Overview
TCR Enterprise Edition supports network access control. It allows users to access a specified VPC and allows the Docker clients within the VPC to access image data over the private network. As multi-cloud and distributed cloud architectures become common, a user's container clusters are no longer located in a single VPC in one designated Tencent Cloud region; they may be distributed across complex networks spanning multiple cloud vendors and IDCs, and these networks may be interconnected through the CCN and Peering Connection network products. In this context, users need to access a single TCR Enterprise Edition instance from multiple regions and VPCs simultaneously to push and pull images over the private network.
This document describes how an enterprise customer can use a custom domain name together with the CCN, Peering Connection, and Private DNS products to enable multiple VPCs to access a TCR instance simultaneously and distribute container images over the private network.
Prerequisites
Check that you have completed the following preparations:
Activate services such as CCN and Peering Connection, and access multiple VPCs.
Overall Structure
The customer deployed containerized business in both Guangzhou and Shanghai and used the TCR Enterprise Edition instance in Guangzhou to host and distribute container images.
Configuration Details
Creating a TCR Enterprise Edition instance and binding a custom domain name
1. Purchase a TCR Enterprise Edition instance in the region where the container business is deployed. For more information, see Purchasing TCR Enterprise Edition Instance. For this best practice, select Guangzhou (ap-guangzhou, gz).
2. Initialize the instance and upload the first image. For more information, see TCR Enterprise Edition Getting Started. For this best practice, this step is to access the specified VPC vpc-gz-01 and push images over the private network.
Associating multiple VPCs with CCN
1. Go to the VPC console, create a CCN instance, and associate it with the Guangzhou and Shanghai VPCs.
2. You can choose to use the peering connection feature to associate the VPCs mentioned above.
Configuring Private DNS for the custom domain name
1. Go to the Private DNS console, use the bound custom domain name to create a private zone, and associate it with the VPCs mentioned above.
2. Configure the resolution record: select A record, use @ to resolve the main domain name directly, and point the record to the private IP corresponding to the accessed VPC.
Scenario Verification
Verifying the VPC connected to the instance
1. In the connected VPC in Guangzhou, create a CVM and install the Docker client.
2. Log in to the CVM and try to pull the image. The following is a reference command, where you need to replace demo-tcr.cn with the actual bound custom domain name and replace demo/nginx:latest with the actual image address (demo is the namespace).
docker pull demo-tcr.cn/demo/nginx:latest
If the image pull is successful, the VPC connection, custom domain name, and Private DNS are configured properly, and the container cluster of the Guangzhou VPC can use the custom domain name to pull images over the private network.
Verifying the other VPC connected to CCN
1. In the VPC connected to CCN in Shanghai, create a CVM and install the Docker client.
2. Log in to the CVM and try to pull the image. You can use the same path to pull the image directly from the Enterprise Edition instance in Guangzhou.
docker pull demo-tcr.cn/demo/nginx:latest
If the image pull is successful, the CCN configuration is normal, and the container cluster of the Shanghai VPC can use the custom domain name to pull the image across regions over the private network.
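A successful pull alone does not show which address the Docker client connected to. The following added example (not part of the original documentation) checks on the CVM that the custom domain resolves only to private addresses before pulling; the script name verify.sh and the function names are hypothetical, and it assumes the VPCs use RFC 1918 address space and that getent is available on the CVM.

```shell
# Added example. Assumption: VPC CIDRs fall inside the RFC 1918 ranges
# (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

# Return 0 if $1 is a dotted-quad IPv4 address inside an RFC 1918 range.
is_private_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    case "$1" in
        10)  return 0 ;;
        192) [ "$2" -eq 168 ]; return $? ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ]; return $? ;;
    esac
    return 1
}

# Return 0 only if the whitespace-separated list in $1 is non-empty and
# every entry is private; report the first offending address on stderr.
all_private() {
    n=0
    for a in $1; do
        is_private_ipv4 "$a" || { echo "not a private address: $a" >&2; return 1; }
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Resolve the custom domain on this CVM, refuse to pull if any answer is
# not private, then pull. $1 = custom domain, $2 = repository path and tag.
verify_private_pull() {
    addrs=$(getent ahostsv4 "$1" | awk '{print $1}' | sort -u)
    if ! all_private "$addrs"; then
        echo "$1 does not resolve exclusively to private IPs: ${addrs:-<none>}" >&2
        return 1
    fi
    echo "$1 -> $(echo $addrs)"
    docker pull "$1/$2"
}

# Example: sh verify.sh demo-tcr.cn demo/nginx:latest
if [ "$#" -ge 2 ]; then
    verify_private_pull "$1" "$2"
fi
```

Run it once in the Guangzhou VPC and once in the Shanghai VPC; the printed address should match the A record configured in Private DNS.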