All Products
Search
Document Center

Container Service for Kubernetes:Configure routes to route packets from registered clusters to cloud resources over the internal network

Last Updated:Nov 20, 2024

Alibaba Cloud allows you to connect external Kubernetes clusters deployed in data centers to registered clusters in Alibaba Cloud and enable the workloads in the external clusters to access Alibaba Cloud resources over the internal network. To meet this goal, you need to use Alibaba Cloud services such as Cloud Enterprise Network (CEN), Express Connect, or VPN Gateway to connect the external clusters to the internal network where the cloud resources are deployed in Alibaba Cloud regions. You also need to configure routes that point to the internal CIDR blocks of the cloud resources. This topic describes the internal CIDR blocks of some Alibaba Cloud services in different regions in Alibaba Cloud Public Cloud or Alibaba Finance Cloud.

Usage notes

  • Each Alibaba Cloud service specifies a static internal virtual IP address (VIP) range for each region. To prevent connection failures, you must configure complete routes to regions based on the VIP ranges of different regions.

  • If you want to access an Alibaba Cloud service over the internal network from an Elastic Compute Service (ECS) instance, make sure that the security group of the ECS instance allows access to all VIP ranges of the cloud service. The VIP of the cloud service may vary within the VIP ranges. If you do not add complete routes based on the VIP ranges, the ECS instance may fail to access the service. In this case, you are responsible for any loss and damage arising therefrom.

  • In most cases, an Alibaba Cloud service uses the static VIP 100.103.22.120 in each region. To simplify route configurations, you can specify a subnet mask for the VIP. Example: 100.103.22.0/24.

Data center security and route configurations

After a data center is connected to Alibaba Cloud by using private networks, you need to configure the following settings to ensure that the external Kubernetes cluster in the data center can access the following domain names and IP addresses:

  • The outbound security policy of the data center must allow access to the private IP addresses or domain names of the cloud services that you want to access.

  • Configure inbound and outbound routes in the route tables of the data center, virtual border router (VBR), CEN instance, transit router, and virtual private cloud (VPC) that are used to connect the cluster to the cloud services.

Note
  • After you connect the external Kubernetes cluster in the data center to the registered cluster, the cluster can use the capabilities provided by Alibaba Cloud services, such as image hosting, resource elasticity based on ECS and Elastic Container Instance, networking, observability, and logging. To use these capabilities, you must configure routes to route packets from the cluster to the endpoints of these cloud services.

  • {region} in a service endpoint indicates the region ID of the service endpoint. For example, the region ID of the China (Hangzhou) region is cn-hangzhou.

  • To obtain the endpoints of a service, refer to the service documentation.

The following section describes the endpoints of some Alibaba Cloud services.

CIDR blocks of ACK components

After you connect the external Kubernetes cluster in the data center to the registered cluster, the cluster can use the capabilities provided by Alibaba Cloud services, such as resource elasticity based on ECS and Elastic Container Instance, networking, observability, and logging. When you deploy ack-cluster-agent in the registered cluster or install other components, you need to access the image registries of Container Service for Kubernetes (ACK) components over the internal network. In this case, you must configure routes that point to the image registries of ACK components. In addition, you must configure routes that point to Object Storage Service (OSS) because the images of ACK components are stored in OSS. The following tables describe the VIP ranges of Container Registry and OSS.

