If you want to access a Container Registry Enterprise Edition instance across regions or from a data center to push or pull images, make sure that the virtual private cloud (VPC) of the access source and the VPC of the Container Registry Enterprise Edition instance are connected. This topic describes how to obtain IP addresses that are used to configure routing rules. This topic also describes how to implement cross-region image pushes and pulls based on routing rules.
Scenarios
Access a Container Registry Enterprise Edition instance from a data center: You can use VPN Gateway, Express Connect circuits, and Smart Access Gateway to connect the VPC of the data center and the VPC of the Container Registry Enterprise Edition instance.
Access a Container Registry Enterprise Edition instance across regions: You can use Cloud Enterprise Network (CEN) to connect the VPC of the access source and the VPC of the Enterprise Edition instance.
Prerequisites
Elastic Compute Service (ECS) instances in the VPC can access the Container Registry Enterprise Edition instance. For more information, see Configure a VPC ACL.
If you want to access a Container Registry Enterprise Edition instance from a data center, you must connect the VPC of the data center and the VPC of the Enterprise Edition instance. For more information, see Connect a data center to a VPC.
If you want to access a Container Registry Enterprise Edition instance across regions, you must connect the VPC of the access source and the VPC of the Enterprise Edition instance. For more information, see Use Enterprise Edition transit routers to connect VPCs across regions and accounts.
Important: Basic Edition transit routers do not support cross-region routing. Use Enterprise Edition transit routers for cross-region routing.
If you want to pull images from multiple Container Registry Enterprise Edition instances that reside in different regions, we recommend that you use the global replication capability of Container Registry Enterprise Edition instances to replicate images. For more information, see Replicate images between instances that belong to the same account.
Obtain the IP addresses that are used to create routing rules
You must obtain the IP addresses of the Object Storage Service (OSS) bucket that is used as the backend storage, Container Registry Enterprise Edition instance, and authentication service in the VPC. You can create routing rules in the data center based on the obtained IP addresses.
Obtain the following domain names:
Important: Make sure that the IP addresses of the following domain names do not conflict with the IP addresses of existing services in the access source. Otherwise, the services in the access source cannot be accessed.
The domain name of the OSS bucket in the VPC. For more information about internal domain names of OSS buckets, see Internal endpoints of OSS buckets and VIP ranges.
The domain name of an OSS bucket in a VPC is ${InstanceId}-registry.oss-${RegionId}-internal.aliyuncs.com.
Note: If you use a custom OSS bucket, the domain name of the OSS bucket is ${CustomizedOSSBucket}.oss-${RegionId}-internal.aliyuncs.com.
The domain name of the Container Registry Enterprise Edition instance in the VPC.
The default domain name of a Container Registry Enterprise Edition instance in a VPC is ${InstanceName}-registry-vpc.${RegionId}.cr.aliyuncs.com.
The domain name of the authentication service in the VPC.
Run the following command to obtain the domain name of the authentication service in the VPC:
curl -vv https://${InstanceName}-registry-vpc.${RegionId}.cr.aliyuncs.com/v2/
Obtain the IP addresses that are used to create routing rules.
Ping the domain names that you obtained in Step 1 on an ECS instance in the VPC to obtain the IP addresses.
Note: After you obtain the IP addresses, you can create routing rules based on the IP addresses. The method that is used to create routing rules varies based on the data center type. Create routing rules based on the type of your data center.
The configurations for cross-region routing may generate additional fees. For more information about the pricing, consult the technical support of the network service that you use.
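The two steps above can be scripted on the ECS instance. The following is an added example, not Alibaba Cloud code: it builds the domain names from the patterns on this page, extracts the authentication service host from the headers of the /v2/ request, and checks each resolved address against the CIDR blocks already used in the access source. It assumes the instance answers as the standard Docker Registry v2 token flow does (401 with a Www-Authenticate realm URL) and uses getent in place of ping; all function names are hypothetical.

```sh
#!/bin/sh
# Added example, not Alibaba Cloud code. Function names are hypothetical.

# Domain name patterns as given on this page.
oss_domain()      { printf '%s-registry.oss-%s-internal.aliyuncs.com\n' "$1" "$2"; } # InstanceId RegionId
registry_domain() { printf '%s-registry-vpc.%s.cr.aliyuncs.com\n' "$1" "$2"; }       # InstanceName RegionId

# Read the response headers of GET /v2/ on stdin and print the host of the
# Www-Authenticate realm URL (assumption: standard Registry v2 token flow).
# The value comes from a server response, so anything that is not a plain
# DNS name is dropped before it can reach a routing rule.
auth_host_from_headers() {
  tr -d '\r' | grep -i 'www-authenticate:' \
    | sed -nE 's#.*realm="https://([^/":]+).*#\1#p' \
    | grep -E '^[A-Za-z0-9.-]+$' | head -n 1
}

# Convert a dotted IPv4 address to an integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if IPv4 address $1 lies inside CIDR block $2.
ip_in_cidr() {
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# Resolve each domain (getent replaces the ping step) and print one line per
# address, warning when it overlaps a CIDR block of the access source.
# usage: route_targets "<cidr> <cidr> ..." domain...
route_targets() {
  cidrs=$1; shift
  for host in "$@"; do
    for ip in $(getent ahostsv4 "$host" | awk '{print $1}' | sort -u); do
      for cidr in $cidrs; do
        if ip_in_cidr "$ip" "$cidr"; then echo "CONFLICT $ip ($host) in $cidr" >&2; fi
      done
      echo "$ip $host"
    done
  done
}
```

To feed the header parser from a live instance, pipe `curl -sS -o /dev/null -D - https://${InstanceName}-registry-vpc.${RegionId}.cr.aliyuncs.com/v2/` into `auth_host_from_headers`.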
Check the access to the Container Registry Enterprise Edition instance from the data center or across regions
Run the docker login command to log on to the container image repository, and then run the docker pull command to pull an image of the Container Registry instance from the data center.
For more information about how to push and pull images, see Push an image to a Container Registry Enterprise Edition instance and pull an image from the instance.
If the image pull progress bar is displayed, you can access the Container Registry Enterprise Edition instance after the VPCs are connected.