Container Registry: Build container images using the secure build mode for VPCs

Last Updated: Mar 26, 2026

When your source code or dependencies (such as Maven repositories) live inside a virtual private cloud (VPC) or a private data center, you need a way to build container images without routing traffic through the public internet. Container Registry Enterprise Edition supports VPC-based image builds, letting you access private GitLab repositories and internal services entirely over private network connections.

Prerequisites

Before you begin, ensure that you have:

  • A Container Registry Enterprise Edition instance. See Use a Container Registry Enterprise Edition instance to push and pull images

  • A self-managed GitLab service in a VPC or data center in the same region as your Container Registry Enterprise Edition instance

    • If GitLab is accessed through an Elastic Compute Service (ECS) instance IP address, add an inbound rule to the ECS security group that allows traffic from 100.104.0.0/16

    • If GitLab is accessed through a Server Load Balancer (SLB), no additional security group configuration is required

  • If your GitLab service or VPC-based service is in a data center connected via Express Connect:

    • The data center CIDR block must not overlap with 100.104.0.0/16

    • Configure a return route for 100.104.0.0/16 in the virtual border router (VBR) and your data center router. See What is Express Connect and VBR

  • A VPC and a vSwitch created in a zone that supports VPC mode. The following table lists supported zones

Supported zones

| Cloud type | Region | Zones |
|---|---|---|
| Alibaba Cloud public cloud | China (Beijing) | cn-beijing-c, cn-beijing-d, cn-beijing-e, cn-beijing-f, cn-beijing-g, cn-beijing-h, cn-beijing-i, cn-beijing-j, cn-beijing-k |
| Alibaba Cloud public cloud | China (Hangzhou) | cn-hangzhou-e, cn-hangzhou-f, cn-hangzhou-g, cn-hangzhou-h, cn-hangzhou-i, cn-hangzhou-j, cn-hangzhou-k |
| Alibaba Cloud public cloud | China (Shenzhen) | cn-shenzhen-a, cn-shenzhen-b, cn-shenzhen-c, cn-shenzhen-d, cn-shenzhen-e, cn-shenzhen-f |
| Alibaba Cloud public cloud | China (Shanghai) | cn-shanghai-a, cn-shanghai-b, cn-shanghai-c, cn-shanghai-d, cn-shanghai-e, cn-shanghai-f, cn-shanghai-g, cn-shanghai-i |
| Alibaba Cloud public cloud | China (Zhangjiakou) | cn-zhangjiakou-a, cn-zhangjiakou-b, cn-zhangjiakou-c |
| Alibaba Cloud public cloud | China (Hong Kong) | cn-hongkong-b, cn-hongkong-c, cn-hongkong-d |
| Alibaba Cloud public cloud | Singapore | ap-southeast-1a, ap-southeast-1b, ap-southeast-1c |
| Alibaba Cloud public cloud | Indonesia (Jakarta) | ap-southeast-5a, ap-southeast-5b |
| Alibaba Cloud public cloud | US (Virginia) | us-east-1a, us-east-1b |
| Alibaba Cloud public cloud | US (Silicon Valley) | us-west-1a, us-west-1b |
| Alibaba Cloud public cloud | UK (London) | eu-west-1a, eu-west-1b |
| Alibaba Cloud public cloud | Germany (Frankfurt) | eu-central-1a, eu-central-1b |
| Alibaba Cloud public cloud | Japan (Tokyo) | ap-northeast-1a, ap-northeast-1b |
| Alibaba Cloud public cloud | China (Chengdu) | cn-chengdu-a, cn-chengdu-b |
| Alibaba Cloud public cloud | China (Heyuan) | cn-heyuan-a, cn-heyuan-b |
| Alibaba Finance Cloud | China (Hangzhou) | cn-hangzhou-finance-h, cn-hangzhou-finance-i, cn-hangzhou-finance-j, cn-hangzhou-finance-k |

How it works

When you bind a VPC-based source code repository, Container Registry calls an ECS API operation to create a managed security group. This security group gives Container Registry services the network path to reach your self-managed GitLab instance. Container Registry then binds an elastic network interface (ENI) on your vSwitch to the Container Registry Enterprise Edition instance, completing the connection.

The managed security group is controlled entirely by Container Registry. You can view it, but cannot modify it. It denies all inbound traffic and permits outbound traffic only to the private endpoints of your GitLab service and Maven repository.
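
The network prerequisites (the 100.104.0.0/16 inbound rule and the Express Connect CIDR constraint) and the managed security group's egress policy described above can be checked before the link is created. The following Python check is an added example, not part of the original documentation; the `preflight` function, the config keys, and the sample values are constructed for illustration and are not a Container Registry API.

```python
import ipaddress

# Source range the page names for Container Registry build traffic.
BUILD_RANGE = ipaddress.ip_network("100.104.0.0/16")

def preflight(cfg):
    """Return findings for a planned VPC build link; an empty list means pass."""
    findings = []
    # Express Connect: data center CIDR blocks must not overlap the build range.
    for cidr in cfg.get("datacenter_cidrs", []):
        if ipaddress.ip_network(cidr).overlaps(BUILD_RANGE):
            findings.append(f"data center CIDR {cidr} overlaps {BUILD_RANGE}")
    # GitLab reached by ECS IP: an inbound accept rule must cover the whole range.
    if cfg.get("gitlab_on_ecs"):
        nets = [ipaddress.ip_network(r["source_cidr"])
                for r in cfg.get("inbound_rules", []) if r["policy"] == "accept"]
        nets = [n for n in nets if n.version == 4]
        if not any(BUILD_RANGE.subnet_of(n) for n in nets):
            partial = [str(n) for n in nets if n.subnet_of(BUILD_RANGE)]
            hint = f"; only {', '.join(partial)} is allowed" if partial else ""
            findings.append(f"no inbound rule allows all of {BUILD_RANGE}{hint}")
    # Managed security group: egress only to the GitLab IP and the listed extras.
    allowed = {ipaddress.ip_address(cfg["gitlab_ip"])}
    allowed |= {ipaddress.ip_address(ip) for ip in cfg.get("other_allowed_ips", [])}
    for name, ip in cfg.get("build_dependencies", {}).items():
        if ipaddress.ip_address(ip) not in allowed:
            findings.append(f"{name} ({ip}) is not in the link allow list")
    return findings

# Constructed sample inputs (hypothetical, not real infrastructure).
GOOD = {
    "gitlab_ip": "192.168.1.10", "other_allowed_ips": ["192.168.1.20"],
    "gitlab_on_ecs": True,
    "inbound_rules": [{"policy": "accept", "source_cidr": "100.104.0.0/16"}],
    "datacenter_cidrs": ["10.0.0.0/8"],
    "build_dependencies": {"maven": "192.168.1.20"},
}
BAD = {
    "gitlab_ip": "192.168.1.10", "other_allowed_ips": ["192.168.1.20"],
    "gitlab_on_ecs": True,
    "inbound_rules": [{"policy": "accept", "source_cidr": "100.104.0.0/24"}],
    "datacenter_cidrs": ["100.64.0.0/10"],
    "build_dependencies": {"maven": "192.168.1.20", "npm-mirror": "192.168.1.30"},
}

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, preflight(cfg) or "pass")
```

A build dependency flagged here would need to be listed under "Other IP addresses that need to be allowed" in Step 1, because the managed security group cannot be edited afterwards.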

Step 1: Create a VPC link

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the card of the target Container Registry Enterprise Edition instance.

  5. On the Overview page, choose Repository > Code Source.

  6. On the Code Source page, find GitLab and click Manage Link in the Actions column.

  7. In the Manage Link dialog box, configure the following parameters and click Create.

    | Parameter | Description | Example |
    |---|---|---|
    | Private IP address of the GitLab Server | Private IP address of the self-managed GitLab source code repository | 192.168.1.10 |
    | Other IP addresses that need to be allowed | Additional VPC private endpoints to allow outbound access to, such as a Maven repository | 192.168.1.20 |
    | Existing VPC | The VPC created in the prerequisites | vpc-bp1xxxxxxxxxx |
    | vSwitch | The vSwitch created in the prerequisites | vsw-bp1xxxxxxxxxx |

Step 2: Bind the GitLab source code repository

  1. On the Code Source page, find GitLab and click Bind Account in the Actions column.

  2. In the Private GitLab dialog box, configure the following parameters and click Confirm.

    | Parameter | Description | Example |
    |---|---|---|
    | Network Type | Select VPC | |
    | Link Information | The VPC link created in step 1 | |
    | Endpoint | Logon URL of the GitLab service. Use the private URL for a self-managed GitLab instance; use the public URL for a public GitLab service. | http://192.168.1.10 |
    | Username | Your GitLab username | alice |
    | Private Token | Your GitLab access token. See Bind a source code hosting platform for how to create one. | |

When Bound appears in the Status column for GitLab, the repository is successfully connected to your Container Registry Enterprise Edition instance.

Step 3: Build an image in the VPC

Warning

Before submitting the build task, clear Build With Servers Deployed Outside Chinese Mainland. Leaving this option selected causes the build to use servers outside the Chinese mainland, which cannot reach your VPC resources.

With the GitLab repository bound, trigger an image build. See Use Container Registry Enterprise Edition instances to build images for the full build workflow.

What's next