Private addresses of ACK components and routes

Regions on Public Cloud

Region

Region ID

VPC endpoint

Route

China (Hangzhou)

cn-hangzhou

registry-cn-hangzhou-vpc.ack.aliyuncs.com

100.103.9.188/32

100.103.7.181/32

China (Shanghai)

cn-shanghai

registry-cn-shanghai-vpc.ack.aliyuncs.com

100.103.94.158/32

100.103.7.57/32

China (Fuzhou - Local Region)

cn-fuzhou

registry-cn-fuzhou-vpc.ack.aliyuncs.com

100.100.0.43/32 100.100.0.28/32

China (Qingdao)

cn-qingdao

registry-cn-qingdao-vpc.ack.aliyuncs.com

100.100.0.172/32

100.100.0.207/32

China (Beijing)

cn-beijing

registry-cn-beijing-vpc.ack.aliyuncs.com

100.103.99.73/32

100.103.0.251/32

China (Zhangjiakou)

cn-zhangjiakou

registry-cn-zhangjiakou-vpc.ack.aliyuncs.com

100.100.1.179/32

100.100.80.152/32

China (Hohhot)

cn-huhehaote

registry-cn-huhehaote-vpc.ack.aliyuncs.com

100.100.0.194/32

100.100.80.55/32

China (Ulanqab)

cn-wulanchabu

registry-cn-wulanchabu-vpc.ack.aliyuncs.com

100.100.0.122/32

100.100.0.58/32

China (Shenzhen)

cn-shenzhen

registry-cn-shenzhen-vpc.ack.aliyuncs.com

100.103.96.139/32

100.103.6.153/32

China (Heyuan)

cn-heyuan

registry-cn-heyuan-vpc.ack.aliyuncs.com

100.100.0.150/32

100.100.0.193/32

China (Guangzhou)

cn-guangzhou

registry-cn-guangzhou-vpc.ack.aliyuncs.com

100.100.0.101/32

100.100.0.21/32

China (Chengdu)

cn-chengdu

registry-cn-chengdu-vpc.ack.aliyuncs.com

100.100.0.48/32

100.100.0.64/32

Zhengzhou (CUCC Joint Venture)

cn-zhengzhou-jva

registry-cn-zhengzhou-jva-vpc.ack.aliyuncs.com

100.100.0.111/32 100.100.0.84/32

China (Hong Kong)

cn-hongkong

registry-cn-hongkong-vpc.ack.aliyuncs.com

100.103.85.19/32

100.100.80.157/32

US (Silicon Valley)

us-west-1

registry-us-west-1-vpc.ack.aliyuncs.com

100.103.13.55/32

100.100.80.93/32

US (Virginia)

us-east-1

registry-us-east-1-vpc.ack.aliyuncs.com

100.103.12.19/32

100.100.80.11/32

Japan (Tokyo)

ap-northeast-1

registry-ap-northeast-1-vpc.ack.aliyuncs.com

100.100.0.167/32

100.100.80.198/32

South Korea (Seoul)

ap-northeast-2

registry-ap-northeast-2-vpc.ack.aliyuncs.com

100.100.0.71/32

100.100.0.33/32

Singapore

ap-southeast-1

registry-ap-southeast-1-vpc.ack.aliyuncs.com

100.103.103.254/32

100.100.80.136/32

Malaysia (Kuala Lumpur)

ap-southeast-3

registry-ap-southeast-3-vpc.ack.aliyuncs.com

100.100.0.17/32

100.100.80.137/32

Indonesia (Jakarta)

ap-southeast-5

registry-ap-southeast-5-vpc.ack.aliyuncs.com

100.100.0.226/32

100.100.80.200/32

Philippines (Manila)

ap-southeast-6

registry-ap-southeast-6-vpc.ack.aliyuncs.com

100.100.0.75/32

100.100.0.24/32

Thailand (Bangkok)

ap-southeast-7

registry-ap-southeast-7-vpc.ack.aliyuncs.com

100.100.0.62/32

100.100.0.34/32

Germany (Frankfurt)

eu-central-1

registry-eu-central-1-vpc.ack.aliyuncs.com

100.100.0.92/32

100.100.80.155/32

UK (London)

eu-west-1

registry-eu-west-1-vpc.ack.aliyuncs.com

100.100.0.175/32

100.100.0.18/32

SAU (Riyadh - Partner Region)

