Data, replacing <accelerated-IP> with the accelerated IP you recorded in Step 1:

  ```shell
  echo "<accelerated-IP> production.cloudflare.docker.com" >> /etc/hosts  # Docker content delivery domain name.
  echo "<accelerated-IP> docker.io" >> /etc/hosts  # Docker main domain name.
  echo "<accelerated-IP> registry-1.docker.io" >> /etc/hosts  # Docker registry domain name.
  echo "<accelerated-IP> auth.docker.io" >> /etc/hosts  # Docker authentication service domain name.
  ```

- Click Confirm.
For existing nodes:
Run the script on existing nodes using Cloud Assistant:
- In the ACK console, go to Clusters and click your cluster name.
- In the left navigation pane, choose Nodes > Nodes.
- Select the nodes that need to pull images, click Batch Operations at the bottom of the page, set the operation type to Run Shell Scripts, and click OK.
- Select ACS-ECS-BulkyRunCommand as the execution template (supports running Cloud Assistant commands across multiple ECS instances in batch).
- Enter the same script as above, with the actual accelerated IP. Complete the parameter configuration and create the task.

[Image: example of filling in the script]
Verify: After the task completes, log on to an ECS instance and confirm the records are present:

```shell
cat /etc/hosts | grep docker
```

Then test whether the node can pull a container image:

```shell
docker pull docker.io/library/nginx:latest
```
The /etc/hosts entries apply only to the node itself — pods running on the node need separate custom Hosts configuration.
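The append-only script in Option A writes duplicate lines every time it runs and leaves any earlier accelerated IP in the file. As an added example (not part of the original page), the following shell functions rewrite the four Docker Hub entries idempotently and then audit the result; HOSTS_FILE and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): idempotent /etc/hosts pinning.
# HOSTS_FILE and all function names are assumptions made for illustration.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
REGISTRY_DOMAINS="docker.io registry-1.docker.io auth.docker.io production.cloudflare.docker.com"

# Accept only a dotted-quad IPv4 address (the GA instance in this guide uses IPv4).
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
            if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }'
}

# Rewrite HOSTS_FILE so each registry domain maps to exactly one IP.
# Any older line naming a registry domain is dropped whole (other names on it too).
set_registry_hosts() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "invalid accelerated IP: $ip" >&2; return 1; }
    tmp="$(mktemp)" || return 1
    awk -v domains="$REGISTRY_DOMAINS" '
        BEGIN { n = split(domains, d, " "); for (i = 1; i <= n; i++) managed[d[i]] = 1 }
        /^[ \t]*#/ { print; next }
        { for (i = 2; i <= NF; i++) { if ($i ~ /^#/) break; if (($i) in managed) next }
          print }
    ' "$HOSTS_FILE" > "$tmp" || { rm -f "$tmp"; return 1; }
    for d in $REGISTRY_DOMAINS; do
        printf '%s %s\n' "$ip" "$d" >> "$tmp"
    done
    # Overwrite in place so the file keeps its inode, owner and mode.
    cat "$tmp" > "$HOSTS_FILE" && rm -f "$tmp"
}

# Report every registry domain that is missing or mapped to another IP.
# Returns 0 only when all four domains map to the expected IP in HOSTS_FILE.
audit_registry_hosts() {
    ip="$1"; bad=0
    for d in $REGISTRY_DOMAINS; do
        found="$(awk -v dom="$d" '
            /^[ \t]*#/ { next }
            { for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break
                if ($i == dom) { print $1; break } } }
        ' "$HOSTS_FILE" | sort -u | tr '\n' ' ')"
        if [ "$found" != "$ip " ]; then
            echo "MISMATCH $d -> ${found:-none}"; bad=1
        fi
    done
    return "$bad"
}
```

In node pool user data or a Cloud Assistant task, call `set_registry_hosts "<accelerated-IP>"` followed by `audit_registry_hosts "<accelerated-IP>"` and treat a non-zero exit status as a failed rollout.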
Option B: Cloud DNS PrivateZone records (recommended for large-scale clusters)
Configure CNAME records in Alibaba Cloud DNS PrivateZone to point each registry domain to the GA instance's accelerated domain name. This method applies to all nodes in the VPC and their pods without per-node configuration.
Cloud DNS PrivateZone incurs charges after configuration takes effect. See Product Billing.
Because docker.io and production.cloudflare.docker.com have different top-level domains, you need to create two authoritative zones: io and cloudflare.docker.com. The following steps show how to create the cloudflare.docker.com zone. Repeat for io.
1. Get the GA instance's CNAME accelerated domain name.
- Log on to the GA console and go to Standard Instance > Instances.
- Click the target GA instance ID.
- On the Instance Information page, copy the CNAME accelerated domain name.

2. Get the VPC ID of the ACK cluster.
- Log on to the ACK console and go to Clusters.
- Click the target cluster name, then click Cluster Information in the left navigation pane.
- On the Basic Information tab, copy the VPC ID from the Network section.
3. Create the PrivateZone authoritative zone and CNAME records.
- Log on to the Alibaba Cloud DNS console.
- In the left navigation pane, click Private Zone, then select Authoritative Zone > User Defined Zones.
- Click Add Zone, enter cloudflare.docker.com as the zone name, enable Recursive Resolution Proxy for Subdomain Names, and click OK.
- In the User Defined Zones tab, click Settings in the Actions column for cloudflare.docker.com, then click Add Record.
- In the Add Record dialog, select Form Editor Mode and configure the following settings:

| Parameter | Value |
|---|---|
| Record Type | CNAME (points a domain to another domain) |
| Hostname | For zone cloudflare.docker.com: enter production. For zone io: enter docker, registry-1.docker, and auth.docker in sequence (one record each). |
| Record Values | The CNAME accelerated domain name you copied in step 1. |
| TTL | Default is 1 minute. Smaller values make record updates propagate faster. |

  Click OK.
- In the User Defined Zones tab, click Effective Scope in the Actions column for cloudflare.docker.com.
- In the Effective Scope dialog, under Effective in VPCs, select Current Account > Standard VPC. Select the region where your ACK cluster is located, then select the VPC ID you copied in step 2 (hover over a VPC name to see its ID). Click OK.
Verify: After configuration takes effect (within the TTL period), log on to an ECS instance in the cluster and test whether the node can pull a container image:

```shell
docker pull docker.io/library/nginx:latest
```
What's next
- Use Container Registry (ACR) to automate image building, pulling, and management. See Pull images.
- For questions or feedback about this feature, contact us.