All Products
Search

This Product

    Container Service for Kubernetes:Use Global Accelerator (GA) instances for cross-domain accelerated pulling of container images

    Document Center

    Container Service for Kubernetes:Use Global Accelerator (GA) instances for cross-domain accelerated pulling of container images

    Last Updated:Feb 28, 2025

    To pull container images from overseas sources across domains in an ACK cluster, you can create a Global Accelerator (GA) instance to utilize its global network acceleration services.

    Prerequisites

    You have successfully created an ACK managed cluster Pro edition with version 1.24 or higher. For information on creating a cluster, see Create an ACK managed cluster. To upgrade a cluster, refer to Manually upgrade a cluster.

    Notes

    Ensure your network access behavior is standardized. Access issues may arise if the target website contains illegal information.

    Billing description

    In addition to the related costs associated with the ACK cluster, utilizing this feature will incur GA instance fees. These include instance fees, performance capacity unit (CU) fees, and network transmission bandwidth fees. For more information, see Billing.

    Step 1: Create a standard GA instance

    A standard GA instance offers a fully connected network with multiple access and origin regions, supporting Layer 4 (TCP and UDP) and Layer 7 (HTTP and HTTPS) protocol acceleration. Configure the overseas regions requiring network acceleration and the access address of the image repository to be pulled, such as docker.io.

    Note

    The network acceleration for the standard GA instance created defaults to premium bandwidth for cross-border acceleration.

    1. Log on to the GA console.

    2. On the Instances page, click Create Acceleration Instance > Standard Pay-as-you-go. Then, follow the prompts on various configuration wizard pages. Be sure to read the notes provided on each page carefully, and then complete the review and submission of your configuration items.

      This step explains how to create a pay-as-you-go standard GA instance focusing on key configuration items. For detailed steps and descriptions of configuration items, see Create and manage standard Global Accelerator instances.

      Configuration

      Description

      Instance Basic Configuration

      Instance Billing Method

      By default, Pay-as-you-go is displayed, and the fees incurred include the following:

      Configure Acceleration Region

      Acceleration Area

      Select the region where your ACK cluster is located as the acceleration region. This example selects Hangzhou and Shanghai.

      Note

      For more information about areas and regions, see Acceleration areas and regions.

      If you select a region in the Chinese mainland as the acceleration region, you need to perform ICP filing for the related domain names involved. For more information, see Domain name management.

      Assign Bandwidth

      • Bandwidth Peak: The bandwidth of the acceleration region. In this example, it is 200 Mbps.

      • IP Protocol: The IP address protocol for accessing the Global Accelerator service. In this example, it is IPv4.

      Configure listeners

      Protocol

      The network transmission protocol type used by the listener. In this example, it is configured as TCP.

      Port

      Specify a port for the listener to receive and forward requests to endpoints. Valid values: 1 to 65499.

      You can specify up to 30 ports for each listener. Separate multiple listener ports with commas (,). For example, you can enter 80,90,8080.

      In this example, the configuration is 80,443.

      Configure an endpoint group

      Region

      The overseas region that requires network acceleration. In this example, it is configured as US (Virginia).

      Endpoint Configuration

      Endpoints are the destinations of client requests. You can configure endpoints according to the following example.

      • Backend Service Type: In this example, select Custom Domain Name.

      • Backend Service: The access domain name address of the image repository to be pulled. In this example, it is configured as docker.io.

      • Weight: Specify a weight for the endpoint. Valid values: 0 to 255. GA distributes network traffic to endpoints based on the weights.

        Warning

        If you set the weight of an endpoint to 0, Global Accelerator stops distributing network traffic to the endpoint. Proceed with caution.

        In this example, the configuration is 255.

      After configuring, proceed to the GA instance details page as prompted.

    3. On the GA instance details page, click the Acceleration Region tab. Note the accelerated IP information from the Accelerated IP column in the region list, corresponding to the region where the ACK cluster is situated, for reference in Step 3: Configure domain name resolution records.

    Step 2: Configure forwarding rules for the GA instance

    To configure forwarding rules for other related domain names of the target image, add a virtual endpoint group to the listener.

    After creating a virtual endpoint group for a listener, you can establish a custom forwarding rule and link it to the group. Once linked, the listener will direct requests that match the forwarding criteria to either the default endpoint group or the designated virtual endpoint group. This setup enables a Global Accelerator instance to simultaneously accelerate access to multiple target endpoints. For more information, see Add and manage forwarding rules.

    1. On the GA instance details page, click the Listener tab, then click the listener's ID in the ID and Name column to access its details page.

    2. Click the Endpoint Group tab, then click Add Virtual Endpoint Group and follow the prompts to complete the configuration.

      An example configuration for Endpoint Configuration is as follows:

      • Backend Service Type: Select Custom Domain Name.

      • Backend Service: Enter the domain name address associated with the image source, such as production.cloudflare.docker.com.

      • Weight: Set to 255.

    3. On the listener configuration page, click the Forwarding Rules tab, then click + Insert New Rule and follow the prompts to set up the new forwarding rule.

      The main configuration items include the following:

      • Domain Name: Choose Exact Match And Wildcard for the domain name matching rule. Specify the forwarding domain name, such as production.cloudflare.docker.com, related to the target image source.

      • Forwarding Action: Set up forwarding to the virtual endpoint group, selecting the one added previously.

    Step 3: Configure domain name resolution records

    You can add resolution records to the /etc/hosts file on ACK cluster nodes for local domain name resolution, or configure PrivateZone domain name resolution records for internal DNS resolution. Note that charges apply once the configuration is active. For billing details, see Billing. Below is a comparison of these two methods.

