IBM Cloud Docs
Using VPEs for VPC to privately connect to Container Registry

You can use IBM Cloud® virtual private endpoints (VPE) for Virtual Private Cloud (VPC) to connect to IBM Cloud® Container Registry from your VPC network by using the IP addresses of your choice, which are allocated from a subnetwork within your VPC.

Any Container Registry VPE gateways that were created before 11 November 2022 are deprecated and must be replaced by 15 December 2022. For more information, see Changes to Container Registry VPE gateways from 11 November 2022.

VPEs are virtual IP interfaces that are bound to an endpoint gateway created on a per-service, or per-service-instance, basis (depending on the service operation model). The endpoint gateway is a virtualized function that scales horizontally, is redundant and highly available, and spans all availability zones of your VPC. Endpoint gateways enable communication between virtual server instances within your VPC and IBM Cloud services over the private backbone. VPE for VPC gives you the experience of controlling all the private addressing within your cloud. For more information, see About virtual private endpoint gateways.

If you have an IBM Cloud VPC instance and want to connect the VPC instance to IBM Cloud Container Registry for your Container Registry services, you can create a VPE gateway for your VPC to access IBM Cloud Container Registry within your VPC network. Any connections to IBM Cloud Container Registry that originate from within the VPC automatically go through the Container Registry VPE gateway, if one exists. For more information, see Getting started with Virtual Private Cloud.

When you connect to Container Registry from the IBM Cloud console, you must go through a browser in your VPC to ensure that the connection goes through the Container Registry VPE gateway.

For VPE gateways created before 11 November 2022, you must ensure that the canonical domain name for the registry region (for example, us.icr.io in us-south) resolves to the IP address of the VPE gateway. This action ensures that the image name, which starts with the hostname, is consistent. You can ensure consistency by creating container hostmap entries or configuring the kube Domain Name System (DNS).

For VPE gateways created after 11 November 2022, this additional configuration is not required because the domain name resolution is now handled automatically by the VPE gateway.

For more information about other IBM Cloud VPE services, see VPE supported services.

Before you begin

Before you target a VPE for Container Registry, you must complete the following tasks.

Virtual private endpoints

IBM Cloud Container Registry private endpoints are supported from the following VPC regions:

  • Dallas (us-south)
  • Frankfurt (eu-de)
  • London (eu-gb)
  • Madrid (eu-es)
  • Osaka (jp-osa)
  • Sao Paulo (br-sao)
  • Sydney (au-syd)
  • Tokyo (jp-tok)
  • Toronto (ca-tor)
  • Washington (us-east)

You can create a VPE gateway for your local Container Registry service only. For VPE gateways created after 11 November 2022, you can pull images from any other Container Registry region by using the public hostnames, such as uk.icr.io. For VPE gateways created before 11 November 2022, if you want to connect to IBM Cloud Container Registry in another region, you must enable classic access (see Creating a classic access VPC) and use private hostnames, such as private.uk.icr.io.

Setting up a VPE for IBM Cloud Container Registry

When you create a VPE gateway by using the CLI or API, you must specify the cloud resource name (CRN) of the region that you want to connect to Container Registry. Review the following table for the available regions and CRNs to use to create your VPE gateway.

You can create VPE gateways in the following locations: ap-north, ap-south, br-sao, ca-tor, eu-central, eu-es, jp-osa, uk-south, us-south, and us-east (global registry).

Table 1. Region availability and cloud resource names for connecting Container Registry over private IBM Cloud networks

Registry region    Cloud resource name (CRN)
ap-north           crn:v1:bluemix:public:container-registry:jp-tok:::endpoint:jp.icr.io
ap-south           crn:v1:bluemix:public:container-registry:au-syd:::endpoint:au.icr.io
br-sao             crn:v1:bluemix:public:container-registry:br-sao:::endpoint:br.icr.io
ca-tor             crn:v1:bluemix:public:container-registry:ca-tor:::endpoint:ca.icr.io
eu-central         crn:v1:bluemix:public:container-registry:eu-de:::endpoint:de.icr.io
eu-es              crn:v1:bluemix:public:container-registry:eu-es:::endpoint:es.icr.io
jp-osa             crn:v1:bluemix:public:container-registry:jp-osa:::endpoint:jp2.icr.io
uk-south           crn:v1:bluemix:public:container-registry:eu-gb:::endpoint:uk.icr.io
us-south           crn:v1:bluemix:public:container-registry:us-south:::endpoint:us.icr.io
Global (us-east)   crn:v1:bluemix:public:container-registry:us-east:::endpoint:icr.io

For VPE gateways that were created before 11 November 2022, if you want to connect to IBM Cloud Container Registry in another region, you must use private hostnames, such as private.uk.icr.io. For more information about private Container Registry networks, see Securing your connection to Container Registry.

For VPE gateways that are created after 11 November 2022, you can pull images from any other Container Registry region by using the public hostnames, such as uk.icr.io.

Configuring an endpoint gateway

To configure a VPE gateway, complete the following steps:

  1. List the available services, including IBM Cloud infrastructure services available (by default) for all VPC users. For more information, see VPE supported services.

  2. Create an endpoint gateway for IBM Cloud Container Registry that you want to be privately available to the VPC. To create the VPE gateway by using the CLI, run the following command, where <CRN> is the CRN of the target region as shown in Table 1.

    ibmcloud is endpoint-gateway-create --target <CRN> --vpc-id <VPC-ID> --name myname

  3. Bind a reserved IP address to the endpoint gateway.

  4. View the created VPE gateways associated with the IBM Cloud Container Registry. For more information, see Viewing details of an endpoint gateway.

Now your virtual server instances in the VPC can access your IBM Cloud Container Registry instance privately through the VPE gateway.
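The steps above do not tell you whether pulls really take the private path, and the earlier section notes that a gateway created before 11 November 2022 only works if the canonical registry hostname (for example us.icr.io) resolves to the gateway's IP. The following added example (not IBM's code) runs on a VPC instance after step 4 and classifies how a registry hostname resolves relative to the reserved IP you bound; it assumes you know that reserved IP and the subnet CIDR it came from, and builds the hostmap line for the older gateways.

```python
import ipaddress
import socket

# Registry region -> canonical registry hostname, taken from Table 1 on this page.
REGISTRY_HOSTS = {
    "ap-north": "jp.icr.io", "ap-south": "au.icr.io", "br-sao": "br.icr.io",
    "ca-tor": "ca.icr.io", "eu-central": "de.icr.io", "eu-es": "es.icr.io",
    "jp-osa": "jp2.icr.io", "uk-south": "uk.icr.io", "us-south": "us.icr.io",
    "global": "icr.io",
}

def resolve_ipv4(hostname):
    """Ask the local resolver (the one the VPC instance really uses) for IPv4 answers."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def check_vpe_resolution(hostname, vpe_ip, vpc_subnet, resolver=resolve_ipv4):
    """Classify how hostname resolves relative to the VPE gateway's reserved IP.

    "vpe": every answer is the gateway IP, so pulls stay on the private path.
    "mixed": the gateway IP or another VPC-subnet address appears next to other answers.
    "public": no answer is inside the VPC subnet, so pulls would bypass the gateway.
    "unresolved": the lookup failed.
    """
    answers = {ipaddress.ip_address(a) for a in resolver(hostname)}
    if not answers:
        return "unresolved"
    gateway = ipaddress.ip_address(vpe_ip)
    subnet = ipaddress.ip_network(vpc_subnet, strict=False)
    if answers == {gateway}:
        return "vpe"
    if gateway in answers or any(a in subnet for a in answers):
        return "mixed"
    return "public"

def hostmap_entry(vpe_ip, region):
    """Build the hosts-file line that pins a pre-November-2022 gateway's registry name."""
    ipaddress.ip_address(vpe_ip)  # raises ValueError on a malformed address
    return f"{vpe_ip} {REGISTRY_HOSTS[region]}"

if __name__ == "__main__":
    # Constructed sample: reserved IP 10.240.0.10 from subnet 10.240.0.0/24, and a fake
    # resolver that answers with an address outside the VPC (documentation range).
    fake = lambda host: {"198.51.100.7"}
    print(check_vpe_resolution("us.icr.io", "10.240.0.10", "10.240.0.0/24", resolver=fake))
    print(hostmap_entry("10.240.0.10", "us-south"))
```

Run it without the fake resolver on the VPC instance itself, because the answer depends on the DNS that instance uses, not on your workstation's.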