When a Kubernetes cluster in a data center is connected to a registered cluster over an Express Connect circuit and uses serverless computing resources, the ack-virtual-node component must call Alibaba Cloud API operations to manage the lifecycle of those resources. The internal domain names of these API endpoints typically resolve to IP addresses in the 100.x.x.x range, which may overlap with CIDR blocks already used by Services in the data center network, so access to the API endpoints or to those Services can break. This topic describes how to use PrivateLink to route the API calls through an endpoint in your VPC and avoid the CIDR block conflict.
Prerequisites
A registered cluster is created and connected to a Kubernetes cluster in a data center or from another cloud provider (Kubernetes 1.24 or later is recommended).
The ack-virtual-node component is installed and its version is 2.13.0 or later. For more information, see Schedule pods to run on elastic container instances through virtual nodes.
The endpoint service is activated.
Procedure
To use serverless computing resources through ack-virtual-node, you must create an endpoint for each of the three services it calls: the virtual private cloud (VPC) API, Container Compute Service (ACS), and Elastic Container Instance (ECI). The following steps show the VPC endpoint; repeat them for the other two.
Log on to the VPC console and click Create Endpoint on the Endpoints page.
On the Create Endpoint page, configure the endpoint based on the following information. For more information, see Create and manage endpoints.
Parameter: Description

Region: Select the region to which the endpoint belongs.

Endpoint Name: Specify a name for the endpoint.

Endpoint Type: Select Interface Endpoint.

Endpoint Service: Select Alibaba Cloud Service, and then enter the name of the endpoint service. Note: For Alibaba Cloud Service endpoints, you must submit a ticket to be added to the whitelist.

VPC: Select the VPC in which you want to create the endpoint.

Security Group: Select the security group to associate with the elastic network interface (ENI) of the endpoint. The endpoint ENI is the entry point through which the VPC reaches the endpoint service, and the security group controls which traffic from the VPC may reach that ENI, so limit its inbound rules to the sources that actually need to call the API. Note: By default, you can add an endpoint to up to five security groups.

Zone and vSwitch: Select a zone in which the endpoint service is deployed and a vSwitch in that zone. The system automatically creates an endpoint ENI in the vSwitch.
  Single zone: select one zone of the endpoint service.
  Multiple zones: click the icon in the Zone and vSwitch section and click OK in the message that appears. By default, you must select two zones and one vSwitch in each zone. To select more zones, click Add vSwitch. Note: Selecting multiple zones keeps the endpoint reachable if one zone fails, because the endpoint ENIs in the other zones continue to serve traffic.

Resource Group: Select the resource group to which the endpoint belongs.

Tag: Configure the Tag Key and Tag Value.

Description: Enter a description for the endpoint.

Access Policies: Select an access policy.
  Default Policy: The full access policy is used, which allows all calls to the endpoint service through this endpoint.
  Custom Policy: Enter a custom access policy if you need to restrict what can be accessed through the endpoint.

Note: When you create an endpoint for the first time, the system automatically creates a service-linked role for the endpoint. The role allows the endpoint to access other resources. For more information, see Service linked role.
After you complete the configuration, click OK.
Log on to the Alibaba Cloud DNS console. In the left-side navigation pane, click Private DNS (PrivateZone), and then click the Cloud Service Defined Zones tab to view the domain name that is resolved to the endpoint by default.
Click the domain name in the Built-in Authoritative Zone column to view the resolution records, and confirm that they point to the endpoint ENI addresses in your VPC rather than to the 100.x.x.x range.
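To make the conflict check and the final verification repeatable, the following is an added example (not code from the original topic or from Alibaba Cloud) that reports which of your data center CIDR blocks overlap the 100.x.x.x cloud range and, given the resolution records of an API domain name, says whether every address now lands inside an endpoint vSwitch. All CIDR blocks, domain names and addresses in it are constructed placeholders, and the `resolve` helper is only for a live lookup after the endpoint exists.

```python
import ipaddress
import socket
from typing import Dict, Iterable, List, Tuple

# --- Constructed inputs (placeholders, not real Alibaba Cloud data) ----------

# Address space that internal API endpoints typically resolve into over the
# internal network: the 100.x.x.x range (100.64.0.0/10 is RFC 6598 shared space).
CLOUD_INTERNAL_CIDRS = ["100.64.0.0/10"]

# CIDR blocks already used by Services in the data-center network (assumed).
DATACENTER_SERVICE_CIDRS = ["100.100.0.0/16", "10.96.0.0/12"]

# CIDR blocks of the vSwitches that host the endpoint ENIs (assumed).
ENDPOINT_VSWITCH_CIDRS = ["192.168.10.0/24", "192.168.11.0/24"]

# Resolution records as they might look before and after the PrivateLink
# endpoint exists. Domain names are hypothetical.
RECORDS_BEFORE = {
    "vpc.example-region.internal": ["100.100.20.5"],
    "eci.example-region.internal": ["100.100.20.7", "100.100.20.8"],
}
RECORDS_AFTER = {
    "vpc.example-region.internal": ["192.168.10.6", "192.168.11.6"],
    # One stale A record left behind: the check must still flag this domain.
    "eci.example-region.internal": ["192.168.10.8", "100.100.20.8"],
}


def _networks(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def overlapping_cidrs(a: Iterable[str], b: Iterable[str]) -> List[Tuple[str, str]]:
    """Pairs (x, y) with x from a and y from b whose address ranges overlap."""
    return [(str(x), str(y))
            for x in _networks(a) for y in _networks(b) if x.overlaps(y)]


def classify_address(addr: str, conflicting: Iterable[str], endpoint: Iterable[str]) -> str:
    """'endpoint' if inside an endpoint vSwitch, 'conflict' if inside a
    conflicting data-center CIDR, otherwise 'unknown'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in _networks(endpoint)):
        return "endpoint"
    if any(ip in n for n in _networks(conflicting)):
        return "conflict"
    return "unknown"


def check_records(records: Dict[str, List[str]], conflicting: Iterable[str],
                  endpoint: Iterable[str]) -> Dict[str, str]:
    """Per-domain verdict: 'ok' only if every address is inside an endpoint
    vSwitch; 'conflict' if any address falls in a conflicting CIDR (a single
    stale record is enough to fail); otherwise 'unknown'."""
    verdicts: Dict[str, str] = {}
    for domain, addrs in records.items():
        kinds = {classify_address(a, conflicting, endpoint) for a in addrs}
        if "conflict" in kinds:
            verdicts[domain] = "conflict"
        elif kinds == {"endpoint"}:
            verdicts[domain] = "ok"
        else:
            verdicts[domain] = "unknown"
    return verdicts


def resolve(domain: str) -> List[str]:
    """Live IPv4 lookup for use once the endpoint and PrivateZone exist;
    not used by the constructed samples above."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(domain, None, socket.AF_INET)})


if __name__ == "__main__":
    print("overlapping CIDRs:", overlapping_cidrs(DATACENTER_SERVICE_CIDRS, CLOUD_INTERNAL_CIDRS))
    print("before endpoint:", check_records(RECORDS_BEFORE, DATACENTER_SERVICE_CIDRS, ENDPOINT_VSWITCH_CIDRS))
    print("after endpoint: ", check_records(RECORDS_AFTER, DATACENTER_SERVICE_CIDRS, ENDPOINT_VSWITCH_CIDRS))
```

Run it with your own vSwitch CIDR blocks and the output of `resolve()` for each API domain name; a domain is only safe to use once every address it returns is inside an endpoint vSwitch, which is why a mixed result is reported as a conflict rather than a partial success.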