You can create pods to access resources deployed in VPCs, including ECS instances, ApsaraDB RDS instances, OSS buckets, and SLB instances. You can also enable Internet access for pods. This topic describes how to configure the source and destination to allow a pod to access an external network.
Configure the source (on the pod side)
Configure DNS resolution
When a pod accesses an external network, the pod uses the domain name resolution feature provided by the cluster to resolve the destination address. Then, the pod accesses the destination over the pod network. If the domain name cannot be resolved, you need to troubleshoot the DNS resolution error.
Configure a network policy
Check whether a network policy is configured for the namespace to which the pod belongs, and whether that policy blocks the pod from reaching the destination IP address and port. If such a policy exists, modify it so that the required egress is allowed. For more information, see Use network policies in ACS clusters.
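The following manifest is an added example and is not part of the original page or the ACS product documentation. It shows the kind of egress policy that the check above is looking for: once a pod is selected by any NetworkPolicy whose policyTypes include Egress, every destination not listed in an egress rule is denied, so a policy that was written to restrict traffic must explicitly list both the destination and cluster DNS. The namespace "demo", the pod label app=web, the destination range 192.168.10.0/24 on TCP port 3306, and the CoreDNS label k8s-app=kube-dns in kube-system are assumed values; verify the DNS pod labels in your own cluster before applying it.

```yaml
# Added example (not from the original page). Assumed values: namespace "demo",
# pod label app=web, destination 192.168.10.0/24 on TCP 3306 (a constructed
# address), and CoreDNS pods in kube-system labelled k8s-app=kube-dns.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-egress
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Egress
  egress:
    # Rule 1: keep cluster DNS reachable. A policy that has an egress section
    # but no rule for port 53 makes name resolution (the "Configure DNS
    # resolution" step) fail before any connection to the destination is tried.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Rule 2: the destination the pod must reach. Both the address range and
    # the port must match; a rule that lists the CIDR but omits the port list
    # allows all ports, while a rule with a different port denies this one.
    - to:
        - ipBlock:
            cidr: 192.168.10.0/24
      ports:
        - protocol: TCP
          port: 3306
```

To perform the check the section describes, list the policies in the pod's namespace with `kubectl get networkpolicy -n demo` and inspect each one with `kubectl describe networkpolicy <name> -n demo`: confirm whether its podSelector matches the pod's labels, whether Egress appears in policyTypes, and whether any egress rule covers the destination IP address and port. If no policy selects the pod for egress, Kubernetes allows all outbound traffic and the network policy is not the cause of the connectivity issue.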
Configure security groups
Check whether the security groups of the cluster and pod allow the pod to access the destination IP address. Make sure that the security group rules meet the following requirements:
Security group rules are created to allow the pod to access the destination IP address and port in the outbound direction.
No security group rules are created to forbid the pod from accessing the destination IP address and port in the outbound direction.
Configure the destination (on the destination side)
Pods can access resources deployed in VPCs and the Internet. The configuration required on the destination side varies with the type of destination.
Access the Internet
| Method | Scenario | Public IP address used to access the Internet | Reference |
| --- | --- | --- | --- |
| Use an Internet NAT gateway to access the Internet | Multiple pods | The IP address of the EIP associated with the Internet NAT gateway | |
| Associate an EIP with the pod | A single pod | The IP address of the EIP associated with the pod | |
Access other cloud resources deployed in the same VPC
The access control rules of the destination, such as security groups, network ACLs, and whitelists, may limit a pod from accessing other cloud resources, such as ECS instances, ApsaraDB RDS instances, and OSS buckets, in the VPC of the cluster. If the access control rules block the IP address of the pod, a connectivity issue occurs. In this case, you need to modify the access control rules to allow access from the IP address of the pod.
Access a LoadBalancer Service
Access from within a cluster to LoadBalancer Services exposed by the cluster is blocked, regardless of whether the addresses of the Services are public or private. To resolve this issue, you need to modify the external traffic policy of the Service to be accessed. For more information, see What Can I Do if the Cluster Cannot Access the IP Address of the SLB Instance Exposed by the LoadBalancer Service.
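The following Service manifest is an added example and is not part of the original page or the linked FAQ. It assumes that the "external traffic policy" referred to above is the standard Kubernetes `externalTrafficPolicy` field, and that setting it to `Cluster` (the Kubernetes default) is the change that restores in-cluster access to the SLB address; that reading is an assumption drawn from Kubernetes behaviour, not a statement on this page. The Service name "web-lb", the namespace "demo", and the pod label app=web are assumed values.

```yaml
# Added example (not from the original page). Assumed names: Service "web-lb"
# in namespace "demo", selecting pods labelled app=web.
apiVersion: v1
kind: Service
metadata:
  name: web-lb
  namespace: demo
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
      protocol: TCP
  # "Local" delivers traffic only on nodes that run a backend pod and preserves
  # the client source IP; it is the value to look for when pods inside the
  # cluster cannot reach the SLB address. "Cluster" (the Kubernetes default)
  # lets every node forward to any backend, at the cost of SNAT on the source
  # IP.
  externalTrafficPolicy: Cluster
```

The field can be changed in place with `kubectl patch svc web-lb -n demo -p '{"spec":{"externalTrafficPolicy":"Cluster"}}'`. One caveat a defender should keep in mind: with `Cluster`, the backend pods see a node address rather than the original client address, so any source-IP allowlist enforced by the backend (the access control rules discussed under "Access other cloud resources deployed in the same VPC") must be reviewed, since it would otherwise either block legitimate clients or admit every node in the cluster.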