Container Registry: Configure a VPC ACL

Last Updated: Feb 28, 2026

When Elastic Compute Service (ECS) instances in a virtual private cloud (VPC) need to push or pull container images without traversing the public internet, add the VPC to the access control list (ACL) of your Container Registry Enterprise Edition instance. After the VPC is added, all ECS instances in the VPC can reach the Enterprise Edition instance through its VPC domain names over private networking.

How it works

When you add a VPC to the ACL:

  1. The Enterprise Edition instance consumes one IP address from the vSwitch you select in the VPC.

  2. Container Registry uses Alibaba Cloud DNS PrivateZone to automatically configure domain name resolution. The VPC domain names of the Enterprise Edition instance resolve to that IP address, so ECS instances can access the Enterprise Edition instance by using the VPC domain names.

  3. Container Registry automatically creates a service-linked role named AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone. This role grants the Enterprise Edition instance access to PrivateZone for automatic domain name resolution. For more information, see The service-linked role for Alibaba Cloud DNS PrivateZone.

After PrivateZone resolves the domain names, all ECS instances in the VPC can access the Enterprise Edition instance through its VPC domain names. You only need to select a vSwitch and a VPC.

Warning

Do not change the DNS zone that is automatically created in PrivateZone. If you change the DNS zone, exceptions occur during image pulls or image deletion.

Prerequisites

Before you begin, make sure that you have:

Usage notes

| Item | Description |
| --- | --- |
| VPC quota | The number of VPCs that can be added to an ACL varies based on the sub-edition of Container Registry Enterprise Edition instances. If the default VPC quota cannot meet your requirements, you can purchase additional quota. For more information, see Billing of Container Registry Enterprise Edition instances. |
| vSwitch IP availability | Select a vSwitch with enough idle IP addresses. The Enterprise Edition instance consumes one IP address from the vSwitch. |
| Helm charts | To configure ACLs for Helm charts, choose Helm Chart > Access Control instead of Repository > Access Control. |

Add a VPC to the ACL

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the Enterprise Edition instance that you want to manage.

  5. In the left-side navigation pane of the instance, choose Repository > Access Control.

  6. On the VPC tab, click Add VPC.

  7. In the Add VPC dialog box, select a VPC and a vSwitch, and then click Confirm. The status of the VPC changes from Creating to Running after the VPC is added.

  8. Optional: View the built-in authoritative zone in PrivateZone. After the VPC is added, Container Registry automatically creates a built-in authoritative zone in PrivateZone to resolve the domain names of the Enterprise Edition instance. To view the zone:

    1. Log on to the Alibaba Cloud DNS console.

    2. In the left-side navigation pane, click Configurations > Private Zone.

    3. On the User Defined Zones tab of the Authoritative Zone tab, view the built-in authoritative zone.
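
A check to run from an ECS instance in the VPC once the VPC status is Running, confirming that the VPC domain name of the Enterprise Edition instance resolves to an address inside the vSwitch you selected. This is an added example, not part of the original documentation; the domain name and CIDR block below are placeholders to replace with the values for your instance and vSwitch.

```python
import ipaddress
import socket

# Hypothetical placeholders: use the VPC domain name shown for your instance
# in the console and the CIDR block of the vSwitch selected in the Add VPC dialog.
REGISTRY_VPC_DOMAIN = "registry-vpc.example.invalid"
VSWITCH_CIDR = "192.168.10.0/24"


def resolve(host):
    """Return the sorted set of addresses the local resolver gives for host."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def classify(address, vswitch_cidr):
    """Classify one resolved address against the selected vSwitch."""
    ip = ipaddress.ip_address(address)
    net = ipaddress.ip_network(vswitch_cidr)
    if ip.version == net.version and ip in net:
        return "vswitch"         # expected: the IP consumed from the vSwitch
    if ip.is_global:
        return "public"          # image traffic would leave the VPC
    return "private-other"       # non-public, but not from the selected vSwitch


def check(addresses, vswitch_cidr):
    """Return (ok, findings); ok only if every address is in the vSwitch."""
    if not addresses:
        return False, [("<none>", "unresolved")]
    findings = [(a, classify(a, vswitch_cidr)) for a in addresses]
    return all(kind == "vswitch" for _, kind in findings), findings


if __name__ == "__main__":
    try:
        addrs = resolve(REGISTRY_VPC_DOMAIN)
    except socket.gaierror:
        addrs = []               # name does not resolve from this host
    ok, findings = check(addrs, VSWITCH_CIDR)
    for addr, kind in findings:
        print(f"{addr}: {kind}")
    raise SystemExit(0 if ok else 1)
```

A result other than `vswitch` means the instance is not resolving the name through the automatically created PrivateZone zone, for example because the ECS instance is in a VPC that has not been added to the ACL or because the zone was changed.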
