If a Kubernetes cluster in your data center is connected as a registered cluster, its workloads may need to access Alibaba Cloud products over an internal network. You can use Cloud Enterprise Network (CEN), Express Connect, or a VPN to connect to the internal network of the region where the cloud product is deployed. Then, you must configure routes that point to the internal CIDR blocks of the cloud products. This topic lists the internal CIDR blocks for some cloud products in public and Finance Cloud regions and explains how to obtain them.
Precautions
Cloud products have fixed internal virtual IP address (VIP) ranges for each region. To prevent network failures, you must configure complete routes for each region.
When you use an Elastic Compute Service (ECS) instance to access a cloud product over an internal network, the security group must allow access to the entire VIP range. The VIP of the cloud product may change within this range. If you do not add the complete VIP range to the security group, the network connection may fail. You are responsible for any losses that result from the cloud product becoming inaccessible.
A cloud product typically uses a fixed internal IP address in a region, such as 100.103.22.120. To simplify route configuration, you can route the /24 block that contains the address, such as 100.103.22.0/24, instead of the individual address.
Data center security policy and route configuration
To ensure that your data center can access the required domain names and IP addresses after connecting through a leased line, complete the following configurations.
In the outbound security policy of your on-premises data center, allow access to the leased line addresses or domain names of the cloud products that you want to access.
Configure routes in both directions in the route tables of your data center, virtual border router (VBR), Cloud Enterprise Network (CEN), transit router (TR), and virtual private cloud (VPC).
After you connect the Kubernetes cluster in your data center as a registered cluster, you can use capabilities such as image services, cloud elasticity with Elastic Container Instance (ECI) and ECS, networking, observability, and logging. The use of these capabilities depends on the route configuration for the corresponding cloud product endpoints.
In an endpoint, {region} represents the region ID of the region that you want to access from your data center. For example, the region ID for China (Hangzhou) is cn-hangzhou.
To query the endpoints of a cloud product, see the documentation for that product.
The following sections list the service endpoints for corresponding cloud products in several common business scenarios.
ACK component CIDR block mappings
When a Kubernetes cluster in your data center is connected as a registered cluster and needs to use cloud capabilities such as elasticity, networking, observability, and logging, the registered cluster agent and other components must access the image addresses of ACK components over the internal network. Therefore, you must configure routes that point to the image addresses of ACK components. Because the images are stored in Object Storage Service (OSS), you must also configure the route CIDR blocks for OSS. The corresponding CIDR blocks are listed in the following tables.
