Using VPEs for VPC to privately connect to Container Registry
You can use IBM Cloud® virtual private endpoints (VPE) for Virtual Private Cloud (VPC) to connect to IBM Cloud® Container Registry from your VPC network by using the IP addresses of your choice, which are allocated from a subnetwork within your VPC.
VPEs are virtual IP interfaces that are bound to an endpoint gateway created on a per service, or service instance, basis (depending on the service operation model). The endpoint gateway is a virtualized function that scales horizontally, is redundant and highly available, and spans all availability zones of your VPC. Endpoint gateways enable communications from virtual server instances within your VPC and IBM Cloud service on the private backbone. VPE for VPC gives you the experience of controlling all the private addresses within your cloud. For more information, see About virtual private endpoint gateways.
If you have an IBM Cloud VPC instance and you want to connect the VPC instance to IBM Cloud Container Registry for your Container Registry services, you can create a VPE gateway for your VPC to access IBM Cloud Container Registry within your VPC network. Any connections to IBM Cloud Container Registry that originate from within the VPC automatically go through the Container Registry VPE gateway, if one exists. For more information, see Getting started with Virtual Private Cloud.
When you connect to Container Registry from the IBM Cloud console, you must go through a browser in your VPC to ensure that the connection goes through the Container Registry VPE gateway.
For more information about other IBM Cloud VPE services, see VPE supported services.
Before you begin
Before you target a VPE for Container Registry, you must complete the following tasks.
- Ensure that a Virtual Private Cloud is created; see Getting started with Virtual Private Cloud.
- Make a plan for your virtual private endpoints; see Planning for virtual private endpoint gateways.
- Ensure that correct access controls are set for your VPE; see Configuring ACLs and security groups for use with endpoint gateways.
- Understand the limitations of having a VPE; see Virtual private endpoint limitations.
- Understand how to view details about a VPE; see Viewing details of an endpoint gateway.
Virtual private endpoints
The table lists IBM Cloud Container Registry private endpoints that are supported from the following VPC regions:
- Dallas (us-south)
- Frankfurt (eu-de)
- London (eu-gb)
- Madrid (eu-es)
- Osaka (jp-osa)
- Sao Paulo (br-sao)
- Sydney (au-syd)
- Tokyo (jp-tok)
- Toronto (ca-tor)
- Washington (us-east)
You can create a VPE gateway for your local Container Registry service only. You can pull images from any other Container Registry region by using the public domains, such as uk.icr.io.
Setting up a VPE for IBM Cloud Container Registry
When you create a VPE gateway by using the CLI or API, you must specify the cloud resource name (CRN) of the region that you want to connect to Container Registry. Review the following table for the available regions and CRNs to use to create your VPE gateway.
You can create VPE gateways in these locations: ap-north, ap-south, br-sao, ca-tor, eu-central, eu-es, jp-osa, uk-south, us-south, and us-east (global registry).
Registry region | Cloud resource name (CRN) |
---|---|
ap-north | crn:v1:bluemix:public:container-registry:jp-tok:::endpoint:jp.icr.io |
ap-south | crn:v1:bluemix:public:container-registry:au-syd:::endpoint:au.icr.io |
br-sao | crn:v1:bluemix:public:container-registry:br-sao:::endpoint:br.icr.io |
ca-tor | crn:v1:bluemix:public:container-registry:ca-tor:::endpoint:ca.icr.io |
eu-central | crn:v1:bluemix:public:container-registry:eu-de:::endpoint:de.icr.io |
eu-es | crn:v1:bluemix:public:container-registry:eu-es:::endpoint:es.icr.io |
jp-osa | crn:v1:bluemix:public:container-registry:jp-osa:::endpoint:jp2.icr.io |
uk-south | crn:v1:bluemix:public:container-registry:eu-gb:::endpoint:uk.icr.io |
us-south | crn:v1:bluemix:public:container-registry:us-south:::endpoint:us.icr.io |
Global us-east | crn:v1:bluemix:public:container-registry:us-east:::endpoint:icr.io |
You can pull images from any other Container Registry region by using the public domains, such as uk.icr.io.
Configuring an endpoint gateway
To configure a VPE gateway, complete the following steps:
- List the available services, including IBM Cloud infrastructure services available (by default) for all VPC users. For more information, see VPE supported services.
- Create an endpoint gateway for IBM Cloud Container Registry that you want to be privately available to the VPC. To create the VPE gateway by using the CLI, run the following command, where <CRN> is the CRN of the target region as shown in Table 1.

      ibmcloud is endpoint-gateway-create --target <CRN> --vpc-id <VPC-ID> --name myname

- Bind a reserved IP address to the endpoint gateway.
- View the created VPE gateways associated with the IBM Cloud Container Registry. For more information, see Viewing details of an endpoint gateway.
Now your virtual server instances in the VPC can access your IBM Cloud Container Registry instance privately through the VPE gateway.
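To check from a virtual server instance that registry traffic really stays on the gateway, the following added example (not part of the IBM documentation) resolves the registry hostname and confirms that every returned address lies inside the VPC subnet from which the gateway's reserved IP was allocated. It assumes a Linux host with `getent`, and that inside the VPC the registry domain from the CRN (for example `us.icr.io`) resolves to the reserved IP; the function names and the sample subnet are hypothetical.

```shell
#!/bin/sh
# Added example: verify that a registry hostname resolves only to addresses
# inside the VPE subnet. Function names are hypothetical, not IBM tooling.

# Convert a dotted-quad IPv4 address to an integer; fail on malformed input.
ip_to_int() (
  set -f; IFS=.
  set -- $1
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*|0?*|????*) exit 1 ;; esac
    [ "$o" -le 255 ] || exit 1
  done
  echo "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
)

# Succeed if IPv4 address $1 lies inside CIDR block $2 (for example 10.240.64.0/24).
ip_in_cidr() (
  ip=$(ip_to_int "$1") || exit 1
  net=$(ip_to_int "${2%/*}") || exit 1
  bits=${2#*/}
  case $bits in ''|*[!0-9]*|0?*) exit 1 ;; esac
  [ "$bits" -le 32 ] || exit 1
  mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
  [ $(( $ip & $mask )) -eq $(( $net & $mask )) ]
)

# Resolve a hostname to its IPv4 addresses with the system resolver (assumes glibc getent).
resolve_host() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Exit 0 if every address for host $1 is inside subnet $2,
# 1 if any address is outside it, 2 if the name does not resolve.
registry_is_private() (
  addrs=$(resolve_host "$1")
  [ -n "$addrs" ] || { echo "$1: no IPv4 addresses returned" >&2; exit 2; }
  rc=0
  for a in $addrs; do
    if ip_in_cidr "$a" "$2"; then
      echo "$1 -> $a (inside $2)"
    else
      echo "$1 -> $a (OUTSIDE $2)"; rc=1
    fi
  done
  exit $rc
)

# Usage: sh check_vpe.sh us.icr.io 10.240.64.0/24   (constructed sample subnet)
if [ $# -eq 2 ]; then registry_is_private "$1" "$2"; fi
```

An address outside the subnet means the instance is reaching the registry by another path, which usually points to a missing gateway for that region or to a resolver that is not the VPC's.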