me-central-1

registry-me-central-1-vpc.ack.aliyuncs.com

100.100.0.109/32 100.100.0.18/32

Regions on Finance Cloud

Region

Region ID

VPC endpoint

Route

China East 2 Finance

cn-shanghai-finance-1

registry-cn-shanghai-finance-1-vpc.ack.aliyuncs.com

100.100.0.54/32 100.100.80.227/32

OSS internal endpoints and VIP ranges

Regions on Public Cloud

Region

Region ID

OSS region ID

Internal endpoint for access over VPCs

VIP range

China (Hangzhou)

cn-hangzhou

oss-cn-hangzhou

oss-cn-hangzhou-internal.aliyuncs.com

  • 100.118.28.0/24

  • 100.114.102.0/24

  • 100.98.170.0/24

  • 100.118.31.0/24

China (Shanghai)

cn-shanghai

oss-cn-shanghai

oss-cn-shanghai-internal.aliyuncs.com

  • 100.98.35.0/24

  • 100.98.110.0/24

  • 100.98.169.0/24

  • 100.118.102.0/24

China (Nanjing - Local Region)

cn-nanjing

oss-cn-nanjing

oss-cn-nanjing-internal.aliyuncs.com

100.114.142.0/24

China (Qingdao)

cn-qingdao

oss-cn-qingdao

oss-cn-qingdao-internal.aliyuncs.com

  • 100.115.173.0/24

  • 100.99.113.0/24

  • 100.99.114.0/24

  • 100.99.115.0/24

China (Beijing)

cn-beijing

oss-cn-beijing

oss-cn-beijing-internal.aliyuncs.com

  • 100.118.58.0/24

  • 100.118.167.0/24

  • 100.118.170.0/24

  • 100.118.171.0/24

  • 100.118.172.0/24

  • 100.118.173.0/24

China (Zhangjiakou)

cn-zhangjiakou

oss-cn-zhangjiakou

oss-cn-zhangjiakou-internal.aliyuncs.com

  • 100.118.90.0/24

  • 100.98.159.0/24

  • 100.114.0.0/24

  • 100.114.1.0/24

China (Hohhot)

cn-huhehaote

oss-cn-huhehaote

oss-cn-huhehaote-internal.aliyuncs.com

  • 100.118.195.0/24

  • 100.99.110.0/24

  • 100.99.111.0/24

  • 100.99.112.0/24

China (Ulanqab)

cn-wulanchabu

oss-cn-wulanchabu

oss-cn-wulanchabu-internal.aliyuncs.com

  • 100.114.11.0/24

  • 100.114.12.0/24

  • 100.114.100.0/24

  • 100.118.214.0/24

China (Shenzhen)

cn-shenzhen

oss-cn-shenzhen

oss-cn-shenzhen-internal.aliyuncs.com

  • 100.118.78.0/24

  • 100.118.203.0/24

  • 100.118.204.0/24

  • 100.118.217.0/24

China (Heyuan)

cn-heyuan

oss-cn-heyuan

oss-cn-heyuan-internal.aliyuncs.com

  • 100.98.83.0/24

  • 100.118.174.0/24

China (Guangzhou)

cn-guangzhou

oss-cn-guangzhou

oss-cn-guangzhou-internal.aliyuncs.com

  • 100.115.33.0/24

  • 100.114.101.0/24

China (Chengdu)

cn-chengdu

oss-cn-chengdu

oss-cn-chengdu-internal.aliyuncs.com

  • 100.115.155.0/24

  • 100.99.107.0/24

  • 100.99.108.0/24

  • 100.99.109.0/24

China (Hong Kong)

