Alibaba Cloud Container Service ACK Setup Guide
Alibaba Cloud Container Service for Kubernetes (ACK) is Alibaba Cloud’s managed Kubernetes platform. It is suitable for microservices, web applications, AI inference, batch workloads, and containerized multi-cloud systems. Compared with self-managed Kubernetes, ACK reduces the operational burden of control plane maintenance, cluster upgrades, scaling, monitoring, and integration with cloud-native services.
This guide walks through the complete process of deploying an ACK cluster on Alibaba Cloud International, from planning to publishing your first application.
1. Plan Before Deployment
1.1 Choose the Right Cluster Type
Common ACK deployment options include:
| Type | Best For | Notes |
|------|----------|-------|
| ACK Managed | Most production and test environments | Control plane managed by Alibaba Cloud |
| ACK Serverless | Elastic jobs and low-ops teams | No node management; pay by Pod resources |
| ACK Dedicated | Enterprises requiring stronger control plane isolation | More control, higher operational complexity |
For most teams, ACK Managed is the best starting point because it balances reliability, cost, and operational simplicity.
1.2 Network and Region Planning
Before creating a cluster, define:
- Region: Choose a region close to your users or backend systems, such as Singapore, Hong Kong, Japan, Germany, or the United States.
- VPC CIDR: Avoid overlap with office networks, IDC networks, or other cloud providers.
- Pod CIDR and Service CIDR: Reserve enough address space for future scaling.
- Availability zones: Production workloads should span at least two zones.
- Public access policy: Avoid exposing the Kubernetes API Server to the public internet unless strictly controlled.
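The address-planning rules above are easy to get wrong once several VSwitches, a Pod CIDR, a Service CIDR and a peered office network are involved. The script below is an added example (not Alibaba Cloud tooling) that checks a proposed plan before anything is created: VSwitches must sit inside the VPC and not overlap each other, and the VPC, Pod CIDR, Service CIDR and peered networks must not overlap one another (the Flannel model, where Pod and Service ranges are separate from the VPC). It also estimates how many nodes a Pod CIDR supports. All CIDRs and the /24-per-node sizing are constructed assumptions, not recommendations.

```python
"""Pre-flight address-plan check for an ACK cluster (added example, not
Alibaba Cloud tooling).  CIDRs and the per-node block size are assumptions."""
import ipaddress
from itertools import combinations


def check_plan(vpc: str, vswitches: dict[str, str], pod_cidr: str,
               service_cidr: str, peered: dict[str, str]) -> list[str]:
    """Return human-readable problems; an empty list means the plan is clean."""
    problems = []
    vpc_net = ipaddress.ip_network(vpc)
    vsw = {name: ipaddress.ip_network(cidr) for name, cidr in vswitches.items()}

    # Every VSwitch must be carved out of the VPC range ...
    for name, net in vsw.items():
        if not net.subnet_of(vpc_net):
            problems.append(f"VSwitch {name} ({net}) is not inside VPC {vpc_net}")
    # ... and VSwitches must not overlap one another.
    for (a, na), (b, nb) in combinations(vsw.items(), 2):
        if na.overlaps(nb):
            problems.append(f"VSwitches {a} ({na}) and {b} ({nb}) overlap")

    # Flannel mode: Pod and Service CIDRs are routed separately from the VPC,
    # so VPC, Pod CIDR, Service CIDR and every peered network must be disjoint.
    ranges = {"VPC": vpc_net,
              "Pod CIDR": ipaddress.ip_network(pod_cidr),
              "Service CIDR": ipaddress.ip_network(service_cidr)}
    ranges.update({name: ipaddress.ip_network(c) for name, c in peered.items()})
    for (a, na), (b, nb) in combinations(ranges.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    return problems


def pod_capacity(pod_cidr: str, per_node_prefix: int = 24) -> tuple[int, int]:
    """(max nodes, addresses per node) if each node receives one
    /per_node_prefix block out of the Pod CIDR.  /24 per node is an assumption."""
    net = ipaddress.ip_network(pod_cidr)
    if per_node_prefix < net.prefixlen:
        raise ValueError("per-node block is larger than the Pod CIDR")
    return 2 ** (per_node_prefix - net.prefixlen), 2 ** (32 - per_node_prefix)


# Constructed sample plan: the VPC from section 2.1, node VSwitches in two
# zones, a separate data-tier VSwitch, and a peered office network.
SAMPLE_PLAN = dict(
    vpc="10.10.0.0/16",
    vswitches={"nodes-zone-a": "10.10.1.0/24", "nodes-zone-b": "10.10.2.0/24",
               "data-zone-a": "10.10.10.0/24"},
    pod_cidr="172.20.0.0/16",
    service_cidr="172.21.0.0/20",
    peered={"office": "192.168.0.0/16"},
)

if __name__ == "__main__":
    for problem in check_plan(**SAMPLE_PLAN) or ["plan OK"]:
        print(problem)
    nodes, per_node = pod_capacity(SAMPLE_PLAN["pod_cidr"])
    print(f"Pod CIDR supports {nodes} nodes at {per_node} addresses each")
```

Change the office network to 10.10.0.0/20 and the check reports the VPC overlap that would otherwise only surface after peering, when routes start colliding. With Terway, Pod IPs come from dedicated VSwitches inside the VPC instead of a separate Pod CIDR, so there the relevant check is that the Pod VSwitches do not overlap the node VSwitches.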
1.3 Identity and Permissions
Use RAM users or RAM roles instead of the root account for daily operations:
- Create a RAM user or role.
- Grant only the permissions required for ACK, ECS, VPC, SLB, ACR, and Log Service.
- Enable MFA.
- Create separate least-privilege credentials for CI/CD systems.
2. Create an ACK Cluster
2.1 Create VPC and VSwitches
In the Alibaba Cloud VPC console:
- Create a VPC, for example 10.10.0.0/16.
- Create VSwitches in two or three availability zones.
- Reserve separate subnets for container nodes, databases, caches, and internal services.
For production, keep container nodes and data services in different security groups or subnets where possible.
2.2 Create the Kubernetes Cluster
In the ACK console, click Create Cluster and configure:
- Cluster type: Managed Kubernetes
- Network plugin: Terway or Flannel
- Container runtime: containerd
- Kubernetes version: the latest stable version supported by ACK
- API Server access: internal access preferred; public access restricted by whitelist
- Log Service: recommended for troubleshooting and observability
If you need high-performance networking, Pod-level security groups, or advanced network policy capabilities, consider Terway.
2.3 Configure Node Pools
Node pools define the compute resources used by workloads:
| Node Type | Recommended Use |
|-----------|-----------------|
| General purpose ECS | Web services, APIs, lightweight microservices |
| Compute optimized ECS | CPU-intensive workloads |
| Memory optimized ECS | Java services, caching, data processing |
| GPU instances | AI inference, video processing, model training |
A practical production setup usually includes at least two node pools:
- System node pool: Runs CoreDNS, Ingress, monitoring, and cluster add-ons.
- Application node pool: Runs business workloads and can scale independently.
Enable auto scaling for node pools so the cluster can grow during peak traffic and shrink during quiet periods.
3. Configure Alibaba Cloud Container Registry ACR
ACK works naturally with Alibaba Cloud Container Registry (ACR).
3.1 Create Namespace and Repositories
- Open the ACR console.
- Create a namespace, such as duoyun-prod.
- Create one repository per application.
- Enable image scanning and lifecycle rules.
3.2 Build and Push Images
Example commands:
```bash
docker build -t registry-intl.<region>.aliyuncs.com/duoyun-prod/api:1.0.0 .
docker login registry-intl.<region>.aliyuncs.com
docker push registry-intl.<region>.aliyuncs.com/duoyun-prod/api:1.0.0
```
Avoid using latest in production. Tag images with Git commit SHAs, semantic versions, or build numbers, and pin Deployments to those immutable tags or to the image digest, so a redeploy always pulls the same bytes that were scanned and tested.
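The tagging rule above is only useful if something enforces it before a manifest reaches the cluster. The following is an added example (not ACR or ACK functionality) of a small image-reference policy check that a CI step can run over every image a Deployment references: it parses registry/namespace/repository[:tag][@digest], requires the team's ACR endpoint and namespace, rejects `latest` and untagged references, and accepts only immutable tag shapes or a digest. The region ID ap-southeast-1, the namespace duoyun-prod and the tag patterns are assumptions.

```python
"""Image-reference policy for ACR images (added example, not ACR tooling).
Region, namespace and the accepted tag shapes are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumptions: the ACR international endpoint pattern and the namespace from
# section 3.1.  "registry-intl-vpc" is the VPC-internal endpoint of the same registry.
ALLOWED_REGISTRY = re.compile(r"^registry-intl(-vpc)?\.[a-z0-9-]+\.aliyuncs\.com$")
ALLOWED_NAMESPACES = {"duoyun-prod"}
# Immutable tag shapes: semver (optional pre-release/build), a 7-40 hex Git SHA, or build-N.
IMMUTABLE_TAG = re.compile(r"^(v?\d+\.\d+\.\d+([-+][0-9A-Za-z.-]+)?|[0-9a-f]{7,40}|build-\d+)$")
DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class ImageRef:
    registry: str
    namespace: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image(ref: str) -> ImageRef:
    """Split registry/namespace/repo[:tag][@digest].  A ':' only denotes a tag
    when it appears after the last '/', otherwise it is a registry port."""
    name, digest = (ref.split("@", 1) + [None])[:2]
    tag = None
    if name.rfind(":") > name.rfind("/"):
        name, tag = name.rsplit(":", 1)
    parts = name.split("/")
    if len(parts) < 3:
        raise ValueError(f"{ref!r}: ACR references are registry/namespace/repository")
    return ImageRef(parts[0], parts[1], "/".join(parts[2:]), tag, digest)


def check_image(ref: str) -> list[str]:
    """Return policy violations for one image reference (empty list = allowed)."""
    img = parse_image(ref)
    violations = []
    if not ALLOWED_REGISTRY.match(img.registry):
        violations.append(f"registry {img.registry!r} is not the team's ACR endpoint")
    if img.namespace not in ALLOWED_NAMESPACES:
        violations.append(f"namespace {img.namespace!r} is not an approved ACR namespace")
    if img.digest is not None:
        if not DIGEST.match(img.digest):
            violations.append(f"malformed digest {img.digest!r}")
        return violations            # digest-pinned: any tag is informational only
    if img.tag is None:
        violations.append("no tag or digest: the runtime would pull ':latest'")
    elif img.tag == "latest":
        violations.append("tag 'latest' is mutable; pin a version, SHA or digest")
    elif not IMMUTABLE_TAG.match(img.tag):
        violations.append(f"tag {img.tag!r} is not an immutable tag shape")
    return violations


if __name__ == "__main__":
    for ref in ("registry-intl.ap-southeast-1.aliyuncs.com/duoyun-prod/api:1.0.0",
                "registry-intl.ap-southeast-1.aliyuncs.com/duoyun-prod/api:latest",
                "docker.io/library/nginx"):
        print(ref, "->", check_image(ref) or "OK")
```

Digest-pinned references are accepted without a tag check because the digest, not the tag, is what the runtime resolves; a tag like `1.0.0` can be re-pushed, a sha256 digest cannot.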
4. Deploy Your First Application
4.1 Create a Deployment
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-api
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demo-api
  template:
    metadata:
      labels:
        app: demo-api
    spec:
      containers:
        - name: demo-api
          image: registry-intl.<region>.aliyuncs.com/duoyun-prod/api:1.0.0
          ports:
            - containerPort: 3000
          resources:
            requests:
              cpu: "250m"
              memory: "256Mi"
            limits:
              cpu: "500m"
              memory: "512Mi"
```
4.2 Expose the Service
For a public web application, front the Pods with a Service and bring external traffic in through an Ingress (ACK provisions an SLB for the Ingress controller) or, for a single service, a Service of type LoadBalancer backed by SLB. The Service below is ClusterIP because it is meant to sit behind an Ingress rather than receive public traffic directly:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: demo-api
spec:
  type: ClusterIP
  selector:
    app: demo-api
  ports:
    - port: 80
      targetPort: 3000
```
Then create an Ingress for host-based routing, HTTPS certificates, and path-based routing. Keeping application Services on ClusterIP means the Ingress controller is the only component that needs a public SLB.
4.3 Verify the Deployment
```bash
kubectl get pods
kubectl get svc
kubectl describe pod <pod-name>
kubectl logs <pod-name>
```
If a Pod fails to start, check the image reference, registry pull permissions (an imagePullSecret or the ACK ACR credential helper component), environment variables, resource limits, and security group rules first; `kubectl describe pod` shows the ImagePullBackOff or scheduling reason in its Events section.
5. Security Best Practices
5.1 Control Plane Security
- Restrict public API Server access with IP whitelists.
- Enable MFA for administrator accounts.
- Never commit kubeconfig files to Git repositories; if one leaks, revoke it in the ACK console and issue a new one.
- Use RAM roles and least-privilege policies.
5.2 Workload Security
- Use separate namespaces for different teams or applications.
- Apply NetworkPolicy to limit east-west traffic (this requires the Terway network plugin; Flannel on ACK does not enforce NetworkPolicy).
- Enable image vulnerability scanning.
- Avoid running containers as root.
- Set CPU and memory requests/limits for every workload.
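Most of the workload rules above can be verified mechanically before `kubectl apply`. The following is an added example (not an ACK admission policy) that audits a Deployment manifest, using the demo-api Deployment from section 4.1 as the constructed baseline: it flags containers that may run as root, privileged or privilege-escalating containers, Pods that share the node's network or PID namespace, missing requests or limits, and workloads that would land in the `default` namespace, then shows a hardened copy that passes. The namespace duoyun-prod, the UID 10001 and the region ID are assumptions.

```python
"""Static audit of a Deployment manifest against the workload rules above
(added example, not an ACK admission policy).  Namespace, UID and region are assumptions."""
import copy

# Constructed: the demo-api Deployment from section 4.1 as written there
# (no securityContext, no namespace).
BASELINE = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "demo-api"},
    "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "demo-api"}},
             "template": {"metadata": {"labels": {"app": "demo-api"}},
                          "spec": {"containers": [{
                              "name": "demo-api",
                              "image": "registry-intl.ap-southeast-1.aliyuncs.com/duoyun-prod/api:1.0.0",
                              "ports": [{"containerPort": 3000}],
                              "resources": {"requests": {"cpu": "250m", "memory": "256Mi"},
                                            "limits": {"cpu": "500m", "memory": "512Mi"}}}]}}},
}


def audit_deployment(manifest: dict) -> list[str]:
    """Return one finding per violated rule; an empty list means the manifest passes."""
    findings = []
    if manifest.get("metadata", {}).get("namespace", "default") == "default":
        findings.append("metadata.namespace: workload lands in 'default'; use a per-team namespace")
    pod = manifest["spec"]["template"]["spec"]
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(key):
            findings.append(f"{key}: container shares the node's namespace")
    pod_sc = pod.get("securityContext", {})
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        name = c["name"]
        # Pod-level runAsNonRoot/runAsUser apply unless the container overrides them;
        # privileged, allowPrivilegeEscalation and capabilities exist only per container.
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true, so the image's default user (often root) is used")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container has full access to the node")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not disabled (setuid binaries can gain privileges)")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: Linux capabilities are not dropped")
        res = c.get("resources", {})
        for kind in ("requests", "limits"):
            for r in ("cpu", "memory"):
                if r not in res.get(kind, {}):
                    findings.append(f"{name}: resources.{kind}.{r} is missing")
    return findings


def harden(manifest: dict, namespace: str = "duoyun-prod", uid: int = 10001) -> dict:
    """Return a copy that satisfies audit_deployment; namespace and UID are assumptions."""
    out = copy.deepcopy(manifest)
    out["metadata"]["namespace"] = namespace
    pod = out["spec"]["template"]["spec"]
    pod["securityContext"] = {"runAsNonRoot": True, "runAsUser": uid, "runAsGroup": uid}
    for c in pod.get("initContainers", []) + pod["containers"]:
        c["securityContext"] = {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}}
        c.setdefault("resources", {"requests": {"cpu": "100m", "memory": "128Mi"},
                                   "limits": {"cpu": "500m", "memory": "512Mi"}})
    return out


if __name__ == "__main__":
    print("baseline:", *audit_deployment(BASELINE), sep="\n  ")
    print("hardened:", audit_deployment(harden(BASELINE)) or "no findings")
```

The baseline from section 4.1 already has requests and limits, so its findings are the missing namespace and the three securityContext settings. Note that runAsNonRoot only works if the image actually ships a non-root user (or runAsUser is set, as harden() does); otherwise the kubelet refuses to start the container, which is the right failure mode but one to test before rollout.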
5.3 Logging and Audit
Enable the following data sources and configure alerting on them:
- Cluster audit logs
- Container application logs
- Ingress access logs
- Node system logs
- Alerting rules and notification channels
These signals help teams diagnose release failures, traffic anomalies, and security events.
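Cluster audit logs are the signal that matters most for security events: ACK delivers standard kube-apiserver audit events to Log Service, one JSON object per request. The following is an added example (not an ACK or Log Service feature) of detection logic run over a handful of constructed audit events: it flags `exec`/`attach`/`port-forward` into Pods, Secret reads by non-component identities, any request from `system:anonymous`, RBAC changes, and valid credentials used from outside the allowed networks. The allowed network (the VPC from section 2.1), usernames and IPs are constructed assumptions.

```python
"""Detection rules over Kubernetes audit events (added example, not ACK tooling).
The allowed source network, user names and sample events are constructed."""
import ipaddress
import json

# Assumption: only the VPC from section 2.1 should reach the API server.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.0.0/16")]
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete"}
READ_VERBS = {"get", "list", "watch"}


def is_component(user: str) -> bool:
    """Cluster components (kubelets, controllers) are named system:*; anonymous is not one."""
    return user.startswith("system:") and user != "system:anonymous"


def analyse(event: dict) -> list[str]:
    """Apply every rule to one audit event; returns zero or more alert strings."""
    if event.get("stage") == "RequestReceived":
        return []                      # the same request is logged again at ResponseComplete
    user = event.get("user", {}).get("username", "")
    verb = event.get("verb", "")
    ref = event.get("objectRef") or {}
    resource, sub = ref.get("resource", ""), ref.get("subresource", "")
    ns, name = ref.get("namespace", "cluster"), ref.get("name", "")
    code = event.get("responseStatus", {}).get("code", 0)
    alerts = []
    if user == "system:anonymous":
        alerts.append(f"anonymous {verb} {event.get('requestURI', '')} -> HTTP {code}")
    if resource == "pods" and sub in {"exec", "attach", "portforward"}:
        alerts.append(f"{user} opened pods/{sub} on {ns}/{name}")
    if resource == "secrets" and verb in READ_VERBS and not is_component(user) and user != "system:anonymous":
        alerts.append(f"{user} read Secrets ({verb}) in {ns}")
    if resource in RBAC_RESOURCES and verb in WRITE_VERBS:
        alerts.append(f"{user} changed RBAC: {verb} {resource}/{name}")
    if not is_component(user):
        for ip in event.get("sourceIPs", []):
            if not any(ipaddress.ip_address(ip) in net for net in ALLOWED_SOURCES):
                alerts.append(f"{user} reached the API server from {ip}, outside the allowed networks")
    return alerts


def analyse_line(line: str) -> list[str]:
    return analyse(json.loads(line))


def scan(lines) -> list[str]:
    """Run the rules over JSON-lines audit output and collect every alert."""
    return [alert for line in lines if line.strip() for alert in analyse_line(line)]


# Constructed audit events (trimmed to the fields the rules use).
SAMPLE_AUDIT_LOG = [
    # 1: routine read by a developer from inside the VPC -> nothing to report
    '{"stage":"ResponseComplete","verb":"get","user":{"username":"alice@duoyun.io"},"sourceIPs":["10.10.1.5"],"objectRef":{"resource":"pods","namespace":"duoyun-prod","name":"demo-api-7d9f"},"requestURI":"/api/v1/namespaces/duoyun-prod/pods/demo-api-7d9f","responseStatus":{"code":200}}',
    # 2: one exec request, logged at RequestReceived and again at ResponseComplete
    '{"stage":"RequestReceived","verb":"create","user":{"username":"alice@duoyun.io"},"sourceIPs":["10.10.1.5"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"duoyun-prod","name":"demo-api-7d9f"},"requestURI":"/api/v1/namespaces/duoyun-prod/pods/demo-api-7d9f/exec?command=sh"}',
    '{"stage":"ResponseComplete","verb":"create","user":{"username":"alice@duoyun.io"},"sourceIPs":["10.10.1.5"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"duoyun-prod","name":"demo-api-7d9f"},"requestURI":"/api/v1/namespaces/duoyun-prod/pods/demo-api-7d9f/exec?command=sh","responseStatus":{"code":101}}',
    # 3: the CI identity lists every Secret in the namespace
    '{"stage":"ResponseComplete","verb":"list","user":{"username":"ci-deployer"},"sourceIPs":["10.10.2.20"],"objectRef":{"resource":"secrets","namespace":"duoyun-prod"},"requestURI":"/api/v1/namespaces/duoyun-prod/secrets","responseStatus":{"code":200}}',
    # 4: anonymous probe from the internet against kube-system Secrets (denied, still worth knowing)
    '{"stage":"ResponseComplete","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"secrets","namespace":"kube-system"},"requestURI":"/api/v1/namespaces/kube-system/secrets","responseStatus":{"code":403}}',
    # 5: a new ClusterRoleBinding
    '{"stage":"ResponseComplete","verb":"create","user":{"username":"bob@duoyun.io"},"sourceIPs":["10.10.1.9"],"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"bob-admin"},"requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","responseStatus":{"code":201}}',
    # 6: a valid credential used from outside the allowed networks
    '{"stage":"ResponseComplete","verb":"get","user":{"username":"alice@duoyun.io"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","namespace":"duoyun-prod"},"requestURI":"/api/v1/namespaces/duoyun-prod/pods","responseStatus":{"code":200}}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDIT_LOG):
        print(alert)
```

Two details matter when turning this into a real Log Service alert: filter out the RequestReceived stage or every exec shows up twice, and keep the source-IP rule scoped to non-component identities, since kubelets and controllers legitimately talk to the API server from node addresses.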
6. Cost Optimization
ACK cost usually comes from ECS nodes, SLB, public bandwidth, Log Service, and storage.
Ways to reduce spend:
- Right-size node instances based on real CPU and memory usage.
- Use auto scaling to reduce idle capacity during off-peak hours.
- Use reserved instances or savings plans for stable workloads.
- Use spot instances for batch jobs and interruptible workloads.
- Set log retention periods by log type and business value.
- Clean old container images to reduce registry storage waste.
7. ACK in a Multi-Cloud Architecture
Many companies do not rely on a single cloud provider. ACK can be combined with AWS EKS, GCP GKE, and Tencent Cloud TKE as part of a multi-cloud container strategy:
- Use one CI/CD pipeline to deploy to multiple clusters.
- Back up critical data across object storage services.
- Place services in different regions to reduce single-cloud risk.
- Choose the best cloud provider based on user location and network quality.
The goal of multi-cloud is not to use many clouds for its own sake. The goal is unified governance across cost, security, deployment, and reliability.
Conclusion
The core ACK workflow is: plan networking and permissions → create a managed cluster → configure node pools → connect ACR → deploy applications → improve security, monitoring, and cost governance. For businesses expanding across Asia-Pacific, the Middle East, Europe, or global markets, Alibaba Cloud International ACK is a mature managed Kubernetes option.
Duoyun Cloud represents Alibaba Cloud International, Tencent Cloud International, AWS, and GCP. We help teams with account setup, partner discounts, Kubernetes architecture, cost optimization, and 24/7 technical support. Visit duoyun.io to request a cloud architecture consultation.