Enable Internet access for an ACS cluster - - Alibaba Cloud Documentation Center

Source Network Address Translation (SNAT) can translate IP addresses for cloud resources that want to access the Internet but do not have public IP addresses in a virtual private cloud (VPC). If SNAT is disabled when you create an Alibaba Cloud Container Compute Service (ACS) cluster, you can manually configure SNAT to enable Internet access for the cluster. This way, the pods in the cluster can access the Internet.

Background information

An Internet NAT gateway is a network address translation service that provides the SNAT and DNAT features. For more information, see What is an Internet NAT gateway? and Billing of Internet NAT gateways.

By default, ACS clusters cannot access the Internet. If pods in an ACS cluster need to access the Internet to pull images, you can create an Internet NAT gateway in the VPC of the cluster and configure an SNAT entry. This way, all pods in the cluster can access the Internet.

Note

If only one pod needs to access the Internet, you can associate an elastic IP address (EIP) with the pod. For more information, see Mount an independent EIP for pods.

Procedure

The following figure shows the steps for configuring SNAT to enable Internet access for an existing cluster.

Note

If you select Configure SNAT for VPC in the VPC section when configuring an ACS cluster, the system automatically configures SNAT for the cluster.

Log on to the NAT Gateway console.

Creates a NAT gateway.

Click Create NAT Gateway.

On the page that appears, configure the NAT gateway parameters and click Buy Now.

The following table describes the parameters. For more information, see Create and manage an Internet NAT gateway.

Parameter

Description

Region and VPC

The region and the VPC must be the same as the region and the VPC in which the ACS cluster resides.

Access Mode

Select an access mode based factors such as the network conditions and security requirement. In this example, Configure Later is selected.

Note

If you do not want to enable Internet access for all resources in the VPC, we recommend that you select Configure Later. For example, you can select this option if the VPC contains vSwitches other than the one used by your ACS cluster.

SNAT for All VPC Resources: If you select this mode, you must associate an EIP with the NAT gateway. The system automatically creates an SNAT entry for the VPC.
Configure Later: If you select this mode, you must manually associate an EIP with the NAT gateway and create an SNAT entry for the VPC.

Associate an EIP with the NAT gateway.
If you selected SNAT for All VPC Resources when you create the NAT gateway, skip this step. The system has already associated an EIP with the NAT gateway.
1. On the Internet NAT Gateway page, find the NAT gateway that you created and click Associate Now in the EIP column.
2. In the dialog box that appears, configure the EIP and click OK.

Create an SNAT entry.

If you selected SNAT for All VPC Resources when you create the NAT gateway, skip this step. The system has already created an SNAT entry for the VPC.

On the Internet NAT Gateway page, click the ID of the NAT gateway that you want to manage.
On the SNAT Management tab, click Create SNAT Entry.

Configure the parameters and click OK.

The following table describes the parameters. For more information, see Create and manage SNAT entries.

Parameter	Description
SNAT Entry	Select an access mode based on factors such as the network conditions and security requirement. We recommend that you select Specify vSwitch.
Select vSwitch	If you select Specify vSwitch for the SNAT Entry parameter, you must specify the vSwitch that is used by the cluster. On the Cluster Information page of the ACS cluster, you can view the ID of the vSwitch on the Cluster Resources tab.
Select EIP	Select the EIP that is associated with the NAT gateway.

Confirm the configuration of the NAT gateway.
1. Make sure that the NAT gateway and ACS cluster reside in the same VPC and an EIP is associated with the NAT gateway.
2. Make sure that the SNAT entry is associated with the vSwitch used by the cluster.

Verify the result

Method 1: Create a pod by using an image pulled over the Internet. Check whether the image can be pulled and the pod can be created.
Example:
Method 2: Run the ping command to access the Internet from a pod in the cluster. Check whether the pod can access the Internet and whether packet loss occurs.
Example: