
Container Registry: Access a Container Registry Enterprise Edition instance across regions or from a data center

Last Updated: Feb 21, 2025

If you want to access a Container Registry Enterprise Edition instance across regions or from a data center to push or pull images, make sure that the virtual private cloud (VPC) of the access source and the VPC of the Enterprise Edition instance are connected. This topic describes how to obtain the IP address of an Enterprise Edition instance and configure a route to push or pull images from outside the region of the Enterprise Edition instance.

Scenarios

Scenario: Access an Enterprise Edition instance from a data center

Description: You can use Virtual Private Network (VPN) gateways, Express Connect circuits, and Smart Access Gateway to connect the data center to the VPC of the Enterprise Edition instance.

Operation:

  1. Connect the data center to the VPC of the Enterprise Edition instance. For more information, see Connect a data center to a VPC.

  2. Obtain domain name information and configure a route in the data center. For more information, see Step 2: Obtain domain name information.

  3. After the IP address of the Enterprise Edition instance becomes accessible, configure a domain name system (DNS) resolution.

Scenario: Access an Enterprise Edition instance across regions

Description: You can use Cloud Enterprise Network (CEN) to connect the VPC of the access source to the VPC of the Enterprise Edition instance across regions.

Note

If you want to pull images from multiple regions, we recommend that you create multiple Enterprise Edition instances in these regions and use the global replication capability of Enterprise Edition instances to replicate images. For more information, see Replicate images within the same account.

Operation:

  1. Use CEN to connect the VPC of the access source and the VPC of the Enterprise Edition instance.

  2. Obtain the IP address of the Enterprise Edition instance and configure a route in the access source.

  3. After the IP address of the Enterprise Edition instance becomes accessible, configure a DNS resolution.

Description

In this example, an access source in the China (Shanghai) region accesses an Enterprise Edition instance in the China (Hangzhou) region in the same Alibaba Cloud account. The environment is as follows:

  • VPC1

    • Region: China (Hangzhou).

    • IPv4 CIDR block: 10.0.0.0/16.

    • CIDR block of vSwitch 1 in Hangzhou Zone J: 10.0.0.0/24.

    • CIDR block of vSwitch 2 in Hangzhou Zone K: 10.0.1.0/24. vSwitches are created in different zones to implement multi-zone disaster recovery.

    • IP address of Elastic Compute Service (ECS) Instance 1: 10.0.0.1. The ECS instances in this topic are used to verify connectivity.

  • VPC2

    • Region: China (Shanghai).

    • IPv4 CIDR block: 172.16.0.0/16.

    • CIDR block of vSwitch 1 in Shanghai Zone M: 172.16.0.0/24.

    • CIDR block of vSwitch 2 in Shanghai Zone N: 172.16.1.0/24.

    • IP address of ECS Instance 2: 172.16.0.1.

Procedure:

  1. Inter-region connection: Use CEN to connect the VPC of the access source in the China (Shanghai) region to the VPC of the Enterprise Edition instance in the China (Hangzhou) region. For more information, see Connect VPCs in different regions.

  2. Obtain the following domain name information of the Enterprise Edition instance in the China (Hangzhou) region:

    Note

    The ECS instance in the same region as the Enterprise Edition instance must access the Enterprise Edition instance over a VPC. For more information, see Configure a VPC ACL.

    • The domain name of the Enterprise Edition instance. The domain name is accessed by APIs to pull and push images.

    • The domain name of the authentication service. The domain name is accessed when the system performs identity authentication.

    • The domain name of the Object Storage Service (OSS) bucket. The OSS bucket is used to store the images on the Enterprise Edition instance.

  3. Configure a route table: Add the IP addresses or CIDR blocks to the route table to ensure that the access source can access the Enterprise Edition instance across regions.

  4. Test access to the Enterprise Edition instance in the China (Hangzhou) region from the access source in the China (Shanghai) region.

Step 1: Create an inter-region connection

Use CEN to connect the VPC of the access source in the China (Shanghai) region to the VPC of the Enterprise Edition instance in the China (Hangzhou) region. For more information, see Connect VPCs in different regions.

Step 2: Obtain domain name information

Important

Make sure that the IP addresses of the following domain names do not conflict with the IP addresses of the existing services in the access source. Otherwise, the services in the access source cannot be accessed.

  1. Log on to ECS Instance 1 in the China (Hangzhou) region and perform the following operations to obtain the IP addresses of the OSS bucket, the Enterprise Edition instance, and the authentication service in the VPC:

    • Obtain the IP address of the Enterprise Edition instance in the VPC.

      1. Log on to the Container Registry console.

      2. In the top navigation bar, select a region.

      3. In the left-side navigation pane, click Instances.

      4. On the Instances page, click the Enterprise Edition instance that you want to manage.

      5. In the left-side navigation pane of the management page of the Enterprise Edition instance, choose Repository > Access Control.

      6. On the VPC tab, copy the domain name of the Enterprise Edition instance in the VPC. Then, run the ping command on ECS Instance 1 to access the domain name of the Enterprise Edition instance. Obtain and record the IP address of the Enterprise Edition instance.

    • Obtain the IP address of the authentication service in the VPC.

      Note

      If you enable the feature that allows the Enterprise Edition instance to take over the authentication domain name, you can skip this step. For information about how to enable the feature, see the "Conflict with the CIDR block that is mapped to the domain name of the authentication service" section of this topic.

      1. Run the following command to obtain the domain name of the authentication service in the VPC. In the command, replace InstanceName with the name of the Enterprise Edition instance and RegionId with the region ID of the Enterprise Edition instance:

        curl -vv https://${InstanceName}-registry-vpc.${RegionId}.cr.aliyuncs.com/v2/

      2. Run the ping command to obtain the IP address of the authentication service and record the IP address.

        ping dockerauth-ee-vpc-beijing.aliyuncs.com  # Example

    • Obtain the IP address of the OSS bucket in the VPC.

      Note

      If you use PrivateLink to access the OSS bucket and add a CNAME record to point the domain name of the OSS bucket to the domain name of the PrivateLink connection, you can skip this step. For more information, see Access OSS by using PrivateLink.


      1. Obtain the domain name of the OSS bucket in a VPC of the China (Hangzhou) region from the table in Internal OSS endpoints and VIP ranges in the public cloud.

      2. Run the ping command to obtain the IP address of the OSS bucket and record the IP address.

        ping oss-cn-hangzhou-internal.aliyuncs.com

      Note

      If you use a custom OSS bucket, the domain name of the OSS bucket is ${CustomizedOSSBucket}.oss-${RegionId}-internal.aliyuncs.com.

    The following table provides sample IP addresses of the domain names that are related to the Enterprise Edition instance in the China (Hangzhou) region:

    | Item | Domain name | IP address |
    | --- | --- | --- |
    | Enterprise Edition instance | xxxxxx-registry-vpc.cn-hangzhou.cr.aliyuncs.com | 10.94.205.198 |
    | Authentication service | dockerauth-ee-vpc-beijing.aliyuncs.com | 100.103.7.181/32 |
    | OSS Bucket | oss-cn-hangzhou-internal.aliyuncs.com | 100.118.28.43/32 |
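
A registry that uses Docker Registry v2 token authentication answers an unauthenticated request to /v2/ with a 401 response whose Www-Authenticate header carries the authentication service URL in its realm parameter. The following shell function is an added example, not part of the original documentation, that extracts that host from the response headers; the sample headers and the host auth.example.internal are constructed.

```shell
#!/bin/sh
# Added example: find the authentication service host in a registry's
# 401 challenge. Reads HTTP response headers on stdin, prints the host of
# the realm URL, and returns 1 when no Bearer challenge is present.
auth_realm_host() {
    # Header names are case-insensitive and lines end in CRLF on the wire.
    tr -d '\r' | awk '
        tolower($0) ~ /^www-authenticate:[ \t]*bearer / {
            if (match($0, /realm="[^"]*"/)) {
                # Drop the leading realm=" (7 chars) and the closing quote.
                url = substr($0, RSTART + 7, RLENGTH - 8)
                sub("^[A-Za-z]+://", "", url)   # drop the scheme
                sub("[/:].*$", "", url)         # drop the port and path
                print url
                found = 1
                exit
            }
        }
        END { exit !found }'
}

# Constructed sample of the headers returned for an unauthenticated GET /v2/.
SAMPLE_HEADERS='HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Www-Authenticate: Bearer realm="https://auth.example.internal/auth",service="registry.example.internal"
'
printf '%s' "$SAMPLE_HEADERS" | auth_realm_host

# Against a live instance on ECS Instance 1 (InstanceName and RegionId as in
# the curl command above), then resolve the host instead of reading ping output:
#   host=$(curl -sS -o /dev/null -D - \
#       "https://${InstanceName}-registry-vpc.${RegionId}.cr.aliyuncs.com/v2/" | auth_realm_host)
#   getent hosts "$host"
```
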

Step 3: Configure a route table

  • In VPC 2 of the China (Shanghai) region, perform the following operations to use the IP addresses of the authentication service and the OSS bucket to configure the route table:

    1. Log on to the VPC console.

    2. In the left-side navigation pane, click Route Tables.

    3. On the Route Tables page, find the custom route table that you want to manage and click its ID.

    4. On the details page, choose Route Entry List > Custom Route and click Add Route Entry.

    5. In the Add Route Entry panel, configure the parameters and click OK. The following table describes the parameters.

      | Parameter | Description |
      | --- | --- |
      | Destination CIDR block | Enter the destination CIDR blocks. Select IPv4 CIDR Block and then enter 100.103.7.181/32 and 100.118.28.43/32. Configure a separate route entry for each IP address. |
      | Next Hop Type | Select the type of the next hop. Select Transit Router. Traffic destined for the destination CIDR block is routed to the specified transit router. For more information about transit routers, see How transit routers work. Then, select the transit router that you created in Step 1: Create an inter-region connection. |

  • In VPC 1 of the China (Hangzhou) region, perform the following operations to use the CIDR block that covers the IP addresses of the authentication service and the OSS bucket to configure the route table and then advertise the route table:

    1. On the Route Tables page, find the custom route table that you want to manage in VPC 1 and click the ID of the custom route table.

    2. In the Add Route Entry panel, configure the parameters and click OK. The following table describes the parameters.

      | Parameter | Description |
      | --- | --- |
      | Destination CIDR block | Enter the destination CIDR block. Select IPv4 CIDR Block and then enter 100.0.0.0/8. This CIDR block covers the IP addresses of the authentication service and the OSS bucket. |
      | Next Hop Type | Select the type of the next hop. ECS Instance: Traffic destined for the destination CIDR block is routed to the specified ECS instance. Select ECS Instance and then select the ECS instance in VPC 1. After the route is created, click Advertise in the Route Advertisement Status section. |
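
Before you add the routes, you can check the recorded IP addresses against the CIDR blocks that are already in use at the access source (the conflict that the Important note in Step 2 describes) and against the route advertised from VPC 1. The following script is an added example, not part of the original documentation; it uses the sample addresses from this topic, and the in-use block 100.64.0.0/10 in the second call is a constructed value that demonstrates a conflict.

```shell
#!/bin/sh
# Added example: pre-flight check for the service IPs recorded in Step 2.

ip_to_int() {   # dotted quad -> integer
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

in_cidr() {     # in_cidr IP CIDR: succeeds when IP lies inside CIDR
    c_net=${2%/*}; c_bits=${2#*/}
    c_mask=$(( (4294967295 << (32 - c_bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & c_mask )) -eq $(( $(ip_to_int "$c_net") & c_mask )) ]
}

# check_targets "SERVICE_IPS" "CIDRS_IN_USE_AT_SOURCE" "ADVERTISED_ROUTE"
# Prints one line per finding and returns the number of findings.
check_targets() {
    problems=0
    for t in $1; do
        ip=${t%/*}
        for used in $2; do
            if in_cidr "$ip" "$used"; then
                echo "CONFLICT: $ip falls inside $used, already in use at the access source"
                problems=$((problems + 1))
            fi
        done
        if ! in_cidr "$ip" "$3"; then
            echo "UNCOVERED: $ip is outside the advertised route $3"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Authentication service and OSS bucket addresses from the sample table.
SERVICE_IPS="100.103.7.181/32 100.118.28.43/32"

# VPC 2 (172.16.0.0/16) is the only block in use: no findings.
check_targets "$SERVICE_IPS" "172.16.0.0/16" "100.0.0.0/8" && echo "OK: no conflicts"

# Constructed case: the access source also uses 100.64.0.0/10.
check_targets "$SERVICE_IPS" "172.16.0.0/16 100.64.0.0/10" "100.0.0.0/8" || echo "findings: $?"
```
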

Step 4: Test access to the Enterprise Edition instance

  1. Log on to ECS Instance 2 in the China (Shanghai) region. Run the ping command on ECS Instance 2 to test access to the three IP addresses of the Enterprise Edition instance, the authentication service, and the OSS bucket in the China (Hangzhou) region that you obtained in Step 2. Use the three domain names that are related to the Enterprise Edition instance to configure local DNS resolution on ECS Instance 2 and check whether the domain names are resolved to the IP addresses that are related to the Enterprise Edition instance.

    vim /etc/hosts
    
    10.94.205.198 xxxxxx-registry-vpc.cn-hangzhou.cr.aliyuncs.com
    100.103.7.181 dockerauth-vpc.cn-hangzhou.aliyuncs.com
    100.118.28.43 oss-cn-hangzhou-internal.aliyuncs.com

  2. Run the docker login command to log on to an image repository on the Enterprise Edition instance and then run the docker pull command to pull an image from the image repository.

    Note

    For more information about how to push and pull images, see Use a Container Registry Enterprise Edition instance to push and pull images.


Solutions to 100 CIDR block conflicts

When you configure the routing rule, the domain names of the authentication service and the OSS bucket are mapped to IP addresses that belong to the 100 CIDR block. If the 100 CIDR block is assigned to a VPC in which the Enterprise Edition instance resides, domain name conflicts may occur when you access the Enterprise Edition instance. To prevent the conflicts from occurring, you can use the following solutions:

Conflict with the CIDR block that is mapped to the domain name of the authentication service

Enable the feature that allows an Enterprise Edition instance to take over the authentication domain name

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. On the Instances page, click the Enterprise Edition instance that you want to manage.

  4. In the left-side navigation pane of the management page of the Enterprise Edition instance, choose Repository > Domain. On the Domain page, turn on Instance Taking over Authentication Domain Name.

    Important

    If you want to use the feature that allows the Enterprise Edition instance to take over the authentication domain name, submit a ticket to request to add the Enterprise Edition instance to the whitelist.

  5. In the Confirm to Enable Instance Taking over Authentication Domain Name message, click OK.

Conflict with the CIDR block that is mapped to the domain name of the OSS bucket

To prevent the conflict with the CIDR block that is mapped to the domain name of the OSS bucket from occurring, you can use PrivateLink to access the OSS bucket and add a CNAME record to point the domain name of the OSS bucket to the domain name of the PrivateLink connection. For more information, see Access OSS by using PrivateLink.