All Products
Search
Document Center

Container Service for Kubernetes:Configure endpoints and IP routing for edge nodes

Last Updated:Dec 20, 2024

You can connect edge nodes (on-premises nodes) to ACK Edge clusters in public network or private network mode. This topic describes how to configure endpoints when you connect edge nodes to ACK Edge clusters. This topic also describes how to configure IP routing and ports for internal endpoints in private network mode.

Introduction to ports

Protocol

Port

Direction

Annotation

TCP

10250 and 10255

Inbound

  • The API server initiates a request to the kubelet port 10250 or port 10255 of the node to perform O&M operations.

  • MetricsServer initiates a request to the kubelet port 10250 or port 10255 of the node to obtain the metric information.

9100 and 9445

Inbound

Managed Service for Prometheus initiates a request to the node exporter port 9100 or port 9445 of the node to obtain monitoring data.

[10280,10284]

Outbound

When the proxy mode of Raven is enabled, the edge node accesses the public endpoint of the cloud Raven gateway through ports 10280 to 10284 to build a tunnel.

UDP

8472

Inbound and outbound

Flannel VXLAN uses the UDP port 8472 on the node to build a VXLAN tunnel.

4500

Outbound

When the tunnel mode of Raven is enabled, the edge node accesses the public endpoint of the cloud Raven gateway on port 4500 to build a tunnel.

Configure endpoints and IP routing for edge nodes

To ensure that on-premises devices or edge devices can access the following domain names and IP addresses, you must configure the following settings based on different access methods.

Access over the Internet

  • In the outbound direction of the security policies for edge nodes, you must allow access to the public endpoint or domain names in the following table.

  • Ensure that the edge nodes have Internet access.

Access over a private network

  • In the outbound direction of the security policies for edge nodes, you must allow access to the internal endpoint or domain names in the following table.

  • Configure bidirectional routing for the following components: data center router, virtual border router (VBR), Cloud Enterprise Network (CEN) instance, transit router (TR), and virtual private cloud (VPC) routing table.

Configure endpoints for edge nodes

Note
  • In the following table, {region} indicates the region ID of the ACK Edge cluster, such as cn-hangzhou. For more information about region IDs, see Supported regions.

  • When edge nodes access container images in private network mode, you must use internal endpoints and add routes pointing to the addresses of the container images and the Object Storage Service (OSS) buckets that store the container images. For more information about the internal endpoints and relevant routes, see Endpoints and IP routing in private network mode.

Endpoint in public network mode

Endpoint in private network mode

Description

  • cs-anony.aliyuncs.com

  • cs-anony.{region}.aliyuncs.com

cs-anony-vpc.{region}.aliyuncs.com

The control plane endpoint.

aliacs-k8s-{region}.oss-{region}.aliyuncs.com

aliacs-k8s-{region}.oss-{region}-internal.aliyuncs.com

The endpoint for downloading files from OSS. You can download the installation packages of components such as edgeadm, kubelet, Container Network Interface (CNI), runtime, and edgehub from OSS.

The public endpoint of the API server.

The internal endpoint of the API server.

You can view the public endpoint of the API server on the Basic Information tab.

Address of the Internet-facing Server Load Balancer (SLB) instance of the tunnel-server

(Kubernetes versions earlier than 1.26)

Not available in private network mode

View the information of the following Service:

kube-system/x-tunnel-server-svc

Address of the Internet-facing SLB instance of the cloud Raven gateway

Not available in private network mode

View the information of the following Service:

  • kube-system/x-raven-proxy-svc-gw-cloud-xxx

  • kube-system/x-raven-tunnel-svc-gw-cloud-xxx

ntp1.aliyun.com cn.ntp.org.cn

ntp1.aliyun.com cn.ntp.org.cn

The address of the NTP server.

If you set the selfHostNtpServer parameter to true to manually synchronize the time, you can ignore this parameter.

  • dockerauth.{region}.aliyuncs.com

    Note

    Only the public endpoint of Docker in China (Zhangjiakou) is dockerauth-{region}.aliyuncs.com.

  • dockerauth-ee.{region}.aliyuncs.com

  • aliregistry-{region}.oss-{region}.aliyuncs.com

  • registry.{region}.aliyuncs.com

  • registry-{region}.ack.aliyuncs.com

  • dockerauth-vpc.{region}.aliyuncs.com

  • dockerauth-ee-vpc.{region}.aliyuncs.com

  • aliregistry-{region}.oss-{region}-internal.aliyuncs.com

  • registry-vpc.{region}.aliyuncs.com

  • registry-{region}-vpc.ack.aliyuncs.com

The address required for downloading system component images. For more information about IP routing for these endpoints in private network mode, see Endpoints and IP routing in private network mode.