ACK component internal image address and route CIDR block mappings
Public cloud regions
| Region | Region ID | VPC endpoint | Route |
|---|---|---|---|
| China (Hangzhou) | cn-hangzhou | registry-cn-hangzhou-vpc.ack.aliyuncs.com | 100.103.9.188/32, 100.103.7.181/32 |
| China (Shanghai) | cn-shanghai | registry-cn-shanghai-vpc.ack.aliyuncs.com | 100.103.94.158/32, 100.103.7.57/32, 100.100.80.231/32 |
| China (Fuzhou - Local Region) | cn-fuzhou | registry-cn-fuzhou-vpc.ack.aliyuncs.com | 100.100.0.43/32, 100.100.0.28/32 |
| China (Qingdao) | cn-qingdao | registry-cn-qingdao-vpc.ack.aliyuncs.com | 100.100.0.172/32, 100.100.0.207/32 |
| China (Beijing) | cn-beijing | registry-cn-beijing-vpc.ack.aliyuncs.com | 100.103.99.73/32, 100.103.0.251/32, 100.103.6.63/32 |
| China (Zhangjiakou) | cn-zhangjiakou | registry-cn-zhangjiakou-vpc.ack.aliyuncs.com | 100.100.1.179/32, 100.100.80.152/32 |
| China (Hohhot) | cn-huhehaote | registry-cn-huhehaote-vpc.ack.aliyuncs.com | 100.100.0.194/32, 100.100.80.55/32 |
| China (Ulanqab) | cn-wulanchabu | registry-cn-wulanchabu-vpc.ack.aliyuncs.com | 100.100.0.122/32, 100.100.0.58/32 |
| China (Shenzhen) | cn-shenzhen | registry-cn-shenzhen-vpc.ack.aliyuncs.com | 100.103.96.139/32, 100.103.6.153/32, 100.103.26.52/32 |
| China (Heyuan) | cn-heyuan | registry-cn-heyuan-vpc.ack.aliyuncs.com | 100.100.0.150/32, 100.100.0.193/32 |
| China (Guangzhou) | cn-guangzhou | registry-cn-guangzhou-vpc.ack.aliyuncs.com | 100.100.0.101/32, 100.100.0.21/32 |
| China (Chengdu) | cn-chengdu | registry-cn-chengdu-vpc.ack.aliyuncs.com | 100.100.0.48/32, 100.100.0.64/32 |
| Zhengzhou (CUCC Joint Venture) | cn-zhengzhou-jva | registry-cn-zhengzhou-jva-vpc.ack.aliyuncs.com | 100.100.0.111/32, 100.100.0.84/32 |
| China (Hong Kong) | cn-hongkong | registry-cn-hongkong-vpc.ack.aliyuncs.com | 100.103.85.19/32, 100.100.80.157/32 |
| US (Silicon Valley) | us-west-1 | registry-us-west-1-vpc.ack.aliyuncs.com | 100.103.13.55/32, 100.100.80.93/32 |
| US (Virginia) | us-east-1 | registry-us-east-1-vpc.ack.aliyuncs.com | 100.103.12.19/32, 100.100.80.11/32 |
| Japan (Tokyo) | ap-northeast-1 | registry-ap-northeast-1-vpc.ack.aliyuncs.com | 100.100.0.167/32, 100.100.80.198/32 |
| South Korea (Seoul) | ap-northeast-2 | registry-ap-northeast-2-vpc.ack.aliyuncs.com | 100.100.0.71/32, 100.100.0.33/32 |
| Singapore | ap-southeast-1 | registry-ap-southeast-1-vpc.ack.aliyuncs.com | 100.103.103.254/32, 100.100.80.136/32 |
| Malaysia (Kuala Lumpur) | ap-southeast-3 | registry-ap-southeast-3-vpc.ack.aliyuncs.com | 100.100.0.17/32, 100.100.80.137/32 |
| Indonesia (Jakarta) | ap-southeast-5 | registry-ap-southeast-5-vpc.ack.aliyuncs.com | 100.100.0.226/32, 100.100.80.200/32 |
| Philippines (Manila) | ap-southeast-6 | registry-ap-southeast-6-vpc.ack.aliyuncs.com | 100.100.0.75/32, 100.100.0.24/32 |
| Thailand (Bangkok) | ap-southeast-7 | registry-ap-southeast-7-vpc.ack.aliyuncs.com | 100.100.0.62/32, 100.100.0.34/32 |
| Germany (Frankfurt) | eu-central-1 | registry-eu-central-1-vpc.ack.aliyuncs.com | 100.100.0.92/32, 100.100.80.155/32 |
| UK (London) | eu-west-1 | registry-eu-west-1-vpc.ack.aliyuncs.com | 100.100.0.175/32, 100.100.0.18/32 |
| SAU (Riyadh - Partner Region) | me-central-1 | registry-me-central-1-vpc.ack.aliyuncs.com | 100.100.0.109/32, 100.100.0.18/32 |
