Setting up a cross-region replicated Container Registry in Alibaba Cloud
When you start your journey of deploying services in China, you soon realise that it is not the same as everywhere else. You may even feel that your prior DevOps/Ops experience doesn’t help much here. Suddenly, you feel you need help from companies that specialise in Chinese clouds.
Why is this? In large part, it is because China views the internet through “Internet sovereignty”: the notion that the Internet inside the country is part of the country’s sovereignty and should be governed by the country. This means there are “border controls” on telecommunications. This, frequently called “The Great Firewall”, is what is legally called the “Cyber Security Law of the People’s Republic of China”, or CSL for short. Think of Europe’s GDPR: CSL is China’s own set of regulations.
Why is the China Internet Security Law relevant here?
Think about an actual country border. Travelling by car between Spain and France, where you don’t need to stop to show your passport or visa, is not the same as travelling between the USA and Mexico, where immigration officers will stop you to verify that you comply with the regulations to enter. In the first example, you don’t need to reduce your speed and your car will keep driving at 120 km/h. In the second example, you will need to come to a standstill for a moment.
When you send or receive cross-region data between mainland China and the outside, your traffic is routed in a way that helps the Ministry of Industry and Information Technology (MIIT) check that everything looks alright. This in itself slows down cross-region Internet traffic.
Now, keep the Security Law in mind and add the fact that many parts of China are still developing. We are talking about a country with very limited bandwidth available relative to its population of 1.4 billion. Of course the network is slow at the border.
What is the problem we try to fix?
Here we are, trying to deploy a container inside China using a Docker image built overseas. If you have ever tried this, you probably failed and finally decided to build the Docker image inside China instead of pulling it over the open Internet. But that’s a bad solution. Using the same image from a registry located in, let’s say, Germany for all your deployments but building your own inside China looks reasonable at first, especially if you are using the same Dockerfile. It will generate the same result, right? Wrong. This can lead to inconsistencies when running the container, and debugging issues would become hell on earth.
What are the solutions to this?
Here is where Alibaba Cloud can help enormously. They have a neat solution called ACR EE, short for “Alibaba Container Registry Enterprise Edition”. This is an enterprise-class secure service for managing Docker images. It is designed for enterprise customers that have high security requirements, deploy services in multiple regions, and use container clusters with a large number of nodes.
For our problem, we especially care about the “deploy services in multiple regions” part. Here is where Alibaba gives us the “Global image synchronization” feature. You can set rules so that, when you push your image to your German registry, it is automatically pushed to another one inside China over Alibaba’s own dedicated line or backbone. The replication happens within seconds and your image will be ready to be pulled from any Chinese region. Magic!
That sounds cool, let’s do it!
First, we will need to create our 2 separate ACR EEs. For this example, we are using Germany and Hangzhou.
Creating the ACR EE Instances
Go to the German ACR EE console and click “Create Instance”. You can see how that screen looks in the following screenshot:
In the dialog that opens, set the name of the instance and click “Confirm” as shown below:
Once the German instance is created and the status is “Running”, go into it, click on “Namespaces” and create one as indicated below:
Now, go to the Hangzhou ACR EE console and repeat the process. One important thing is you need to set the same name for the Namespace.
Activating the cross-region replication
Once both ACR EE instances are up and running, go back to your “Origin” region, in this case Germany, and open your instance. In the side menu, you will see the option “Distribution > Instance Replication”. Go there and click “Create Rule”.
Set a rule name, select the target instance’s region (Hangzhou in our case) and the name of the ACR EE instance.
Click “Next” and confirm that the replication level is “Namespace”. This way, everything inside that namespace will get mirrored across regions.
To confirm, the Rule List will get populated with the new rule you just created. This means everything is ready to push your image.
Et voilà! If you push an image to Germany, it will be available in Hangzhou within seconds.
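To check the result of the steps above instead of trusting the tag, the following added example (not part of the original article) compares the manifest digest of a tag in both regions and prints a digest-pinned reference to use for deployments in China. The registry hostnames, the repository name and the use of skopeo are assumptions; replace them with your own instances' endpoints.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Registry hostnames are constructed placeholders (assumptions); use your instances' endpoints.
ORIGIN="${ORIGIN:-example-registry.eu-central-1.cr.aliyuncs.com}"    # Germany
REPLICA="${REPLICA:-example-registry.cn-hangzhou.cr.aliyuncs.com}"   # Hangzhou

# Resolve an image reference to its manifest digest (sha256:...).
# Needs skopeo and a prior `skopeo login` against both registries.
get_digest() {
  skopeo inspect --format '{{.Digest}}' "docker://$1"
}

# verify_replica <namespace/repo> <tag> [attempts]
# Prints a digest-pinned replica reference once both regions agree;
# returns 1 if they still differ after the last attempt.
verify_replica() {
  local repo tag attempts want got i
  repo="$1"; tag="$2"; attempts="${3:-10}"; got=""; i=0
  want="$(get_digest "$ORIGIN/$repo:$tag")" || return 1
  case "$want" in
    sha256:*) ;;
    *) echo "unexpected origin digest: $want" >&2; return 1 ;;
  esac
  while [ "$i" -lt "$attempts" ]; do
    # The tag may be missing in the replica, or still point at an older push.
    got="$(get_digest "$REPLICA/$repo:$tag" 2>/dev/null)" || got=""
    if [ "$got" = "$want" ]; then
      echo "$REPLICA/$repo@$want"
      return 0
    fi
    i=$((i + 1))
    sleep "${RETRY_DELAY:-3}"
  done
  echo "replica has '${got:-nothing}', origin has '$want'" >&2
  return 1
}

# Usage: ./verify-replica.sh <namespace/repo> <tag>
if [ "$#" -ge 2 ]; then
  verify_replica "$@"
fi
```

Deploying the printed `registry/namespace/repo@sha256:...` reference rather than the tag means a lagging or overwritten tag in the replica cannot silently run a different image than the one pushed to Germany.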
This is one example of hundreds where Alibaba Cloud can help when deploying in China. Becoming an expert on this matter takes time, and solving these kinds of issues will get you there. Another solution would be to create a CEN connection to pull images privately, but in my opinion that is overkill. If you struggle with this, I can help you when it comes to Chinese clouds. I co-founded Guztia Consulting, a company where I help businesses around the world deploy in the APAC region.