When you replicate Container Registry (ACR) images across borders — such as between the Chinese mainland and regions outside China, or between the Chinese mainland and Hong Kong (China) — slow or failed syncs are often caused by unstable public network connections. ACR provides two solutions: sync acceleration and custom synchronization links.
How it works
| Solution | Use when | Network link | How to configure |
|---|---|---|---|
| Sync acceleration | The default ACR sync link doesn't meet your cross-border replication needs and you have no special network requirements. | ACR acceleration link | Enable in the ACR console. See Solution 1: Use sync acceleration. |
| Custom synchronization link | Sync acceleration performance doesn't meet your latency requirements, or you need advanced control over the network link. | A Cloud Enterprise Network (CEN) instance that you configure | Set up CEN connectivity, configure VPCs for the source and destination ACR instances, then configure the custom sync link. See Solution 2: Use a custom synchronization link. |
Limitations
Synchronization is supported only between public cloud regions. Synchronization to non-public cloud regions — such as Alibaba Finance Cloud or Alibaba Gov Cloud — is not supported.
Both solutions are available only for Premium Edition ACR Enterprise instances.
Solution 1: Use sync acceleration
-
Log on to the Container Registry console.
-
In the top navigation bar, select a region.
-
In the left navigation pane, click Instances.
-
On the Instances page, click the Enterprise Edition instance you want to manage.
-
In the left navigation pane, choose Distribution > Instance Replication.
-
On the Instance Sync page, enable the Sync Acceleration switch in the upper-left corner.
-
In the Prompt dialog box, click OK.
After enabling sync acceleration, create a sync rule to replicate images from the source instance to the destination instance. For more information, see Synchronize images between instances within the same account (same-account) or Synchronize images between instances across different accounts (cross-account).
Reference data for sync acceleration performance
The following table shows P95 latency values for synchronizing a single-layer 1 GB image between different regions, collected in March 2022. Latency values exclude queuing time caused by exceeding the maximum number of concurrent sync tasks. The Hangzhou region is used as the Chinese mainland example.
The P95 value is the 95th percentile of task completion times. This means 95% of tasks completed in a time less than or equal to this value.
Solution 2: Use a custom synchronization link
Only one sync link can exist between two instances in different regions. Do not create duplicate links.
Step 1 (Optional): Grant permissions to a RAM user
A Resource Access Management (RAM) user needs the following permissions to use the custom synchronization link feature. For more information, see Grant permissions to a RAM user using a custom policy.
{
"Version": "1",
"Statement": [
{
"Action": [
"cr:CreateSyncCustomLink",
"cr:GetSyncCustomLink",
"cr:UpdateSyncCustomLink",
"cr:ListSyncCustomLink",
"cr:DeleteSyncCustomLink"
],
"Resource": "*",
"Effect": "Allow"
}
]
}Step 2 (Optional): Create VPCs
Create a virtual private cloud (VPC) in the source region and the destination region. The following example uses an instance in the Hangzhou region as the source and the Singapore region as the destination. The VPC in the Hangzhou region is named test1, and the VPC in the Singapore region is named test2.
Step 3: Connect the networks using CEN
Create a CEN instance and configure a transit router in the source and destination regions. For more information, see Connect VPCs across regions.
Step 4: Add VPCs to the source and destination ACR instances
-
Log on to the Container Registry console.
-
In the top navigation bar, select a region.
-
On the Instances page, click the target Enterprise instance.
-
On the Instance List page, click the Enterprise Edition instance in the Hangzhou region.
-
In the left navigation pane, choose Repository > Access Control.
-
On the VPC tab, click Add VPC.
-
In the Add VPC dialog box, set Existing VPC to test1, select a vSwitch, and click Confirm.
-
Repeat the preceding steps to add test2 to the destination instance. Record the Visit IP of the destination instance in the test2 VPC.
A VPC can be added to multiple destination instances in the same region. After you add the VPC, all instances can use the link to sync images.
-
On an ECS instance in the VPC associated with the source instance, run the following command to verify connectivity to the destination instance. Replace
<Target_IP>with the IP address recorded in the previous step.telnet <Target_IP> 443The expected output is:
Trying <Target_IP>... Connected to <Target_IP>.
Step 5: Configure a custom sync link
-
Log on to the Container Registry console.
-
In the top navigation bar, select a region.
-
On the Instance List page, click the target Enterprise instance.
-
Click the Enterprise Edition instance in the Hangzhou region.
-
In the left navigation pane, choose Distribution > Sync Link. On the page that appears, click Add Sync Link.
-
In the Network Instance wizard, configure the following parameters and click Next.
Parameter Description Link Name Enter a name for the sync link. Link Description Enter a description for the sync link. Instance ID/Name Select the ID of the CEN instance. Source Network Set the network parameters for the source instance region: <br>- VPC: Select the VPC for the source region. In this example, select test1 in the Hangzhou region. The VPC must be added to the source instance and have cross-region bandwidth configured in CEN. <br>- vSwitch: Select a vSwitch. Different regions support vSwitches in different zones — select a vSwitch in a zone as prompted. <br>- Security Group: Select a security group. Ports 80 and 443 must be open in the inbound direction. Managed security groups are not supported. Target network Set the network parameters for the destination instance region: <br>- Region: Select the destination region. <br>- VPC: Select the VPC for the destination region. In this example, select test2 in the Singapore region. The VPC must be added to the destination instance and have cross-region bandwidth configured in CEN. -
In the Interconnect Bandwidth wizard, configure the following parameters and click Create.
Parameter Description Maximum Bandwidth Usage The maximum bandwidth available for sync tasks on this link. Bandwidth is distributed evenly and dynamically across concurrent sync tasks. Total Sync Tasks The number of sync tasks that can use this link simultaneously. Tasks that exceed this limit are queued. Standard Edition instances support up to 5 concurrent sync tasks; Premium Edition instances support up to 10. -
On the Sync Link page, find the target link and click Enable in the Actions column.
-
In the Notice dialog box, click OK.
After enabling the sync link, create sync rules to replicate images from the source instance to the destination instance. The sync link is used automatically for acceleration. For more information, see Synchronize images between instances within the same account (same-account) or Synchronize images between instances across different accounts (cross-account).
FAQ
How do I check which link type a sync task used?
Log on to the Container Registry console. On the management page of the Enterprise Edition instance, choose Distribution > Sync Records in the left navigation pane. The Sync Records page shows the link type for each sync task:
-
Default Link: The default link of the Enterprise Edition instance.
-
Acceleration Link: Sync acceleration was used.
-
Custom Link: A custom CEN link was used.
API reference
To create a sync task using an API operation, see: