Create an ACK Edge cluster


This topic shows you how to create an ACK Edge cluster in the console, enabling unified management through cloud-edge integration.

Prerequisites

Limits

The following list gives each item, its limit, and the page where you can request a quota increase or find more information.

  • Costs: Your account must have a balance of at least CNY 100 and have completed real-name verification. Otherwise, you cannot create pay-as-you-go ECS instances and SLB instances. See Billing overview.

  • Networks: ACK clusters support only VPCs. See What is VPC.

  • Cloud resources:

    • ECS: The pay-as-you-go and subscription billing methods are supported. After an ECS instance is created, you can change its billing method from pay-as-you-go to subscription in the ECS console. See Change the billing method of an ECS instance from pay-as-you-go to subscription.

    • VPC route entries: By default, you can add at most 200 route entries to the VPC of an ACK cluster that runs Flannel. VPCs of ACK clusters that run Terway do not have this limit. If you want to add more route entries to the VPC of your ACK cluster, request a quota increase for the VPC. See Quota Center.

    • Security groups: By default, you can create at most 100 security groups with each account. See Security groups.

    • SLB instances: By default, you can create at most 60 pay-as-you-go SLB instances with each account. See Quota Center.

    • EIP: By default, you can create at most 20 EIPs with each account. See Quota Center.

Step 1: Log on to the console

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. In the top-left corner of the page, select the resource group and region where your target resources reside.

  3. On the Clusters page, click Create Kubernetes Cluster.

  4. On the Create Kubernetes Cluster page, click the ACK Edge tab.

Step 2: Configure the cluster

On the ACK Edge Cluster page, configure the basic and advanced settings for the cluster.

Basic settings

Parameter

Description

Cluster Name

Enter a custom cluster name.

Cluster Specification

  • Pro Edition: Provides an SLA guarantee and is suitable for enterprise production and testing environments.

  • Basic Edition: Has quotas (each account can create up to two clusters) and is intended only for personal learning and testing.

For a comparison of the two editions, see Cluster management.

Region

The region where cluster resources (such as ECS instances and cloud disks) are located. The closer the region is to your location and where your resources are deployed, the lower the network latency.

Kubernetes Version

Only the latest three minor versions are supported. We recommend using the latest available version. For details about ACK version support, see ACK version support overview.

Maintenance Window

ACK performs automated O&M operations on managed node pools—such as automatic OS CVE vulnerability fixes—during the maintenance window. Click Set to configure specific maintenance policies.

Network settings

VPC

The VPC for the cluster. To ensure high availability, we recommend selecting two or more zones.

  • Auto-create: ACK creates a vSwitch in each selected zone.

  • Use existing: Select a vSwitch to specify the cluster zone. You can create a new vSwitch or use an existing one.

We recommend using standard private CIDR blocks for the cluster VPC (for example, 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16). If you have special requirements, apply at the Quota Center (Create a cluster using a public CIDR block VPC).

Cloud resource and billing information: VPC

Configure SNAT for VPC

Do not select this option when using a shared VPC.

Select this option if nodes need public network access (to pull public images or access external services). ACK automatically configures a NAT Gateway and SNAT rules to enable public network access for cluster resources.

  • VPC has no NAT Gateway: ACK automatically creates a NAT Gateway, purchases a new EIP, and configures SNAT rules for the cluster's vSwitches.

  • VPC already has a NAT Gateway: ACK determines whether to purchase additional EIPs or configure SNAT rules. If no EIP is available, a new EIP is purchased. If no VPC-level SNAT rule exists, SNAT rules are configured for the cluster's vSwitches.

If you do not select this option, you can manually configure a NAT Gateway and SNAT rules after cluster creation. For details, see Public NAT Gateway.

Cloud resource and billing information: NAT Gateway, EIP

vSwitch

Select an existing vSwitch by zone from the list, or click Create vSwitch to create a new one. The control plane and default node pool use the specified vSwitch. For better high availability, we recommend selecting vSwitches in multiple zones.

Security Group

When using an existing VPC, you can select Select Existing Security Group.

This security group applies to the cluster control plane, default node pool, and any node pool without a custom security group.

Compared with basic security groups, enterprise security groups can accommodate a larger number of private IP addresses but do not support intra-group connectivity. For more information, see Security Group Classification.

  • Auto-create: All outbound traffic is allowed by default. Inbound rules follow recommended configurations. If you modify rules later, ensure inbound access to the 100.64.0.0/10 CIDR block is allowed.

    This CIDR block is used to access other Alibaba Cloud services for operations such as image pulling and querying ECS basic information.
  • Use existing: ACK does not add extra access rules to the security group. You must manage security group rules yourself to avoid access issues. For details, see Configure cluster security groups.
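The Auto-create bullet above asks you to keep inbound access from 100.64.0.0/10 allowed if you later edit the rules. The following script is an added example, not ACK's or Alibaba Cloud's own code: it takes a security group's inbound rules and reports which parts of 100.64.0.0/10 no effective Accept rule admits. The rule records are constructed inline in the shape of the Permission entries returned by the ECS DescribeSecurityGroupAttribute API (Direction, Policy, Priority, IpProtocol, PortRange, SourceCidrIp); in practice you would fetch them with the Alibaba Cloud CLI or SDK. The example assumes priorities run from 1 (highest) to 100 (lowest), that a Drop rule at equal or higher priority shadows an Accept rule, and that only protocol "all" rules count, so port-specific Accept rules are conservatively treated as not covering the block.

```python
"""Audit a security group's inbound rules for the 100.64.0.0/10 requirement.

Added example, not ACK's own code. Rule records are constructed inline in the
shape of DescribeSecurityGroupAttribute Permission entries; priority and
tie-break handling are assumptions (see the lead-in).
"""
from ipaddress import IPv4Network, ip_network
from typing import Dict, List

ALIBABA_SERVICE_BLOCK = ip_network("100.64.0.0/10")


def _subtract(nets: List[IPv4Network], cut: IPv4Network) -> List[IPv4Network]:
    """Remove `cut` from every network in `nets`, splitting networks where needed."""
    out: List[IPv4Network] = []
    for net in nets:
        if not net.overlaps(cut):
            out.append(net)
        elif net.subnet_of(cut):
            continue  # fully removed
        else:
            out.extend(net.address_exclude(cut))  # cut is a strict subnet of net
    return out


def _ingress_all(rules: List[Dict], policy: str) -> List[Dict]:
    """Inbound rules with the given policy that apply to every protocol."""
    return [r for r in rules
            if r["Direction"].lower() == "ingress"
            and r["Policy"].lower() == policy
            and r["IpProtocol"].lower() == "all"]


def uncovered_ranges(rules: List[Dict], target: IPv4Network = ALIBABA_SERVICE_BLOCK) -> List[str]:
    """Parts of `target` that no effective inbound Accept rule admits (empty list = fully allowed)."""
    drops = _ingress_all(rules, "drop")
    remaining = [target]
    for acc in _ingress_all(rules, "accept"):
        src = ip_network(acc["SourceCidrIp"], strict=False)
        if not src.overlaps(target):
            continue
        # Two overlapping CIDR blocks are always nested: the intersection is the smaller one.
        allowed = [src if src.subnet_of(target) else target]
        for drop in drops:
            if drop["Priority"] <= acc["Priority"]:  # assumption: equal or higher priority shadows
                allowed = _subtract(allowed, ip_network(drop["SourceCidrIp"], strict=False))
        for piece in allowed:
            remaining = _subtract(remaining, piece)
    return [str(n) for n in sorted(remaining)]


def allows_service_block(rules: List[Dict]) -> bool:
    return uncovered_ranges(rules) == []


def _rule(direction: str, policy: str, priority: int, cidr: str,
          protocol: str = "all", port_range: str = "-1/-1") -> Dict:
    # Constructed record in the DescribeSecurityGroupAttribute Permission shape.
    return {"Direction": direction, "Policy": policy, "Priority": priority,
            "IpProtocol": protocol, "PortRange": port_range, "SourceCidrIp": cidr}


# Constructed sample security groups.
RULES_RECOMMENDED = [_rule("ingress", "Accept", 1, "100.64.0.0/10"),
                     _rule("ingress", "Accept", 1, "10.0.0.0/8"),
                     _rule("ingress", "Accept", 1, "0.0.0.0/0", "tcp", "22/22")]  # port-specific, ignored
RULES_SHADOWED = [_rule("ingress", "Accept", 10, "100.64.0.0/10"),
                  _rule("ingress", "Drop", 1, "100.64.0.0/11")]  # higher-priority drop hides half the block
RULES_PARTIAL = [_rule("ingress", "Accept", 1, "100.96.0.0/11")]  # only the upper half is allowed

if __name__ == "__main__":
    for name, rules in [("recommended", RULES_RECOMMENDED),
                        ("shadowed", RULES_SHADOWED), ("partial", RULES_PARTIAL)]:
        print(f"{name}: uncovered {uncovered_ranges(rules) or 'none'}")
```

Run the audit after any manual edit of the security group; a non-empty result means image pulls or ECS metadata queries from nodes in that range can start failing.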

Access to API Server

ACK automatically creates a pay-as-you-go private CLB instance as the internal endpoint for the API Server. This CLB instance cannot be reused or deleted. If deleted, the API Server becomes inaccessible and cannot be restored.

To use an existing CLB instance, submit a ticket. After selecting Use Existing Gateway for the VPC, you can set the SLB Source to Use Existing Gateway.

You can optionally enable Expose API server with EIP.

  • Enabled: Binds an EIP to the private CLB instance of the API Server, allowing public network access to manage the cluster.

    This does not grant public network access to resources inside the cluster. To allow cluster resources to access the public network, select Configure SNAT for VPC.
  • Disabled: Allows cluster connection and management via KubeConfig only from within the VPC.

To enable this later, see Enable public network access to API Server.

Starting December 1, 2024, newly created CLB instances no longer support subscription billing and incur instance fees. For details, see [Product Announcement] Discontinuation of subscription billing for new cluster API Server CLB instances and Adjustment announcement for Classic Load Balancer CLB billing items.

Cloud resource and billing information: CLB, EIP

Warning
  • Edge nodes typically communicate with the cloud-based API server over the internet. We recommend that you select Expose API server with EIP. Edge nodes require an EIP for access. If you do not select this option during cluster creation, you can bind an EIP to the API server after you create the cluster. For more information, see Access the API server of an ACK cluster from the internet.

  • ACK Edge clusters do not support changing or unbinding an EIP.

Network Plug-in

Select a network plug-in and configure its settings. The Flannel and Terway-edge network plug-ins are supported. For more information, see Network management and How to choose a network plug-in.

  • Flannel: A simple and stable CNI plug-in based on the open source Flannel project. It uses the VXLAN mode to create an overlay network and provides basic features.

  • Terway-edge: A network plug-in developed by Alibaba Cloud Container Service.

    • In the cloud, it assigns Alibaba Cloud elastic network interfaces to containers.

    • On the edge, it assigns IP addresses to containers from a pre-configured container CIDR block and forwards traffic by using host routes.

Pod vSwitch

This parameter is required only if you select Terway-edge as the network plug-in. You must specify the vSwitches from which to assign IP addresses to pods in the cloud node pool. Each Pod vSwitch must be in the same availability zone as the vSwitch of the corresponding worker node.

Edge Container CIDR Block

This CIDR block provides the IP addresses for containers.

  • If you select Flannel as the network plug-in, containers in the cloud and on the edge are assigned IP addresses from this CIDR block.

  • If you select Terway-edge as the network plug-in, containers on the edge are assigned IP addresses from this CIDR block.

Number of Pods per Node

Defines the maximum number of pods allowed on a single node.

Service CIDR

The IP address pool from which cluster-internal Services are assigned IP addresses. This CIDR block must not overlap with the VPC CIDR block, with the CIDR blocks of any existing clusters in the VPC, or with the Container CIDR Block.
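The network settings above impose a few hard rules (the Service CIDR must be disjoint from the VPC, from existing clusters in the VPC, and from the Container CIDR Block) and one recommendation (use a standard private block for the VPC unless a public-CIDR VPC has been approved in the Quota Center). The following pre-flight check is an added example, not part of the ACK console or its documentation; it uses only the Python standard library. One check goes beyond the page and is labelled as an assumption: a Container or Service CIDR that overlaps 100.64.0.0/10, the block nodes use to reach Alibaba Cloud services, is reported as a warning.

```python
"""Pre-flight check for the CIDR blocks entered when creating an ACK Edge cluster.

Added example, not ACK's own code. Hard rules come from the Service CIDR and
VPC settings on the page; the 100.64.0.0/10 overlap warning is an assumption.
"""
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Sequence

PRIVATE_BLOCKS = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALIBABA_SERVICE_BLOCK = ip_network("100.64.0.0/10")


def _parse(label: str, cidr: str, errors: List[str]) -> Optional[IPv4Network]:
    """Parse a CIDR strictly (host bits must be zero) and record failures as errors."""
    try:
        return ip_network(cidr, strict=True)
    except ValueError as exc:
        errors.append(f"{label}: {cidr!r} is not a valid CIDR block ({exc})")
        return None


def check_cluster_cidrs(vpc_cidr: str, container_cidr: str, service_cidr: str,
                        existing_cluster_cidrs: Sequence[str] = ()) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]}; no errors means the layout is acceptable."""
    errors: List[str] = []
    warnings: List[str] = []
    vpc = _parse("VPC", vpc_cidr, errors)
    container = _parse("Container CIDR Block", container_cidr, errors)
    service = _parse("Service CIDR", service_cidr, errors)
    existing: List[IPv4Network] = []
    for i, cidr in enumerate(existing_cluster_cidrs):
        net = _parse(f"existing cluster CIDR #{i + 1}", cidr, errors)
        if net is not None:
            existing.append(net)

    # Recommendation from the VPC setting: standard private address space.
    if vpc is not None and not any(vpc.subnet_of(b) for b in PRIVATE_BLOCKS):
        warnings.append(f"VPC {vpc} is not inside a standard private block; "
                        "a public-CIDR VPC requires a Quota Center application")

    # Hard rule from the Service CIDR setting: disjoint from VPC, existing clusters, containers.
    if service is not None:
        candidates = [("VPC", vpc), ("Container CIDR Block", container)]
        candidates += [("existing cluster CIDR", n) for n in existing]
        for label, other in candidates:
            if other is not None and service.overlaps(other):
                errors.append(f"Service CIDR {service} overlaps {label} {other}")

    # Assumption (not stated on the page): keep 100.64.0.0/10 free for Alibaba Cloud services.
    for label, net in (("Container CIDR Block", container), ("Service CIDR", service)):
        if net is not None and net.overlaps(ALIBABA_SERVICE_BLOCK):
            warnings.append(f"{label} {net} overlaps {ALIBABA_SERVICE_BLOCK}, "
                            "which nodes need to reach Alibaba Cloud services")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample layout: Flannel cluster in a 192.168.0.0/16 VPC.
    result = check_cluster_cidrs("192.168.0.0/16", "10.244.0.0/16", "172.21.0.0/20")
    print(result)
```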

Advanced settings

Click Advanced Options (Optional) to configure the service forwarding mode.

Parameter

Description

Forwarding Mode

Select the kube-proxy proxy mode, which determines how cluster Services distribute requests to backend pods.

  • iptables: Uses Linux firewall rules for traffic forwarding. Stable but limited in performance. As the number of Services increases, firewall rules grow exponentially, slowing request processing. Suitable for clusters with few Services.

  • IPVS: A high-performance traffic distribution solution that uses hash tables for fast pod targeting, delivering lower latency under heavy Service loads. Suitable for large-scale production clusters or scenarios requiring high network performance.

Click Advanced Options (Optional) to configure other advanced settings.

Expand to view advanced settings

Parameter

Description

Cluster Deletion Protection

We recommend enabling this to prevent accidental cluster deletion via the console or OpenAPI.

Resource Group

Assign the cluster to the selected resource group for easier permission management and cost allocation.

A resource can belong to only one resource group.

Label

Bind key-value tags to the cluster as cloud resource identifiers.

Secret Encryption

Select Select Key to encrypt Kubernetes Secrets with a key from Alibaba Cloud KMS. For more information, see Encrypt Secrets at rest by using Alibaba Cloud KMS.

RRSA OIDC

The cluster creates an OIDC Provider. Using temporary OIDC tokens from its ServiceAccount, application pods can call Alibaba Cloud RAM services and assume specified RAM roles, securely obtaining temporary authorization to access cloud resources and implementing least-privilege permission management at the pod level.

To enable this later, see Use RRSA to configure ServiceAccount RAM permissions for pod-level permission isolation.

Step 3: Configure cloud node pool

Important

You must configure at least two worker nodes in the cloud node pool to deploy the control plane components.

Basic node pool settings

Parameter

Description

Node Pool Name

Enter a custom node pool name.

Container Runtime

Select a Container Runtime based on the Kubernetes Version.

  • containerd (recommended): supports all cluster versions.

  • docker: supports Kubernetes 1.22 and earlier versions.

Managed node pool settings

Managed Node Pool

Enable managed node pool to use ACK's automated O&M capabilities.

If your business is sensitive to underlying node changes and cannot tolerate node restarts or application pod migrations, we do not recommend enabling this.

To enable this later, you can edit the node pool.

Auto Repair

ACK automatically monitors node status and performs self-healing tasks when nodes become abnormal. If you select Restart Faulty Node, node self-healing may involve draining nodes and replacing disks. For trigger conditions and related events, see Enable node self-healing.

Auto Update Rule

When a new kubelet version is available, ACK automatically upgrades. For details, see Upgrade node pools.

Auto CVE Patching

Fix CVE vulnerabilities in node pool OS, supporting configurable vulnerability fix levels.

Cloud resource and billing information: Security Center

Maintenance Window

ACK performs automated O&M operations on managed node pools only during the defined maintenance window.

Instance and image settings

Parameter

Description

Billing Method

The default billing method used when scaling out nodes in the node pool.

  • Pay-As-You-Go: Can be enabled and released on demand.

  • Subscription: Requires configuring Duration and Auto Renewal.

  • Preemptible Instance: Currently, only spot instances with a protection period are supported. You must also configure the Instance Price Cap.

    The instance is created successfully when the real-time price of the specified instance type is below the maximum bid price. After the protection period (1 hour), the system checks the real-time price and inventory every 5 minutes. If the market price exceeds the bid price or inventory is insufficient, the spot instance is released. For usage recommendations, see Spot instance node pool best practices.

To maintain node pool consistency, you cannot change a Pay-As-You-Go or Subscription node pool to a Preemptible Instance node pool, or vice versa.

Instance settings

When scaling out, nodes are allocated from the configured ECS instance families. To improve scale-out success rates, select multiple instance types across multiple zones to avoid unavailability or insufficient inventory. The specific instance type used for scaling is determined by the configured Scaling Policy.

To ensure business stability and accurate resource scheduling, do not mix GPU and non-GPU instance types in the same node pool.

Configure instance types for scaling in one of two ways:

  • Specific types: Specify exact instance types based on vCPU, memory, family, architecture, and other dimensions.

  • Generalized configuration: Select instance types to use or exclude based on attributes (vCPU, memory, etc.) to further improve scale-out success rates. For details, see Configure node pools using specified instance attributes.

Refer to the console's elasticity strength recommendations for configuration, or view node pool elasticity strength after creation.

For ACK-unsupported instance types and node configuration recommendations, see ECS instance type configuration recommendations.

Cloud resource and billing information: ECS instance, GPU instance

Note

Enhanced features of ACK Edge clusters, such as logging, monitoring, and reverse tunneling, require components to be deployed in the cloud. Therefore, you must create at least one ECS instance as a worker node by default.

Operating System

Marketplace Image is in phased release.

To upgrade or change the operating system later, see Change operating system.

Security Hardening

When creating nodes, ACK applies the selected security baseline policy.

  • Disable: No security hardening is applied to ECS instances.

  • MLPS Security Hardening: Alibaba Cloud provides baseline check standards and scanning tools for Alibaba Cloud Linux MLPS 2.0 Level 3 images that comply with classified protection requirements. While ensuring native image compatibility and performance, these images are adapted for MLPS compliance to meet "GB/T22239-2019 Information Security Technology—Cybersecurity Classified Protection Basic Requirements." For details, see ACK MLPS hardening usage guide.

    In this mode, the root user cannot log on remotely via SSH. Connect to the instance via VNC in the ECS console and create a regular user that supports SSH logon.

  • OS Security Hardening: Supported only for Alibaba Cloud Linux 2 or Alibaba Cloud Linux 3.

Logon Type

  • Key Pair: Alibaba Cloud SSH key pairs provide a secure and convenient logon authentication method comprising a public key and a private key. Supported only for Linux instances.

    Configure both the Username (root or ecs-user) and the required Key Pair.

  • Password: Configure the Username (root or ecs-user) and password.

Storage settings

Parameter

Description

System Disk

Select a cloud disk type based on your business needs, including ESSD AutoPL, ESSD, ESSD Entry, and previous-generation disks (SSD and ultra disk). Configure capacity, IOPS, and other parameters.

Available system disk types depend on the selected instance family. Disk types not displayed are unsupported.

ESSD custom capabilities

  • Supports custom performance levels. Larger disk capacity allows higher performance levels (PL2 for capacities over 460 GiB, PL3 for over 1260 GiB). For details, see ESSD.

  • Only ESSD system disks support Encrypted. By default, Alibaba Cloud uses the service key (Default Service CMK) for encryption. You can also select a custom key (BYOK) pre-created in KMS.

Supports selecting More Disk Categories to configure disk types different from the primary System Disk, improving scale-out success rates. When creating nodes, ACK selects the first matching disk type from the specified order.

Cloud resource and billing information: ECS block storage

Data Disk

Select a cloud disk type based on your business needs, including ESSD AutoPL, ESSD, ESSD Entry, and previous-generation disks (SSD and ultra disk). Configure capacity, IOPS, and other parameters.

Available data disk types depend on the selected instance family. Disk types not displayed are unsupported.

ESSD AutoPL support

  • Provisioned performance: Decouples disk capacity from performance, allowing flexible configuration of provisioned performance based on actual business needs without changing storage capacity.

  • Performance burst: Temporarily boosts performance to handle peak read/write demands until business stabilizes.

ESSD support

Supports custom performance levels. Larger disk capacity allows higher performance levels (PL2 for capacities over 460 GiB, PL3 for over 1260 GiB). For details, see ESSD.

  • When mounting data disks, all cloud disk types support Encrypted. By default, Alibaba Cloud uses the service key (Default Service CMK) for encryption. You can also select a custom key (BYOK) pre-created in KMS.

  • During node creation, the last data disk is automatically formatted, and /var/lib/container is mounted to this disk. /var/lib/kubelet and /var/lib/containerd are mounted to /var/lib/container.

    To customize mount directories, adjust the data disk initialization configuration. You can select only one data disk as the container runtime directory. For details, see Can I customize directory mounting for data disks in ACK node pools?
  • For scenarios requiring container image acceleration or rapid large model loading, use snapshots to create data disks, improving system response speed and processing capability.

Select Add Data Disk Type to configure disk types different from the primary Data Disk, improving scale-out success rates. When creating nodes, ACK selects the first matching disk type from the specified order.

An ECS instance can mount up to 64 data disks. The maximum number of disks supported varies by instance type. Query the disk quantity limit for an instance type using the DescribeInstanceTypes API (DiskQuantity).

Cloud resource and billing information: ECS block storage

Elastic Ephemeral Disk

Whitelist feature. Submit a ticket to apply.

Elastic ephemeral disk provides high-performance, cost-effective temporary storage for ECS instances, suitable for temporary data (such as intermediate computation results, cached data, temporary files) and high-performance computing scenarios requiring high IOPS and throughput.

Supported only in specific regions and ECS instance types. For details, see Region limits, Instance type limits.

You can choose whether to configure initialization for the elastic ephemeral disk and customize its mount directory.

Cloud resource and billing information: ECS block storage

Instance quantity

Parameter

Description

Expected Number of Nodes

The total number of nodes that the node pool maintains. You can scale the node pool in or out by adjusting this value. We recommend that you maintain at least two nodes in the cloud node pool.

Advanced node pool settings

Expand Advanced Options (Optional) to configure the node scaling policy.

Parameter

Description

Scaling Policy

Configure how the node pool selects instances during scaling.

  • Priority-based Policy: Scales based on the vSwitch priority configured in the cluster (vSwitch order from top to bottom indicates decreasing priority). If instances cannot be created in the higher-priority zone, the next priority vSwitch is used automatically.

  • Cost Optimization: Scales from lowest to highest vCPU unit price.

    When the node pool uses Preemptible Instance, spot instances are prioritized. You can configure the Percentage of pay-as-you-go instances (%) to automatically supplement with pay-as-you-go instances when spot instances cannot be created due to inventory or other reasons.

  • Distribution Balancing: Distributes ECS instances evenly across multiple zones, but only in multi-zone scenarios. If zone distribution becomes unbalanced due to inventory shortages, you can rebalance.

Use Pay-as-you-go Instances When Spot Instances Are Insufficient

Requires selecting spot instances as the billing method.

When enabled, if sufficient spot instances cannot be created due to price or inventory reasons, ACK automatically attempts to create pay-as-you-go instances as a supplement.

Cloud resource and billing information: ECS instance

Enable Supplemental Spot Instance

Requires selecting spot instances as the billing method.

When enabled, upon receiving a system notification that a spot instance will be reclaimed (5 minutes before reclamation), ACK attempts to scale out new instances for compensation.

  • Compensation successful: ACK drains the old node and removes it from the cluster.

  • Compensation failed: ACK does not drain the old node, and the instance is reclaimed after 5 minutes. When inventory is restored or price conditions are met, ACK automatically purchases instances to maintain the desired node count. For details, see Spot instance node pool best practices.

Active release of spot instances may cause business disruptions. To improve compensation success rates, we recommend also enabling Use Pay-as-you-go Instances When Spot Instances Are Insufficient.

Cloud resource and billing information: ECS instance

Expand Advanced Options (Optional) to configure ECS tags, taints, and other settings.

View advanced options

Parameter

Description

ECS Tags

Add tags to ECS instances automatically created by ACK as cloud resource identifiers. Each ECS instance can have up to 20 tags. To increase this limit, apply on the Quota Platform. Because ACK and ESS occupy some tags, you can specify up to 17 custom tags per instance.

Expand to view tag usage details

  • ACK occupies two ECS tags by default.

    • ack.aliyun.com:<Your cluster ID>

    • ack.alibabacloud.com/nodepool-id:<Your node pool ID>

  • ESS occupies one ECS tag by default: acs:autoscaling:scalingGroupId:<Your node pool scaling group ID>.

  • After enabling node autoscaling, Auto Scaling occupies two ECS tags by default, so the node pool occupies two additional ECS tags: k8s.io/cluster-autoscaler:true and k8s.aliyun.com:true.

  • After enabling node autoscaling, components use ECS tags to record node labels and taints for pre-checking scheduling behavior of scaled-out nodes.

    • Each node label is converted to k8s.io/cluster-autoscaler/node-template/label/<Label key>:<Label value>.

    • Each node taint is converted to k8s.io/cluster-autoscaler/node-template/taint/<Taint key>/<Taint value>:<Taint effect>.

Taints

Add key-value taints to nodes. A valid taint key includes an optional prefix and a name. If a prefix is specified, separate it from the name with a forward slash (/).

Expand to view details

  • Key: The name must be 1–63 characters long, start and end with a letter, digit, or character [a-z0-9A-Z], and can contain letters, digits, hyphens (-), underscores (_), and periods (.).

    If a prefix is specified, it must be a DNS subdomain, meaning a series of DNS labels separated by periods (.), up to 253 characters long, ending with a forward slash (/).

  • Value: Can be empty, up to 63 characters long, must start and end with a letter, digit, or character [a-z0-9A-Z], and can contain letters, digits, hyphens (-), underscores (_), and periods (.).

  • Effect:

    • NoSchedule: Prevents new pods that do not tolerate this taint from being scheduled to the node, but does not affect pods already running.

    • NoExecute: Prevents new pods that do not tolerate this taint from being scheduled to the node and evicts any running pods that do not tolerate this taint.

    • PreferNoSchedule: ACK tries to avoid scheduling pods to nodes with taints they cannot tolerate, but does not enforce this strictly.

Node Labels

Add key-value labels to nodes. A valid key includes an optional prefix and a name. If a prefix is specified, separate it from the name with a forward slash (/).

Expand to view details

  • Key: The name must be 1–63 characters long, start and end with an alphanumeric character [a-z0-9A-Z], and can contain letters, digits, hyphens (-), underscores (_), and periods (.).

    If a prefix is specified, it must be a DNS subdomain, meaning a series of DNS labels separated by periods (.), up to 253 characters long, ending with a forward slash (/).

    The following prefixes are reserved by Kubernetes core components and cannot be specified:

    • kubernetes.io/

    • k8s.io/

    • Prefixes ending with kubernetes.io/ or k8s.io/. For example, test.kubernetes.io/.

      Exceptions:

      • kubelet.kubernetes.io/

      • node.kubernetes.io/

      • Prefixes ending with kubelet.kubernetes.io/.

      • Prefixes ending with node.kubernetes.io/.

  • Value: Can be empty, up to 63 characters long, must start and end with an alphanumeric character [a-z0-9A-Z], and can contain letters, digits, hyphens (-), underscores (_), and periods (.).
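The rules in the ECS Tags, Taints and Node Labels entries above are easy to get wrong by hand, and a rejected label or taint only surfaces when the node pool is created. The following script is an added example, not ACK's own code: it validates taint and label keys, values and effects against the rules listed on this page, applies the reserved-prefix list (including the kubelet.kubernetes.io/ and node.kubernetes.io/ exceptions), and estimates how many of the 20 ECS tags per instance remain after ACK, ESS and, with node autoscaling enabled, the node-template tags derived from each label and taint. One interpretation is an assumption: "prefixes ending with kubernetes.io/" is read as a parent-domain match, so test.kubernetes.io/ is reserved while a prefix such as tk8s.io/ is not.

```python
"""Validate node pool taints and labels, and estimate the ECS tag budget.

Added example, not ACK's own code. The key, prefix, value and effect rules and
the tag counts (2 ACK, 1 ESS, 2 more plus one template tag per label and per
taint with autoscaling, limit 20) are the figures given on the page; the
parent-domain reading of "ending with kubernetes.io/" is an assumption.
"""
import re
from typing import Dict, List, Sequence, Tuple

# Name part of a key, and non-empty values: 1-63 chars, alphanumeric at both
# ends, with '-', '_' and '.' allowed in between.
_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$")
# Prefix: a DNS subdomain, i.e. lowercase DNS labels separated by periods.
_DNS_SUBDOMAIN_RE = re.compile(
    r"^[a-z0-9](?:[-a-z0-9]*[a-z0-9])?(?:\.[a-z0-9](?:[-a-z0-9]*[a-z0-9])?)*$")
_TAINT_EFFECTS = {"NoSchedule", "NoExecute", "PreferNoSchedule"}
_RESERVED = ("kubernetes.io", "k8s.io")
_RESERVED_EXCEPTIONS = ("kubelet.kubernetes.io", "node.kubernetes.io")
ECS_TAG_LIMIT = 20


def _split_key(key: str) -> Tuple[str, str]:
    """Split 'prefix/name' on the first slash; a key without a slash has no prefix."""
    if "/" in key:
        prefix, name = key.split("/", 1)
        return prefix, name
    return "", key


def _check_key(key: str) -> List[str]:
    errors: List[str] = []
    prefix, name = _split_key(key)
    if prefix:
        if len(prefix) > 253:
            errors.append(f"prefix of {key!r} is longer than 253 characters")
        if not _DNS_SUBDOMAIN_RE.match(prefix):
            errors.append(f"prefix {prefix!r} is not a DNS subdomain")
    if not _NAME_RE.match(name):
        errors.append(f"name {name!r} must be 1-63 chars, alphanumeric at both ends, "
                      "with only '-', '_' and '.' inside")
    return errors


def _check_value(value: str) -> List[str]:
    if value == "" or _NAME_RE.match(value):
        return []
    return [f"value {value!r} must be empty or 1-63 chars, alphanumeric at both ends"]


def _is_reserved_prefix(prefix: str) -> bool:
    def under(domain: str) -> bool:  # assumption: "ending with" = same domain or a subdomain of it
        return prefix == domain or prefix.endswith("." + domain)
    if any(under(d) for d in _RESERVED_EXCEPTIONS):
        return False  # kubelet.kubernetes.io/ and node.kubernetes.io/ stay usable
    return any(under(d) for d in _RESERVED)


def validate_label(key: str, value: str) -> List[str]:
    """Return a list of problems; an empty list means the label is acceptable."""
    errors = _check_key(key) + _check_value(value)
    prefix, _ = _split_key(key)
    if prefix and _is_reserved_prefix(prefix):
        errors.append(f"prefix {prefix}/ is reserved for Kubernetes core components")
    return errors


def validate_taint(key: str, value: str, effect: str) -> List[str]:
    """Return a list of problems; an empty list means the taint is acceptable."""
    errors = _check_key(key) + _check_value(value)
    if effect not in _TAINT_EFFECTS:
        errors.append(f"effect {effect!r} must be one of {sorted(_TAINT_EFFECTS)}")
    return errors


def ecs_tag_budget(labels: Dict[str, str], taints: Sequence[Tuple[str, str, str]],
                   autoscaling: bool) -> Dict[str, object]:
    """Tags ACK and ESS place on each node of this pool, versus the 20-tag ECS limit."""
    used = 2 + 1  # ack.aliyun.com, ack.alibabacloud.com/nodepool-id, acs:autoscaling:scalingGroupId
    template: List[str] = []
    if autoscaling:
        used += 2  # k8s.io/cluster-autoscaler:true, k8s.aliyun.com:true
        template += [f"k8s.io/cluster-autoscaler/node-template/label/{k}:{v}" for k, v in labels.items()]
        template += [f"k8s.io/cluster-autoscaler/node-template/taint/{k}/{v}:{e}" for k, v, e in taints]
    used += len(template)
    return {"used": used, "custom_tags_available": max(ECS_TAG_LIMIT - used, 0),
            "template_tags": template}


if __name__ == "__main__":
    # Constructed sample node pool configuration.
    labels = {"example.com/tier": "gpu", "node.kubernetes.io/role": "edge"}
    taints = [("example.com/gpu", "true", "NoSchedule")]
    for k, v in labels.items():
        print(k, validate_label(k, v) or "ok")
    print(ecs_tag_budget(labels, taints, autoscaling=True))
```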

Set to Unschedulable

Newly added nodes are set as unschedulable by default when registered to the cluster. Manually adjust the node scheduling status in the node list.

This setting applies only to clusters running Kubernetes versions earlier than 1.34. For details, see Kubernetes 1.34 version notes.

CPU Policy

Specify the CPU management policy for kubelet nodes.

  • None: Default policy.

  • Static: Allows pods with certain resource characteristics on the node to have enhanced CPU affinity and exclusivity.

We recommend using Custom node pool kubelet configuration.

Custom Node Name

Node names consist of a prefix, node IP address, and suffix. When enabled, node names, ECS instance names, and ECS instance hostnames change accordingly.

Example: Node IP address is 192.XX.YY.55, prefix is aliyun.com, suffix is test.

  • Linux node: Node name, ECS instance name, and ECS instance hostname are all aliyun.com192.XX.YY.55test.

  • Windows node: Hostname is fixed as the IP address, with - replacing . in the IP address, and no prefix or suffix included.

    Thus, the ECS instance hostname is 192-XX-YY-55, while the node name and ECS instance name are aliyun.com192.XX.YY.55test.

Important

When the custom node name format truncates part of the IP address and the VPC CIDR block is large, a truncated IP length (lenOfIP) that is too short can produce duplicate node names, which causes node scale-out failures in instant node elasticity scenarios.

Based on your VPC CIDR block, set the IP truncation length as follows:

  • For large CIDR blocks like 10.0.0.0/8 and 172.16.0.0/12, set lenOfIP to at least 9.

  • For the 192.168.0.0/16 CIDR block, set lenOfIP to at least 6.

Pre-defined Custom Data

Before nodes join the cluster, the specified pre-user User-Data script runs on the instance.

Example: If the pre-user data is touch /tmp/pre-script, the combined script execution order on the node is as follows.

#!/bin/bash
# Input instance pre-user data executes here
touch /tmp/pre-script

# ACK node initialization script executes here

For the execution logic of this configuration during node initialization, see Node initialization process overview.

User Data

After nodes join the cluster, the specified instance User-Data script runs on the instance.

Example: If the instance user data is touch /tmp/post-script, the combined script execution order on the node is as follows.

#!/bin/bash
# ACK node initialization script executes here

# Input instance user data executes here
touch /tmp/post-script

For the execution logic of this configuration during node initialization, see Node initialization process overview.

Successful cluster creation or node scale-out does not guarantee that the instance user script ran successfully. Log on to the node and run grep cloud-init /var/log/messages to view the execution logs.

CloudMonitor Agent

View and monitor node and application status in the CloudMonitor console.

This setting applies only to new nodes added to the node pool, not existing nodes.

To enable this for existing nodes, install it in the CloudMonitor console.

Cloud resource and billing information: CloudMonitor

Public IP

ACK assigns an IPv4 public IP address to nodes.

This setting applies only to new nodes added to the node pool, not existing nodes. To grant public network access to existing nodes, configure and bind an EIP. For details, see Bind EIP to cloud resources.

Cloud resource and billing information: ECS public network

Custom Security Group

Specify a basic or enterprise security group for the node pool. ACK does not add extra access rules to the security group. You must manage security group rules yourself to avoid access issues. For details, see Configure cluster security groups.

Each ECS instance has a limit on the number of security groups it can join. Ensure sufficient security group quota.

RDS Whitelist

Add node IPs to the RDS instance whitelist.

[Deprecated] Private pool type

This configuration item is deprecated. Switch to using Resource Pool Policy to specify private pools.

The private pool resources available for the selected zone and instance type. Types include the following:

  • Open: Instances automatically match open-type private capacity pools. If no eligible private pool exists, public pool resources are used for startup.

  • Do Not Use: Instances do not use any private pool capacity and start directly using public pool resources.

  • Specified: Requires selecting a private pool ID to restrict instances to use only that private pool capacity for startup. If the private pool is unavailable, instance startup fails.

Step 4: Component configuration

Click Next: Component Configuration to configure basic and advanced component options.

Parameter

Description

Cloud-edge Communication Component

The Raven component builds a network tunnel over the public network to enable cross-region communication between the cloud and the edge. It enables features such as edge node monitoring and O&M. If your cluster uses an Express Connect circuit for cloud-edge network communication, you do not need to install the Raven component. For more information, see Raven: A Cross-Region O&M Communication Component.

CloudMonitor Agent

View and monitor node and application status in the CloudMonitor console.

This setting applies only to new nodes added to the node pool, not existing nodes.

To enable this for existing nodes, install it in the CloudMonitor console.

Cloud resource and billing information: CloudMonitor

Log Service

Use an existing SLS Project or create a new one to collect cluster application logs.

Also enables the cluster API Server audit feature to collect requests to the Kubernetes API and their results.

To enable this later, see Collect ACK cluster container logs, Use cluster API Server audit feature.

Cloud resource and billing information: SLS

Step 5: Confirm configuration and billing

On the Confirm Configuration page, confirm the cluster configuration, including feature configurations, resource billing, and cloud product dependency checks. Then, read the Terms of Service.

An ACK Edge cluster incurs cluster management fees (for the Pro edition only) and cloud resource costs. You can view a cost summary for the cluster at the bottom of the creation page, or refer to Billing for ACK Edge clusters.

You can also click Equivalent Code in the upper-right corner of the Confirm Configuration page to generate Terraform or SDK example parameters for the current cluster configuration.

Billing

For details about ACK Edge cluster billing, see Billing for ACK Edge clusters.