All Products
Document Center

Container Service for Kubernetes:Configure DNAT to expose a pod

Last Updated:Aug 28, 2023

In gaming and P2P scenarios, you may need to directly expose application pods to clients instead of assigning elastic IP addresses (EIPs) to the pods. However, the number of EIPs that you can assign to pods is limited and security management is required. This topic describes how to configure DNAT rules for an Internet NAT gateway and use the Internet NAT gateway to expose a pod. This method requires you only to associate an EIP with the Internet NAT gateway.

Table of contents


  • A Container Service for Kubernetes (ACK) managed cluster or ACK Pro cluster is created and Terway is installed as the network plug-in. For more information, see Create an ACK managed cluster or Create an ACK dedicated cluster.

  • An Internet NAT gateway is created in the virtual private cloud (VPC) where the cluster is deployed. Enable the natgw controller after you create the Internet NAT gateway. For more information about how to create an Internet NAT gateway, see Create and manage Internet NAT gateways.

  • A DNAT rule specifies the mapping between a public IP address and a private IP address, and the mapping between public ports and private ports. For more information about DNAT, see Configure DNAT on an Internet NAT gateway for an ECS instance.

    • Set the public IP address to the EIP that is associated with the Internet NAT gateway.

    • The natgw controller automatically allocates public ports from the port range that is specified by the portRangeStart and portRangeEnd parameters in the configuration file of natgw. The allocated ports are recorded in the field of a PodDNAT object that is named after the pod.

    • Set the private ports to the ports on which the pod listens.

    • Set the private IP address to the IP address of the pod.


  • You cannot configure DNAT to expose pods in ACK Serverless clusters, ACK edge clusters, or ASI clusters.

  • The number of DNAT entries supported by an Internet NAT gateway varies based on gateway specifications. For more information, see FAQ about DNAT.

Pod configurations

The following table describes the pod configurations.

Pod annotation


Configure DNAT rules for the pod.

The ports on which the pod listens. Separate multiple ports with commas (,). Example: '80,443'.

The protocol that you want to use. Valid values: tcp and udp. Default value: tcp.

After this annotation is added, the DNAT configurations remain unchanged for the pod if the pod is created for a stateful application.


You must configure security group rules for the pod to allow inbound traffic to the ports that are exposed on the pod.

Enable DNAT for ack-extend-network-controller

ack-extend-network-controller needs to access OpenAPI Explorer to create resources. You need to grant Resource Access Management (RAM) permissions to ack-extend-network-controller, install ack-extend-network-controller from the marketplace in the ACK console, and create DNAT entries and associate them with specific pods by adding annotations.

Step 1: Grant RAM permissions on DNAT

  • ACK clusters:

    1. Log on to the ACK console and click Clusters in the left-side navigation pane.

    2. On the Clusters page, click the name of the cluster that you want to manage and click Cluster Information in the left-side navigation pane.

    3. On the Cluster Information page, click the Cluster Resources tab, and then click the hyperlink next to Worker RAM Role.

    4. On the Permissions tab of the Roles page, click the name of the policy that you want to manage in the Policy column.

    5. On the Policy Document tab of the Policies page, click Modify Policy Document. On the JSON tab, add the following content.

            "Effect": "Allow",
            "Action": [
            "Resource": [
            "Condition": {}
    6. After you add the content, click Next to edit policy information and click OK.

  • ACK Serverless clusters:

    Generate an AccessKey pair for the RAM user. Fore more information, see Create a RAM user and Create a custom policy.

Step 2: Enable the natgw controller for ack-extend-network-controller

Install ack-extend-network-controller and enable the natgw controller. You can install ack-extend-network-controller from the marketplace in the ACK console. For more information, see App Marketplace.

Configure the following parameters for the natgw controller:

clusterID: "c11ba338192xxxxxxx"          # Replace with the actual value. 
regionID: "cn-hangzhou"                  # Replace with the actual value. 
vpcID: "vpc-bp1rkq0zxxxxxx"              # Replace with the actual value. 
  - natgw                                  # Enable DNAT. 

    - natgwId: "< nat gateway id. >"                   # The ID of the Internet NAT gateway. 
      zoneId: "< nat gateway zone id. cn-hangzhou-j >" # The zone ID of the Internet NAT gateway. 
      portRangeStart: 512                              # The first port. 
      portRangeEnd: 1024                               # The last port. 
        - "<auto config all nat gateway eips if not config. >"  # Specify an EIP that is associated with the Internet NAT gateway. If you leave this parameter empty, all EIPs associated with the Internet NAT gateway are used. 

credential:                               # Specify an AccessKey pair. For ACK clusters, we recommend that you use the RamRole mode. 
  accessKey: ""
  accessSecret: ""

Use a custom resource object to track the DNAT configurations of the pod

After you create a pod, the natgw controller automatically creates a PodDNAT object that is named after the pod. Use the following YAML template to create a Deployment. In this example, DNAT configurations are added to expose port 80 of the pod to the Internet.

apiVersion: apps/v1
kind: Deployment
  name: example
    app: example
  replicas: 1
      app: example
        app: example
      annotations: "" "80"
      - name: example
        image: nginx

Run the following command to access to obtain the public IP address and public port of the pod:

kubectl get poddnats -oyaml example-6cd498d7b-9****

Expected output:

kind: PodDNAT
  creationTimestamp: "2022-09-20T03:26:44Z"
  - natgw-controller
  generation: 2
  name: example-6cd498d7b-9****
  namespace: default
  - apiVersion: v1
    blockOwnerDeletion: true
    kind: Pod
    name: example-6cd498d7b-9****
    uid: 7af54e1c-eeb7-4fd0-b070-ff99ddbd****
  resourceVersion: "357150"
  uid: 2fad9bb7-cc84-46b4-b6eb-5d15f06c****
  eni: eni-xxx
  externalIP: 114.55.**.**
  internalIP: 172.16.**.**
  - externalPort: "512"
    internalPort: "80"
  protocol: tcp
  tableId: ngw-xxx
  vswitch: vsw-xxx
  zoneID: cn-hangzhou-k
  - externalIP: 114.55.**.**
    externalPort: "512"
    forwardEntryId: fwd-xxx
    internalIP: 172.16.**.**
    internalPort: "80"
    ipProtocol: tcp

The following information is displayed:

  • externalPort: the public port that is mapped to the private port of the pod. The port is allocated by the natgw controller from the specified port range.

  • externalIP: the EIP that is associated with the Internet NAT gateway. The EIP is used to enable external access to the pod.