Install the following system tools online: net-tools, iproute, chrony (or ntpdate), crontabs, pciutils, socat, ebtables, iptables, and conntrack-tools.

Install the following system tools online: net-tools, iproute, chrony (or ntpdate), crontabs, pciutils, socat, ebtables, iptables, and conntrack-tools.

Check whether the system tools are installed on the node to be added. If the system tools are not installed, the system installs the tools online. The addresses of these tools are determined by the YUM or APT repositories of the node.

  • Ubuntu: Run the apt-get command to install the system tools.

  • CentOS: Run the yum command to install the system tools.

Endpoints and IP routing in private network mode

To access the private addresses of ACK component images from a data center, you can choose to connect to a VPC through CEN, Express Connect, leased lines, or VPN. Additionally, you need to add routes that point to the private addresses of the component images, and to OSS because the images are stored there. For more information, see Network management overview.

Private addresses of ACK components and routes

Regions on Public Cloud

Region

Region ID

VPC endpoint

Route

China (Hangzhou)

cn-hangzhou

registry-cn-hangzhou-vpc.ack.aliyuncs.com

100.103.9.188/32

100.103.7.181/32

China (Shanghai)

cn-shanghai

registry-cn-shanghai-vpc.ack.aliyuncs.com

100.103.94.158/32

100.103.7.57/32

100.100.80.231/32

China (Fuzhou - Local Region)

cn-fuzhou

registry-cn-fuzhou-vpc.ack.aliyuncs.com

100.100.0.43/32 100.100.0.28/32

China (Qingdao)

cn-qingdao

registry-cn-qingdao-vpc.ack.aliyuncs.com

100.100.0.172/32

100.100.0.207/32

China (Beijing)

cn-beijing

registry-cn-beijing-vpc.ack.aliyuncs.com

100.103.99.73/32

100.103.0.251/32

100.103.6.63/32

China (Zhangjiakou)

cn-zhangjiakou

registry-cn-zhangjiakou-vpc.ack.aliyuncs.com

100.100.1.179/32

100.100.80.152/32

China (Hohhot)

cn-huhehaote

registry-cn-huhehaote-vpc.ack.aliyuncs.com

100.100.0.194/32

100.100.80.55/32

China (Ulanqab)

cn-wulanchabu

registry-cn-wulanchabu-vpc.ack.aliyuncs.com

100.100.0.122/32

100.100.0.58/32

China (Shenzhen)

cn-shenzhen

registry-cn-shenzhen-vpc.ack.aliyuncs.com

100.103.96.139/32

100.103.6.153/32

100.103.26.52/32

China (Heyuan)

cn-heyuan

registry-cn-heyuan-vpc.ack.aliyuncs.com

100.100.0.150/32

100.100.0.193/32

China (Guangzhou)

cn-guangzhou

registry-cn-guangzhou-vpc.ack.aliyuncs.com

100.100.0.101/32

100.100.0.21/32

China (Chengdu)

cn-chengdu

registry-cn-chengdu-vpc.ack.aliyuncs.com

100.100.0.48/32

100.100.0.64/32

Zhengzhou (CUCC Joint Venture)

cn-zhengzhou-jva

registry-cn-zhengzhou-jva-vpc.ack.aliyuncs.com

100.100.0.111/32 100.100.0.84/32

China (Hong Kong)

cn-hongkong

registry-cn-hongkong-vpc.ack.aliyuncs.com

100.103.85.19/32

100.100.80.157/32

US (Silicon Valley)

us-west-1

registry-us-west-1-vpc.ack.aliyuncs.com

100.103.13.55/32

100.100.80.93/32

US (Virginia)

us-east-1

registry-us-east-1-vpc.ack.aliyuncs.com

100.103.12.19/32

100.100.80.11/32

Japan (Tokyo)

ap-northeast-1

registry-ap-northeast-1-vpc.ack.aliyuncs.com

100.100.0.167/32

100.100.80.198/32

South Korea (Seoul)

ap-northeast-2

registry-ap-northeast-2-vpc.ack.aliyuncs.com

100.100.0.71/32

100.100.0.33/32

Singapore

ap-southeast-1

registry-ap-southeast-1-vpc.ack.aliyuncs.com

100.103.103.254/32

100.100.80.136/32

Malaysia (Kuala Lumpur)

