You can connect edge nodes (on-premises nodes) to ACK Edge clusters in public network or private network mode. This topic describes how to configure endpoints when you connect edge nodes to ACK Edge clusters. This topic also describes how to configure IP routing and ports for internal endpoints in private network mode.
Introduction to ports
| Protocol | Port | Direction | Annotation |
| --- | --- | --- | --- |
| TCP | 10250 and 10255 | Inbound | |
| TCP | 9100 and 9445 | Inbound | Managed Service for Prometheus initiates a request to the node exporter port 9100 or port 9445 of the node to obtain monitoring data. |
| TCP | 10280 to 10284 | Outbound | When the proxy mode of Raven is enabled, the edge node accesses the public endpoint of the cloud Raven gateway through ports 10280 to 10284 to build a tunnel. |
| UDP | 8472 | Inbound and outbound | Flannel VXLAN uses the UDP port 8472 on the node to build a VXLAN tunnel. |
| UDP | 4500 | Outbound | When the tunnel mode of Raven is enabled, the edge node accesses the public endpoint of the cloud Raven gateway on port 4500 to build a tunnel. |
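The port table above is the inbound allowlist for an edge node and the outbound list that the node's egress policy must permit. The following script is an added example for this page, not Alibaba Cloud's code: it renders the table as an nftables input chain, returns the outbound requirements as data for the upstream firewall, and audits `ss -Hlntu` output for listeners that the table does not account for. The trusted source CIDR, the node-network CIDR, the Raven gateway address and the sample `ss` output are all constructed placeholders.

```python
"""Render the edge-node port table as a host firewall policy and audit open listeners.

Added example for this page, not Alibaba Cloud's code. The port rows are copied
from the table above; the trusted source CIDR, the node-network CIDR and the
Raven gateway address are placeholders the operator must replace. Rules are
rendered as nftables text and never applied, so the script runs anywhere.
"""
import ipaddress

# (protocol, first port, last port, direction, peer, purpose) as given on the page.
# peer selects which operator-supplied address the rule is scoped to.
EDGE_NODE_PORTS = (
    ("tcp", 10250, 10250, "in", "trusted", "node port listed on the page"),
    ("tcp", 10255, 10255, "in", "trusted", "node port listed on the page"),
    ("tcp", 9100, 9100, "in", "trusted", "node exporter scraped by Managed Service for Prometheus"),
    ("tcp", 9445, 9445, "in", "trusted", "node exporter scraped by Managed Service for Prometheus"),
    ("tcp", 10280, 10284, "out", "gateway", "Raven proxy mode tunnel to the cloud Raven gateway"),
    ("udp", 8472, 8472, "both", "nodes", "Flannel VXLAN between nodes"),
    ("udp", 4500, 4500, "out", "gateway", "Raven tunnel mode to the cloud Raven gateway"),
)


def _port_expr(first, last):
    """nftables port expression: a single port or an inclusive range."""
    return str(first) if first == last else f"{first}-{last}"


def render_nft_rules(trusted_cidr, node_cidr, raven_gateway):
    """Return {"input": [...], "output": [...]} nftables rules for the port table.

    trusted_cidr:  where control-plane and Prometheus requests originate (placeholder).
    node_cidr:     the edge node network that exchanges VXLAN traffic (placeholder).
    raven_gateway: public address of the cloud Raven gateway (placeholder).
    """
    # Validate operator-supplied addresses so a typo fails here, not inside nft.
    peers = {
        "trusted": ipaddress.ip_network(trusted_cidr, strict=False),
        "nodes": ipaddress.ip_network(node_cidr, strict=False),
        "gateway": ipaddress.ip_address(raven_gateway),
    }
    rules = {"input": [], "output": []}
    for proto, first, last, direction, peer, _purpose in EDGE_NODE_PORTS:
        ports = _port_expr(first, last)
        if direction in ("in", "both"):
            rules["input"].append(f"ip saddr {peers[peer]} {proto} dport {ports} accept")
        if direction in ("out", "both"):
            rules["output"].append(f"ip daddr {peers[peer]} {proto} dport {ports} accept")
    return rules


def to_nft_script(rules):
    """Wrap the input rules in a minimal inet table whose input chain drops by default.

    Only the input chain is emitted: the page's outbound list is incomplete on its
    own (DNS, NTP, the API server and OSS are listed in the next section), so the
    output rules are returned as data for the upstream egress policy instead.
    """
    lines = [
        "table inet edge_node {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    lines += [f"    {rule}" for rule in rules["input"]]
    lines += ["  }", "}"]
    return "\n".join(lines)


def unexpected_listeners(ss_output):
    """Return (proto, port) pairs listening on non-loopback addresses that the
    page's inbound table does not list, in the order they appear."""
    allowed = {
        (proto, port)
        for proto, first, last, direction, _peer, _purpose in EDGE_NODE_PORTS
        if direction in ("in", "both")
        for port in range(first, last + 1)
    }
    found = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]          # `ss -Hlntu` columns
        host, _, port = local.rpartition(":")
        if host.strip("[]") in ("127.0.0.1", "::1") or not port.isdigit():
            continue                                # loopback-only listeners are not exposed
        key = (proto, int(port))
        if key not in allowed and key not in found:
            found.append(key)
    return found


# Constructed sample of `ss -Hlntu` output on an edge node; the 8080 listener is
# deliberately not in the page's table so the audit has something to report.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      4096         0.0.0.0:10250      0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:10255      0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:9100       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:10248      0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:8080       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:8472       0.0.0.0:*
"""

if __name__ == "__main__":
    rules = render_nft_rules("10.0.0.0/16", "192.168.10.0/24", "203.0.113.10")
    print(to_nft_script(rules))
    print("egress policy must allow:", rules["output"])
    print("listeners not in the page's table:", unexpected_listeners(SAMPLE_SS_OUTPUT))
```

The generated input chain drops everything the table does not list, including SSH and ICMP, so extend it for your own management access before loading it with `nft -f`. Run the audit against real output with `ss -Hlntu | python3 -c 'import sys, edge_ports; print(edge_ports.unexpected_listeners(sys.stdin.read()))'` if the block is saved as `edge_ports.py`.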
Configure endpoints and IP routing for edge nodes
Edge nodes (on-premises devices or edge devices) must be able to reach the domain names and IP addresses listed in this topic. Configure the following settings based on how the nodes access the cluster.
Access over the Internet
In the outbound direction of the security policies for edge nodes, allow access to the public endpoints or domain names listed in the following table.
Ensure that the edge nodes have Internet access.
Access over a private network
In the outbound direction of the security policies for edge nodes, allow access to the internal endpoints or domain names listed in the following table.
Configure bidirectional routing on each hop between the data center and the cluster VPC: the data center router, the virtual border router (VBR), the Cloud Enterprise Network (CEN) instance, the transit router (TR), and the virtual private cloud (VPC) routing table.
Configure endpoints for edge nodes
In the following table, {region} indicates the region ID of the ACK Edge cluster, such as cn-hangzhou. For more information about region IDs, see Supported regions. When edge nodes access container images in private network mode, you must use internal endpoints and add routes pointing to the addresses of the container images and the Object Storage Service (OSS) buckets that store the container images. For more information about the internal endpoints and relevant routes, see Network management overview.
| Endpoint in public network mode | Endpoint in private network mode | Description |
| --- | --- | --- |
| | cs-anony-vpc.{region}.aliyuncs.com | The control plane endpoint. |
| aliacs-k8s-{region}.oss-{region}.aliyuncs.com | aliacs-k8s-{region}.oss-{region}-internal.aliyuncs.com | The endpoint for downloading files from OSS. The installation packages of components such as edgeadm, kubelet, Container Network Interface (CNI), runtime, and edgehub are downloaded from OSS. |
| The public endpoint of the API server | The internal endpoint of the API server | You can view the public endpoint of the API server on the Basic Information tab. |
| Address of the Internet-facing Server Load Balancer (SLB) instance of the tunnel-server (Kubernetes versions earlier than 1.26) | Not available in private network mode | View the information of the following Service: kube-system/x-tunnel-server-svc |
| Address of the Internet-facing SLB instance of the tunnel-server (Kubernetes 1.26 and later) | Not available in private network mode | View the information of the following Service: |
| ntp1.aliyun.com, cn.ntp.org.cn | ntp1.aliyun.com, cn.ntp.org.cn | The addresses of the NTP servers. If you set the |
| | | The address required for downloading system component images. For more information about IP routing for these endpoints in private network mode, see Network management overview. |
| Install the following system tools online: net-tools, iproute, chrony (or ntpdate), crontabs, pciutils, socat, ebtables, iptables, and conntrack-tools. | Install the following system tools online: net-tools, iproute, chrony (or ntpdate), crontabs, pciutils, socat, ebtables, iptables, and conntrack-tools. | Check whether the system tools are installed on the node to be added. If they are not installed, the system installs them online. The download addresses of these tools are determined by the YUM or APT repositories configured on the node. |
Endpoints and IP routing in private network mode
To access the private addresses of ACK component images from a data center, connect the data center to the VPC through CEN, Express Connect, leased lines, or VPN. You must also add routes that point to the private addresses of the component images and, because the images are stored in OSS, routes that point to the OSS internal endpoints. For more information, see Network management overview.
Private addresses of ACK components and routes
Regions on Public Cloud
| Region | Region ID | VPC endpoint | Route |
| --- | --- | --- | --- |
| China (Hangzhou) | cn-hangzhou | registry-cn-hangzhou-vpc.ack.aliyuncs.com | 100.103.9.188/32, 100.103.7.181/32 |
| China (Shanghai) | cn-shanghai | registry-cn-shanghai-vpc.ack.aliyuncs.com | 100.103.94.158/32, 100.103.7.57/32 |
| China (Fuzhou - Local Region) | cn-fuzhou | registry-cn-fuzhou-vpc.ack.aliyuncs.com | 100.100.0.43/32, 100.100.0.28/32 |
| China (Qingdao) | cn-qingdao | registry-cn-qingdao-vpc.ack.aliyuncs.com | 100.100.0.172/32, 100.100.0.207/32 |
| China (Beijing) | cn-beijing | registry-cn-beijing-vpc.ack.aliyuncs.com | 100.103.99.73/32, 100.103.0.251/32 |
| China (Zhangjiakou) | cn-zhangjiakou | registry-cn-zhangjiakou-vpc.ack.aliyuncs.com | 100.100.1.179/32, 100.100.80.152/32 |
| China (Hohhot) | cn-huhehaote | registry-cn-huhehaote-vpc.ack.aliyuncs.com | 100.100.0.194/32, 100.100.80.55/32 |
| China (Ulanqab) | cn-wulanchabu | registry-cn-wulanchabu-vpc.ack.aliyuncs.com | 100.100.0.122/32, 100.100.0.58/32 |
| China (Shenzhen) | cn-shenzhen | registry-cn-shenzhen-vpc.ack.aliyuncs.com | 100.103.96.139/32, 100.103.6.153/32 |
| China (Heyuan) | cn-heyuan | registry-cn-heyuan-vpc.ack.aliyuncs.com | 100.100.0.150/32, 100.100.0.193/32 |
| China (Guangzhou) | cn-guangzhou | registry-cn-guangzhou-vpc.ack.aliyuncs.com | 100.100.0.101/32, 100.100.0.21/32 |
| China (Chengdu) | cn-chengdu | registry-cn-chengdu-vpc.ack.aliyuncs.com | 100.100.0.48/32, 100.100.0.64/32 |
| Zhengzhou (CUCC Joint Venture) | cn-zhengzhou-jva | registry-cn-zhengzhou-jva-vpc.ack.aliyuncs.com | 100.100.0.111/32, 100.100.0.84/32 |
| China (Hong Kong) | cn-hongkong | registry-cn-hongkong-vpc.ack.aliyuncs.com | 100.103.85.19/32, 100.100.80.157/32 |
| US (Silicon Valley) | us-west-1 | registry-us-west-1-vpc.ack.aliyuncs.com | 100.103.13.55/32, 100.100.80.93/32 |
| US (Virginia) | us-east-1 | registry-us-east-1-vpc.ack.aliyuncs.com | 100.103.12.19/32, 100.100.80.11/32 |
| Japan (Tokyo) | ap-northeast-1 | registry-ap-northeast-1-vpc.ack.aliyuncs.com | 100.100.0.167/32, 100.100.80.198/32 |
| South Korea (Seoul) | ap-northeast-2 | registry-ap-northeast-2-vpc.ack.aliyuncs.com | 100.100.0.71/32, 100.100.0.33/32 |
| Singapore | ap-southeast-1 | registry-ap-southeast-1-vpc.ack.aliyuncs.com | 100.103.103.254/32, 100.100.80.136/32 |
| Malaysia (Kuala Lumpur) | ap-southeast-3 | registry-ap-southeast-3-vpc.ack.aliyuncs.com | 100.100.0.17/32, 100.100.80.137/32 |
| Indonesia (Jakarta) | ap-southeast-5 | registry-ap-southeast-5-vpc.ack.aliyuncs.com | 100.100.0.226/32, 100.100.80.200/32 |
| Philippines (Manila) | ap-southeast-6 | registry-ap-southeast-6-vpc.ack.aliyuncs.com | 100.100.0.75/32, 100.100.0.24/32 |
| Thailand (Bangkok) | ap-southeast-7 | registry-ap-southeast-7-vpc.ack.aliyuncs.com | 100.100.0.62/32, 100.100.0.34/32 |
| Germany (Frankfurt) | eu-central-1 | registry-eu-central-1-vpc.ack.aliyuncs.com | 100.100.0.92/32, 100.100.80.155/32 |
| UK (London) | eu-west-1 | registry-eu-west-1-vpc.ack.aliyuncs.com | 100.100.0.175/32, 100.100.0.18/32 |
| SAU (Riyadh - Partner Region) | me-central-1 | registry-me-central-1-vpc.ack.aliyuncs.com | 100.100.0.109/32, 100.100.0.18/32 |
Regions on Finance Cloud
| Region | Region ID | VPC endpoint | Route |
| --- | --- | --- | --- |
| China East 2 Finance | cn-shanghai-finance-1 | registry-cn-shanghai-finance-1-vpc.ack.aliyuncs.com | 100.100.0.54/32, 100.100.80.227/32 |
OSS internal endpoints and VIP ranges
Regions on Public Cloud
| Region | Region ID | OSS region ID | Internal endpoint for access over VPCs | VIP range |
| --- | --- | --- | --- | --- |
| China (Hangzhou) | cn-hangzhou | oss-cn-hangzhou | oss-cn-hangzhou-internal.aliyuncs.com | |
| China (Shanghai) | cn-shanghai | oss-cn-shanghai | oss-cn-shanghai-internal.aliyuncs.com | |
| China (Nanjing - Local Region) | cn-nanjing | oss-cn-nanjing | oss-cn-nanjing-internal.aliyuncs.com | 100.114.142.0/24 |
| China (Qingdao) | cn-qingdao | oss-cn-qingdao | oss-cn-qingdao-internal.aliyuncs.com | |
| China (Beijing) | cn-beijing | oss-cn-beijing | oss-cn-beijing-internal.aliyuncs.com | |
| China (Zhangjiakou) | cn-zhangjiakou | oss-cn-zhangjiakou | oss-cn-zhangjiakou-internal.aliyuncs.com | |
| China (Hohhot) | cn-huhehaote | oss-cn-huhehaote | oss-cn-huhehaote-internal.aliyuncs.com | |
| China (Ulanqab) | cn-wulanchabu | oss-cn-wulanchabu | oss-cn-wulanchabu-internal.aliyuncs.com | |
| China (Shenzhen) | cn-shenzhen | oss-cn-shenzhen | oss-cn-shenzhen-internal.aliyuncs.com | |
| China (Heyuan) | cn-heyuan | oss-cn-heyuan | oss-cn-heyuan-internal.aliyuncs.com | |
| China (Guangzhou) | cn-guangzhou | oss-cn-guangzhou | oss-cn-guangzhou-internal.aliyuncs.com | |
| China (Chengdu) | cn-chengdu | oss-cn-chengdu | oss-cn-chengdu-internal.aliyuncs.com | |
| China (Hong Kong) | cn-hongkong | oss-cn-hongkong | oss-cn-hongkong-internal.aliyuncs.com | |
| US (Silicon Valley) * | us-west-1 | oss-us-west-1 | oss-us-west-1-internal.aliyuncs.com | 100.115.107.0/24 |
| US (Virginia) * | us-east-1 | oss-us-east-1 | oss-us-east-1-internal.aliyuncs.com | |
| Japan (Tokyo) * | ap-northeast-1 | oss-ap-northeast-1 | oss-ap-northeast-1-internal.aliyuncs.com | |
| South Korea (Seoul) | ap-northeast-2 | oss-ap-northeast-2 | oss-ap-northeast-2-internal.aliyuncs.com | 100.99.119.0/24 |
| Singapore * | ap-southeast-1 | oss-ap-southeast-1 | oss-ap-southeast-1-internal.aliyuncs.com | |
| Australia (Sydney) Closing Down * | ap-southeast-2 | oss-ap-southeast-2 | oss-ap-southeast-2-internal.aliyuncs.com | 100.98.201.0/24 |
| Malaysia (Kuala Lumpur) * | ap-southeast-3 | oss-ap-southeast-3 | oss-ap-southeast-3-internal.aliyuncs.com | |
| Indonesia (Jakarta) * | ap-southeast-5 | oss-ap-southeast-5 | oss-ap-southeast-5-internal.aliyuncs.com | 100.114.98.0/24 |
| Philippines (Manila) | ap-southeast-6 | oss-ap-southeast-6 | oss-ap-southeast-6-internal.aliyuncs.com | 100.115.16.0/24 |
| Thailand (Bangkok) | ap-southeast-7 | oss-ap-southeast-7 | oss-ap-southeast-7-internal.aliyuncs.com | 100.98.249.0/24 |
| Germany (Frankfurt) * | eu-central-1 | oss-eu-central-1 | oss-eu-central-1-internal.aliyuncs.com | 100.115.154.0/24 |
| UK (London) | eu-west-1 | oss-eu-west-1 | oss-eu-west-1-internal.aliyuncs.com | 100.114.114.128/25 |
| UAE (Dubai) * | me-east-1 | oss-me-east-1 | oss-me-east-1-internal.aliyuncs.com | 100.99.235.0/24 |
| SAU (Riyadh) | me-central-1 | oss-me-central-1 | oss-me-central-1-internal.aliyuncs.com | 100.99.121.0/24 |
Regions on Finance Cloud
| Region | Region ID | OSS region ID | Internal endpoint for access over VPCs | VIP range |
| --- | --- | --- | --- | --- |
| China East 1 Finance | N/A | oss-cn-hzjbp | | |
| China East 2 Finance | N/A | oss-cn-shanghai-finance-1 | oss-cn-shanghai-finance-1-internal.aliyuncs.com | |
| China North 2 Finance (Preview) | N/A | oss-cn-beijing-finance-1 | oss-cn-beijing-finance-1-internal.aliyuncs.com | 100.112.52.0/24 |
| China South 1 Finance | N/A | oss-cn-shenzhen-finance-1 | oss-cn-shenzhen-finance-1-internal.aliyuncs.com | 100.112.15.0/24 |
| China East 1 Finance Public | N/A | oss-cn-hzfinance | oss-cn-hzfinance-internal.aliyuncs.com | |
| China East 2 Finance Public | N/A | oss-cn-shanghai-finance-1-pub | oss-cn-shanghai-finance-1-pub-internal.aliyuncs.com | |
| China South 1 Finance Public | N/A | oss-cn-szfinance | oss-cn-szfinance-internal.aliyuncs.com | |
| China North 2 Finance Public | N/A | oss-cn-beijing-finance-1-pub | oss-cn-beijing-finance-1-pub-internal.aliyuncs.com | 100.112.52.0/24 |
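In private network mode, the endpoint table with its {region} templates and the two tables above (registry VIPs and OSS VIP ranges) together define what a node's routing table must carry before it can pull component images. The following pre-flight check is an added example for this page, not Alibaba Cloud's code: it expands the {region} templates, collects the required routes for a region, parses `ip route show` output and reports any required prefix that no non-default route covers. Only two regions (ap-southeast-5 and eu-west-1) are embedded from the tables, the `ip route` output is a constructed sample, and treating the default route as insufficient is a design choice (in private mode the default route usually leads to the Internet, not to the VBR).

```python
"""Pre-flight routing check for an edge node joining an ACK Edge cluster in private
network mode.

Added example for this page, not Alibaba Cloud's code. Endpoint templates and
route values are copied from the page's tables for two regions only; extend the
dictionaries from the tables for other regions. The `ip route show` output below
is a constructed sample.
"""
import ipaddress

# Private-mode endpoint templates from the page; {region} is the cluster's region ID.
# The OSS template holds for the public cloud regions listed on the page, whose OSS
# region ID is "oss-" plus the region ID; Finance Cloud regions use other IDs.
PRIVATE_ENDPOINT_TEMPLATES = (
    "cs-anony-vpc.{region}.aliyuncs.com",
    "aliacs-k8s-{region}.oss-{region}-internal.aliyuncs.com",
    "registry-{region}-vpc.ack.aliyuncs.com",
    "oss-{region}-internal.aliyuncs.com",
)

# Routes copied from the page's tables (subset).
REGISTRY_ROUTES = {
    "ap-southeast-5": ("100.100.0.226/32", "100.100.80.200/32"),
    "eu-west-1": ("100.100.0.175/32", "100.100.0.18/32"),
}
OSS_VIP_RANGES = {
    "ap-southeast-5": ("100.114.98.0/24",),
    "eu-west-1": ("100.114.114.128/25",),
}


def private_endpoints(region):
    """Domain names the node must resolve and reach in private network mode."""
    return [template.format(region=region) for template in PRIVATE_ENDPOINT_TEMPLATES]


def required_routes(region):
    """Registry VIPs plus the OSS VIP range that must be routed toward the VBR."""
    if region not in REGISTRY_ROUTES or region not in OSS_VIP_RANGES:
        raise KeyError(f"region {region!r} is not embedded; copy its rows from the page")
    return list(REGISTRY_ROUTES[region]) + list(OSS_VIP_RANGES[region])


def parse_ip_route(text):
    """Return destination networks from `ip route show` output.

    A bare address is a host route (/32); 'default' is 0.0.0.0/0; lines whose first
    token is not a destination (unreachable, blackhole, ...) are skipped.
    """
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        try:
            nets.append(ipaddress.ip_network(dest, strict=False))
        except ValueError:
            continue
    return nets


def missing_routes(region, ip_route_text, ignore_default=True):
    """Required prefixes for `region` that no route in the table covers.

    With ignore_default=True (the recommended setting) a default route does not
    count, because in private mode it normally points at the Internet rather than
    at the data center router toward the VBR.
    """
    routes = [
        net for net in parse_ip_route(ip_route_text)
        if not (ignore_default and net.prefixlen == 0)
    ]
    missing = []
    for cidr in required_routes(region):
        need = ipaddress.ip_network(cidr)
        covered = any(need.version == r.version and need.subnet_of(r) for r in routes)
        if not covered:
            missing.append(cidr)
    return missing


# Constructed sample: one registry VIP route is deliberately absent.
SAMPLE_IP_ROUTE = """\
default via 192.168.10.1 dev eth0 proto static
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.21
100.100.0.226 via 192.168.10.254 dev eth0
100.114.98.0/24 via 192.168.10.254 dev eth0
"""

if __name__ == "__main__":
    region = "ap-southeast-5"
    print("endpoints:", private_endpoints(region))
    print("required routes:", required_routes(region))
    print("missing routes:", missing_routes(region, SAMPLE_IP_ROUTE))
```

On a real node, feed it live output with `ip route show | python3 -c 'import sys, edge_routes; print(edge_routes.missing_routes("ap-southeast-5", sys.stdin.read()))'` (assuming the block is saved as `edge_routes.py`); every prefix it prints needs a route toward the data center router, and the same prefixes must be present on the VBR, CEN, TR and VPC hops described earlier on the page.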