
Container Service for Kubernetes: Configure a pod to access an external network

Last Updated: Feb 29, 2024

Pods in a cluster can access the Internet or resources deployed in virtual private clouds (VPCs), including existing resources such as Elastic Compute Service (ECS) instances and Server Load Balancer (SLB) instances, cloud services such as ApsaraDB RDS and Object Storage Service (OSS), and LoadBalancer Services that are exposed by the cluster. This topic describes how to configure the source and destination to allow a pod to access an external network.

Configure the source

  • Configure domain name resolution

    When a pod accesses an external network, the pod uses the domain name resolution feature provided by the cluster to resolve the destination address. Then, the pod accesses the destination over the pod network. If the domain name cannot be resolved, you need to troubleshoot the DNS resolution error. For more information, see DNS troubleshooting.

  • Configure network policies

    Check whether a network policy is configured for the namespace to which the pod belongs, and check whether the network policy forbids the pod from accessing the destination. If the preceding network policy exists, modify the policy. For more information, see Use network policies in ACK clusters.

  • Configure security groups

    Check whether the security group of the cluster and the security group of the ECS instance that hosts the pod forbid the pod from accessing the destination. Make sure that the security groups meet the following requirements:

    • Security group rules are created to allow the pod to access the destination address and port in the outbound direction.

    • No security group rules are created to forbid the pod from accessing the destination address and port in the outbound direction.
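As an added example (not part of the ACK documentation), the following Python applies the Kubernetes NetworkPolicy egress semantics offline, so you can check whether the policies in a pod's namespace would block a given destination before changing anything in the cluster. It handles the policyTypes default, ipBlock except lists and endPort ranges; it assumes numeric ports and an external destination, so podSelector and namespaceSelector peers are treated as non-matching, and the policy object and addresses are constructed for illustration.

```python
import ipaddress

def _selects(selector, labels):
    """matchLabels-only selector; an empty selector matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _peer_allows(peer, dst_ip):
    """Only an ipBlock peer can match an address outside the cluster."""
    block = peer.get("ipBlock")
    if not block:
        return False
    ip = ipaddress.ip_address(dst_ip)
    if ip not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(ip in ipaddress.ip_network(e, strict=False) for e in block.get("except", []))

def _port_allows(ports, dst_port, proto):
    """An empty ports list allows every port and protocol; endPort gives a range."""
    if not ports:
        return True
    for p in ports:
        start = p.get("port")
        if p.get("protocol", "TCP") == proto and (
                start is None or start <= dst_port <= p.get("endPort", start)):
            return True
    return False

def egress_allowed(policies, pod_labels, dst_ip, dst_port, proto="TCP"):
    """A pod is egress-isolated once any policy selecting it lists Egress; the union of those rules must match."""
    isolating = []
    for pol in policies:
        spec = pol["spec"]
        # policyTypes defaults to Ingress, plus Egress only when egress rules are present
        types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
        if "Egress" in types and _selects(spec.get("podSelector", {}), pod_labels):
            isolating.append(pol)
    if not isolating:
        return True, "no egress policy selects this pod"
    for pol in isolating:
        for rule in pol["spec"].get("egress", []):
            peers = rule.get("to", [])  # a rule without 'to' allows any destination
            if (not peers or any(_peer_allows(pe, dst_ip) for pe in peers)) \
                    and _port_allows(rule.get("ports", []), dst_port, proto):
                return True, f"allowed by {pol['metadata']['name']}"
    return False, f"egress-isolated, no rule matches {dst_ip}:{dst_port}/{proto}"

# Constructed sample (not from the page): app=web pods may reach 192.168.0.0/16 on
# TCP 3306 except the 192.168.100.0/24 subnet, and may send DNS (UDP 53) anywhere.
POLICY = {"metadata": {"name": "restrict-egress"}, "spec": {
    "podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Egress"],
    "egress": [{"to": [{"ipBlock": {"cidr": "192.168.0.0/16", "except": ["192.168.100.0/24"]}}],
                "ports": [{"protocol": "TCP", "port": 3306}]},
               {"ports": [{"protocol": "UDP", "port": 53}]}]}}
```

Feed it the output of `kubectl get networkpolicy -n <namespace> -o json` (the `items` list) together with the pod's labels to test a real namespace.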

Configure the destination

Pods in a cluster can access the Internet or resources deployed in virtual private clouds (VPCs), including existing resources such as ECS instances and SLB instances, cloud services such as ApsaraDB RDS and OSS, and LoadBalancer Services that are exposed by the cluster. The pod configuration varies based on the destination.

Access the Internet

In an IPv4 cluster, the pods use only IPv4 addresses. Therefore, the pods can access only public IPv4 addresses. They cannot access IPv6 addresses. In a dual-stack cluster, the pods use both IPv4 and IPv6 addresses. IPv4 addresses used by the pods are private IP addresses but the IPv6 addresses are unique public IP addresses that can be used for global routing. The pod configuration varies based on the IP address that the pod needs to access.

  • Configure the pod to access a public IPv4 address

    When a pod uses a private IP address, the pod can access public IPv4 addresses only through an elastic IP address (EIP) or a NAT gateway. The following list describes each method that you can use to configure the pod to access public IPv4 addresses, the gateway and EIP configuration it requires, and the public IP address that the pod then uses to access the external network.

    • Method: Use a NAT gateway

      Gateway and EIP configuration: Associate an EIP with the cluster. Create an SNAT entry based on the network plug-in used by the cluster:

      • If the cluster uses Terway, select the pod vSwitch when you create the SNAT entry.

      • If the cluster uses Flannel, select the node vSwitch when you create the SNAT entry.

      For more information, see Enable an existing ACK cluster to access the Internet.

      Public IP address used to access the external network: the EIP associated with the NAT gateway.

    • Method: Use the EIP that is associated with the node of the pod (only when Flannel is used)

      Gateway and EIP configuration: Associate an EIP with the node (ECS instance) that hosts the pod. For more information, see Elastic IP addresses.

      Public IP address used to access the external network: the EIP that is associated with the node.

    • Method: Use the EIP that is associated with the pod (only when Terway is used)

      Gateway and EIP configuration: Associate an EIP with the pod. For more information, see Associate an EIP with a pod.

      Public IP address used to access the external network: the EIP that is associated with the pod.

  • Configure the pod to access a public IPv6 address

    In a dual-stack cluster, the pods use public IPv6 addresses. However, no public bandwidth is allocated to the IPv6 addresses by default. If a pod needs to access a public IPv6 address, you need to allocate public bandwidth to the pod. For more information, see Allocate IPv6 Internet bandwidth to a pod.

Access existing resources such as ECS and SLB instances

When a pod accesses an ECS or SLB instance, the access may be blocked by the security group rules or Access Control List (ACL) rules of the instance. If the source IP address used by the pod is blocked, you need to unblock the source IP address. The source IP address that is used to access an ECS or SLB instance varies based on the network mode.

  • In Terway mode, the pod IP address is used. You need to modify the security group rules or ACL rules to accept access from the CIDR block of the pod vSwitch.

  • In Flannel mode, the IP address of the host on which the pod is deployed is used. You need to modify the security group rules or ACL rules to accept access from the CIDR block of the host vSwitch.

Access cloud services such as ApsaraDB RDS and OSS

To access certain cloud services, you need to add the source IP address to the whitelists of the cloud services.

  • In Terway mode, add the CIDR block of the pod vSwitch to the whitelist of the cloud service to be accessed.

  • In Flannel mode, the source IP address is the IP address of the host on which the pod is deployed. You need to add the CIDR block of the host vSwitch to the whitelist of the cloud service to be accessed.

You can also use ack-kubernetes-webhook-injector to automatically configure the whitelist. For more information, see Dynamically configure a pod whitelist for an Alibaba Cloud service.

Access LoadBalancer Services exposed by the cluster

Access from within a cluster to LoadBalancer Services exposed by the cluster is blocked, regardless of whether the addresses of the Service are public or private. To resolve this issue, you need to modify the external traffic policy of the Service to be accessed. For more information, see What Can I Do if the Cluster Cannot Access the IP Address of the SLB Instance Exposed by the LoadBalancer Service.