ap-southeast-3

registry-ap-southeast-3-vpc.ack.aliyuncs.com

100.100.0.17/32

100.100.80.137/32

Indonesia (Jakarta)

ap-southeast-5

registry-ap-southeast-5-vpc.ack.aliyuncs.com

100.100.0.226/32

100.100.80.200/32

Philippines (Manila)

ap-southeast-6

registry-ap-southeast-6-vpc.ack.aliyuncs.com

100.100.0.75/32

100.100.0.24/32

Thailand (Bangkok)

ap-southeast-7

registry-ap-southeast-7-vpc.ack.aliyuncs.com

100.100.0.62/32

100.100.0.34/32

Germany (Frankfurt)

eu-central-1

registry-eu-central-1-vpc.ack.aliyuncs.com

100.100.0.92/32

100.100.80.155/32

UK (London)

eu-west-1

registry-eu-west-1-vpc.ack.aliyuncs.com

100.100.0.175/32

100.100.0.18/32

SAU (Riyadh - Partner Region)

me-central-1

registry-me-central-1-vpc.ack.aliyuncs.com

100.100.0.109/32 100.100.0.18/32

Regions on Finance Cloud

Region

Region ID

VPC endpoint

Route

China East 2 Finance

cn-shanghai-finance-1

registry-cn-shanghai-finance-1-vpc.ack.aliyuncs.com

100.100.0.54/32 100.100.80.227/32

OSS internal endpoints and VIP ranges

Regions on Public Cloud

Region

Region ID

OSS region ID

Internal endpoint for access over VPCs

VIP range

China (Hangzhou)

cn-hangzhou

oss-cn-hangzhou

oss-cn-hangzhou-internal.aliyuncs.com

  • 100.118.28.0/24

  • 100.114.102.0/24

  • 100.98.170.0/24

  • 100.118.31.0/24

China (Shanghai)

cn-shanghai

oss-cn-shanghai

oss-cn-shanghai-internal.aliyuncs.com

  • 100.98.35.0/24

  • 100.98.110.0/24

  • 100.98.169.0/24

  • 100.118.102.0/24

China (Nanjing - Local Region)

cn-nanjing

oss-cn-nanjing

oss-cn-nanjing-internal.aliyuncs.com

100.114.142.0/24

China (Qingdao)

cn-qingdao

oss-cn-qingdao

oss-cn-qingdao-internal.aliyuncs.com

  • 100.115.173.0/24

  • 100.99.113.0/24

  • 100.99.114.0/24

  • 100.99.115.0/24

China (Beijing)

cn-beijing

oss-cn-beijing

oss-cn-beijing-internal.aliyuncs.com

  • 100.118.58.0/24

  • 100.118.167.0/24

  • 100.118.170.0/24

  • 100.118.171.0/24

  • 100.118.172.0/24

  • 100.118.173.0/24

China (Zhangjiakou)

cn-zhangjiakou

oss-cn-zhangjiakou

oss-cn-zhangjiakou-internal.aliyuncs.com

  • 100.118.90.0/24

  • 100.98.159.0/24

  • 100.114.0.0/24

  • 100.114.1.0/24

China (Hohhot)

cn-huhehaote

oss-cn-huhehaote

oss-cn-huhehaote-internal.aliyuncs.com

  • 100.118.195.0/24

  • 100.99.110.0/24

  • 100.99.111.0/24

  • 100.99.112.0/24

China (Ulanqab)

cn-wulanchabu

oss-cn-wulanchabu

oss-cn-wulanchabu-internal.aliyuncs.com

  • 100.114.11.0/24

  • 100.114.12.0/24

  • 100.114.100.0/24

  • 100.118.214.0/24

China (Shenzhen)

cn-shenzhen

oss-cn-shenzhen

oss-cn-shenzhen-internal.aliyuncs.com

  • 100.118.78.0/24

  • 100.118.203.0/24

  • 100.118.204.0/24

  • 100.118.217.0/24

China (Heyuan)

cn-heyuan

oss-cn-heyuan

oss-cn-heyuan-internal.aliyuncs.com

  • 100.98.83.0/24

  • 100.118.174.0/24

China (Guangzhou)

cn-guangzhou

oss-cn-guangzhou

oss-cn-guangzhou-internal.aliyuncs.com

  • 100.115.33.0/24

  • 100.114.101.0/24

China (Chengdu)

cn-chengdu

oss-cn-chengdu

oss-cn-chengdu-internal.aliyuncs.com

  • 100.115.155.0/24

  • 100.99.107.0/24

  • 100.99.108.0/24

  • 100.99.109.0/24

China (Hong Kong)

