If your Elastic Compute Service (ECS) instances reside in one or more virtual private clouds (VPCs), you must configure access to your Container Registry Enterprise Edition instance over the VPCs. Then, the ECS instances in the VPCs can connect to the Container Registry Enterprise Edition instance. This topic describes how to configure access to a Container Registry Enterprise Edition instance over VPCs.

Prerequisites

  • VPCs and vSwitches are created in the region where the Container Registry Enterprise Edition instance resides. For more information, see Create and manage a VPC.
  • Alibaba Cloud DNS PrivateZone is activated. For more information, see Activate PrivateZone.

Background information

After you configure access to the Container Registry Enterprise Edition instance over VPCs, the instance occupies an IP address in each VPC. You can use the internal domain name of the instance to access this instance over a VPC only when the internal domain name is resolved to the IP address occupied by the instance in the VPC. Container Registry uses PrivateZone to automatically configure domain name resolution.
Note: When you configure access over a VPC, you can select a random vSwitch or select a vSwitch that has sufficient IP addresses. After the settings are complete, all ECS instances in the VPC can access the Container Registry Enterprise Edition instance by using the internal domain name.

When you configure access to your Container Registry Enterprise Edition instance over VPCs, Container Registry automatically creates the service-linked role AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone for PrivateZone to resolve the domain names of the Container Registry Enterprise Edition instance. For more information about AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone, see The service-linked role for Alibaba Cloud DNS PrivateZone.

Precautions

Do not change the resolution zone that is automatically created in PrivateZone. If you change the resolution zone, errors such as image pull failures or image deletion failures occur.

Procedure

Note: You can add up to three VPCs to each Container Registry instance.
  1. Log on to the Container Registry console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, click Instances.
  4. On the Instances page, click the required Container Registry Enterprise Edition instance.
  5. On the management page of the Container Registry Enterprise Edition instance, choose Repositories > Access Control in the left-side navigation pane.
    Note: If you want to configure access control for Helm charts, choose Helm Chart > Access Control.
  6. On the VPC tab, click Add VPC.
  7. In the Add VPC dialog box, select a VPC and a vSwitch, and click Confirm.
    Note: You only need to select a VPC and a vSwitch. Then, all ECS instances in the VPC can access the Container Registry Enterprise Edition instance.
    After the status of the VPC changes from Creating to Running, the VPC is added.
  8. Optional: View the resolution zone of PrivateZone.
    After the VPC is added, Container Registry automatically creates a resolution zone in PrivateZone to resolve the domain name of the Container Registry Enterprise Edition instance. You can view the resolution zone in PrivateZone.
    1. Log on to the Alibaba Cloud DNS console.
    2. In the left-side navigation pane, click PrivateZone.

      On the Hosted Zones tab, view the resolution zone.
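
The following check is an added example, not part of the original documentation. Run from an ECS instance in an added VPC, it confirms the condition described in Background information: the internal domain name resolves only to addresses inside that VPC. The hostname and CIDR block are constructed placeholders; substitute the internal domain name of your instance and the CIDR block of your VPC.

```python
import ipaddress
import socket


def resolve(hostname):
    """Ask the local resolver (PrivateZone inside the VPC) for the host's addresses."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_vpc_resolution(hostname, vpc_cidrs, resolver=resolve):
    """Report whether every address returned for hostname lies inside vpc_cidrs."""
    networks = [ipaddress.ip_network(cidr) for cidr in vpc_cidrs]
    try:
        addresses = resolver(hostname)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return {"ok": False, "in_vpc": [], "outside": [], "error": str(exc)}

    in_vpc, outside = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # Membership is False when the address family differs from the network's.
        if any(ip in net for net in networks):
            in_vpc.append(addr)
        else:
            outside.append(addr)

    # Pass only if at least one address came back and none fall outside the VPC.
    ok = bool(in_vpc) and not outside
    return {"ok": ok, "in_vpc": in_vpc, "outside": outside, "error": None}


if __name__ == "__main__":
    # Placeholders (assumptions): replace with your instance's internal domain
    # name and the CIDR block of the VPC that you added on the VPC tab.
    HOSTNAME = "registry-vpc.example.internal"
    VPC_CIDRS = ["192.168.0.0/16"]

    result = check_vpc_resolution(HOSTNAME, VPC_CIDRS)
    if result["error"]:
        print(f"Resolution failed for {HOSTNAME}: {result['error']}")
    for addr in result["in_vpc"]:
        print(f"{addr}: inside the VPC")
    for addr in result["outside"]:
        print(f"{addr}: outside the VPC, check the PrivateZone resolution zone")
    raise SystemExit(0 if result["ok"] else 1)
```
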