Pods in an ACS cluster can reach resources in Virtual Private Clouds (VPCs)—including ECS instances, ApsaraDB RDS instances, OSS buckets, and SLB instances—as well as the Internet. Outbound connectivity depends on two sides: the pod (source) and the destination. Configure both sides to allow a pod to access an external network.
Configure the source (pod side)
When a pod sends traffic to an external address, the request goes through the cluster's DNS resolver, is subject to any network policies on the pod's namespace, and is checked against the security groups attached to the pod and cluster. Verify all three before investigating the destination.
DNS resolution
Pods use the cluster's built-in Domain Name System (DNS) resolver to translate a destination hostname into an IP address. If DNS resolution fails, troubleshoot the DNS resolution error.
Network policy
Check whether a network policy is applied to the namespace where the pod runs, and whether that policy blocks outbound traffic to the destination IP address. If a blocking policy exists, modify it to allow the required traffic. For more information, see Use network policies in ACS clusters.
Security groups
Check the security groups attached to both the cluster and the pod. For outbound traffic to succeed, the security group rules must meet both of the following conditions:
- An outbound rule allows the pod to reach the destination IP address and port.
- No outbound rule explicitly denies access to the destination IP address and port.
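The network policy and DNS checks above interact: once any Egress policy selects a pod, that pod can only send traffic an egress rule explicitly permits, so a rule for the destination alone still leaves name resolution blocked. The following added example (not part of the ACS documentation) evaluates egress NetworkPolicy rules the way Kubernetes does for a destination IP and port; the RDS CIDR 10.0.0.0/8 and the DNS ClusterIP 172.16.0.10 are constructed values, and only `ipBlock` peers are considered (selector peers target in-cluster pods).

```python
import ipaddress

def selects_pod(policy, pod_labels):
    """True if the policy's podSelector matches the pod (matchLabels only)."""
    sel = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in sel.items())

def peer_matches(peer, ip):
    """Only ipBlock peers are evaluated; podSelector/namespaceSelector peers are skipped."""
    blk = peer.get("ipBlock")
    if blk is None or ip not in ipaddress.ip_network(blk["cidr"]):
        return False
    return not any(ip in ipaddress.ip_network(e) for e in blk.get("except", []))

def rule_allows(rule, ip, port, protocol):
    # An absent or empty "to" means any destination; absent or empty "ports" means any port.
    to_ok = not rule.get("to") or any(peer_matches(p, ip) for p in rule["to"])
    ports_ok = not rule.get("ports") or any(
        p.get("protocol", "TCP") == protocol and p.get("port", port) == port
        for p in rule["ports"])
    return to_ok and ports_ok

def egress_allowed(policies, pod_labels, dst_ip, dst_port, protocol="TCP"):
    """Kubernetes semantics: if no Egress policy selects the pod, everything is allowed;
    otherwise traffic must match some egress rule of some selecting policy."""
    ip = ipaddress.ip_address(dst_ip)
    selecting = [p for p in policies
                 if selects_pod(p, pod_labels) and "Egress" in p["spec"].get("policyTypes", [])]
    if not selecting:
        return True
    return any(rule_allows(r, ip, dst_port, protocol)
               for p in selecting for r in p["spec"].get("egress", []))

# Constructed sample: the policy lets the pod reach an RDS instance in the VPC
# (assumed CIDR 10.0.0.0/8, TCP 3306) and nothing else, so DNS lookups fail.
POD_LABELS = {"app": "web"}
RDS_ONLY = {"spec": {"podSelector": {"matchLabels": {"app": "web"}},
                     "policyTypes": ["Egress"],
                     "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/8"}}],
                                 "ports": [{"protocol": "TCP", "port": 3306}]}]}}
# Corrected policy: same rule plus egress to the cluster DNS resolver (assumed ClusterIP 172.16.0.10).
WITH_DNS = {"spec": {**RDS_ONLY["spec"], "egress": RDS_ONLY["spec"]["egress"] + [
    {"to": [{"ipBlock": {"cidr": "172.16.0.10/32"}}],
     "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]}}

if __name__ == "__main__":
    for name, pol in (("rds-only", RDS_ONLY), ("with-dns", WITH_DNS)):
        print(name, "RDS:", egress_allowed([pol], POD_LABELS, "10.0.5.20", 3306),
              "DNS:", egress_allowed([pol], POD_LABELS, "172.16.0.10", 53, "UDP"))
```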
Configure the destination
The configuration required at the destination varies depending on what the pod is trying to reach.
Access the Internet
Two methods are available for pod Internet access.
| Method | When to use | Public IP address | Reference |
|---|---|---|---|
| Use an Internet NAT gateway | Multiple pods | The Elastic IP Address (EIP) associated with the Internet NAT gateway | Enable Internet access for an ACS cluster |
| Associate an EIP with the pod | A single pod | The EIP associated with the pod | Mount an independent EIP for pods |
Access cloud resources in the same VPC
Destination resources such as ECS instances, ApsaraDB RDS instances, and OSS buckets may have access control rules—security groups, network Access Control Lists (ACLs), or whitelists—that block traffic from pod IP addresses. If a pod cannot reach a resource in the cluster VPC, check the access control configuration on the destination resource and add a rule to allow inbound traffic from the pod's IP address.
Access a LoadBalancer Service
Traffic originating inside a cluster cannot reach the cluster's own LoadBalancer Services, regardless of whether the Service uses a public or private address. To resolve this, modify the external traffic policy of the target Service. For more information, see What can I do if the cluster cannot access the IP address of the SLB instance exposed by the LoadBalancer Service.