This topic applies when ACK Edge on-premises edge nodes connect over the public network to Alibaba Cloud Container Service. It lists the domains and ports you must allow through your firewall.
In the tables below, {region} is your cluster's region ID — for example, cn-hangzhou for China (Hangzhou). See Regions and zones.
Inbound ports on edge nodes
Control plane and monitoring components reach edge nodes from the cloud or other cluster nodes. Allow these inbound ports in each edge node's host CIDR block.
| Protocol | Port | Source | Purpose |
|---|---|---|---|
| TCP | 10250, 10255 | Host CIDR block of the edge node | Kubelet access for API Server and Metrics Server. Traffic is proxied by the Raven component. |
| TCP | 9100, 9445 | Host CIDR block of the edge node | Node-Exporter access for Prometheus. Traffic is proxied by the Raven component. |
| UDP | 8472 | Host CIDR block of the edge node | Flannel VXLAN tunnel. |
Outbound access from edge nodes
Edge nodes must reach the following endpoints. Required access differs between installation and runtime.
During node installation and upgrade
Allow access to these endpoints when installing or upgrading edge node components.
| Access object | Public endpoint | Port | Description |
|---|---|---|---|
| Component packages | aliacs-k8s-{region}.oss-{region}.aliyuncs.com |
TCP 443 (v1.26 or later)<br>TCP 80 and 443 (earlier than v1.26) | Downloads component packages from OSS: edgeadm, kubelet, CNI, runtime, and edgehub. |
| System tools | No extra domains required | N/A | Installs missing prerequisite tools: net-tools, iproute, chrony (or ntpdate), crontabs, pciutils, socat, ebtables, iptables, and conntrack-tools. Uses apt-get on Ubuntu or yum on CentOS. The endpoint depends on your package manager source. |
During ongoing cluster operations
Allow access to these endpoints at all times while the cluster runs.
| Access object | Public endpoint | Port | Description |
|---|---|---|---|
| Container Service control plane | cs-anony.aliyuncs.com<br>cs-anony.{region}.aliyuncs.com |
TCP 443 (v1.26 or later)<br>TCP 80 (earlier than v1.26) | Container Service management endpoint. |
| API Server | See Find the API Server endpoint | TCP 6443 | All kube-apiserver communication. |
| Raven cloud gateway Server Load Balancer (SLB) | See Find the Raven cloud gateway endpoints | TCP 10280–10284<br>UDP 4500 | Raven tunnel. |
| Tunnel server SLB (clusters earlier than v1.26 only) | See Find the tunnel server endpoint | TCP 10262, 10263 | Edge tunnel (deprecated in v1.26 and later). |
| System component images | dockerauth.{region}.aliyuncs.com<br>dockerauth-ee.{region}.aliyuncs.com<br>registry-{region}.ack.aliyuncs.com |
TCP 443 | Pulls system component images. |
| NTP | ntp1.aliyun.com<br>cn.ntp.org.cn |
Typically UDP 123 | Clock synchronization. Not required if selfHostNtpServer is set to true during node registration (clock already synchronized manually). |
In China (Zhangjiakou), replace dockerauth.{region}.aliyuncs.com with dockerauth-{region}.aliyuncs.com (hyphen, not dot, before the region).
Find dynamic endpoints
The API Server endpoint, Raven cloud gateway SLB addresses, and tunnel server SLB address are assigned per cluster.
Find the API Server endpoint
On the cluster details page in the ACK console, find the endpoint on the Basic Information tab.
Find the Raven cloud gateway endpoints
Look up the Raven cloud gateway Services in the kube-system namespace:
kubectl get svc -n kube-system x-raven-proxy-svc-gw-cloud-xxx
kubectl get svc -n kube-system x-raven-tunnel-svc-gw-cloud-xxx
The EXTERNAL-IP column shows the SLB address to allow.
Find the tunnel server endpoint (clusters earlier than v1.26)
kubectl get svc -n kube-system x-tunnel-server-svc
The EXTERNAL-IP column shows the SLB address to allow.