Finance Cloud regions
| Region | Region ID | VPC endpoint | Route |
|---|---|---|---|
| China East 2 Finance | cn-shanghai-finance-1 | registry-cn-shanghai-finance-1-vpc.ack.aliyuncs.com | 100.100.0.54/32, 100.100.80.227/32 |
OSS internal domain name and VIP range mappings
Public cloud regions
| Region | Region ID | OSS-specific Region ID | VPC Endpoint | VIP range |
|---|---|---|---|---|
| China (Hangzhou) | cn-hangzhou | oss-cn-hangzhou | oss-cn-hangzhou-internal.aliyuncs.com | |
| China (Shanghai) | cn-shanghai | oss-cn-shanghai | oss-cn-shanghai-internal.aliyuncs.com | |
| China (Nanjing - Local Region - Decommissioning) | cn-nanjing | oss-cn-nanjing | oss-cn-nanjing-internal.aliyuncs.com | 100.114.142.0/24 |
| China (Qingdao) | cn-qingdao | oss-cn-qingdao | oss-cn-qingdao-internal.aliyuncs.com | |
| China (Beijing) | cn-beijing | oss-cn-beijing | oss-cn-beijing-internal.aliyuncs.com | |
| China (Zhangjiakou) | cn-zhangjiakou | oss-cn-zhangjiakou | oss-cn-zhangjiakou-internal.aliyuncs.com | |
| China (Hohhot) | cn-huhehaote | oss-cn-huhehaote | oss-cn-huhehaote-internal.aliyuncs.com | |
| China (Ulanqab) | cn-wulanchabu | oss-cn-wulanchabu | oss-cn-wulanchabu-internal.aliyuncs.com | |
| China (Shenzhen) | cn-shenzhen | oss-cn-shenzhen | oss-cn-shenzhen-internal.aliyuncs.com | |
| China (Heyuan) | cn-heyuan | oss-cn-heyuan | oss-cn-heyuan-internal.aliyuncs.com | |
| China (Guangzhou) | cn-guangzhou | oss-cn-guangzhou | oss-cn-guangzhou-internal.aliyuncs.com | |
| China (Chengdu) | cn-chengdu | oss-cn-chengdu | oss-cn-chengdu-internal.aliyuncs.com | |
| China (Hong Kong) | cn-hongkong | oss-cn-hongkong | oss-cn-hongkong-internal.aliyuncs.com | |
| US (Silicon Valley)* | us-west-1 | oss-us-west-1 | oss-us-west-1-internal.aliyuncs.com | 100.115.107.0/24 |
| US (Virginia)* | us-east-1 | oss-us-east-1 | oss-us-east-1-internal.aliyuncs.com | |
| Japan (Tokyo)* | ap-northeast-1 | oss-ap-northeast-1 | oss-ap-northeast-1-internal.aliyuncs.com | |
| South Korea (Seoul) | ap-northeast-2 | oss-ap-northeast-2 | oss-ap-northeast-2-internal.aliyuncs.com | 100.99.119.0/24 |
| Singapore* | ap-southeast-1 | oss-ap-southeast-1 | oss-ap-southeast-1-internal.aliyuncs.com | |
| Malaysia (Kuala Lumpur)* | ap-southeast-3 | oss-ap-southeast-3 | oss-ap-southeast-3-internal.aliyuncs.com | |
| Indonesia (Jakarta)* | ap-southeast-5 | oss-ap-southeast-5 | oss-ap-southeast-5-internal.aliyuncs.com | 100.114.98.0/24 |
| Philippines (Manila) | ap-southeast-6 | oss-ap-southeast-6 | oss-ap-southeast-6-internal.aliyuncs.com | 100.115.16.0/24 |
| Thailand (Bangkok) | ap-southeast-7 | oss-ap-southeast-7 | oss-ap-southeast-7-internal.aliyuncs.com | 100.98.249.0/24 |
| Germany (Frankfurt)* | eu-central-1 | oss-eu-central-1 | oss-eu-central-1-internal.aliyuncs.com | 100.115.154.0/24 |
| UK (London) | eu-west-1 | oss-eu-west-1 | oss-eu-west-1-internal.aliyuncs.com | 100.114.114.128/25 |
| UAE (Dubai)* | me-east-1 | oss-me-east-1 | oss-me-east-1-internal.aliyuncs.com | 100.99.235.0/24 |
| SAU (Riyadh - Partner Region) | me-central-1 | oss-me-central-1 | oss-me-central-1-internal.aliyuncs.com | 100.99.121.0/24 |
Finance Cloud regions
| Region | Region ID | OSS Region ID | Internal endpoint for access over VPCs | VIP range |
|---|---|---|---|---|
| China East 1 Finance | cn-hangzhou-finance | oss-cn-hzjbp | | |
