Configure VPC access control


If your ECS instances are in a VPC, you must configure VPC access control for your Container Registry Enterprise Edition instance before those instances can connect to it.

Prerequisites

How VPC access control works

Connecting a VPC to a Container Registry Enterprise Edition instance consumes one IP address in the VPC. ACR uses Alibaba Cloud DNS PrivateZone to automatically resolve the instance's VPC domain name to this IP address.

Note

Access control is configured at the VPC level. Select any vSwitch with available IP addresses. After configuration, all resources in the VPC can access the instance through its VPC domain name.

Configuring VPC access control automatically creates a service-linked role named AliyunServiceRoleForContainerRegistryAccessCustomerPrivateZone, which ACR uses for domain name resolution through Alibaba Cloud DNS PrivateZone. For more information, see Service-linked role for Alibaba Cloud DNS PrivateZone.

Warning

Do not change the DNS zone that is automatically created in Alibaba Cloud DNS PrivateZone. Otherwise, operations such as pulling or deleting images may fail.

Procedure

Note

The VPC access control quota varies by ACR instance edition. If the default quota is insufficient, purchase additional quota. For more information, see Billing of Enterprise Edition instances.

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the Enterprise Edition instance that you want to manage.

  5. On the instance management page, in the navigation pane on the left, choose Repository > Access Control.

    Note

    To configure access control for a Helm chart, choose Helm Chart > Access Control.

  6. On the VPC tab, click Add VPC.

  7. In the Add VPC dialog box, select a VPC and a vSwitch, and then click Confirm.

    Note

    Select one vSwitch from the VPC. All ECS instances in the VPC can then access the Container Registry Enterprise Edition instance.

    The VPC is added when its status changes from Creating to Running.

  8. Optional: View the DNS zone in Alibaba Cloud DNS PrivateZone.

    After you add the VPC, ACR automatically creates a DNS zone in Alibaba Cloud DNS PrivateZone. You can view this zone in the PrivateZone console.

    1. Log on to the Alibaba Cloud DNS console.

    2. In the navigation pane on the left, choose Configurations > Private Zone.

      On the User Defined Zones tab, view the DNS zone.
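To confirm from an ECS instance that the registry's VPC domain name resolves to the address reserved in the selected vSwitch, as described under How VPC access control works, a check like the following can be run after the VPC reaches Running. This is an added example, not Alibaba Cloud code; the hostname and vSwitch CIDR are values you supply from your own console, and the function names are hypothetical.

```python
import ipaddress
import socket
import sys


def resolve_ipv4(hostname):
    """Return the sorted IPv4 addresses the local resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, 443, family=socket.AF_INET,
                                   type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # name did not resolve at all
    return sorted({info[4][0] for info in infos})


def check_vpc_resolution(addresses, vswitch_cidr):
    """Compare resolved addresses with the CIDR of the vSwitch chosen in Add VPC.

    Returns (ok, findings). ok is True only when at least one address was
    returned and every address lies inside vswitch_cidr.
    """
    network = ipaddress.ip_network(vswitch_cidr)
    if not addresses:
        return False, ["no address returned for the VPC domain name"]
    findings = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip in network:
            findings.append(f"{ip}: inside {network}, matches the selected vSwitch")
        elif ip.is_private:
            findings.append(f"{ip}: private but outside {network}, "
                            "check which VPC and vSwitch were added")
        else:
            findings.append(f"{ip}: public address, not the in-VPC endpoint")
    ok = all(ipaddress.ip_address(a) in network for a in addresses)
    return ok, findings


if __name__ == "__main__":
    # Usage: python check_acr_vpc.py <vpc-domain-name> <vswitch-cidr>
    host, cidr = sys.argv[1], sys.argv[2]
    ok, findings = check_vpc_resolution(resolve_ipv4(host), cidr)
    print("\n".join(findings))
    sys.exit(0 if ok else 1)
```

A non-zero exit status means the name did not resolve, or resolved to an address outside the vSwitch, so image pulls from that host would not be using the address ACR reserved in the VPC.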

Related topics

To access an instance from a different region or from on-premises, see Access an Enterprise Edition instance across regions or from an on-premises data center.