Enable internet access for a cluster

Source Network Address Translation (SNAT) provides a proxy service that lets resources in a Virtual Private Cloud (VPC) without public IP addresses access the internet. If you did not configure SNAT when you created your ACS cluster, you must configure SNAT manually to enable internet access for the pods.

Background

An Internet NAT Gateway is a network address translation service that provides both SNAT and Destination Network Address Translation (DNAT) capabilities. For more information, see Internet NAT Gateway and NAT Gateway billing.

If pods in your cluster need internet access, such as to pull images from a public registry, create an Internet NAT Gateway in the cluster's VPC and configure an SNAT entry. This allows all pods in the cluster to access the internet.

Note

If only a specific pod needs internet access, you can bind an elastic IP address (EIP) directly to that pod. For instructions, see Bind an EIP to a pod by using annotations.

Procedure

Follow these steps to configure SNAT for an existing cluster and enable internet access.

Note

When you create an ACS cluster, under Configure SNAT, you can select Configure SNAT for VPC. The system then automatically configures SNAT for the cluster.

  1. Log on to the NAT Gateway console.

  2. Create an Internet NAT Gateway.

    1. Click Create Internet NAT Gateway.

    2. Configure the NAT gateway parameters, click Buy Now, and complete the purchase.

      The following are the key parameters. For more information, see Internet NAT Gateway.

      Region, VPC: Select the region and VPC that match your cluster.

      Access Mode: Choose a mode based on your network architecture and security requirements. This topic uses Configure Later as an example.

        Note

        Select Configure Later if you do not want all resources in the VPC to access the internet. For example, this is recommended if your VPC contains vSwitches that are not used by the cluster.

        • SNAT-enabled Mode: If you select this mode, you must specify an EIP to bind to the NAT gateway. The system automatically creates a VPC-level SNAT entry.

        • Configure Later: If you select this mode, you must manually bind an EIP and create an SNAT entry.

  3. Bind an EIP to the NAT gateway.

    If you selected SNAT-enabled Mode when you created the NAT gateway, an EIP is already bound. You can skip this step.

    1. On the Internet NAT Gateway page, locate the desired NAT gateway. Then, in the Actions column, click the icon and select Associate with EIP.

    2. In the dialog box, configure the EIP and click OK.

  4. Create an SNAT entry.

    If you selected SNAT-enabled Mode when you created the NAT gateway, a VPC-level SNAT entry already exists. You can skip this step.

    1. On the Internet NAT Gateway page, click the ID of the target NAT gateway.

    2. Click the SNAT tab, and then click Create SNAT Entry.

    3. Configure the SNAT entry and click OK.

      The following are the key parameters. For more information, see Create and manage SNAT entries.

      SNAT Entry: Select a granularity based on your network architecture and security requirements. We recommend that you select Specify vSwitch.

      Select vSwitch: If you set SNAT Entry to Specify vSwitch, select the vSwitch that your cluster uses. You can find the vSwitch ID on the Cluster Information page of your ACS cluster, under the Cluster Resources tab.

      Select EIP: Select the EIP that is bound to the NAT gateway.

  5. Confirm the NAT gateway configuration.

    1. Verify that the NAT gateway and the cluster are in the same VPC, and that an EIP is bound to the NAT gateway.

    2. Check the SNAT entry to confirm that it is bound to the vSwitch used by the cluster.

      In the SNAT entry list, the Available status in the Status column indicates that the vSwitch is successfully bound.
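Step 5 confirms the gateway, EIP and SNAT entry by inspection in the console. The following added example (not part of this document or of any Alibaba Cloud tooling) encodes the same checks as a script over a list of SNAT entries and additionally flags a VPC-level entry, which gives every resource in the VPC internet access rather than only the cluster; the entry field names, IDs and addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class SnatEntry:
    """Hypothetical view of one SNAT entry, using the fields the console shows
    (source range, source vSwitch, SNAT IP, status). Field names are assumptions."""
    entry_id: str
    source_cidr: str        # CIDR the entry translates: a vSwitch or the whole VPC
    source_vswitch_id: str  # empty string for a VPC-level entry
    snat_ip: str            # public source address, should be the gateway's EIP
    status: str             # "Available" once the binding succeeded


def check_cluster_snat(entries, cluster_vswitch_id, cluster_vswitch_cidr, gateway_eip):
    """Return findings for the cluster's egress path; an empty list means a
    vSwitch-scoped, Available entry using the gateway EIP covers the cluster."""
    findings = []
    cluster_net = ipaddress.ip_network(cluster_vswitch_cidr)
    covered = False
    for e in entries:
        net = ipaddress.ip_network(e.source_cidr)
        if not cluster_net.subnet_of(net):
            continue  # this entry does not translate the cluster's traffic
        covered = True
        if net.prefixlen < cluster_net.prefixlen:
            findings.append(f"{e.entry_id}: VPC-level entry {e.source_cidr} gives every "
                            "resource in the VPC internet access, not only the cluster")
        if e.source_vswitch_id and e.source_vswitch_id != cluster_vswitch_id:
            findings.append(f"{e.entry_id}: bound to {e.source_vswitch_id}, "
                            f"not cluster vSwitch {cluster_vswitch_id}")
        if e.status != "Available":
            findings.append(f"{e.entry_id}: status is {e.status}, not Available")
        if e.snat_ip != gateway_eip:
            findings.append(f"{e.entry_id}: SNAT IP {e.snat_ip} is not the gateway EIP {gateway_eip}")
    if not covered:
        findings.append(f"no SNAT entry covers cluster vSwitch {cluster_vswitch_id} "
                        f"({cluster_vswitch_cidr}); pods have no internet access")
    return findings


# Constructed sample data for a stand-alone run (IDs and addresses are made up).
CLUSTER_VSWITCH, CLUSTER_CIDR, GATEWAY_EIP = "vsw-cluster-example", "192.168.10.0/24", "203.0.113.10"
SAMPLE_ENTRIES = [
    SnatEntry("snat-vpc-wide", "192.168.0.0/16", "", "203.0.113.10", "Available"),
    SnatEntry("snat-cluster", "192.168.10.0/24", "vsw-cluster-example", "203.0.113.10", "Pending"),
]

if __name__ == "__main__":
    for line in check_cluster_snat(SAMPLE_ENTRIES, CLUSTER_VSWITCH, CLUSTER_CIDR, GATEWAY_EIP):
        print("finding:", line)
```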

Verification

  • Method 1: Create a pod that uses an image from a public registry. Confirm that the image is pulled and the pod is created successfully.

    On the Events tab for the test-pod pod, a Normal event with a message such as Successfully pulled image "centos:7" in 16.902s indicates that the image was pulled successfully from the public registry.

  • Method 2: From a pod within the cluster, run the ping command to access a public internet address. Confirm that the address is reachable and there is no packet loss.

    Example:

    :~$ kubectl get pod
    NAME        READY   STATUS    RESTARTS   AGE
    test-pod    1/1     Running   0          24m
    :~$ kubectl exec -it test-pod -- bash
    [root@test-pod /]# ping aliyun.com -c 2
    PING aliyun.com (140.205.60.46) 56(84) bytes of data.
    64 bytes from 140.205.60.46 (140.205.60.46): icmp_seq=1 ttl=95 time=4.99 ms
    64 bytes from 140.205.60.46 (140.205.60.46): icmp_seq=2 ttl=95 time=4.81 ms
    --- aliyun.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 4.813/4.905/4.997/0.092 ms