Pods in an ACK cluster can access the internet and resources in virtual private clouds (VPCs) — including Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, Object Storage Service (OSS) buckets, and ApsaraDB RDS databases. The required configuration depends on your network plugin (Terway or Flannel), IP stack type (IPv4 single-stack or dual-stack), and the destination you want to reach.
Before you begin
If a pod cannot reach its destination, check the following three areas before taking any other action.
DNS resolution
A pod resolves the destination hostname through the cluster's DNS service before any traffic is sent, so DNS is the first thing to rule out: if a pod cannot resolve the destination hostname, troubleshoot DNS errors first.
Network policies
Check whether a NetworkPolicy applied to the pod's namespace blocks outbound traffic to the destination. If so, modify the policy to allow the required traffic. For more information, see Use network policies in ACK clusters.
Security groups
Security groups operate at the node level and apply to the ECS instances that host your pods. Check both the cluster security group and the ECS instance security group to confirm that:
- An outbound rule allows traffic from the pod to the destination address and port.
- No outbound rule blocks traffic to the destination address and port.
For more information, see Configure security groups for clusters.
Access the internet
IPv4 single-stack clusters
In an IPv4 single-stack cluster, pods use private IPv4 addresses and can access only public IPv4 addresses. Pods cannot access IPv6 addresses. To enable outbound internet access, associate an elastic IP address (EIP) with the pod or configure a NAT gateway.
The required configuration differs by network plugin:
| Internet access method | Terway | Flannel |
|---|---|---|
| NAT gateway | The SNAT rule must include an SNAT entry for the pod's IP address. The public IP address used to access the external network is the EIP associated with the NAT gateway. | The SNAT rule must include an SNAT entry for the node's IP address. The public IP address used to access the external network is the EIP associated with the NAT gateway. |
| EIP | Associate an EIP directly with the pod. The pod's public IP is the associated EIP. See Associate an exclusive EIP with a pod. | Associate an EIP with the ECS node that hosts the pod. The pod's public IP is the node's EIP. See Associate or disassociate an EIP. |
To configure a NAT gateway for either plugin, see Enable an existing ACK cluster to access the internet.
Dual-stack clusters
In a dual-stack cluster, pods have private IPv4 addresses and public IPv6 addresses. No public bandwidth is allocated to the IPv6 addresses by default. To enable IPv6 internet access, see Allocate IPv6 internet bandwidth to a pod.
Access resources in a VPC
When a pod accesses VPC resources such as ECS instances, SLB instances, OSS buckets, or ApsaraDB RDS databases, the source IP address seen by the destination depends on your network plugin:
- Terway: The source IP is the pod's IP address.
- Flannel: The source IP is the IP address of the ECS node hosting the pod.
If the destination has access control rules, such as security group rules, Access Control List (ACL) rules, or IP whitelists, that block the source IP, add the appropriate IP address to the allowlist:
- For Terway clusters: add the pod's IP address.
- For Flannel clusters: add the ECS node's IP address.
To automate allowlist configuration across Alibaba Cloud services, use ack-kubernetes-webhook-injector. For more information, see Dynamically configure a pod whitelist for an Alibaba Cloud service.
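The following Python script is an added example (not part of this page or of ACK) that puts two of the checks above into code: which source IP the destination sees for a Terway or Flannel pod, and whether a node's outbound security group rules pass the two-point checklist from the "Security groups" section (an accept rule matches, and no drop rule matches). The rule set and all IP addresses are constructed sample values, and the evaluator deliberately ignores rule priority, which real security group evaluation does take into account.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OutboundRule:
    """Constructed, simplified outbound security group rule (priority ignored)."""
    policy: str       # "accept" or "drop"
    dest_cidr: str    # destination CIDR the rule matches
    port_low: int     # inclusive destination port range
    port_high: int


def source_ip_seen_by_destination(plugin: str, pod_ip: str, node_ip: str) -> str:
    """Terway: destination sees the pod IP; Flannel: it sees the hosting node's IP."""
    if plugin == "Terway":
        return pod_ip
    if plugin == "Flannel":
        return node_ip
    raise ValueError(f"unknown network plugin: {plugin}")


def rule_matches(rule: OutboundRule, dest_ip: str, port: int) -> bool:
    in_cidr = ipaddress.ip_address(dest_ip) in ipaddress.ip_network(rule.dest_cidr)
    return in_cidr and rule.port_low <= port <= rule.port_high


def check_outbound(rules, dest_ip: str, port: int) -> dict:
    """Two-point checklist: an accept rule must match and no drop rule may match."""
    matching = [r for r in rules if rule_matches(r, dest_ip, port)]
    drops = [r for r in matching if r.policy == "drop"]
    accepts = [r for r in matching if r.policy == "accept"]
    if drops:
        return {"allowed": False, "reason": f"drop rule for {drops[0].dest_cidr} blocks it"}
    if not accepts:
        return {"allowed": False, "reason": "no outbound rule allows this destination/port"}
    return {"allowed": True, "reason": f"accept rule for {accepts[0].dest_cidr} allows it"}


# Constructed sample rule set: HTTPS anywhere, MySQL to one subnet, but a /25 of it dropped.
SAMPLE_RULES = [
    OutboundRule("accept", "0.0.0.0/0", 443, 443),
    OutboundRule("accept", "10.0.20.0/24", 3306, 3306),
    OutboundRule("drop", "10.0.20.128/25", 1, 65535),
]


def preflight(plugin, pod_ip, node_ip, dest_ip, port, rules=SAMPLE_RULES) -> dict:
    """Combine both checks: what IP to allowlist at the destination, and node egress."""
    result = check_outbound(rules, dest_ip, port)
    result["source_ip"] = source_ip_seen_by_destination(plugin, pod_ip, node_ip)
    return result


if __name__ == "__main__":
    print(preflight("Flannel", "172.20.1.7", "10.0.1.15", "10.0.20.200", 3306))
```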
Access a LoadBalancer Service within the cluster
When a pod accesses an SLB instance that fronts a LoadBalancer Service in the same cluster, ACK routes traffic directly to the backend pod — the traffic does not leave the cluster. This avoids hairpinning through the SLB instance.
There is one exception: clusters using Terway 1.1.0 or earlier in IPVLAN + eBPF acceleration mode do not support this mechanism. In those clusters, traffic goes through the SLB instance's IP address. Starting from Terway 1.2.0, newly created clusters support intra-cluster load balancing; existing clusters upgraded to Terway 1.2.0 do not.
For more information, see How do I enable load balancing within a cluster in Terway IPVLAN mode?.