All Products
Search
Document Center

Container Registry:Configure a VPC ACL

Last Updated:Aug 12, 2024

If you want to establish a connection between your Container Registry Enterprise Edition instance and an Elastic Compute Service (ECS) instance that resides in a virtual private cloud (VPC), you must configure a VPC access control list (ACL) for your Enterprise Edition instance. This topic describes how to configure a VPC ACL for a Container Registry Enterprise Edition instance.

Prerequisites

Background information

After you configure a VPC ACL for a Container Registry Enterprise Edition instance, the Enterprise Edition instance consumes an IP address in the VPC. The system must resolve VPC domain names of the Enterprise Edition instance to the IP address to allow ECS to access the Enterprise Edition instance by using the VPC domain names. Container Registry uses PrivateZone to automatically configure domain name resolution.

Note

When you configure a VPC ACL for a Container Registry Enterprise Edition instance, you can select a vSwitch that has sufficient IP addresses. After you configure the VPC ACL, all ECS instances in the VPC can access the Container Registry Enterprise Edition instance by using the VPC domain names of the Enterprise Edition instance.

When you configure a VPC ACL for an Enterprise Edition instance, Container Registry automatically creates the service-linked role AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone for PrivateZone. Then, the Enterprise Edition instance can access PrivateZone, and PrivateZone can automatically resolve the domain names of the Enterprise Edition instance. For more information about AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone, see The service-linked role for Alibaba Cloud DNS PrivateZone.

Warning

Do not change the DNS zone that is automatically created in PrivateZone. If you change the DNS zone, exceptions occur in image pulling or image deletion.

Procedure

Note

The number of VPCs that can be added to an ACL varies based on the sub-edition of Container Registry Enterprise Edition instances. If the default VPC quota cannot meet your requirements, you can purchase additional quota. For more information, see Billing of Container Registry Enterprise Edition instances.

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the Enterprise Edition instance that you want to manage.

  5. In the left-side navigation pane of the management page of the Container Registry Enterprise Edition instance, choose Repository > Access Control.

    Note

    If you want to configure ACLs for Helm charts, choose Helm Chart > Access Control.

  6. On the VPC tab, click Add VPC.

  7. In the Add VPC dialog box, select a VPC and a vSwitch, and click Confirm.

    Note

    You only need to select a vSwitch and a VPC. Then, all ECS instances in the VPC can access the Container Registry Enterprise Edition instance.

    After the status of the VPC association changes from Creating to Running, the VPC is added.

  8. Optional: View the DNS zone in PrivateZone.

    After the VPC is added, Container Registry automatically creates a DNS zone in PrivateZone to resolve the domain names of the Container Registry Enterprise Edition instance. You can view the DNS zone in PrivateZone.

    1. Log on to the Alibaba Cloud DNS console.

    2. In the left-side navigation pane, click PrivateZone.

      On the Authoritative Zones tab, view the DNS zone.