To access a Container Registry Enterprise Edition instance across regions or from a data center for pushing or pulling images, ensure that the virtual private cloud (VPC) of the access source and the VPC of the Enterprise Edition instance are connected. This topic explains how to retrieve the IP address of an Enterprise Edition instance and configure a route to push or pull images from outside the instance's region.
Scenarios
Scenario | Description
--- | ---
Access an Enterprise Edition instance from a data center | Connect the data center to the VPC of the Enterprise Edition instance using Virtual Private Network (VPN) gateways, Express Connect circuits, or Smart Access Gateway.
Access an Enterprise Edition instance across regions | Use Cloud Enterprise Network (CEN) to connect the VPCs of the access source and the Enterprise Edition instance across regions. To pull images from multiple regions, it is recommended to create an Enterprise Edition instance in each of these regions and use the global replication feature of Enterprise Edition instances to synchronize images. For detailed instructions, see Synchronize instances in the same account.
Instructions
This example shows how to access an Enterprise Edition instance in the China (Hangzhou) region from the China (Shanghai) region within the same Alibaba Cloud account. The environmental details are as follows:
VPC1
Region: China (Hangzhou)
IPv4 CIDR block: 10.0.0.0/16
CIDR block of vSwitch 1 in Hangzhou Zone J: 10.0.0.0/24
CIDR block of vSwitch 2 in Hangzhou Zone K: 10.0.1.0/24. vSwitches are created in different zones for multi-zone disaster recovery.
IP address of Elastic Compute Service (ECS) Instance 1: 10.0.0.1. These ECS instances are used to verify connectivity.
VPC2
Region: China (Shanghai)
IPv4 CIDR block: 172.16.0.0/16
CIDR block of vSwitch 1 in Shanghai Zone M: 172.16.0.0/24
CIDR block of vSwitch 2 in Shanghai Zone N: 172.16.1.0/24.
IP address of ECS Instance 2: 172.16.0.1.
To configure cross-region access, follow these steps:
1. Inter-region connection: Connect the VPC in the China (Shanghai) region to the VPC in the China (Hangzhou) region using CEN. For more information, see Inter-region VPC connectivity.
2. Obtain domain name information: Obtain the following domain names of the Enterprise Edition instance in the China (Hangzhou) region. Note that an ECS instance within the same region must use a VPC to access the Enterprise Edition instance. For more information, see Configure resource access management for a virtual private cloud.
   - The domain name of the Enterprise Edition instance, which the APIs use to pull and push images.
   - The domain name of the authentication service, which is accessed during identity authentication.
   - The domain name of the OSS bucket, which stores the images of the Enterprise Edition instance.
3. Configure a route table: Add the IP addresses or CIDR blocks to the route table so that the access source can reach the Enterprise Edition instance across regions.
4. Test access to the Enterprise Edition instance in the China (Hangzhou) region from the access source in the China (Shanghai) region.
Step 1: inter-region connection
Connect VPC1 in the China (Hangzhou) region to VPC2 in the China (Shanghai) region using CEN. For more information, see Inter-region VPC connectivity.
Step 2: obtain domain name information
Ensure that the IP addresses of the following three domain names do not overlap with the IP addresses of any existing services at the access source, because overlapping routes would make those services unreachable from the access source.
- Log on to ECS Instance 1 in the China (Hangzhou) region and retrieve the IP addresses of the Enterprise Edition instance, the authentication service, and the OSS bucket within the VPC.
- Retrieve the VPC access IP address of the Enterprise Edition instance.
  1. Log on to the Container Registry console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, click Instances.
  4. On the Instances page, click the Enterprise Edition instance that you want to manage.
  5. In the left-side navigation pane of the Enterprise Edition instance management page, select .
  6. On the Virtual Private Cloud tab, copy the VPC endpoint of the ACR Enterprise Edition instance. Then run the ping command on the ECS instance against the endpoint, retrieve the corresponding IP address, and record it.
- Retrieve the IP address of the authentication service within the VPC. You can skip this step by enabling the instance to take over the authentication domain name.
  1. Run the following command to obtain the endpoint of the authentication service within the VPC. InstanceName is the name of the Enterprise Edition instance, and RegionId is the ID of the region where the instance is located. The registry answers this unauthenticated request with an HTTP 401 response whose WWW-Authenticate header names the authentication service in its realm URL.
     curl -vv https://${InstanceName}-registry-vpc.${RegionId}.cr.aliyuncs.com/v2/
  2. Use the ping command to retrieve the corresponding IP address and record it.
     ping dockerauth-vpc.cn-hangzhou.aliyuncs.com
- Retrieve the IP address of the OSS bucket within the VPC. You can skip this step by using PrivateLink to access OSS resources over a private network and pointing the CNAME record of the OSS endpoint in the China (Hangzhou) region to the PrivateLink endpoint.
  1. Retrieve the VPC endpoint of the OSS bucket in the China (Hangzhou) region from the mapping table of internal same-region endpoints and VIP CIDR blocks.
  2. Use the ping command to retrieve the IP address corresponding to the endpoint and record it.
     ping oss-cn-hangzhou-internal.aliyuncs.com
     If you use a custom OSS bucket, the endpoint is ${CustomizedOSSBucket}.oss-${RegionId}-internal.aliyuncs.com.
The table below provides sample IP addresses for the domain names associated with the Enterprise Edition instance in the China (Hangzhou) region:
Name | Domain name | IP address
--- | --- | ---
Enterprise Edition instance | xxxxxx-registry-vpc.cn-hangzhou.cr.aliyuncs.com | 10.94.205.198
Authentication service | dockerauth-vpc.cn-hangzhou.aliyuncs.com | 100.103.7.181/32
OSS bucket | oss-cn-hangzhou-internal.aliyuncs.com | 100.118.28.43/32
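As an added illustration (not code from the original page), the following Python function shows how the authentication service domain is read from the curl output in Step 2: it extracts the realm host from the WWW-Authenticate challenge of a constructed sample 401 response, and refuses input that carries no Bearer challenge.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the response headers that `curl -vv .../v2/` prints for an
# unauthenticated request; the realm host is the page's sample authentication domain,
# the service value is a placeholder.
SAMPLE_401_HEADERS = """\
HTTP/1.1 401 Unauthorized
Content-Type: application/json
Docker-Distribution-Api-Version: registry/2.0
WWW-Authenticate: Bearer realm="https://dockerauth-vpc.cn-hangzhou.aliyuncs.com/auth",service="example-service"
"""


def auth_service_host(headers: str) -> str:
    """Return the hostname of the token service named in the WWW-Authenticate realm.

    Raises ValueError when no Bearer challenge is present, e.g. when the request was
    already authenticated or reached something other than a registry v2 endpoint.
    """
    for line in headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            match = re.search(r'Bearer\s+.*?realm="([^"]+)"', value)
            if not match:
                raise ValueError(f"no Bearer realm in challenge: {value.strip()}")
            host = urlparse(match.group(1)).hostname
            if not host:
                raise ValueError(f"realm is not a URL: {match.group(1)}")
            return host
    raise ValueError("no WWW-Authenticate header in response")


if __name__ == "__main__":
    # This is the name to ping in the next step of the page.
    print(auth_service_host(SAMPLE_401_HEADERS))
```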
Step 3: configure a route table
- In VPC2 in the China (Shanghai) region, configure the route table with the IP addresses of the authentication service and the OSS bucket:
  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Route Tables.
  3. On the Route Tables page, find the custom route table that you want to manage and click its ID.
  4. On the details page of the custom route table, select the tab and click Add Route Entry.
  5. In the Add Route Entry panel, configure the route entry with the following information, and then click OK.

  Configuration | Description
  --- | ---
  Destination CIDR Block | The destination CIDR block to which network traffic is forwarded. IPv4 CIDR Block: 100.103.7.181/32 and 100.118.28.43/32. Only one IP address can be configured per route entry, so add the two entries one after the other.
  Next Hop Type | The type of the next hop. Select Transit Router to route traffic whose destination address is within the destination CIDR block to the selected transit router, and then select the transit router that was created in Step 1: inter-region connection.
- Add a route entry for the destination CIDR block 100.0.0.0/8, which covers the CIDR blocks of the authentication service and the OSS bucket, to the route table of the transit router in the China (Shanghai) region of the CEN instance:
  1. Log on to the CEN console.
  2. On the Instances page, click the ID of the CEN instance that you want to manage.
  3. On the tab, find the transit router in the China (Shanghai) region and click its ID.
  4. On the details page of the transit router, click the Route Table tab.
  5. In the left-side section of the tab, click the ID of the target route table. On the details page of the route table, click the Route Entries tab, and then click Create Route Entry.
  6. In the Add Route Entry dialog box, configure the route entry and click Confirm.

  Configuration item | Description
  --- | ---
  Destination CIDR Block | IPv4: 100.0.0.0/8 (covers the CIDR blocks of the authentication service and the OSS bucket).
  Blackhole Route | No
  Next Hop Connection | The connection type is TR. Select the instance ID that was created in Step 1: inter-region connection.
- Add a route entry for the destination CIDR block 100.0.0.0/8, which covers the CIDR blocks of the authentication service and the OSS bucket, to the route table of the transit router in the China (Hangzhou) region of the CEN instance:
  1. On the tab, find the transit router in the China (Hangzhou) region and click its ID.
  2. On the details page of the transit router, click the Route Table tab.
  3. In the left-side section of the tab, click the ID of the target route table. On the details page of the route table, click the Route Entries tab, and then click Create Route Entry.
  4. In the Add Route Entry dialog box, configure the route entry and click Confirm.

  Configuration item | Description
  --- | ---
  Destination CIDR Block | IPv4: 100.0.0.0/8 (covers the CIDR blocks of the authentication service and the OSS bucket).
  Blackhole Route | No
  Next Hop Connection | The connection type is VPC. Select the ID of the VPC in the China (Hangzhou) region.
Step 4: test access to the Enterprise Edition instance
- Log on to ECS Instance 2 in the China (Shanghai) region, use the ping command to test the three IP addresses of the Enterprise Edition instance in the China (Hangzhou) region, and then add local domain name resolution entries to /etc/hosts (for example, with vim /etc/hosts):
  10.94.205.198 xxxxxx-registry-vpc.cn-hangzhou.cr.aliyuncs.com
  100.103.7.181 dockerauth-vpc.cn-hangzhou.aliyuncs.com
  100.118.28.43 oss-cn-hangzhou-internal.aliyuncs.com
- Use the docker login command to log on to the image repository, and then run the docker pull command to pull images. For more information about how to push and pull images, see Push and Pull Images Using an Enterprise Edition Instance.
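The following Python script, added here and not part of the original page, ties Steps 2 to 4 together from the defender's side: it checks the resolved endpoint addresses against the CIDR blocks already in use at the access source (the overlap Step 2 warns about, since a /32 route for an address inside an in-use block would divert that block's traffic), and only then derives the /32 VPC route entries, the 100.0.0.0/8 transit router route, and the /etc/hosts lines. The endpoint names, IP addresses, and the in-use CIDR list are constructed from the page's sample values.

```python
import ipaddress

# Sample values constructed from the page's example table: the registry endpoint
# name is a placeholder and the IP addresses are the page's illustrative ones.
ENDPOINTS = {
    "registry": ("xxxxxx-registry-vpc.cn-hangzhou.cr.aliyuncs.com", "10.94.205.198"),
    "auth": ("dockerauth-vpc.cn-hangzhou.aliyuncs.com", "100.103.7.181"),
    "oss": ("oss-cn-hangzhou-internal.aliyuncs.com", "100.118.28.43"),
}
# CIDR blocks already reachable from the access source (VPC2 in Shanghai); constructed.
ACCESS_SOURCE_CIDRS = ["172.16.0.0/16"]


def overlaps(endpoints, in_use_cidrs):
    """Map each endpoint name to the in-use CIDR block that already contains its IP."""
    nets = [ipaddress.ip_network(c) for c in in_use_cidrs]
    hit = {}
    for name, (_, ip) in endpoints.items():
        addr = ipaddress.ip_address(ip)
        for net in nets:
            if addr in net:
                hit[name] = str(net)
                break
    return hit


def vpc_route_entries(endpoints):
    """/32 entries for the VPC2 route table (Step 3); next hop is the transit router."""
    return [f"{endpoints[n][1]}/32" for n in ("auth", "oss")]


def transit_router_route(endpoints):
    """The /8 summary route added to both transit routers (Step 3), derived from auth and OSS."""
    supernets = {str(ipaddress.ip_network(f"{endpoints[n][1]}/8", strict=False))
                 for n in ("auth", "oss")}
    if len(supernets) != 1:
        raise ValueError(f"auth and OSS addresses span several /8 blocks: {supernets}")
    return supernets.pop()


def hosts_entries(endpoints):
    """Lines to add to /etc/hosts on ECS Instance 2 (Step 4)."""
    return [f"{ip} {domain}" for domain, ip in endpoints.values()]


def plan(endpoints=ENDPOINTS, in_use_cidrs=ACCESS_SOURCE_CIDRS):
    """Refuse to emit a route plan when an endpoint IP collides with an in-use block."""
    clash = overlaps(endpoints, in_use_cidrs)
    if clash:
        raise ValueError(f"endpoint IPs overlap in-use CIDR blocks at the access source: {clash}")
    return {"vpc_routes": vpc_route_entries(endpoints),
            "transit_router_route": transit_router_route(endpoints),
            "hosts": hosts_entries(endpoints)}


if __name__ == "__main__":
    print(plan())
```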
How to resolve IP conflicts in the 100.0.0.0/8 CIDR block
When you configure the route entries, the domain names of the authentication service and the OSS bucket resolve to IP addresses in the 100.0.0.0/8 block. If this block is also allocated to a VPC that hosts an Enterprise Edition instance, domain name conflicts may occur during access. Use the following solutions to avoid these conflicts:
Authentication domain name CIDR block conflict
Enable the instance to take over the authentication domain name. Access then goes only through the instance's own domain name, which resolves the conflict.
1. Log on to the Container Registry console.
2. In the top navigation bar, select a region.
3. On the Instances page, click the Enterprise Edition instance that you want to manage.
4. In the left-side navigation pane of the Enterprise Edition instance management page, select . On the Domain Name Management page, turn on Instance Takeover Authentication Domain Name. To use this feature, you must submit a ticket to add the Enterprise Edition instance to the whitelist.
5. In the Confirm To Enable Instance Takeover Authentication Domain Name dialog box, click Confirm.
OSS domain name CIDR block conflict
Access OSS resources over a private network by using PrivateLink, and point the CNAME record of the original OSS endpoint to the PrivateLink endpoint.