Alibaba Cloud allows you to connect external Kubernetes clusters deployed in data centers to registered clusters in Alibaba Cloud and enable the workloads in the external clusters to access Alibaba Cloud resources over the internal network. To meet this goal, you need to use Alibaba Cloud services such as Cloud Enterprise Network (CEN), Express Connect, or VPN Gateway to connect the external clusters to the internal network where the cloud resources are deployed in Alibaba Cloud regions. You also need to configure routes that point to the internal CIDR blocks of the cloud resources. This topic describes the internal CIDR blocks of some Alibaba Cloud services in different regions in Alibaba Cloud Public Cloud or Alibaba Finance Cloud.
Usage notes
Each Alibaba Cloud service specifies a static internal virtual IP address (VIP) range for each region. To prevent connection failures, you must configure complete routes to regions based on the VIP ranges of different regions.
If you want to access an Alibaba Cloud service over the internal network from an Elastic Compute Service (ECS) instance, make sure that the security group of the ECS instance allows access to all VIP ranges of the cloud service. The VIP of the cloud service may vary within the VIP ranges. If you do not add complete routes based on the VIP ranges, the ECS instance may fail to access the service. In this case, you are responsible for any loss and damage arising therefrom.
In most cases, an Alibaba Cloud service uses the static VIP 100.103.22.120 in each region. To simplify route configurations, you can specify a subnet mask for the VIP. Example: 100.103.22.0/24.
Data center security and route configurations
After a data center is connected to Alibaba Cloud by using private networks, you need to configure the following settings to ensure that the external Kubernetes cluster in the data center can access the following domain names and IP addresses:
The outbound security policy of the data center must allow access to the private IP addresses or domain names of the cloud services that you want to access.
Configure inbound and outbound routes in the route tables of the data center, virtual border router (VBR), CEN instance, transit router, and virtual private cloud (VPC) that are used to connect the cluster to the cloud services.
After you connect the external Kubernetes cluster in the data center to the registered cluster, the cluster can use the capabilities provided by Alibaba Cloud services, such as image hosting, resource elasticity based on ECS and Elastic Container Instance, networking, observability, and logging. To use these capabilities, you must configure routes to route packets from the cluster to the endpoints of these cloud services.
{region} in a service endpoint indicates the region ID of the service endpoint. For example, the region ID of the China (Hangzhou) region is cn-hangzhou.
To obtain the endpoints of a service, refer to the service documentation.
The following section describes the endpoints of some Alibaba Cloud services.
CIDR blocks of ACK components
After you connect the external Kubernetes cluster in the data center to the registered cluster, the cluster can use the capabilities provided by Alibaba Cloud services, such as resource elasticity based on ECS and Elastic Container Instance, networking, observability, and logging. When you deploy ack-cluster-agent in the registered cluster or install other components, you need to access the image registries of Container Service for Kubernetes (ACK) components over the internal network. In this case, you must configure routes that point to the image registries of ACK components. In addition, you must configure routes that point to Object Storage Service (OSS) because the images of ACK components are stored in OSS. The following tables describe the VIP ranges of Container Registry and OSS.