| China East 2 Finance | cn-shanghai-finance-1 | oss-cn-shanghai-finance-1 | oss-cn-shanghai-finance-1-internal.aliyuncs.com | |
| China North 2 Finance (Preview) | cn-beijing-finance-1 | oss-cn-beijing-finance-1 | oss-cn-beijing-finance-1-internal.aliyuncs.com | 100.112.52.0/24 |
| China South 1 Finance | cn-shenzhen-finance-1 | oss-cn-shenzhen-finance-1 | oss-cn-shenzhen-finance-1-internal.aliyuncs.com | 100.112.15.0/24 |
| China East 1 Finance Public | cn-hangzhou-finance | oss-cn-hzfinance | oss-cn-hzfinance-internal.aliyuncs.com | |
| China East 2 Finance Public | cn-shanghai-finance-1 | oss-cn-shanghai-finance-1-pub | oss-cn-shanghai-finance-1-pub-internal.aliyuncs.com | |
| China South 1 Finance Public | cn-shenzhen-finance-1 | oss-cn-szfinance | oss-cn-szfinance-internal.aliyuncs.com | |
| China North 2 Finance Public | cn-beijing-finance-1 | oss-cn-beijing-finance-1-pub | oss-cn-beijing-finance-1-pub-internal.aliyuncs.com | 100.112.52.0/24 |
Application Monitoring internal domain and route CIDR mappings
| Region | Region ID | VPC Endpoint | Route CIDR blocks to add |
|---|---|---|---|
| China (Hangzhou) | cn-hangzhou | arms-dc-hz-internal.aliyuncs.com | 100.103.107.0/24 |
| China (Shanghai) | cn-shanghai | arms-dc-sh-internal.aliyuncs.com | 100.103.103.0/24 |
| China (Qingdao) | cn-qingdao | arms-dc-qd-internal.aliyuncs.com | 100.100.0.0/24 |
| China (Beijing) | cn-beijing | arms-dc-bj-internal.aliyuncs.com | 100.103.102.0/24 |
| China (Zhangjiakou) | cn-zhangjiakou | arms-dc-zb-internal.aliyuncs.com | 100.100.1.0/24 |
| China (Hohhot) | cn-huhehaote | dc-cn-huhehaote-internal.arms.aliyuncs.com | 100.100.0.0/24 |
| China (Ulanqab) | cn-wulanchabu | dc-cn-wulanchabu-internal.arms.aliyuncs.com | 100.100.0.0/24 |
| China (Shenzhen) | cn-shenzhen | arms-dc-sz-internal.aliyuncs.com | 100.103.103.0/24 |
| China (Heyuan) | cn-heyuan | dc-cn-heyuan-internal.arms.aliyuncs.com | 100.100.0.0/24 |
| China (Guangzhou) | cn-guangzhou | dc-cn-guangzhou-internal.arms.aliyuncs.com | 100.100.0.0/24 |
| China (Chengdu) | cn-chengdu | dc-cn-chengdu-internal.arms.aliyuncs.com | 100.100.0.0/24 |
| China (Hong Kong) | cn-hongkong | arms-dc-hk-internal.aliyuncs.com | 100.103.102.0/24 |
| US (Silicon Valley) | us-west-1 | arms-dc-usw-internal.aliyuncs.com | 100.103.83.0/24 |
| US (Virginia) | us-east-1 | dc-us-east-1-internal.arms.aliyuncs.com | 100.103.83.0/24 |
| Japan (Tokyo) | ap-northeast-1 | arms-dc-jp-internal.aliyuncs.com | 100.100.0.0/24 |
| Singapore | ap-southeast-1 | arms-dc-sg-internal.aliyuncs.com | 100.103.104.0/24 |
| Malaysia (Kuala Lumpur) | ap-southeast-3 | dc-ap-southeast-3-internal.arms.aliyuncs.com | 100.100.0.0/24 |
| Indonesia (Jakarta) | ap-southeast-5 | dc-ap-southeast-5-internal.arms.aliyuncs.com | 100.100.0.0/24 |
| Germany (Frankfurt) | eu-central-1 | dc-eu-central-1-internal.arms.aliyuncs.com | 100.100.0.0/24 |
| UK (London) | eu-west-1 | dc-eu-west-1-internal.arms.aliyuncs.com | 100.100.0.0/24 |
Cloud elasticity (ECI)
You can deploy the ack-virtual-node component in the registered cluster to schedule application pods to Elastic Container Instance (ECI). To do this, perform the following steps:
Install the ack-virtual-node component. For more information, see Schedule pods to ECI using virtual nodes.
