Enable an existing ACK cluster to access the Internet

Updated at: 2025-03-25 02:02

If your applications in a Container Service for Kubernetes (ACK) cluster need to access external resources over the Internet, such as pulling images or updating dependency libraries over the Internet, you can configure SNAT rules on a NAT gateway in the virtual private cloud (VPC) where the cluster resides.

Note

If you want to allow external access to the API server of an ACK cluster over the Internet, such as using kubectl to connect to the cluster over the Internet, you can associate an elastic IP address with the API server. For more information, see Control public access to the API server of a cluster.

Billing description

When you configure SNAT rules, the following cloud services are used:

  • NAT Gateway: provides fully managed NAT gateways that allow instances to access the Internet by using the network address translation feature. This avoids address exposure and improves network security. For more information about the billing rules of NAT Gateway, see Billing of Internet NAT gateways.

  • EIP: provides public IP addresses that can be purchased and held as independent resources. After you associate an EIP with a cloud resource, the cloud resource can use the EIP to access the Internet. For more information about the billing rules of EIP, see Pay-as-you-go.

Procedure

You can configure SNAT rules when you create an ACK cluster or after an ACK cluster is created. SNAT rules allow the cluster to use the EIP associated with the Internet NAT gateway to access the Internet. Because SNAT only translates outbound traffic, nodes and pods remain unreachable from the Internet.

Note

You cannot call API operations to enable SNAT for existing clusters.

Enable SNAT for existing clusters

The following figure shows the steps for enabling SNAT to allow an existing cluster to access the Internet.

[Figure: overview of the steps to enable SNAT for an existing cluster]
  1. Create a NAT gateway.

    The NAT gateway must be created in the same region as the cluster.

    1. Log on to the NAT Gateway console.

    2. In the left-side navigation pane, choose NAT Gateway > Internet NAT Gateway.

    3. On the Internet NAT Gateway page, click Create Internet NAT Gateway. Configure the parameters and click Buy Now. For more information about the NAT gateway parameters, see Create and manage an Internet NAT gateway.

      Important

      When you create the first Internet NAT gateway in a VPC, the system automatically adds a route whose destination CIDR block is 0.0.0.0/0 and whose next hop is the Internet NAT gateway to the system route table of the VPC. This route is used to route traffic to the Internet NAT gateway. If the VPC has a custom route table or multiple Internet NAT gateways exist in the VPC, manually add routes based on your business requirements. For more information, see Create and manage a route table.

  2. (Optional) Create an EIP. If you already have an EIP, skip this step.

    1. In the left-side navigation pane, choose Access to Internet > Elastic IP Addresses.

    2. On the Elastic IP Addresses page, click Create EIP. On the Elastic IP page, select the region where the NAT gateway resides, configure other parameters, and then click Buy Now.

  3. Associate the EIP with the NAT gateway.

    1. In the left-side navigation pane, choose NAT Gateway > Internet NAT Gateway.

    2. On the Internet NAT Gateway page, find the NAT gateway you created. In the Actions column, open the more actions menu and choose Associate EIP.

    3. In the Associate EIP dialog box, select a resource group from the Resource Group drop-down list, select the EIP you created from the Select Existing EIP drop-down list, and then click OK.

  4. Create a vSwitch-scoped SNAT entry on the NAT gateway.

    1. On the Internet NAT Gateway page, find the NAT gateway you created and click Manage in the Actions column.

    2. On the gateway details page, click the SNAT Management tab. On the SNAT Management tab, click Create SNAT Entry.

    3. On the Create SNAT Entry page, set the following parameters and click OK. For more information about SNAT entry parameters, see Create an SNAT entry.

      SNAT Entry: Select Specify vSwitch and select one or more vSwitches that are used by the cluster.

      • If the cluster uses the Terway network plug-in, select the node vSwitches and pod vSwitches.

      • If the cluster uses the Flannel network plug-in, select the node vSwitches.

      How to obtain vSwitch IDs:

      • Obtain node vSwitch IDs

        1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

        2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose Nodes > Node Pools.

        3. On the Node Pools page, click the name of the node pool that you want to manage. On the node pool details page, click the Overview tab. In the Node Configurations section, you can view the IDs of the node vSwitches.

      • Obtain pod vSwitch IDs

        1. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose Configurations > ConfigMaps.

        2. In the upper part of the ConfigMaps page, select kube-system from the Namespace drop-down list. Then, find and click the eni-config ConfigMap. On the eni-config page, you can view the IDs of the pod vSwitches in the vswitches field.

      Select EIP: Select one or more EIPs that you want to use to enable Internet access.

    After the SNAT entry is created and SNAT rules are configured, SNAT is enabled for the cluster. You can log on to the NAT Gateway console to view the details of the NAT gateway, such as the EIPs used by SNAT. The following figure shows a NAT gateway that is created for an ACK cluster that uses the Terway network plug-in. SNAT rules are configured to enable the cluster to access the Internet.

    [Figure: NAT gateway with SNAT entries for a Terway cluster]
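For clusters that use Terway, the pod vSwitch IDs described under "Obtain pod vSwitch IDs" can also be read with kubectl instead of the console. The following script is an added example and is not part of the Alibaba Cloud documentation. It assumes that the eni-config ConfigMap stores its settings as JSON under the data key eni_conf and that the vswitches object in that JSON maps zone IDs to lists of vSwitch IDs; the SAMPLE_ENI_CONF value is constructed so the script also runs without cluster access.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud documentation): list the pod vSwitch IDs
# of a Terway cluster from the eni-config ConfigMap in the kube-system namespace.
# Assumption: the ConfigMap keeps its settings as JSON under data key "eni_conf", whose
# "vswitches" object maps zone IDs to lists of vSwitch IDs such as "vsw-...".

# Print every vSwitch ID found in a blob of eni-config text, one per line, de-duplicated.
# Alibaba Cloud vSwitch IDs always carry the "vsw-" prefix, so a pattern match is enough
# and the script does not depend on jq being installed on the bastion host.
pod_vswitch_ids() {
  printf '%s\n' "$1" | grep -o 'vsw-[A-Za-z0-9]*' | sort -u
}

# Fetch the live ConfigMap and print its pod vSwitch IDs (needs cluster credentials).
pod_vswitch_ids_from_cluster() {
  conf=$(kubectl -n kube-system get configmap eni-config -o jsonpath='{.data.eni_conf}')
  pod_vswitch_ids "$conf"
}

# Constructed sample of the eni_conf JSON (not real IDs), used so the script runs offline.
SAMPLE_ENI_CONF='{"vswitches":{"cn-hangzhou-h":["vsw-sample0001","vsw-sample0002"],"cn-hangzhou-i":["vsw-sample0003","vsw-sample0001"]},"max_pool_size":5}'

# Offline demonstration by default; set SNAT_LIVE=1 to query the real cluster instead.
if [ "${SNAT_LIVE:-0}" = "1" ]; then
  pod_vswitch_ids_from_cluster
else
  pod_vswitch_ids "$SAMPLE_ENI_CONF"
fi
```

Every ID that the script prints must appear in the SNAT entry, otherwise pods scheduled to a vSwitch without an SNAT rule lose Internet access while pods on other vSwitches keep it, which is easy to misdiagnose as an application problem.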

Enable SNAT during cluster creation

Log on to the ACK console. When you create an ACK cluster, select Configure SNAT for VPC in the Network Settings section. For more information about how to create an ACK cluster in the ACK console, see Create an ACK managed cluster.

Important

When you create the first Internet NAT gateway in a VPC, the system automatically adds a route whose destination CIDR block is 0.0.0.0/0 and whose next hop is the Internet NAT gateway to the system route table of the VPC. This route is used to route traffic to the Internet NAT gateway. If the VPC has a custom route table or multiple Internet NAT gateways exist in the VPC, manually add routes based on your business requirements. For more information, see Create and manage a route table.

Result

Log on to a node in the cluster and access an Internet endpoint to check that the node can reach the Internet and that no packet loss occurs during data transmission.
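The verification above can be scripted so that it is repeatable after every SNAT change. The following script is an added example, not part of the Alibaba Cloud documentation; it assumes curl and ping are installed on the node, and the echo URL and ping target are placeholders to replace with endpoints your own policy allows. The address printed as the egress IP should be one of the EIPs bound to the SNAT entry.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud documentation): run on a cluster node after
# the SNAT entry is created to confirm egress works and to measure packet loss.
# Assumptions: curl and ping exist on the node; the two targets below are placeholders.
EGRESS_ECHO_URL="https://api.ipify.org"   # any service that echoes the caller's public IP
PING_TARGET="8.8.8.8"                     # any reachable public address
PING_COUNT=20

# Extract the packet-loss percentage from ping's summary line, e.g.
# "20 packets transmitted, 20 received, 0% packet loss, time 19030ms" (iputils) or
# "20 packets transmitted, 20 packets received, 0% packet loss" (BusyBox).
# Prints nothing when no summary line is present (for example, ping was blocked).
packet_loss_pct() {
  printf '%s\n' "$1" | sed -n 's/.*[ ,]\([0-9][0-9]*\)% packet loss.*/\1/p' | head -n 1
}

# Decide whether the check passed: the echoed address must look like an IPv4 address
# and the loss percentage must be exactly 0. Returns 0 on success, 1 otherwise.
egress_verdict() {
  ip="$1"; loss="$2"
  case "$ip" in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
    *) return 1 ;;
  esac
  [ -n "$loss" ] && [ "$loss" -eq 0 ]
}

# Live check: print the public IP the node egresses from and the measured packet loss,
# and exit non-zero if either is unacceptable.
run_live_check() {
  ip=$(curl -s --max-time 10 "$EGRESS_ECHO_URL") || ip=""
  out=$(ping -c "$PING_COUNT" "$PING_TARGET" 2>&1) || true
  loss=$(packet_loss_pct "$out")
  echo "egress IP: ${ip:-none}  packet loss: ${loss:-unknown}%"
  egress_verdict "$ip" "$loss"
}

# Only touch the network when explicitly asked, so the file can be sourced safely.
if [ "${SNAT_LIVE:-0}" = "1" ]; then
  run_live_check
fi
```

Run it with SNAT_LIVE=1 on the node. An egress IP that is not one of the SNAT entry's EIPs means the node's vSwitch is covered by a different rule or route than expected, which is worth checking before trusting allow-lists on the remote side.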

FAQ

How do I view the public IP address of an ACK cluster?

  1. Log on to the NAT Gateway console.

  2. In the left-side navigation pane, choose NAT Gateway > Internet NAT Gateway.

  3. On the Internet NAT Gateway page, find the NAT gateway you created and click Manage in the Actions column.

  4. Click the SNAT Management tab. In the SNAT Entry List section, you can view the EIPs used by the cluster.
