
Container Compute Service: Configure a pod to access an external network

Last Updated: Aug 23, 2024

Pods in a cluster can access the Internet or resources deployed in virtual private clouds (VPCs), including existing resources such as Elastic Compute Service (ECS) instances and Server Load Balancer (SLB) instances, cloud services such as ApsaraDB RDS and Object Storage Service (OSS), and LoadBalancer Services that are exposed by the cluster. This topic describes how to configure the source and destination to allow a pod to access an external network.

Configure the source

  • Configure domain name resolution

    When a pod accesses an external network, the pod uses the domain name resolution feature provided by the cluster to resolve the destination address. Then, the pod accesses the destination over the pod network. If the domain name cannot be resolved, you need to troubleshoot the DNS resolution error.

  • Configure network policies

    Check whether a network policy is configured for the namespace to which the pod belongs, and whether that policy forbids the pod from accessing the destination. If such a policy exists, modify it. For more information, see Use network policies in ACS clusters.

  • Configure security groups

    Check whether the security group of the cluster and the security group of the ECS instance that hosts the pod forbid the pod from accessing the destination. Make sure that the security groups meet the following requirements:

    • Security group rules are created to allow the pod to access the destination address and port in the outbound direction.

    • No security group rules are created to forbid the pod from accessing the destination address and port in the outbound direction.
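The two source-side checks above (network policy and security group) can be reasoned about with a small model. The following Python script is an added example, not ACS product code: it evaluates a NetworkPolicy written in the same shape as its YAML manifest (default-allow when no egress policy selects the pod, otherwise allow only what an egress rule permits, with ipBlock cidr/except and ports) and then applies the two security group requirements listed above to a constructed rule list. The pod labels, IP addresses, the RDS destination, and the rule format are assumptions made for the example; real ECS rules also carry priorities, which this simplified model does not implement.

```python
"""Model of the source-side egress checks: NetworkPolicy egress semantics and
the two security-group requirements. Inputs are constructed for this example."""
import ipaddress

# Constructed inputs (not from the ACS documentation): a pod labelled app=web,
# an assumed cluster DNS Service IP, and an RDS instance in the VPC.
POD_LABELS = {"app": "web"}
CLUSTER_DNS_IP = "10.0.0.10"          # assumed ClusterIP of the cluster DNS Service
RDS_IP, RDS_PORT = "192.168.10.5", 3306

# A NetworkPolicy in the same shape as its YAML manifest. It selects app=web
# pods, sets policyTypes Egress, and permits only DNS, so every other egress
# (including RDS on 3306) is denied: the "policy forbids access" case.
RESTRICTIVE_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "web-egress", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "policyTypes": ["Egress"],
        "egress": [
            {"ports": [{"protocol": "UDP", "port": 53},
                       {"protocol": "TCP", "port": 53}]},   # no "to": any peer
        ],
    },
}

# The same policy after it has been modified to also allow the RDS destination.
FIXED_POLICY = {
    **RESTRICTIVE_POLICY,
    "spec": {
        **RESTRICTIVE_POLICY["spec"],
        "egress": RESTRICTIVE_POLICY["spec"]["egress"] + [
            {"to": [{"ipBlock": {"cidr": "192.168.0.0/16",
                                 "except": ["192.168.99.0/24"]}}],
             "ports": [{"protocol": "TCP", "port": RDS_PORT}]},
        ],
    },
}

def policy_selects(policy, pod_labels):
    """A policy applies to a pod when every label in podSelector.matchLabels
    matches (an empty selector matches every pod in the namespace)."""
    want = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in want.items())

def ip_block_allows(block, dst_ip):
    """ipBlock peer: destination must be inside cidr and outside every except."""
    ip = ipaddress.ip_address(dst_ip)
    if ip not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))

def port_allows(ports, dst_port, proto):
    """An egress rule without a ports list matches any port."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == proto and p.get("port") == dst_port
               for p in ports)

def egress_allowed(policies, pod_labels, dst_ip, dst_port, proto="TCP"):
    """Kubernetes semantics: if no policy with policyTypes Egress selects the
    pod, all egress is allowed; otherwise some egress rule must match. Only
    ipBlock peers are modelled (namespaceSelector/podSelector peers omitted)."""
    applicable = [p for p in policies
                  if "Egress" in p["spec"].get("policyTypes", [])
                  and policy_selects(p, pod_labels)]
    if not applicable:
        return True
    for p in applicable:
        for rule in p["spec"].get("egress", []):
            peers = rule.get("to", [])          # missing "to" means any peer
            peer_ok = not peers or any("ipBlock" in t
                                       and ip_block_allows(t["ipBlock"], dst_ip)
                                       for t in peers)
            if peer_ok and port_allows(rule.get("ports", []), dst_port, proto):
                return True
    return False

# Simplified security group rules (constructed format, no priorities).
SG_RULES_OK = [
    {"direction": "egress", "policy": "accept", "protocol": "tcp",
     "dest_cidr": "192.168.0.0/16", "port_from": 3306, "port_to": 3306},
]
SG_RULES_BLOCKED = SG_RULES_OK + [
    {"direction": "egress", "policy": "drop", "protocol": "all",
     "dest_cidr": "192.168.10.0/24", "port_from": 1, "port_to": 65535},
]

def sg_egress_rules(rules, dst_ip, dst_port, proto="tcp"):
    """Return (has_allow_rule, has_deny_rule) for outbound rules that match the
    destination: the two requirements listed above."""
    ip = ipaddress.ip_address(dst_ip)
    matched = [r for r in rules
               if r["direction"] == "egress"
               and r["protocol"] in (proto, "all")
               and ip in ipaddress.ip_network(r["dest_cidr"])
               and r["port_from"] <= dst_port <= r["port_to"]]
    return (any(r["policy"] == "accept" for r in matched),
            any(r["policy"] == "drop" for r in matched))

def source_checklist(policies, sg_rules, pod_labels, dst_ip, dst_port, proto="TCP"):
    """All findings must be True for the source side to permit the access."""
    has_allow, has_deny = sg_egress_rules(sg_rules, dst_ip, dst_port, proto.lower())
    return {"network_policy_allows": egress_allowed(policies, pod_labels, dst_ip, dst_port, proto),
            "security_group_has_allow_rule": has_allow,
            "security_group_has_no_deny_rule": not has_deny}

if __name__ == "__main__":
    for name, pol, sg in [("restrictive policy", [RESTRICTIVE_POLICY], SG_RULES_OK),
                          ("fixed policy", [FIXED_POLICY], SG_RULES_OK),
                          ("fixed policy, deny rule in SG", [FIXED_POLICY], SG_RULES_BLOCKED)]:
        print(name, source_checklist(pol, sg, POD_LABELS, RDS_IP, RDS_PORT))
```

The restrictive policy lets the pod resolve names through the cluster DNS but blocks the RDS port, which is exactly the situation the network policy step describes; adding the ipBlock rule fixes it, and the security group check then separately confirms that an allow rule exists and no deny rule matches.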

Configure the destination

Pods in a cluster can access the Internet or resources deployed in VPCs, including existing resources such as ECS instances and SLB instances, cloud services such as ApsaraDB RDS and OSS, and LoadBalancer Services that are exposed by the cluster. The pod configuration varies based on the destination.

Access the Internet

A pod that has only a private IP address can reach public IPv4 addresses only through an elastic IP address (EIP) or a NAT gateway. The following table describes the methods that you can use to configure the pod to access public IPv4 addresses.

| Method | Gateway and EIP configuration | Public IP address used to access the external network |
| --- | --- | --- |
| Use a NAT gateway | Associate an EIP with the cluster. For more information, see Enable an existing ACS cluster to access the Internet. | The EIP associated with the NAT gateway. |
| Use the EIP that is associated with the pod (only when Terway is used) | Associate an EIP with the pod. For more information, see Associate an exclusive EIP with a pod. | The EIP that is associated with the pod. |

Access existing resources such as ECS and SLB instances

When a pod accesses an ECS or SLB instance, the access may be blocked by the security group rules or Access Control List (ACL) rules of that instance. If the source IP address used by the pod is blocked, you need to unblock it. In Terway mode, the pod IP address is used as the source IP address, so you need to modify the security group rules or ACL rules to accept access from the CIDR block of the pod vSwitch.

Access cloud services such as ApsaraDB RDS and OSS

To access certain cloud services, you need to add the source IP address to the whitelists of the cloud services. In Terway mode, add the CIDR block of the pod vSwitch to the whitelist of the cloud service to be accessed.

You can also use ack-kubernetes-webhook-injector to automatically configure the whitelist. For more information, see Dynamically configure a pod whitelist for an Alibaba Cloud service.

Access LoadBalancer Service exposed by the cluster

Access from within a cluster to LoadBalancer Services exposed by the cluster is blocked, regardless of whether the addresses of the Service are public or private. To resolve this issue, you need to modify the external traffic policy of the Service to be accessed. For more information, see What Can I Do if the Cluster Cannot Access the IP Address of the SLB Instance Exposed by the LoadBalancer Service.