Private addresses of ACK components and routes
Regions on Public Cloud
Region | Region ID | VPC endpoint | Route |
China (Hangzhou) | cn-hangzhou | registry-cn-hangzhou-vpc.ack.aliyuncs.com | 100.103.9.188/32 100.103.7.181/32 |
China (Shanghai) | cn-shanghai | registry-cn-shanghai-vpc.ack.aliyuncs.com | 100.103.94.158/32 100.103.7.57/32 |
China (Fuzhou - Local Region) | cn-fuzhou | registry-cn-fuzhou-vpc.ack.aliyuncs.com | 100.100.0.43/32 100.100.0.28/32 |
China (Qingdao) | cn-qingdao | registry-cn-qingdao-vpc.ack.aliyuncs.com | 100.100.0.172/32 100.100.0.207/32 |
China (Beijing) | cn-beijing | registry-cn-beijing-vpc.ack.aliyuncs.com | 100.103.99.73/32 100.103.0.251/32 |
China (Zhangjiakou) | cn-zhangjiakou | registry-cn-zhangjiakou-vpc.ack.aliyuncs.com | 100.100.1.179/32 100.100.80.152/32 |
China (Hohhot) | cn-huhehaote | registry-cn-huhehaote-vpc.ack.aliyuncs.com | 100.100.0.194/32 100.100.80.55/32 |
China (Ulanqab) | cn-wulanchabu | registry-cn-wulanchabu-vpc.ack.aliyuncs.com | 100.100.0.122/32 100.100.0.58/32 |
China (Shenzhen) | cn-shenzhen | registry-cn-shenzhen-vpc.ack.aliyuncs.com | 100.103.96.139/32 100.103.6.153/32 |
China (Heyuan) | cn-heyuan | registry-cn-heyuan-vpc.ack.aliyuncs.com | 100.100.0.150/32 100.100.0.193/32 |
China (Guangzhou) | cn-guangzhou | registry-cn-guangzhou-vpc.ack.aliyuncs.com | 100.100.0.101/32 100.100.0.21/32 |
China (Chengdu) | cn-chengdu | registry-cn-chengdu-vpc.ack.aliyuncs.com | 100.100.0.48/32 100.100.0.64/32 |
Zhengzhou (CUCC Joint Venture) | cn-zhengzhou-jva | registry-cn-zhengzhou-jva-vpc.ack.aliyuncs.com | 100.100.0.111/32 100.100.0.84/32 |
China (Hong Kong) | cn-hongkong | registry-cn-hongkong-vpc.ack.aliyuncs.com | 100.103.85.19/32 100.100.80.157/32 |
US (Silicon Valley) | us-west-1 | registry-us-west-1-vpc.ack.aliyuncs.com | 100.103.13.55/32 100.100.80.93/32 |
US (Virginia) | us-east-1 | registry-us-east-1-vpc.ack.aliyuncs.com | 100.103.12.19/32 100.100.80.11/32 |
Japan (Tokyo) | ap-northeast-1 | registry-ap-northeast-1-vpc.ack.aliyuncs.com | 100.100.0.167/32 100.100.80.198/32 |
South Korea (Seoul) | ap-northeast-2 | registry-ap-northeast-2-vpc.ack.aliyuncs.com | 100.100.0.71/32 100.100.0.33/32 |
Singapore | ap-southeast-1 | registry-ap-southeast-1-vpc.ack.aliyuncs.com | 100.103.103.254/32 100.100.80.136/32 |
Malaysia (Kuala Lumpur) | ap-southeast-3 | registry-ap-southeast-3-vpc.ack.aliyuncs.com | 100.100.0.17/32 100.100.80.137/32 |
Indonesia (Jakarta) | ap-southeast-5 | registry-ap-southeast-5-vpc.ack.aliyuncs.com | 100.100.0.226/32 100.100.80.200/32 |
Philippines (Manila) | ap-southeast-6 | registry-ap-southeast-6-vpc.ack.aliyuncs.com | 100.100.0.75/32 100.100.0.24/32 |
Thailand (Bangkok) | ap-southeast-7 | registry-ap-southeast-7-vpc.ack.aliyuncs.com | 100.100.0.62/32 100.100.0.34/32 |
Germany (Frankfurt) | eu-central-1 | registry-eu-central-1-vpc.ack.aliyuncs.com | 100.100.0.92/32 100.100.80.155/32 |
UK (London) | eu-west-1 | registry-eu-west-1-vpc.ack.aliyuncs.com | 100.100.0.175/32 100.100.0.18/32 |
SAU (Riyadh - Partner Region) | me-central-1 | registry-me-central-1-vpc.ack.aliyuncs.com | 100.100.0.109/32 100.100.0.18/32 |
Regions on Finance Cloud
Region | Region ID | VPC endpoint | Route |
China East 2 Finance | cn-shanghai-finance-1 | registry-cn-shanghai-finance-1-vpc.ack.aliyuncs.com | 100.100.0.54/32 100.100.80.227/32 |
OSS internal endpoints and VIP ranges
Regions on Public Cloud
Region | Region ID | OSS region ID | Internal endpoint for access over VPCs | VIP range |
China (Hangzhou) | cn-hangzhou | oss-cn-hangzhou | oss-cn-hangzhou-internal.aliyuncs.com |
|
China (Shanghai) | cn-shanghai | oss-cn-shanghai | oss-cn-shanghai-internal.aliyuncs.com |
|
China (Nanjing - Local Region) | cn-nanjing | oss-cn-nanjing | oss-cn-nanjing-internal.aliyuncs.com | 100.114.142.0/24 |
