Tencent Container Registry (TCR) Enterprise Edition supports private network access control. A private network access linkage can be used to restrict instance access by clients in a Virtual Private Cloud (VPC). In actual production scenarios involving container computing, pulling container images through a VPC can effectively improve the pulling speed and reduce public network bandwidth costs. TCR allows users to connect their VPCs to a TCR Enterprise Edition instance to implement private network access and access control.
This document describes how to configure private network access control for a TCR enterprise edition instance. After completing the following configuration, you can use a Cloud Virtual Machine (CVM) in a specified VPC to pull images from a TCR instance through the private network, or pull container images in TKE and other container clusters through the cluster private network. For more information, see TKE Clusters Use the TCR Addon to Enable Secret-free Pulling of Container Images via Private Network.
Prerequisites
Make sure that the following conditions are met before configuring private network access control for a TCR Enterprise Edition instance:
If you are using a sub-account, the sub-account must have obtained operation permissions on the corresponding instance. For more information, see TCR Enterprise Authorization Management.
You have activated the VPC service and created a VPC and a subnet in the region where the TCR Enterprise Edition instance is deployed.
1. Log in to the TCR console and choose Access Control > Private Network Access in the left sidebar.
2. On the Private Network Access page, click Create.
3. In the Create a private network access linkage pop-up window, specify a VPC and a subnet, as shown in the figure below:
Associated Instance: Target instance for which the private network access policy is configured. To change the instance, select another instance name from the Instance Name drop-down list at the top of the Private Network Access page.
Region: Region where the VPC to access resides, which is the same as the region where the current instance is deployed by default. If the multi-region replication feature is enabled for the current instance and replicas are configured for the instance in multiple regions, you can select the region where a replica is deployed to access the VPC of the replica. For more information, see Configuring Instance Replication.
Virtual Private Cloud:
First, select the VPC that you want to connect to. The drop-down list displays all available VPCs in the region of the current instance.
Then, select a subnet with usable private IPs in the VPC. Creating a private network access linkage occupies a private IP in the subnet. The IP is also used as the destination IP for private network resolution of the instance domain name. The subnet is only used to assign private network access addresses. After the linkage is created, CVMs in subnets of the VPC can access the TCR Enterprise Edition instance through the linkage.
4. Click OK to start creating the private network access linkage.
If the access linkage status changes to Normal linkage and the private network parsing IP is not empty, the private network access linkage was successfully created.
Note
By default, only resolution for public network access is configured for the access domain name of the instance. After connecting the instance to the specified VPC and obtaining the private network parsing IP, click Manage Auto-parsing to configure the dedicated private network parsing for the instance domain name in the VPC.
Managing private network parsing
After the private network access linkage is established, CVMs in the associated VPC access the instance through the private network by accessing the private network parsing IP. By default, the default domain name of the instance (for example, tcr-demo.tencentcloudcr.com) and private network domain name (for example, tcr-demo-vpc.tencentcloudcr.com) will not be automatically resolved to the private network parsing IP in the VPC. You need to use the Manage Auto-parsing feature to configure private network parsing, or use an external DNS service to manage parsing.
Using Private DNS for automatic configuration (default method)
By default, Tencent Cloud Private DNS is used to configure domain name resolution in VPCs. You need to activate the service before using this feature.
1. Log in to the TCR console and choose Access Control > Private Network Access in the left sidebar.
2. On the Private Network Access page, click Manage Auto-parsing next to the created private network access linkage.
3. In the Manage Auto-parsing pop-up window that appears, configure domain name resolution for the linkage, as shown in the figure below:
DNS Service: Indicates whether Private DNS is activated. If the service is not activated, click Activate Service to activate it. No additional fees will be charged on the products using Private DNS.
Resolution Configuration: This feature is disabled by default. You can turn on the switch to enable automatic resolution of the default domain name. After this feature is enabled, the instance domain name will be resolved to the private IP in the VPC instead of being resolved to a public IP of the instance. The instance will be used to push and pull images in the private network without the need to configure the domain name resolution manually or by using the TCR add-on.
Advanced Configuration: You can configure the auto-parsing of VPC domain names. VPC domain names are dedicated domain names in VPCs. You can use a VPC domain name in VPCs to distinguish it from the default domain name used in the public network. By default, an image repository provides the access address of the default domain name and related operation instructions. If you use a dedicated VPC domain name, modify the access address configuration of the image repository.
4. Click OK.
Using the TCR add-on for automatic configuration
This solution is applicable to the scenarios where Private DNS has not provided services in the region where the TKE cluster is located. This solution is not recommended by default.
If you are using TKE, refer to TCR to install the TCR add-on in the TKE cluster and select Enable Private Network Parsing in the TCR Component Parameter Setting window. For nodes in the cluster, this add-on can automatically configure private network resolution for the associated TCR instance. This enables secret-free pulling of images in the instance through the private network.
Manually configuring a CVM host
This solution is applicable to CVMs or nodes located in self-built Kubernetes clusters in VPCs that require temporary access to TCR Enterprise Edition instances. It is not recommended by default.
Here, a Linux CVM is used as an example. Log in to the CVM and run the following command:
Yes
No
Was this page helpful?