    Attribute

    Local Domain Name Resolution Record

    Cloud DNS PrivateZone Resolution Record

    Configuration Location

    Configure the target node in the /etc/hosts file.

    Configure in Alibaba Cloud DNS PrivateZone.

    Scope

    Limited to node configuration. To apply to pods, configure Custom Hosts.

    Applies to all nodes and their internal pods within the VPC.

    Maintainability

    Requires manual configuration and maintenance on the node.

    Centralized management, easier maintenance and updates.

    Applicable Scenarios

    Suitable for quickly and temporarily solving specific node issues or small-scale deployments.

    Suitable for unified domain name resolution needs of large-scale clusters, ensuring long-term stability.

    Update Effectiveness Speed

    Changes take effect immediately, but require manual operations on multiple nodes.

    Depends on TTL configuration. Internal DNS refresh, no need for manual updates one by one.

    Cache Time (TTL)

    Configured in the local file, changes take effect immediately, no cache delay impact.

    Default is 1 minute, adjustable, affecting the time for resolution record updates to take effect in all regions.

    Local domain name resolution record

    After setting up the forwarding rule, add domain name resolution records in the ACK cluster node to allow the node to access the image domain name through the GA instance's accelerated IP.

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose Nodes > Nodes.

    3. Configure local resolution.

      • Existing nodes: In the node list, select the nodes you want to pull images from, and at the bottom of the page, click Batch Operations, choose Execute Shell Command as the operation type, and click Confirm.

      • New nodes: In the left-side navigation pane, select Node Management > Node Pools, click the target node pool in the Operation column, and click Edit. Then, in the Advanced Options (optional), enter the following Shell script content in the Instance Custom Data field, and click Confirm.

        echo "47.XX.XX.5  production.cloudflare.docker.com" >> /etc/hosts
echo "47.XX.XX.5  docker.io" >> /etc/hosts

    4. Choose the template ACS-ECS-BulkyRunCommand for executing Cloud Assistant commands on multiple ECS instances in batches. Use the default settings for other configuration items and proceed to the next step.

    5. Follow the page prompts to enter the Shell script that will batch add the necessary domain name resolution records (A records) to the /etc/hosts file on the node. Set the IP address to the two acceleration IPs you retrieved in Step 2: Configure forwarding rules for the GA instance, and use the domain URL as the corresponding domain name address for the target image to be pulled. After configuring the parameters, proceed to create the task.

      For instance, you can utilize the echo command for domain name resolution:

      image

      After the task completion, log on to the ECS instance to verify the presence of the corresponding domain name resolution records on the node and test whether the node can successfully pull container images from overseas sources.

    Cloud DNS PrivateZone resolution record

    After setting up the forwarding rule, configure Cloud DNS PrivateZone to add the corresponding domain name resolution records, enabling the node to access the image domain name through the GA instance's accelerated IP.

    1. Retrieve the CNAME accelerated domain name of the target GA instance.

      1. Log on to the GA console.

      2. In the left-side navigation pane, select Standard Instances.

      3. On the Instances page, locate the desired basic Global Accelerator instance and click on its instance ID.

      4. On the Instance Information page, retrieve the CNAME for the accelerated domain name associated with the target GA instance.

        image

    2. Identify the VPC ID of the virtual private cloud where the target ACK cluster node resides.

      1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

      2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, click Cluster Information.

      3. On the Cluster Information page, click the Basic Information tab, and retrieve the VPC ID under the Network tab.

    3. Set up Cloud DNS PrivateZone domain name resolution records

      Set the DNS CNAME record for the access domain name to point to the accelerated domain name provided by the GA instance. For domains such as docker.io and production.cloudflare.docker.com, which have different top-level domains, establish two separate authoritative domain names: io and cloudflare.docker.com. The example below shows how to create an authoritative domain name for cloudflare.docker.com.

      1. Log on to the Alibaba Cloud DNS console.

      2. In the left-side navigation pane, click Private DNS (PrivateZone). In the upper-right corner, click Configuration Mode. Then, click the Built-in Authoritative Module tab. On this tab, click the User Defined Zones tab.

      3. On the Custom Domain Name page, you can click Add Domain (zone), enter cloudflare.docker.com into the dialog box, select Domain Type as Built-in Authoritative Acceleration Zone, enable Subdomain Recursive Resolution Proxy, and then click Confirm.

      4. On the Built-in Authoritative tab, click cloudflare.docker.com in the Operation column, and then click Resolution Record. On the Resolution Record tab, click Add Record.

      5. In the Add Record dialog box, you can set the parameters and then click Confirm.

        Parameter

        Configuration

        Record Type

        Select CNAME to point the domain name to another domain name.

        Host Record

        • When the built-in authoritative domain name (Zone) is cloudflare.docker.com, enter production.

        • When the built-in authoritative domain name (Zone) is io, enter docker.

        Record Value

        Enter the CNAME accelerated domain name obtained in Step 1.

        TTL Time

        Cache time. The smaller the value, the faster the record takes effect in all regions. The default is 1 minute.

      6. On the Domain Settings tab, click the Domain Effectiveness Scope image icon.

      7. In the Alibaba Cloud VPC Internal Network selection box, select Current Account, then choose Standard VPC and the region where your target cluster instance is located. Select the VPC identified in Step 2 as your virtual private cloud. Click Confirm.

    Once the configuration is complete, log on to the ECS instance to test whether the node can successfully pull container images from overseas sources.

    References

    • The Container Registry service ACR automates the building, pulling, and management of images. For more information, see Manage Images.

    • If you encounter any issues during product use or have suggestions, please contact us.