China (Qingdao) | cn-qingdao | oss-cn-qingdao | oss-cn-qingdao-internal.aliyuncs.com |
|
China (Beijing) | cn-beijing | oss-cn-beijing | oss-cn-beijing-internal.aliyuncs.com |
|
China (Zhangjiakou) | cn-zhangjiakou | oss-cn-zhangjiakou | oss-cn-zhangjiakou-internal.aliyuncs.com |
|
China (Hohhot) | cn-huhehaote | oss-cn-huhehaote | oss-cn-huhehaote-internal.aliyuncs.com |
|
China (Ulanqab) | cn-wulanchabu | oss-cn-wulanchabu | oss-cn-wulanchabu-internal.aliyuncs.com |
|
China (Shenzhen) | cn-shenzhen | oss-cn-shenzhen | oss-cn-shenzhen-internal.aliyuncs.com |
|
China (Heyuan) | cn-heyuan | oss-cn-heyuan | oss-cn-heyuan-internal.aliyuncs.com |
|
China (Guangzhou) | cn-guangzhou | oss-cn-guangzhou | oss-cn-guangzhou-internal.aliyuncs.com |
|
China (Chengdu) | cn-chengdu | oss-cn-chengdu | oss-cn-chengdu-internal.aliyuncs.com |
|
China (Hong Kong) | cn-hongkong | oss-cn-hongkong | oss-cn-hongkong-internal.aliyuncs.com |
|
US (Silicon Valley) * | us-west-1 | oss-us-west-1 | oss-us-west-1-internal.aliyuncs.com | 100.115.107.0/24 |
US (Virginia) * | us-east-1 | oss-us-east-1 | oss-us-east-1-internal.aliyuncs.com |
|
Japan (Tokyo) * | ap-northeast-1 | oss-ap-northeast-1 | oss-ap-northeast-1-internal.aliyuncs.com |
|
South Korea (Seoul) | ap-northeast-2 | oss-ap-northeast-2 | oss-ap-northeast-2-internal.aliyuncs.com | 100.99.119.0/24 |
Singapore * | ap-southeast-1 | oss-ap-southeast-1 | oss-ap-southeast-1-internal.aliyuncs.com |
|
Australia (Sydney) Closing Down * | ap-southeast-2 | oss-ap-southeast-2 | oss-ap-southeast-2-internal.aliyuncs.com | 100.98.201.0/24 |
Malaysia (Kuala Lumpur) * | ap-southeast-3 | oss-ap-southeast-3 | oss-ap-southeast-3-internal.aliyuncs.com |
|
Indonesia (Jakarta) * | ap-southeast-5 | oss-ap-southeast-5 | oss-ap-southeast-5-internal.aliyuncs.com | 100.114.98.0/24 |
Philippines (Manila) | ap-southeast-6 | oss-ap-southeast-6 | oss-ap-southeast-6-internal.aliyuncs.com | 100.115.16.0/24 |
Thailand (Bangkok) | ap-southeast-7 | oss-ap-southeast-7 | oss-ap-southeast-7-internal.aliyuncs.com | 100.98.249.0/24 |
Germany (Frankfurt) * | eu-central-1 | oss-eu-central-1 | oss-eu-central-1-internal.aliyuncs.com | 100.115.154.0/24 |
UK (London) | eu-west-1 | oss-eu-west-1 | oss-eu-west-1-internal.aliyuncs.com | 100.114.114.128/25 |
UAE (Dubai) * | me-east-1 | oss-me-east-1 | oss-me-east-1-internal.aliyuncs.com | 100.99.235.0/24 |
SAU (Riyadh) | me-central-1 | oss-me-central-1 | oss-me-central-1-internal.aliyuncs.com | 100.99.121.0/24 |
Regions on Finance Cloud
Region | Region ID | OSS Region ID | Internal endpoint for access over VPCs | VIP range |
China East 1 Finance | N/A | oss-cn-hzjbp |
|
|
China East 2 Finance | N/A | oss-cn-shanghai-finance-1 | oss-cn-shanghai-finance-1-internal.aliyuncs.com |
|
China North 2 Finance (Preview) | N/A | oss-cn-beijing-finance-1 | oss-cn-beijing-finance-1-internal.aliyuncs.com | 100.112.52.0/24 |
China South 1 Finance | N/A | oss-cn-shenzhen-finance-1 | oss-cn-shenzhen-finance-1-internal.aliyuncs.com | 100.112.15.0/24 |
China East 1 Finance Public | N/A | oss-cn-hzfinance | oss-cn-hzfinance-internal.aliyuncs.com |
|
China East 2 Finance Public | N/A | oss-cn-shanghai-finance-1-pub | oss-cn-shanghai-finance-1-pub-internal.aliyuncs.com |
|
China South 1 Finance Public | N/A | oss-cn-szfinance | oss-cn-szfinance-internal.aliyuncs.com |
|
China North 2 Finance Public | N/A | oss-cn-beijing-finance-1-pub | oss-cn-beijing-finance-1-pub-internal.aliyuncs.com | 100.112.52.0/24 |
Resource elasticity based on Elastic Container Instance
Deploy the ack-virtual-node component in the registered cluster to allow the cluster to schedule pods to elastic container instances. Perform the following steps:
Install the ack-virtual-node component. For more information, see Schedule pods to elastic container instances that are deployed as virtual nodes.