cn-hongkong

oss-cn-hongkong

oss-cn-hongkong-internal.aliyuncs.com

  • 100.115.61.0/24

  • 100.99.103.0/24

  • 100.99.104.0/24

  • 100.99.106.0/24

US (Silicon Valley) *

us-west-1

oss-us-west-1

oss-us-west-1-internal.aliyuncs.com

100.115.107.0/24

US (Virginia) *

us-east-1

oss-us-east-1

oss-us-east-1-internal.aliyuncs.com

  • 100.115.60.0/24

  • 100.99.100.0/24

  • 100.99.101.0/24

  • 100.99.102.0/24

Japan (Tokyo) *

ap-northeast-1

oss-ap-northeast-1

oss-ap-northeast-1-internal.aliyuncs.com

  • 100.114.211.0/24

  • 100.114.114.0/25

South Korea (Seoul)

ap-northeast-2

oss-ap-northeast-2

oss-ap-northeast-2-internal.aliyuncs.com

100.99.119.0/24

Singapore *

ap-southeast-1

oss-ap-southeast-1

oss-ap-southeast-1-internal.aliyuncs.com

  • 100.118.219.0/24

  • 100.99.213.0/24

  • 100.99.116.0/24

  • 100.99.117.0/24

Australia (Sydney) Closing Down *

ap-southeast-2

oss-ap-southeast-2

oss-ap-southeast-2-internal.aliyuncs.com

100.98.201.0/24

Malaysia (Kuala Lumpur) *

ap-southeast-3

oss-ap-southeast-3

oss-ap-southeast-3-internal.aliyuncs.com

  • 100.118.165.0/24

  • 100.99.125.0/24

  • 100.99.130.0/24

  • 100.99.131.0/24

Indonesia (Jakarta) *

ap-southeast-5

oss-ap-southeast-5

oss-ap-southeast-5-internal.aliyuncs.com

100.114.98.0/24

Philippines (Manila)

ap-southeast-6

oss-ap-southeast-6

oss-ap-southeast-6-internal.aliyuncs.com

100.115.16.0/24

Thailand (Bangkok)

ap-southeast-7

oss-ap-southeast-7

oss-ap-southeast-7-internal.aliyuncs.com

100.98.249.0/24

Germany (Frankfurt) *

eu-central-1

oss-eu-central-1

oss-eu-central-1-internal.aliyuncs.com

100.115.154.0/24

UK (London)

eu-west-1

oss-eu-west-1

oss-eu-west-1-internal.aliyuncs.com

100.114.114.128/25

UAE (Dubai) *

me-east-1

oss-me-east-1

oss-me-east-1-internal.aliyuncs.com

100.99.235.0/24

SAU (Riyadh)

me-central-1

oss-me-central-1

oss-me-central-1-internal.aliyuncs.com

100.99.121.0/24

Regions on Finance Cloud

Region

Region ID

OSS Region ID

Internal endpoint for access over VPCs

VIP range

China East 1 Finance

N/A

oss-cn-hzjbp

  • oss-cn-hzjbp-a-internal.aliyuncs.com

  • oss-cn-hzjbp-b-internal.aliyuncs.com

  • 100.103.4.210/32

  • 100.115.6.0/24

China East 2 Finance

N/A

oss-cn-shanghai-finance-1

oss-cn-shanghai-finance-1-internal.aliyuncs.com

  • 100.115.105.0/24

  • 100.100.36.8/32

China North 2 Finance (Preview)

