Container Service for Kubernetes: Use Global Accelerator (GA) instances for cross-region accelerated pulling of container images

Last Updated: Oct 29, 2024

To pull cross-region container images that reside outside the Chinese mainland in a Container Service for Kubernetes (ACK) cluster, you can create a Global Accelerator (GA) instance and use its global network acceleration service.

Prerequisites

Usage notes

Regulate your network access behaviors. If the target website contains illegal information, you may not be able to access it.

Billing overview

In addition to the fees incurred by the ACK cluster, there are also related costs for the GA instance, including instance fees, performance capacity unit (CU) fees, and network transmission bandwidth fees. For more information, see Billing rules and Billing overview of the GA instance.

Step 1: Create a standard GA instance

Standard GA instances connect users in different acceleration regions to origin servers that are deployed in different regions and provide acceleration services at Layer 4 (TCP and UDP protocols) and Layer 7 (HTTP and HTTPS protocols). You can configure regions outside the Chinese mainland that require network acceleration. You can also add the domain name of the image repository from which you want to pull data, such as docker.io.

Note

The standard GA instance created in this topic uses BGP (Multi-ISP) Pro by default for cross-border communication acceleration.

  1. Log on to the GA console.

  2. On the Instances page, click Create GA Instance > Pay-as-you-go Standard Instance, then configure parameters as prompted. Read the notes on the page, complete the configurations and submit.

    This step describes the key parameters for creating a pay-as-you-go standard GA instance. For more information, see Create and manage standard GA instances.

    Configuration and description:

    Basic Instance Configuration

    • Instance Billing Method: The default billing method is pay-as-you-go. You may be charged the following fees:

    Configure Acceleration Area

    • Acceleration Area: Select the region where your ACK cluster is deployed as the acceleration area. In this example, Hangzhou and Shanghai are selected.

      Note

      For more information about areas and regions, see Acceleration areas and regions.

      If you select Chinese Mainland as the acceleration area, you must apply for an Internet Content Provider (ICP) filing for the relevant domain names. For more information, see Manage domain names.

    • Assign Bandwidth:

      • Maximum Bandwidth: The bandwidth of the acceleration region. In this example, 200 Mbps is used.

      • IP Protocol: The IP address protocol for accessing the Global Accelerator service. In this example, IPv4 is used.

    Configure listener

    • Protocol: The network transmission protocol that is used by the listener. In this example, TCP is used.

    • Port: Specify a port for the listener to receive and forward requests to endpoints. Valid values: 1 to 65499.

      You can specify up to 30 ports for each listener. Separate multiple listener ports with commas (,). For example, you can enter 80,90,8080.

      In this example, enter 80,443.

    Configure an endpoint group

    • Region: The region outside the Chinese mainland that requires network acceleration. In this example, US (Virginia) is selected.

    • Endpoint configuration: Endpoints are backend services that receive and handle client requests. Configure the endpoint based on the following example.

      • Backend Service Type: In this example, Custom Domain Name is selected.

      • Backend Service: The domain name of the image repository from which you want to pull data. In this example, enter docker.io.

      • Weight: Specify a weight for the endpoint. Valid values: 0 to 255. GA routes network traffic to endpoints based on the weights of the endpoints.

        Warning

        If you set the weight of an endpoint to 0, Global Accelerator stops distributing network traffic to the endpoint. Proceed with caution.

        In this example, enter 255.

    After the configuration is complete, go to the details page of the GA instance as prompted.

  3. On the details page of the GA instance, click the Acceleration Areas tab, and under the Accelerated IP Address column of the area list, record the accelerated IP address of the area where the ACK cluster is deployed for use in Step 3: Configure the DNS record of the cluster node.

Step 2: Configure the forwarding rule of the GA instance

If you need to configure forwarding rules for other domain names of the target image, you can add a virtual endpoint group for the listener.

After you create a virtual endpoint group for a listener, you can create a custom forwarding rule and associate the rule with the virtual endpoint group. After you associate a forwarding rule with an endpoint group, the listener forwards the requests that meet the forwarding conditions to the default endpoint group or the virtual endpoint group specified in the forwarding rule. This way, GA can accelerate access to multiple endpoints at the same time. For more information about how to create a forwarding rule, see Create and manage forwarding rules.

  1. On the details page of the GA instance, click the Listeners tab, then click the ID of the listener under the Listener ID/Name column of the listener list to enter the details page of the listener.

  2. Click the Endpoint Group tab, then click Add Virtual Endpoint Group, and complete the configuration as prompted.

    The Endpoint Configuration example is as follows:

    • Backend Service Type: Select Custom Domain Name.

    • Backend Service: The domain name of the image source from which you want to pull data, such as production.cloudflare.docker.com.

    • Weight: Use the default 255.

  3. On the details page of the listener, click the Forwarding Rule tab, then click + Add Forwarding Rule, and configure the new forwarding policy as prompted.

    The following configurations are used:

    • If (Matching All Conditions): Select the host matching rule as Exact Match. The forwarding host should be the domain name of the image source from which you want to pull data, such as production.cloudflare.docker.com.

    • Then: Configure to Forward to the virtual endpoint group, and select the virtual endpoint group added in the previous step.

Step 3: Configure the DNS record

There are two ways to configure Domain Name System (DNS) records. You can add DNS records to the /etc/hosts file of the ACK cluster nodes to add entries for on-premises domain name resolution. You can also configure PrivateZone for internal DNS resolution, and you are charged after the configuration takes effect. For more information about the billing of PrivateZone, see Billing.

Configure on-premises domain name resolution records for ACK cluster nodes

After you create a forwarding rule, you also need to add the corresponding DNS record in the ACK cluster node. This way, the node can access the domain name of the image repository from which you want to pull data through the accelerated IP address of the GA instance.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose Nodes > Nodes.

  3. In the node list, select the nodes on which you want to pull the image and click Batch Operations at the bottom of the page. Set the operation type to Run Shell Scripts and click OK.

  4. Select ACS-ECS-BulkyRunCommand as the template to run. This template supports running Cloud Assistant commands on multiple ECS instances in batches. Leave the other settings at their defaults and proceed to the next step.

  5. Fill in the shell script as prompted to batch add the corresponding DNS records (A records) to the /etc/hosts file of each node. Set the IP address to the accelerated IP address obtained in Step 2: Configure the forwarding rule of the GA instance, and set the domain names to those of the image sources from which you want to pull data. Complete the configuration and click Create.

    For example, you can use the echo command to append the records to the /etc/hosts file.

    After the task is complete, you can log on to the ECS instance to confirm that the corresponding DNS records exist on the node. You can also test whether the node can pull the container images that reside outside the Chinese mainland.
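
A re-runnable variant of the echo approach from step 5, as an added example that is not part of the original page: it replaces existing entries for the registry hostnames instead of appending duplicates. The IP 203.0.113.10, the pin_hosts helper, the marker comment and the APPLY switch are assumptions; substitute the accelerated IP address recorded from the Acceleration Areas tab.

```shell
#!/bin/sh
# Added example (not from the original page): pin registry hostnames to the GA
# accelerated IP in a hosts file, safely re-runnable.
# GA_IP is a constructed placeholder; use the IP recorded in the GA console.
GA_IP="${GA_IP:-203.0.113.10}"
REGISTRY_HOSTS="${REGISTRY_HOSTS:-docker.io production.cloudflare.docker.com}"
MARKER="# ga-image-acceleration"   # hypothetical tag that makes entries easy to audit

# pin_hosts FILE IP HOST...  (hypothetical helper; body runs in a subshell)
pin_hosts() (
  file="$1"; ip="$2"; shift 2
  # Shape check only: the page's example uses IPv4.
  printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
    { echo "invalid IPv4 address: $ip" >&2; exit 1; }
  # Temp file beside the target so the final mv is an atomic rename.
  tmp="$(mktemp "${file}.XXXXXX")" || exit 1
  # Strip the managed hostnames from existing entries (keeping other names on
  # the same line), so a rerun or an IP change leaves no stale mapping.
  awk -v hosts="$*" '
    BEGIN { n = split(hosts, h, " "); for (i = 1; i <= n; i++) want[h[i]] = 1 }
    /^[ \t]*(#|$)/ { print; next }
    {
      out = $1; kept = 0
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^#/) { while (i <= NF) out = out " " $(i++); break }
        if (!($i in want)) { out = out " " $i; kept++ }
      }
      if (kept) print out
    }' "$file" > "$tmp" || { rm -f "$tmp"; exit 1; }
  for host in "$@"; do
    printf '%s %s %s\n' "$ip" "$host" "$MARKER" >> "$tmp"
  done
  # mktemp creates the file 0600; a hosts file must stay world-readable.
  chmod 644 "$tmp" && mv "$tmp" "$file"
)

# Only touch the node's real file when explicitly asked to (run as root).
if [ "${APPLY:-0}" = 1 ]; then
  # shellcheck disable=SC2086  # word splitting of REGISTRY_HOSTS is intended
  pin_hosts /etc/hosts "$GA_IP" $REGISTRY_HOSTS && getent hosts $REGISTRY_HOSTS
fi
```

Entries in /etc/hosts override DNS for every process on the node, so keep the list to the registry domains you intend to accelerate and remove the tagged lines when the GA instance is released or its accelerated IP changes.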

Configure PrivateZone

After you create a forwarding rule, you also need to configure PrivateZone to add the corresponding DNS record. This way, the node can access the domain name of the image repository from which you want to pull data through the accelerated IP address of the GA instance.

  1. Obtain the CNAME acceleration domain name of the target GA instance.

    1. Log on to the GA console.

    2. In the left-side navigation pane, select Standard Instance.

    3. On the Instances page, find the basic GA instance that you want to manage and click the instance ID.

    4. On the Instance Information tab, obtain the CNAME of the GA instance.


  2. Obtain the VPC ID to which the target ACK cluster node belongs.

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, click Cluster Information.

    3. On the Cluster Information page, click the Basic Information tab and obtain the VPC ID.

  3. Configure the PrivateZone DNS record

    For each domain name that you want to access (docker.io and production.cloudflare.docker.com in this example), configure a CNAME record that points to the acceleration domain name of the GA instance. Because the top-level domain names are different, you need to create two built-in authoritative zones: io and cloudflare.docker.com. The following example shows how to create the built-in authoritative zone cloudflare.docker.com.

    1. Log on to the Alibaba Cloud DNS console.

    2. In the left-side navigation pane, click Private DNS (PrivateZone). In the upper-right corner, click Configuration Mode. Then, click the Built-in Authoritative Module tab. On this tab, click the User Defined Zones tab.

    3. Under the User Defined Zones tab, click Add New Zone, enter cloudflare.docker.com in the dialog box, select Built-in Authoritative Acceleration Zone for Zone Type, enable Recursive Resolution Proxy for Subdomain Names, and then click OK.

    4. Under the Built-in Authoritative Zone column, click cloudflare.docker.com, then on the Resource Records Settings tab, click Add Record.

    5. In the Add Record dialog box, set the following parameters and click OK.

      • Record Type: Select CNAME to point the domain name to another domain name.

      • Hostname:

        • If the built-in authoritative zone is cloudflare.docker.com, enter production.

        • If the built-in authoritative zone is io, enter docker.

      • Record Value: Enter the CNAME obtained in Step 1.

      • TTL: Cache time. The smaller the value, the faster the record changes take effect in various locations. The value is 1 minute by default.

    6. On the Zone Settings tab, click the icon beside Effective Scope of Zone.

    7. Select Current Account for Alibaba Cloud VPC, then select Standard VPC, and select the region where the target cluster instance is deployed. Select the VPC obtained in Step 2 and click OK.

After the configuration is complete, you can log on to the ECS instance to test whether the node can pull the container images that reside outside the Chinese mainland.

References

  • You can use the Container Registry (ACR) service to automatically build, pull, and manage images. For more information, see Manage images.