Configure routes from your data center to the internal endpoints of the cloud products that the ack-virtual-node component uses. The ack-virtual-node component requires access only to ECI. For more information about ECI endpoints, see Endpoints.
Obtain the CIDR blocks that correspond to the endpoints. For more information, see Use the dig command to obtain the internal CIDR block of a cloud product.
Networking
Typically, a Kubernetes cluster in a data center already has a network plugin installed. If you use ECS node pools in your registered cluster and want to use the high-performance Terway network plugin on the cloud nodes, perform the following steps:
Install the Terway network component. For more information, see Deploy and configure the Terway network plugin.
Configure routes from your data center to the internal endpoints of the cloud products that the Terway network plugin uses. The Terway network plugin requires access to Elastic Compute Service (ECS) and Virtual Private Cloud (VPC).
For more information about ECS endpoints, see ECS endpoints.
For more information about VPC endpoints, see VPC endpoints.
Obtain the CIDR blocks that correspond to the endpoints. For more information, see Use the dig command to obtain the internal CIDR block of a cloud product.
Prometheus monitoring
You can deploy the arms-prometheus component in the registered cluster to monitor the Kubernetes cluster in your data center using Managed Service for Prometheus. To do this, perform the following steps:
Install the arms-prometheus component. For more information, see Connect a registered cluster to Managed Service for Prometheus.
Configure routes from your data center to the internal endpoints of the cloud products that the arms-prometheus component uses. The arms-prometheus component requires access to Managed Service for Prometheus.
Use the dig command to obtain the internal CIDR block of a cloud product
If the cloud product that you use is not listed above, you can use the `dig` command to obtain its internal CIDR block for a specific region. For example, if the ack-virtual-node component is deployed in the Kubernetes cluster in your data center, you can run the following command to obtain the CIDR block for the internal API endpoint of ECI in the China (Shanghai) region.
```shell
dig eci-vpc.cn-shanghai.aliyuncs.com
```

Expected output:

```
; <<>> DiG 9.10.6 <<>> eci-vpc.cn-shanghai.aliyuncs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11344
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;eci-vpc.cn-shanghai.aliyuncs.com. IN A
;; ANSWER SECTION:
eci-vpc.cn-shanghai.aliyuncs.com. 300 IN CNAME eci-vpc.cn-shanghai.aliyuncs.com.gds.alibabadns.com.
eci-vpc.cn-shanghai.aliyuncs.com.gds.alibabadns.com. 300 IN CNAME popunify-vpc.cn-shanghai.aliyuncs.com.
popunify-vpc.cn-shanghai.aliyuncs.com. 300 IN CNAME popunify-vpc.cn-shanghai.aliyuncs.com.gds.alibabadns.com.
popunify-vpc.cn-shanghai.aliyuncs.com.gds.alibabadns.com. 300 IN A 100.103.22.120
;; Query time: 93 msec
;; SERVER: 30.30.XX.XX#53(30.30.XX.XX)
;; WHEN: Tue Aug 27 13:59:01 CST 2024
;; MSG SIZE rcvd: 193
```

The output shows that the internal VIP for ECI in the China (Shanghai) region is 100.103.22.120.