Tencent Container Registry (TCR) Enterprise Edition supports private-network access control. A Virtual Private Cloud (VPC) access link can be used to restrict instance access by clients in the VPC. In actual production scenarios involving container computing, pulling container images through the VPC can effectively improve the pulling speed and reduce public-network bandwidth costs. TCR allows users to connect their VPCs to a TCR Enterprise Edition instance to implement private-network access and access control.
This document describes how to configure private-network access control for a TCR Enterprise Edition instance.
Before configuring private-network access control for a TCR Enterprise Edition instance, complete the following tasks:
After the private-network access link is established, CVMs in the associated VPC can reach the instance over the private network through the private-network resolution IP address. By default, neither the instance's default domain name (for example, tcr-demo.tencentcloudcr.com) nor its private-network domain name (for example, tcr-demo-vpc.tencentcloudcr.com) is automatically resolved to the private-network resolution IP address inside the VPC. You can implement private-network domain name resolution either by using the TCR plug-in for automatic configuration or by using the VPC resolution feature (VPCDNS) for automatic configuration.
If you are using TKE, refer to Using a Container Image in a TCR Enterprise Edition Instance to Create a Workload to install the TCR plug-in in the TKE cluster. This plug-in can automatically configure private-network resolution for the associated TCR instance for nodes in the cluster. This enables secret-free pulling of images in the instance through the private network, as shown in the figure below:
Tencent Cloud's DNS service, DNSPod, provides a VPC resolution feature that resolves domain names within a specified VPC. This feature is currently available for trial use in the Beijing, Shanghai, Guangzhou, and Silicon Valley regions.
You can submit a ticket to apply for trial use of this feature and provide the list of VPCs for which you want to enable this feature. After this service is activated, you can configure automatic resolution in the associated VPC of an instance after creating a private-network access link. In addition, you can select the default domain name or private domain name to use, as shown in the figure below:
This solution (manually adding a hosts-file entry) is applicable to CVMs, or to nodes in self-built Kubernetes clusters, in a VPC that need to access an Enterprise Edition instance temporarily.
Here, a Linux CVM is used as an example. Log in to the CVM and run the following command:
echo '172.21.17.69 demo.tencentcloudcr.com' >> /etc/hosts
Replace 172.21.17.69 and demo.tencentcloudcr.com with your actual private-network resolution IP address and TCR instance domain name. The domain name in the hosts entry must be the same one you use when logging in to and pulling from the instance, otherwise the pull still goes through the public network.
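As an added example that is not part of the TCR documentation, the following POSIX shell functions perform the hosts-file step above in a safer, repeatable way: they refuse an address that is not in a private IPv4 range (a public address here almost always means the wrong IP was copied), replace any stale line for the same domain instead of appending a duplicate, and read the mapping back so the result can be checked. The IP and domain are the placeholder values from this document; the hosts-file path argument is an assumption added so the functions can be exercised against a scratch file, and defaults to /etc/hosts.

```shell
#!/bin/sh
# Added example (not Tencent Cloud's code): idempotent private-network
# resolution entry for a TCR instance domain in a hosts file.
# The IP and domain below are the document's placeholders; replace them.

# Return 0 if $1 is an RFC 1918 private IPv4 address. A VPC private-network
# resolution IP is private; a public IP here is almost certainly a mistake.
is_private_ipv4() {
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# add_hosts_entry IP DOMAIN [HOSTS_FILE]
# Writes "IP DOMAIN" to HOSTS_FILE (default /etc/hosts). Any existing line
# for DOMAIN is removed first so a stale mapping cannot silently win and
# repeated runs do not pile up duplicate entries.
add_hosts_entry() {
    ip="$1"; domain="$2"; file="${3:-/etc/hosts}"
    is_private_ipv4 "$ip" || { echo "refusing non-private IP $ip" >&2; return 1; }
    # Escape dots so the domain is matched literally by grep -E.
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
    pat="[[:space:]]$esc([[:space:]]|\$)"
    if grep -Eq "$pat" "$file" 2>/dev/null; then
        tmp="$file.tmp.$$"
        grep -Ev "$pat" "$file" > "$tmp" || true
        # Copy back through cat so the original file keeps its inode and mode.
        cat "$tmp" > "$file"; rm -f "$tmp"
    fi
    printf '%s %s\n' "$ip" "$domain" >> "$file"
}

# resolve_from_hosts DOMAIN [HOSTS_FILE]
# Prints the IP mapped to DOMAIN in the hosts file (first non-comment match).
resolve_from_hosts() {
    domain="$1"; file="${2:-/etc/hosts}"
    awk -v d="$domain" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == d) { print $1; exit } }' "$file"
}

# Usage on the CVM (placeholder values from the document; replace with yours):
#   add_hosts_entry 172.21.17.69 demo.tencentcloudcr.com
#   resolve_from_hosts demo.tencentcloudcr.com
```

After running it, `resolve_from_hosts` (or `getent hosts demo.tencentcloudcr.com`) should print the private-network resolution IP; if it prints a public address, the hosts entry is not being consulted for the name you actually pull from.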