Changes to Container Registry VPE gateways from 11 November 2022
If you're using an IBM Cloud® Container Registry virtual private endpoint (VPE) gateway that was created before 11 November 2022, you must re-create your VPE gateway before 15 December 2022. If you use Cloud Identity and Access Management restricted IP address lists and Container Registry VPE gateways, you must also update your restricted IP address lists.
What you need to know about this change
On 11 November 2022, virtual private endpoints (VPEs) for IBM Cloud Container Registry are being updated and the existing VPE version is being deprecated on 15 December 2022. If you use Container Registry VPE gateways, you must create new VPE gateways and remove your VPE gateways that were created before 11 November 2022 at the earliest opportunity so that you pick up these changes. VPE gateways that were created before 11 November 2022 are deprecated and will not work after 15 December 2022.
If you create a new Container Registry VPE gateway after 11 November 2022 and also use Cloud Identity and Access Management (IAM) restricted IP address lists, you must ensure that your restricted IP address list contains the Cloud Service Endpoint (CSE) source IP addresses of the VPCs in which your Container Registry VPE gateways exist. This requirement is related to a previous change to how Container Registry works over the private network, which the new VPE version also uses. See Container Registry private IP addresses changed on 5 July 2022.
How you benefit from this change
Container Registry VPEs are being updated so that they can access all Container Registry service regions by using a single VPE gateway. Previously, a Container Registry VPE gateway provided access to Container Registry only in the region in which the VPC and VPE gateway existed. If a user wanted to access another Container Registry region, the user had to use the private registry domain names (for example, private.us.icr.io) and required more VPC configuration for these domains.
With the new VPE version, VPC users can privately access all Container Registry regions by using a single Container Registry VPE gateway that uses a public domain name (for example, us.icr.io) regardless of the region in which the VPE gateway exists and without having to provide more configuration.
Additionally, the new version of the VPE is in line with previous changes to private networking within Container Registry where the real source IP addresses of requests to the Container Registry are now maintained.
Previously, when connections came in over private networks, including through VPE gateways, the source IP addresses that you saw in IBM Cloud Activity Tracker and that were configured for IAM restricted IP address lists were the documented Container Registry IP addresses. See Permit worker nodes to communicate with IBM Cloud Container Registry.
When you connect to Container Registry now, the real IP address of your VPC Cloud service endpoint source addresses is maintained in a request, which means that IAM restricted IP lists can be configured to specifically allow requests from your VPC, which improves security.
Understanding if you are impacted by this change
You are affected by this change if you are using a Container Registry VPE gateway that was created before 11 November 2022. VPE gateways created before this date can be identified by differences in their target CRN. You can find the target CRN of a VPE gateway by viewing the VPE gateway details in the IBM Cloud console (GUI) or CLI, see Viewing details of an endpoint gateway.
The target CRN of a VPE gateway that was created before 11 November 2022 is in the format:
crn:v1:bluemix:public:container-registry:<cloud-region>:::endpoint:vpe.<cloud-region>.container-registry.cloud.ibm.com
The target CRN of a VPE gateway that is created after 11 November 2022 is in the format:
crn:v1:bluemix:public:container-registry:<cloud-region>:::endpoint:<registry-region-domain>
For a list of updated Container Registry VPE CRNs, see Setting up a VPE for Container Registry.
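The following added example (not IBM's code) classifies VPE gateway target CRNs against the two formats shown above so that gateways needing re-creation can be listed in bulk. The gateway records, their `name`/`target.crn` layout, the gateway names, and the `example-service` CRN are constructed for illustration.

```python
import re

# Resource segment of the pre-11-November-2022 format:
#   vpe.<cloud-region>.container-registry.cloud.ibm.com
LEGACY_RESOURCE = re.compile(
    r"^vpe\.[a-z0-9-]+\.container-registry\.cloud\.ibm\.com$")


def classify_target_crn(crn):
    """Return 'legacy', 'current', or 'not-container-registry'."""
    parts = crn.strip().split(":")
    # crn:v1:bluemix:public:<service>:<region>:<scope>:<instance>:<type>:<resource>
    if len(parts) != 10 or parts[0] != "crn":
        return "not-container-registry"
    service, rtype, resource = parts[4], parts[8], parts[9]
    if service != "container-registry" or rtype != "endpoint" or not resource:
        return "not-container-registry"
    if LEGACY_RESOURCE.match(resource):
        return "legacy"
    # Any other endpoint resource is treated as the new
    # <registry-region-domain> form, for example us.icr.io.
    return "current"


def gateways_to_recreate(gateways):
    """Names of gateways whose target CRN is in the deprecated format."""
    return [g["name"] for g in gateways
            if classify_target_crn(g.get("target", {}).get("crn", "")) == "legacy"]


# Constructed sample records (assumed layout: name + target.crn).
SAMPLE_GATEWAYS = [
    {"name": "icr-vpe-old", "target": {"crn":
        "crn:v1:bluemix:public:container-registry:us-south:::endpoint:"
        "vpe.us-south.container-registry.cloud.ibm.com"}},
    {"name": "icr-vpe-new", "target": {"crn":
        "crn:v1:bluemix:public:container-registry:us-south:::endpoint:us.icr.io"}},
    {"name": "other-vpe", "target": {"crn":
        "crn:v1:bluemix:public:example-service:us-south:::endpoint:example.invalid"}},
]

if __name__ == "__main__":
    for name in gateways_to_recreate(SAMPLE_GATEWAYS):
        print("re-create before 15 December 2022:", name)
```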
If you are using a Container Registry VPE gateway that was created before 11 November 2022 and also maintain IAM restricted IP address lists, you must change your restricted IP address list to contain your VPC Cloud Service Endpoint source addresses.
What actions you must take
- If you use a Container Registry VPE gateway that was created before 11 November 2022, you must re-create your Container Registry VPE gateway before 15 December 2022. If you don't re-create your VPE gateway, the VPE gateway will not connect to Container Registry after that date.
  To replace the VPE gateway, complete the following steps:
  - Create a VPE gateway for Container Registry in the required VPC, see Creating an endpoint gateway. If you’re using the CLI, you might want to refer to the Container Registry VPE CRNs. For more information, see Setting up a VPE for IBM Cloud Container Registry.
  - Remove the VPE gateway that was created before 11 November 2022, see Deleting an endpoint gateway.
- If you use a Container Registry VPE gateway that was created before 11 November 2022 and you use IAM restricted IP address lists, you must re-create your Container Registry VPE gateway and update your IAM restricted IP address lists before 15 December 2022. If you don't re-create your VPE gateway and update your IP address lists, the VPE gateway will not connect to Container Registry after that date.
  To replace the VPE gateway and update your IAM restricted IP address lists, complete the following steps:
  - Update your IAM restricted IP address lists to include the Cloud service endpoint source addresses of your VPC. You can find the CSE source addresses by viewing the details of your VPC in either the IBM Cloud console or CLI.
  - Create a VPE gateway for Container Registry in the required VPC, see Creating an endpoint gateway. If you’re using the CLI, you might want to refer to the Container Registry VPE CRNs. For more information, see Setting up a VPE for Container Registry.
  - Remove the VPE gateway that was created before 11 November 2022, see Deleting an endpoint gateway.
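As an added example (not IBM's code), the check below reports which VPC Cloud service endpoint source addresses are not yet covered by a restricted IP address list, which is worth running before you remove the old gateway. It assumes list entries are single addresses, CIDR subnets, or `start-end` ranges; all addresses shown are constructed.

```python
import ipaddress


def parse_entry(entry):
    """Convert one list entry into an inclusive (first, last) address pair."""
    entry = entry.strip()
    if "-" in entry:
        # Assumed range syntax: "<start>-<end>"
        start, end = (ipaddress.ip_address(p.strip())
                      for p in entry.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError(f"invalid range: {entry}")
        return start, end
    # A bare address parses as a /32 (or /128) network.
    net = ipaddress.ip_network(entry, strict=False)
    return net[0], net[-1]


def missing_cse_addresses(restricted_list, cse_addresses):
    """Return the CSE source addresses that no list entry covers."""
    spans = [parse_entry(e) for e in restricted_list]
    missing = []
    for raw in cse_addresses:
        ip = ipaddress.ip_address(raw.strip())
        covered = any(lo.version == ip.version and lo <= ip <= hi
                      for lo, hi in spans)
        if not covered:
            missing.append(raw)
    return missing


# Constructed sample data, not real IBM Cloud addresses.
RESTRICTED_LIST = ["192.0.2.10", "198.51.100.0/24", "10.16.0.1-10.16.0.50"]
CSE_SOURCE_ADDRESSES = ["10.16.0.12", "10.249.5.9", "10.16.0.51"]

if __name__ == "__main__":
    for addr in missing_cse_addresses(RESTRICTED_LIST, CSE_SOURCE_ADDRESSES):
        print("add to IAM restricted IP address list:", addr)
```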
Original announcement
The original announcement was published on 11 November 2022.