
Container Registry: Configure a VPC ACL

Last Updated: Nov 09, 2023

If you want to establish a connection between your Container Registry Enterprise Edition instance and an Elastic Compute Service (ECS) instance that resides in a virtual private cloud (VPC), you must configure a VPC access control list (ACL) for your Enterprise Edition instance. This topic describes how to configure a VPC ACL for a Container Registry Enterprise Edition instance.

Prerequisites

Background information

After you configure a VPC ACL for a Container Registry Enterprise Edition instance, the Enterprise Edition instance consumes an IP address in the VPC. The system must resolve VPC domain names of the Enterprise Edition instance to the IP address to allow ECS to access the Enterprise Edition instance by using the VPC domain names. Container Registry uses PrivateZone to automatically configure domain name resolution.

Note

When you configure a VPC ACL for a Container Registry Enterprise Edition instance, you can select a vSwitch that has sufficient IP addresses. After you configure the VPC ACL, all ECS instances in the VPC can access the Container Registry Enterprise Edition instance by using the VPC domain names of the Enterprise Edition instance.

When you configure a VPC ACL for an Enterprise Edition instance, Container Registry automatically creates the service-linked role AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone for PrivateZone. Then, the Enterprise Edition instance can access PrivateZone, and PrivateZone can automatically resolve the domain names of the Enterprise Edition instance. For more information about AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone, see The service-linked role for Alibaba Cloud DNS PrivateZone.

Warning

Do not change the DNS zone that is automatically created in PrivateZone. If you change the DNS zone, exceptions occur in image pulling or image deletion.

Procedure

Note

The quota of the VPCs that can be added to an ACL varies based on the editions of Container Registry Enterprise Edition instances. You can add up to three VPCs to an ACL of a Basic Edition instance of Container Registry Enterprise Edition, and add up to seven VPCs to an ACL of an Advanced Edition instance of Container Registry Enterprise Edition. For more information, see Billing of Container Registry Enterprise Edition instances.

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the Enterprise Edition instance that you want to manage.

  5. In the left-side navigation pane of the management page of the Container Registry Enterprise Edition instance, choose Repository > Access Control.

    Note

    If you want to configure ACLs for Helm charts, choose Helm Chart > Access Control.

  6. On the VPC tab, click Add VPC.

  7. In the Add VPC dialog box, select a VPC and a vSwitch, and click Confirm.

    Note

    You only need to select a vSwitch and a VPC. Then, all ECS instances in the VPC can access the Container Registry Enterprise Edition instance.

    After the status of the VPC association changes from Creating to Running, the VPC is added.

  8. Optional: View the DNS zone in PrivateZone.

    After the VPC is added, Container Registry automatically creates a DNS zone in PrivateZone to resolve the domain names of the Container Registry Enterprise Edition instance. You can view the DNS zone in PrivateZone.

    1. Log on to the Alibaba Cloud DNS console.

    2. In the left-side navigation pane, click PrivateZone.

      On the Authoritative Zones tab, view the DNS zone.
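
A check to run from an ECS instance in the added VPC once the association status is Running: it confirms that the VPC domain name of the Enterprise Edition instance resolves only to addresses inside the VPC CIDR block, which is the behavior described in Background information. This is an added example, not Alibaba Cloud code; the script name, the function names, and both command-line arguments (your instance's VPC domain name and your VPC's CIDR block) are assumptions that you supply.

```python
import ipaddress
import socket
import sys


def resolve(hostname, port=443):
    """Return the sorted, de-duplicated addresses the local resolver gives."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_vpc_resolution(addresses, vpc_cidr):
    """Split resolved addresses into those inside and outside the VPC CIDR.

    ok is True only when at least one address was returned and every
    address lies inside vpc_cidr, i.e. pulls stay on the VPC path.
    """
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    inside, outside = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        (inside if ip.version == net.version and ip in net else outside).append(addr)
    return {"inside": inside, "outside": outside,
            "ok": bool(inside) and not outside}


if __name__ == "__main__":
    # Usage: python3 check_acr_vpc_dns.py <vpc-domain-name> <vpc-cidr>
    # Both arguments come from your own instance and VPC; none are built in.
    if len(sys.argv) != 3:
        sys.exit("usage: check_acr_vpc_dns.py <vpc-domain-name> <vpc-cidr>")
    host, cidr = sys.argv[1], sys.argv[2]
    try:
        result = check_vpc_resolution(resolve(host), cidr)
    except socket.gaierror as exc:
        # No answer at all: the VPC association may still be in Creating,
        # or this host may not be in a VPC that was added to the ACL.
        sys.exit(f"{host}: resolution failed ({exc})")
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

A non-zero exit status means the name did not resolve or resolved to an address outside the VPC, so image pulls from that host would not use the VPC endpoint.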