If an Elastic Compute Service (ECS) instance or a Container Service for Kubernetes (ACK) cluster does not have a public IP address, you can create an SNAT entry in the virtual private cloud (VPC) where the ECS instance or ACK cluster is deployed to enable Internet access. If SNAT is disabled when you create a cluster, you can enable SNAT in the ACK console after the cluster is created. This topic describes how to enable SNAT for ACK clusters in the ACK console. SNAT allows ACK clusters to access the Internet.
Background information
You cannot call API operations to enable SNAT for existing clusters. For more information about SNAT, see What is NAT Gateway?
Procedure
The following figure shows the steps to enable SNAT for an existing ACK cluster to access the Internet.
Create a NAT gateway.
Log on to the NAT Gateway console.
In the left-side navigation pane, choose NAT Gateway > Internet NAT Gateway.
On the Internet NAT Gateway page, click Create Internet NAT Gateway.
For more information about the NAT gateway parameters, see Create and manage Internet NAT gateways.
Note: The NAT gateway must be created in the region and VPC where your cluster resides.
After you create the NAT gateway, a route is automatically added to the route table of the VPC where the NAT gateway is created. The destination CIDR block of the route is 0.0.0.0/0 and the next hop is the NAT gateway. This ensures that traffic is routed to the NAT gateway.
Important: By default, the route is automatically created for the first NAT gateway in a VPC. You must manually configure routes for other NAT gateways if multiple NAT gateways are created in the VPC. For more information, see Add and delete routes.
Create an elastic IP address (EIP).
In the left-side navigation pane, choose
. On the Elastic IP Addresses page, click Create EIP. If you already have an EIP, skip this step.
Associate the EIP with the NAT gateway.
In the left-side navigation pane, choose NAT Gateway > Internet NAT Gateway.
On the Internet NAT Gateway page, find the NAT gateway that you created and choose in the Actions column.
In the Associate EIP dialog box, select a resource group from the Resource Group drop-down list and select the EIP that you created from the Select Existing EIP drop-down list. Then, click OK.
Create an SNAT entry for the NAT gateway.
On the Internet NAT Gateway page, find your NAT gateway and click Manage in the Actions column.
On the SNAT Management tab, click Create SNAT Entry.
On the Create SNAT Entry page, configure the parameters and click Confirm.
For more information about the parameters, see Create an SNAT entry.
Parameter: SNAT Entry
Description: Select Specify vSwitch and select the vSwitches that are used by the cluster.
If the cluster uses the Terway network plug-in, select the node vSwitches and pod vSwitches.
If the cluster uses the Flannel network plug-in, select the node vSwitches.
If the cluster uses the Flannel or Terway network plug-in, perform the following steps to view the IDs of the node vSwitches.
Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, find the cluster that you want to manage. Then, click the name of the cluster or click Details in the Actions column.
In the left-side navigation pane of the cluster details page, choose
. Find the node pool that you want to manage and click Details in the Actions column.
On the Overview tab, view the IDs of the node vSwitches in the Node Configurations section.
If the cluster uses the Terway network plug-in, perform the following steps to view the IDs of the pod vSwitches.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose
. On the top of the ConfigMap page, select kube-system for Namespace. Then, find and click the eni-config ConfigMap.
On the eni-config page, you can view the pod vSwitch IDs in the vswitches field.
Parameter: Select Public IP Address
Description: Select one or more EIPs that you want to use to access the Internet.
After the SNAT entry is created and SNAT rules are configured, SNAT is enabled for the cluster. You can log on to the NAT Gateway console to view the details of the NAT gateway, such as the EIPs used by SNAT. The following figure shows a NAT gateway that is created for an ACK cluster that uses the Terway network plug-in. SNAT rules are configured to enable the cluster to access the Internet.
Click the name of the NAT gateway. On the SNAT Management tab of the gateway details page, you can check whether public IP addresses are associated with the vSwitches used by the cluster. The following figure shows the SNAT entries that are created for the cluster that uses the Terway network plug-in.
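The check described above can also be scripted. The following Python sketch is an added example, not code from the ACK or NAT Gateway documentation: it applies the plug-in rule from the parameter description (Terway: node and pod vSwitches; Flannel: node vSwitches only) and reports vSwitches that lack an SNAT entry, SNAT entries for vSwitches the cluster does not use, and the EIPs the cluster egresses from. It assumes that the vswitches field of eni-config is a JSON map of zone to vSwitch ID list; the SNAT entry dictionaries, their key names, and all IDs and addresses are constructed for illustration.

```python
import json

# Constructed sample data; IDs and EIPs below are placeholders, not real resources.
ENI_CONF = json.dumps({
    "vswitches": {"cn-hangzhou-h": ["vsw-pod-a"], "cn-hangzhou-i": ["vsw-pod-b"]},
})
NODE_VSWITCHES = ["vsw-node-a", "vsw-node-b"]
SNAT_ENTRIES = [  # hypothetical shape: one dict per SNAT entry
    {"vswitch_id": "vsw-node-a", "eips": ["203.0.113.10"]},
    {"vswitch_id": "vsw-node-b", "eips": ["203.0.113.10"]},
    {"vswitch_id": "vsw-pod-a", "eips": ["203.0.113.10"]},
    {"vswitch_id": "vsw-other", "eips": ["203.0.113.11"]},
]


def pod_vswitches(eni_conf_json):
    """Flatten the assumed zone -> [vSwitch ID] map in the vswitches field."""
    zones = json.loads(eni_conf_json).get("vswitches") or {}
    return sorted({vsw for ids in zones.values() for vsw in ids})


def required_vswitches(plugin, node_vsws, eni_conf_json=None):
    """Terway needs node and pod vSwitches; Flannel needs node vSwitches only."""
    plugin = plugin.lower()
    if plugin == "flannel":
        return set(node_vsws)
    if plugin == "terway":
        if eni_conf_json is None:
            raise ValueError("Terway requires the eni-config content")
        return set(node_vsws) | set(pod_vswitches(eni_conf_json))
    raise ValueError(f"unknown network plug-in: {plugin}")


def audit_snat(plugin, node_vsws, snat_entries, eni_conf_json=None):
    """Compare SNAT entries with the vSwitches the cluster actually uses."""
    required = required_vswitches(plugin, node_vsws, eni_conf_json)
    covered = {e["vswitch_id"] for e in snat_entries if e.get("eips")}
    return {
        "missing": sorted(required - covered),     # cluster vSwitch without egress
        "unexpected": sorted(covered - required),  # entry not used by this cluster
        "egress_eips": sorted({ip for e in snat_entries
                               if e["vswitch_id"] in required for ip in e.get("eips", [])}),
    }


if __name__ == "__main__":
    print(audit_snat("terway", NODE_VSWITCHES, SNAT_ENTRIES, ENI_CONF))
```

The egress_eips list is the set of source addresses that external allow-lists and egress logs should expect for this cluster.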
Result
Log on to a node of the cluster and verify that the node can access the Internet and that no packet loss occurs during data transmission.