Configure routes to route packets from the data center to the internal endpoint of the cloud service used to deploy the ack-virtual-node component. In this example, the ack-virtual-node component is deployed by using Elastic Container Instance. For more information about the endpoints of Elastic Container Instance, see Endpoints.
Query the VIP ranges of Elastic Container Instance. For more information, see Use the dig command to query the VIP ranges of a cloud service.
Networking
In most cases, network plug-ins are installed in external Kubernetes clusters deployed in data centers. After you connect an external Kubernetes cluster to a registered cluster, you can create ECS node pools that use the Terway network plug-in. To do this, perform the following steps:
Install Terway. For more information, see Deploy and configure Terway.
Configure routes to route packets from the data center to the internal endpoints of the cloud services used to deploy Terway. In this case, Terway is deployed by using ECS and VPC.
For more information about ECS endpoints, see ECS endpoints.
For more information about VPC endpoints, see VPC endpoints.
Query the VIP ranges of ECS and VPC. For more information, see Use the dig command to query the VIP ranges of a cloud service.
Prometheus Service monitoring
Deploy the arms-prometheus component in the registered cluster to use Managed Service for Prometheus to monitor the external cluster. Perform the following steps:
Install arms-prometheus. For more information, see Enable Managed Service for Prometheus for a registered cluster.
Configure routes to route packets from the data center to the internal endpoints of the cloud services used to deploy arms-prometheus. In this case, arms-prometheus is deployed by using Managed Service for Prometheus. For more information, see VPC endpoints and the corresponding CIDR blocks of Managed Service for Prometheus.
Use the dig command to query the VIP ranges of a cloud service
If the cloud services used are not included in the preceding sections, you can use the dig command to query the VIP ranges of the cloud services. For example, if ack-virtual-node is deployed in an external Kubernetes cluster in a data center, you can run the following command to query the internal API endpoint of Elastic Container Instance in the China (Shanghai) region:
dig eci-vpc.cn-shanghai.aliyuncs.com
Expected output:
; <<>> DiG 9.10.6 <<>> eci-vpc.cn-shanghai.aliyuncs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11344
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;eci-vpc.cn-shanghai.aliyuncs.com. IN A
;; ANSWER SECTION:
eci-vpc.cn-shanghai.aliyuncs.com. 300 IN CNAME eci-vpc.cn-shanghai.aliyuncs.com.gds.alibabadns.com.
eci-vpc.cn-shanghai.aliyuncs.com.gds.alibabadns.com. 300 IN CNAME popunify-vpc.cn-shanghai.aliyuncs.com.
popunify-vpc.cn-shanghai.aliyuncs.com. 300 IN CNAME popunify-vpc.cn-shanghai.aliyuncs.com.gds.alibabadns.com.
popunify-vpc.cn-shanghai.aliyuncs.com.gds.alibabadns.com. 300 IN A 100.103.22.120
;; Query time: 93 msec
;; SERVER: 30.30.XX.XX#53(30.30.XX.XX)
;; WHEN: Tue Aug 27 13:59:01 CST 2024
;; MSG SIZE rcvd: 193
The output shows that the internal VIP of Elastic Container Instance in the China (Shanghai) region is 100.103.22.120.