All Products
Search

This Product

    Container Registry:Build a container image in a VPC

    Document Center

    Container Registry:Build a container image in a VPC

    Last Updated:Sep 29, 2024

    Container Registry allows you to build images in a virtual private cloud (VPC). You can create GitLab source code repositories and VPC-based services, such as Maven repositories, in a VPC or data center without exposing the public endpoint. Data centers are connected to VPCs by using Express Connect circuits. This topic describes how to build a container image in a VPC.

    Prerequisites

    • A Container Registry Enterprise Edition instance is created. For more information, see Push an image to a Container Registry Enterprise Edition instance and pull an image from the instance.

    • A self-managed GitLab service is created in a VPC or data center of the region in which the Container Registry Enterprise Edition instance resides. If the self-managed GitLab service in a VPC is accessed over the IP address of an Elastic Compute Service (ECS) instance, the inbound rules of the security group to which the ECS instance belongs must open 100.104.0.0/16 for access to the GitLab service. If the self-managed GitLab service is accessed by using Server Load Balancer (SLB), no restrictions are applied to the security group to which the ECS instance belongs.

    • If the self-managed GitLab service or VPC-based service is created in a data center, the CIDR block of the data center cannot overlap with the reverse access CIDR block (100.104.0.0/16). In addition, you must configure the return route for the reverse access CIDR block (100.104.0.0/16) in a virtual border router (VBR) and data center of Express Connect. For more information, see What is Express Connect and What is a VBR?

    • A VPC and a vSwitch are created in a zone that supports the VPC mode. The following table describes the zones that support the VPC mode:

      Cloud type

      Region

      Zone

      Alibaba Cloud public cloud

      China (Beijing)

      • cn-beijing-c

      • cn-beijing-d

      • cn-beijing-e

      • cn-beijing-f

      • cn-beijing-i

      • cn-beijing-j

      • cn-beijing-k

      • cn-beijing-g

      • cn-beijing-h

      China (Hangzhou)

      • cn-hangzhou-e

      • cn-hangzhou-f

      • cn-hangzhou-g

      • cn-hangzhou-h

      • cn-hangzhou-i

      • cn-hangzhou-j

      • cn-hangzhou-k

      China (Shenzhen)

      • cn-shenzhen-a

      • cn-shenzhen-b

      • cn-shenzhen-c

      • cn-shenzhen-d

      • cn-shenzhen-e

      • cn-shenzhen-f

      China (Shanghai)

      • cn-shanghai-a

      • cn-shanghai-b

      • cn-shanghai-c

      • cn-shanghai-d

      • cn-shanghai-e

      • cn-shanghai-f

      • cn-shanghai-g

      • cn-shanghai-i

      China (Zhangjiakou)

      • cn-zhangjiakou-a

      • cn-zhangjiakou-b

      • cn-zhangjiakou-c

      China (Hong Kong)

      • cn-hongkong-b

      • cn-hongkong-c

      • cn-hongkong-d

      Singapore

      • ap-southeast-1a

      • ap-southeast-1b

      • ap-southeast-1c

      Indonesia (Jakarta)

      • ap-southeast-5a

      • ap-southeast-5b

      US (Virginia)

      • us-east-1a

      • us-east-1b

      US (Silicon Valley)

      • us-west-1a

      • us-west-1b

      UK (London)

      • eu-west-1a

      • eu-west-1b

      Germany (Frankfurt)

      • eu-central-1a

      • eu-central-1b

      Japan (Tokyo)

      • ap-northeast-1a

      • ap-northeast-1b

      Australia (Sydney) Closing Down

      • ap-southeast-2a

      • ap-southeast-2b

      China (Chengdu)

      • cn-chengdu-a

      • cn-chengdu-b

      China (Heyuan)

      • cn-heyuan-a

      • cn-heyuan-b

      Alibaba Finance Cloud

      China (Hangzhou)

      • cn-hangzhou-finance-i

      • cn-hangzhou-finance-j

      • cn-hangzhou-finance-k

      • cn-hangzhou-finance-h

    Managed security groups

    When you bind a VPC-based source code repository, Container Registry calls an ECS API operation to create a managed security group. The managed security group allows services that are created by Container Registry to access the self-managed GitLab service in your VPC. For more information, see Managed security groups.

    Note

    • The managed security group is managed by the Container Registry system. You can view the managed security group but cannot perform operations on the managed security group. The managed security group denies all inbound access. You can specify only the private endpoints of the GitLab service and the Maven repository as the allowed outbound addresses.

    • Container Registry Enterprise Edition instances can access your self-managed GitLab service by using the managed security group after you bind the elastic network interface (ENI) on the vSwitch to the Container Registry Enterprise Edition instances.

    Step 1: Manage the link

    1. Log on to the Container Registry console.

    2. In the top navigation bar, select a region.

    3. In the left-side navigation pane, click Instances.

    4. On the Instances page, click the card of the Container Registry Enterprise Edition instance to which you want to bind the source code repository.

    5. On the Overview page, choose Repository > Code Source.

    6. On the Code Source page, find GitLab and click Manage Link in the Actions column.

    7. In the Manage Link dialog box, configure the following parameters to create a VPC link. Then, click Create.

      Table 1. Parameters used to create a VPC access link

      Parameter

      Description

      Private IP address of the GitLab Server

      Enter the private IP address of the self-managed GitLab source code repository.

      Other IP addresses that need to be allowed

      Enter other VPC endpoints that you want to allow.

      Existing VPC

      Select the VPC that is created in the prerequisites.

      vSwitch

      Select the vSwitch that is created in the prerequisites.

    Step 2: Bind the GitLab source code repository to the Container Registry Enterprise Edition instance

    1. On the Code Source page, find GitLab and click Bind Account in the Actions column.

    2. In the Private GitLab dialog box, configure the following parameters to bind the GitLab source code repository. Then, click Confirm.

      Table 2. Parameters used to bind the GitLab source code repository

      Parameter

      Description

      Network Type

      Select VPC.

      Link Information

      Enter the information about the VPC link that you created in Step 1: Manage the link.

      Endpoint

      Enter the endpoint of the GitLab service.

      • If you use a private GitLab service, enter the logon URL of the private GitLab service.

      • If you use a public GitLab service, enter the logon URL of the public GitLab service.

      Username

      Enter the username that you use to log on to the GitLab service.

      Private Token

      Enter your access token. For more information about how to create an access token, see Bind a source code hosting platform.

      If Bound is displayed in the Status column of the GitLab service, the internal source code repository is bound to the Container Registry Enterprise Edition instance.

    Step 3: Use the Container Registry Enterprise Edition instance to build an image

    Warning

    When you create container images in a VPC, you must clear Build With Servers Deployed Outside Chinese Mainland.

    After you bind the VPC-based source code repository to the Container Registry Enterprise Edition instance, you need to build an image. For more information, see Use Container Registry Enterprise Edition instances to build images.