Tencent Container Registry (TCR) Enterprise Edition supports private network access control. A private network access link connects a Virtual Private Cloud (VPC) to an instance, so that clients in that VPC reach the instance over the private network and instance access can be restricted to those clients. In production container workloads, pulling images over the VPC improves pull speed and avoids public network bandwidth costs. TCR lets you attach your VPCs to a TCR enterprise edition instance to implement private network access and access control.
This document describes how to configure private network access control for a TCR enterprise edition instance. After completing the following configuration, you can use a CVM in a specified VPC to pull images from a TCR instance through the private network, or pull container images in TKE and other container clusters through the cluster private network. For more information, see TKE Clusters Use the TCR Plug-In to Enable Secret-Free Pulling of Container Images Through the Private Network.
Before configuring private network access control for a TCR enterprise edition instance, complete the following tasks:
After the private network access link is established, CVMs in the associated VPC reach the instance by connecting to its private network resolution IP address. By default, neither the instance's default domain name (for example, tcr-demo.tencentcloudcr.com) nor its private network domain name (for example, tcr-demo-vpc.tencentcloudcr.com) is automatically resolved to that IP address inside the VPC. Private network resolution can be configured automatically with VPCDNS or with the TCR plug-in, or manually on each CVM host.
For TCR instances in Chinese regions (excluding financial regions), we recommend using VPCDNS to manage private network resolution of the instance domain names. If VPCDNS is not available in your region, use the TCR plug-in (recommended for TKE users) or configure the CVM host manually (a temporary configuration).
DNSPod, the Tencent Cloud DNS resolution service, provides a VPC resolution feature that creates private zones for domain name resolution inside a VPC. It is currently available in the Beijing, Shanghai, Guangzhou, Chongqing, Chengdu, and Hong Kong regions.
If you use TKE, install the TCR plug-in in the TKE cluster and select "Enable Private Network Parsing" in the "TCR Component Parameter Setting" window. The plug-in automatically configures private network resolution for the associated TCR instance on every node in the cluster, which enables secret-free pulling of images from the instance over the private network.
This solution applies to CVMs, or nodes of self-built Kubernetes clusters, located in a VPC that need temporary access to a TCR enterprise edition instance.
Here, a Linux CVM is used as an example. Log in to the CVM with root privileges (writing /etc/hosts requires them) and run the following command:
echo '172.16.1.95 tcr-demo.tencentcloudcr.com' >> /etc/hosts
Replace 172.16.1.95 and tcr-demo.tencentcloudcr.com with the private network resolution IP address and the domain name of your TCR instance. With the default nsswitch order (files before dns), this entry takes precedence over any VPCDNS record and is not updated automatically, so it must be edited by hand if the private network resolution IP address changes or the access link is removed.
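The one-line echo above appends a second entry if it is run again after the private IP changes, and it says nothing about whether the mapping took effect. The following script is an added example, not part of the Tencent Cloud documentation, that pins both the default and the private network domain names to the private resolution IP idempotently and lets you verify the result. The IP 172.16.1.95 and the domain names tcr-demo.tencentcloudcr.com / tcr-demo-vpc.tencentcloudcr.com are the placeholders used on this page; the HOSTS_FILE variable is an assumption of this example so the script can be dry-run against a scratch file before touching /etc/hosts.

```shell
#!/bin/sh
# Added example (not Tencent Cloud's own tooling): idempotently pin TCR instance
# domain names to the private network resolution IP in an /etc/hosts-style file.
# HOSTS_FILE (assumed variable) defaults to /etc/hosts; point it at a scratch
# file to dry-run. Placeholder IP/domains come from the page and must be replaced.

# tcr_hosts_pin IP DOMAIN... : write one "IP DOMAIN" line per domain, removing any
# stale line for that domain first so a changed private IP never leaves two entries.
tcr_hosts_pin() {
    ip="$1"; shift
    hosts="${HOSTS_FILE:-/etc/hosts}"
    # Sanity check: a private network resolution IP lives in the VPC's RFC 1918
    # range. Refusing anything else stops a typo from redirecting registry pulls
    # (and the credentials sent with them) to an arbitrary public address.
    case "$ip" in
        10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*) ;;
        *) echo "refusing non-RFC1918 address: $ip" >&2; return 1 ;;
    esac
    for d in "$@"; do
        # Escape dots so the grep below matches this exact domain, not any character.
        esc=$(printf '%s' "$d" | sed 's/\./\\./g')
        tmp=$(mktemp)
        # Keep every line that does not map this domain, then append the new mapping.
        grep -v -E "[[:space:]]${esc}([[:space:]]|\$)" "$hosts" > "$tmp" || true
        printf '%s %s\n' "$ip" "$d" >> "$tmp"
        cat "$tmp" > "$hosts"   # cat into the original keeps its owner/mode/inode
        rm -f "$tmp"
    done
}

# tcr_hosts_lookup DOMAIN : print the IP the hosts file maps DOMAIN to (empty if none).
# Comments are skipped; the domain must match a whole field, not a substring.
tcr_hosts_lookup() {
    hosts="${HOSTS_FILE:-/etc/hosts}"
    awk -v d="$1" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == d) { print $1; exit } }' "$hosts"
}

# Usage on the CVM (as root, with your own values):
#   tcr_hosts_pin 172.16.1.95 tcr-demo.tencentcloudcr.com tcr-demo-vpc.tencentcloudcr.com
#   tcr_hosts_lookup tcr-demo.tencentcloudcr.com
```

After pinning on a real CVM, `getent hosts tcr-demo.tencentcloudcr.com` should print the private IP; the hostname the Docker client presents to the registry is unchanged, so certificate validation is unaffected as long as the private endpoint serves the same certificate as the public one. When the access link is deleted or the instance is migrated, re-run tcr_hosts_pin with the new IP (or delete the lines) rather than leaving a stale mapping in place.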