If an Elastic Compute Service (ECS) instance or a Container Service for Kubernetes
(ACK) cluster does not have a public IP address, you can create an SNAT entry in the
virtual private cloud (VPC) where the ECS instance or ACK cluster is deployed to enable
Internet access. If Source Network Address Translation (SNAT) is disabled when you
create a cluster, you can enable SNAT in the ACK console after the cluster is created.
This topic describes how to enable SNAT for ACK clusters in the ACK console. SNAT
allows ACK clusters to access the Internet.
Background information
You cannot call API operations to enable SNAT for existing clusters. For more information
about SNAT, see What is NAT Gateway?.
Procedure
The following figure shows the steps to enable SNAT for an existing ACK cluster to
access the Internet.

- Create a NAT gateway.
  - Log on to the NAT Gateway console.
  - In the left-side navigation pane, click NAT Gateway.
  - On the NAT Gateway page, click Create NAT Gateway.
    For more information about the parameters, see Create an Internet NAT gateway.
  Note: The NAT gateway must be created in the same region and VPC as the ACK cluster.
  After you create a NAT gateway, a route entry is automatically added to the route
  table of the VPC. The destination CIDR block of the route entry is 0.0.0.0/0 and the
  next hop is the NAT gateway. This ensures that traffic is routed to the NAT gateway.
  Notice: By default, the route entry is automatically created for the first NAT gateway in
  the VPC. You must manually configure route entries if multiple NAT gateways are created
  in the VPC. For more information, see Add and delete route entries.
- Create an elastic IP address (EIP).
  In the left-side navigation pane, choose . On the Elastic IP Addresses page, click Create EIP.
  If you already have an EIP, skip this step.
- Associate the EIP with the created NAT gateway.
  - On the NAT Gateway page, find the newly created NAT gateway and choose in the Actions column.
  - In the Associate EIP dialog box, select a resource group from the Resource Group drop-down list and select the EIP that you created from the Select Existing EIPs drop-down list.
  - Click OK.
- Create an SNAT entry for the NAT gateway.
  - On the NAT Gateway page, find the newly created NAT gateway and click Manage in the Actions column.
  - On the SNAT Management tab, click Create SNAT Entry.
  - On the Create SNAT Entry page, set the parameters as described in the following table and click Confirm.
    For more information about the parameters, see Create an SNAT entry.
Parameter | Description
SNAT Entry | Select Specify vSwitch and select the vSwitches that are used by the cluster.
  - If the cluster uses the Terway network plug-in, select both the node vSwitch and pod vSwitch.
  - If the cluster uses the Flannel network plug-in, select the node vSwitch.
  To check the vSwitch to which the nodes in the Flannel network belong, perform the following steps:
  - Log on to the ACK console.
  - In the left-side navigation pane of the ACK console, click Clusters.
  - On the Clusters page, find the cluster that you want to manage and click the name or click Details in the Actions column.
  - In the left-side navigation pane of the details page, choose .
  - Find the node pool that you want to manage and click Details in the Actions column.
    In the Node Configurations section, check the value of Node Vswitch.
  To check the vSwitch to which the pods in the Terway network belong, perform the following steps:
  - Log on to the ACK console.
  - In the left-side navigation pane, click Clusters. On the Clusters page, find the cluster that you want to manage and click the name of the cluster, or click Details in the Actions column.
  - On the details page of the cluster, click the Cluster Resources tab and check the value of Pod vSwitch.
Select Public IP Address | Select the public IP addresses that are used to access the Internet.
After the SNAT entry is created and SNAT rules are configured, SNAT is enabled for
the cluster. You can log on to the
NAT Gateway console to view the details of the NAT gateway, such as the EIPs used by SNAT. The following
figure shows a NAT gateway that is created for an ACK cluster that uses the Terway
network plug-in. SNAT rules are configured to enable the cluster to access the Internet.

Click the name of the NAT gateway. On the
SNAT Management tab of the details page, you can check whether public IP addresses are associated
with the vSwitches used by the cluster. The following figure shows the SNAT entries
created for the cluster that uses the Terway network plug-in.

Result
Log on to a node of the cluster and access the Internet to verify that the node can
access the Internet and no packet loss occurs during data transmission.
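
The console check described above (whether every vSwitch used by the cluster has an SNAT entry with a public IP address, and whether the 0.0.0.0/0 route points at the NAT gateway) can also be run as a script over exported configuration. The following is an added example, not code from the ACK or NAT Gateway documentation. The dictionary field names, the resource IDs and the IP address are constructed for illustration and are not the format of any API response.

```python
# Added example: audit SNAT coverage for an ACK cluster. Input shapes are assumed.

def required_vswitches(cluster):
    """Terway needs node and pod vSwitches; Flannel needs only node vSwitches."""
    plugin = cluster["network_plugin"].lower()
    if plugin == "terway":
        return set(cluster["node_vswitches"]) | set(cluster["pod_vswitches"])
    if plugin == "flannel":
        return set(cluster["node_vswitches"])
    raise ValueError(f"unknown network plug-in: {cluster['network_plugin']}")

def audit_snat(cluster, snat_entries, routes, nat_gateway_id):
    """Return findings; an empty list means every required vSwitch has egress."""
    covered = set()
    for entry in snat_entries:
        # Count an entry only if it is on this gateway and carries a public IP.
        if entry["nat_gateway_id"] == nat_gateway_id and entry["public_ips"]:
            covered.add(entry["vswitch_id"])
    findings = [f"no SNAT entry with a public IP for vSwitch {v}"
                for v in sorted(required_vswitches(cluster) - covered)]
    # The 0.0.0.0/0 route must have this NAT gateway as next hop; with several
    # NAT gateways in the VPC that route is configured manually.
    if not any(r["destination"] == "0.0.0.0/0" and r["next_hop"] == nat_gateway_id
               for r in routes):
        findings.append(f"no 0.0.0.0/0 route with next hop {nat_gateway_id}")
    return findings

# Constructed sample data: hypothetical IDs and a documentation-range IP.
CLUSTER = {"network_plugin": "Terway", "node_vswitches": ["vsw-node-a"],
           "pod_vswitches": ["vsw-pod-a", "vsw-pod-b"]}
SNAT_ENTRIES = [
    {"nat_gateway_id": "ngw-example", "vswitch_id": "vsw-node-a", "public_ips": ["203.0.113.10"]},
    {"nat_gateway_id": "ngw-example", "vswitch_id": "vsw-pod-a", "public_ips": ["203.0.113.10"]},
    {"nat_gateway_id": "ngw-example", "vswitch_id": "vsw-pod-b", "public_ips": []},
]
ROUTES = [{"destination": "0.0.0.0/0", "next_hop": "ngw-example"}]

if __name__ == "__main__":
    for finding in audit_snat(CLUSTER, SNAT_ENTRIES, ROUTES, "ngw-example"):
        print(finding)
```

With the sample data, the Terway cluster is reported as missing egress for one pod vSwitch, while the same entries are sufficient for a Flannel cluster that uses only the node vSwitch.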