cn-hongkong

oss-cn-hongkong

oss-cn-hongkong-internal.aliyuncs.com

  • 100.115.61.0/24

  • 100.99.103.0/24

  • 100.99.104.0/24

  • 100.99.106.0/24

US (Silicon Valley) *

us-west-1

oss-us-west-1

oss-us-west-1-internal.aliyuncs.com

100.115.107.0/24

US (Virginia) *

us-east-1

oss-us-east-1

oss-us-east-1-internal.aliyuncs.com

  • 100.115.60.0/24

  • 100.99.100.0/24

  • 100.99.101.0/24

  • 100.99.102.0/24

Japan (Tokyo) *

ap-northeast-1

oss-ap-northeast-1

oss-ap-northeast-1-internal.aliyuncs.com

  • 100.114.211.0/24

  • 100.114.114.0/25

South Korea (Seoul)

ap-northeast-2

oss-ap-northeast-2

oss-ap-northeast-2-internal.aliyuncs.com

100.99.119.0/24

Singapore *

ap-southeast-1

oss-ap-southeast-1

oss-ap-southeast-1-internal.aliyuncs.com

  • 100.118.219.0/24

  • 100.99.213.0/24

  • 100.99.116.0/24

  • 100.99.117.0/24

Malaysia (Kuala Lumpur) *

ap-southeast-3

oss-ap-southeast-3

oss-ap-southeast-3-internal.aliyuncs.com

  • 100.118.165.0/24

  • 100.99.125.0/24

  • 100.99.130.0/24

  • 100.99.131.0/24

Indonesia (Jakarta) *

ap-southeast-5

oss-ap-southeast-5

oss-ap-southeast-5-internal.aliyuncs.com

100.114.98.0/24

Philippines (Manila)

ap-southeast-6

oss-ap-southeast-6

oss-ap-southeast-6-internal.aliyuncs.com

100.115.16.0/24

Thailand (Bangkok)

ap-southeast-7

oss-ap-southeast-7

oss-ap-southeast-7-internal.aliyuncs.com

100.98.249.0/24

Germany (Frankfurt) *

eu-central-1

oss-eu-central-1

oss-eu-central-1-internal.aliyuncs.com

100.115.154.0/24

UK (London)

eu-west-1

oss-eu-west-1

oss-eu-west-1-internal.aliyuncs.com

100.114.114.128/25

UAE (Dubai) *

me-east-1

oss-me-east-1

oss-me-east-1-internal.aliyuncs.com

100.99.235.0/24

SAU (Riyadh)

me-central-1

oss-me-central-1

oss-me-central-1-internal.aliyuncs.com

100.99.121.0/24

Regions on Finance Cloud

Region

Region ID

OSS Region ID

Internal endpoint for access over VPCs

VIP range

China East 1 Finance

N/A

oss-cn-hzjbp

  • oss-cn-hzjbp-a-internal.aliyuncs.com

  • oss-cn-hzjbp-b-internal.aliyuncs.com

  • 100.103.4.210/32

  • 100.115.6.0/24

China East 2 Finance

N/A

oss-cn-shanghai-finance-1

oss-cn-shanghai-finance-1-internal.aliyuncs.com

  • 100.115.105.0/24

  • 100.100.36.8/32

China North 2 Finance (Preview)

N/A

oss-cn-beijing-finance-1

oss-cn-beijing-finance-1-internal.aliyuncs.com

100.112.52.0/24

China South 1 Finance

N/A

oss-cn-shenzhen-finance-1

oss-cn-shenzhen-finance-1-internal.aliyuncs.com

100.112.15.0/24

China East 1 Finance Public

N/A

oss-cn-hzfinance

oss-cn-hzfinance-internal.aliyuncs.com

  • 100.103.4.95/32

  • 100.103.5.142/32

  • 100.103.5.143/32

  • 100.103.5.144/32

  • 100.115.6.0/24

China East 2 Finance Public

N/A

oss-cn-shanghai-finance-1-pub

oss-cn-shanghai-finance-1-pub-internal.aliyuncs.com

  • 100.100.36.24/32

  • 100.100.36.8/32

China South 1 Finance Public

N/A

oss-cn-szfinance

oss-cn-szfinance-internal.aliyuncs.com

  • 100.112.15.0/24

  • 100.100.80.70/32

China North 2 Finance Public

N/A

oss-cn-beijing-finance-1-pub

oss-cn-beijing-finance-1-pub-internal.aliyuncs.com

100.112.52.0/24