N/A

oss-cn-beijing-finance-1

oss-cn-beijing-finance-1-internal.aliyuncs.com

100.112.52.0/24

China South 1 Finance

N/A

oss-cn-shenzhen-finance-1

oss-cn-shenzhen-finance-1-internal.aliyuncs.com

100.112.15.0/24

China East 1 Finance Public

N/A

oss-cn-hzfinance

oss-cn-hzfinance-internal.aliyuncs.com

  • 100.103.4.95/32

  • 100.103.5.142/32

  • 100.103.5.143/32

  • 100.103.5.144/32

  • 100.115.6.0/24

China East 2 Finance Public

N/A

oss-cn-shanghai-finance-1-pub

oss-cn-shanghai-finance-1-pub-internal.aliyuncs.com

  • 100.100.36.24/32

  • 100.100.36.8/32

China South 1 Finance Public

N/A

oss-cn-szfinance

oss-cn-szfinance-internal.aliyuncs.com

  • 100.112.15.0/24

  • 100.100.80.70/32

China North 2 Finance Public

N/A

oss-cn-beijing-finance-1-pub

oss-cn-beijing-finance-1-pub-internal.aliyuncs.com

100.112.52.0/24

Resource elasticity based on Elastic Container Instance

Deploy the ack-virtual-node component in the registered cluster to allow the cluster to schedule pods to elastic container instances. Perform the following steps:

  1. Install the ack-virtual-node component. For more information, see Schedule pods to elastic container instances that are deployed as virtual nodes.

  2. Configure routes to route packets from the data center to the internal endpoint of the cloud service used to deploy the ack-virtual-node component. In this example, the ack-virtual-node component is deployed by using Elastic Container Instance. For more information about the endpoints of Elastic Container Instance, see Endpoints.

  3. Query the VIP ranges of Elastic Container Instance. For more information, see Use the dig command to query the VIP ranges of a cloud service.

Networking

In most cases, network plug-ins are installed in external Kubernetes clusters deployed in data centers. After you connect an external Kubernetes cluster to a registered cluster, you can create ECS node pools that use the Terway network plug-in. To do this, perform the following steps:

  1. Install Terway. For more information, see Deploy and configure Terway.

  2. Configure routes to route packets from the data center to the internal endpoints of the cloud services used to deploy Terway. In this case, Terway is deployed by using ECS and VPC.

  3. Query the VIP ranges of ECS and VPC. For more information, see Use the dig command to query the VIP ranges of a cloud service.

Prometheus Service monitoring

Deploy the arms-prometheus component in the registered cluster to use Managed Service for Prometheus to monitor the external cluster. Perform the following steps:

  1. Install arms-prometheus. For more information, see Enable Managed Service for Prometheus for a registered cluster.

  2. Configure routes to route packets from the data center to the internal endpoints of the cloud services used to deploy arms-prometheus. In this case, arms-prometheus is deployed by using Managed Service for Prometheus. For more information, see VPC endpoints and the corresponding CIDR blocks of Managed Service for Prometheus.

Use the dig command to query the VIP ranges of a cloud service

If the cloud services used are not included in the preceding sections, you can use the dig command to query the VIP ranges of the cloud services. For example, if ack-virtual-node is deployed in an external Kubernetes cluster in a data center, you can run the following command to query the internal API endpoint of Elastic Container Instance in the China (Shanghai) region:

dig eci-vpc.cn-shanghai.aliyuncs.com

Expected output:

; <<>> DiG 9.10.6 <<>> eci-vpc.cn-shanghai.aliyuncs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11344
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;eci-vpc.cn-shanghai.aliyuncs.com. IN	A

;; ANSWER SECTION:
eci-vpc.cn-shanghai.aliyuncs.com. 300 IN CNAME	eci-vpc.cn-shanghai.aliyuncs.com.gds.alibabadns.com.
eci-vpc.cn-shanghai.aliyuncs.com.gds.alibabadns.com. 300 IN CNAME popunify-vpc.cn-shanghai.aliyuncs.com.
popunify-vpc.cn-shanghai.aliyuncs.com. 300 IN CNAME popunify-vpc.cn-shanghai.aliyuncs.com.gds.alibabadns.com.
popunify-vpc.cn-shanghai.aliyuncs.com.gds.alibabadns.com. 300 IN A 100.103.22.120

;; Query time: 93 msec
;; SERVER: 30.30.XX.XX#53(30.30.XX.XX)
;; WHEN: Tue Aug 27 13:59:01 CST 2024
;; MSG SIZE  rcvd: 193

The output shows that the internal VIP of Elastic Container Instance in the China (Shanghai) region is 100.103.22.120.