ACS cluster Internet access - Container Compute Service - Alibaba Cloud Documentation Center

Source Network Address Translation (SNAT) can translate IP addresses for cloud resources that want to access the Internet but do not have public IP addresses in a virtual private cloud (VPC). If SNAT is disabled when you create an Alibaba Cloud Container Compute Service (ACS) cluster, you can manually configure SNAT to enable Internet access for the cluster. This way, the pods in the cluster can access the Internet.

Background information

An Internet NAT gateway is a network address translation service that provides the SNAT and DNAT features. For more information, see What is an Internet NAT gateway? and Billing of Internet NAT gateways.

By default, ACS clusters cannot access the Internet. If pods in an ACS cluster need to access the Internet to pull images, you can create an Internet NAT gateway in the VPC of the cluster and configure an SNAT entry. This way, all pods in the cluster can access the Internet.

Note

If only one pod needs to access the Internet, you can associate an elastic IP address (EIP) with the pod. For more information, see Mount an independent EIP for pods.

Procedure

The following figure shows the steps for configuring SNAT to enable Internet access for an existing cluster.

Note

If you select Configure SNAT for VPC in the Network Settings section when configuring an ACS cluster, the system automatically configures SNAT for the cluster.

Log on to the NAT Gateway console.
Creates a NAT gateway.
1. Click Create Internet NAT Gateway.
2. On the page that appears, configure the NAT gateway parameters and click Buy Now.
  For more information, see Create and manage an Internet NAT gateway.
Associate an EIP with the NAT gateway.
If you selected Select EIP or Purchase EIP when you create the NAT gateway, skip this step. The system has already associated an EIP with the NAT gateway.
1. On the Internet NAT Gateway page, find the NAT gateway that you created and click Associate Now in the EIP column.
2. In the dialog box that appears, configure the EIP and click OK.

Create an SNAT entry.

On the Internet NAT Gateway page, click the ID of the NAT gateway that you want to manage.
On the SNAT tab, click Create SNAT Entry.

Configure the parameters and click OK.

The following table describes the parameters. For more information, see Create and manage SNAT entries.

Parameter	Description
SNAT Entry	Select an access mode based on factors such as the network conditions and security requirement. We recommend that you select Specify vSwitch.
Select vSwitch	If you select Specify vSwitch for the SNAT Entry parameter, you must specify the vSwitch used by the cluster. On the Cluster Information page of the ACS cluster, you can view the ID of the vSwitch on the Basic Information tab.
Select EIP	Select the EIP that is associated with the NAT gateway.

Confirm the configuration of the NAT gateway.
1. Make sure that the NAT gateway and ACS cluster reside in the same VPC and an EIP is associated with the NAT gateway.
2. Make sure that the SNAT entry is associated with the vSwitch used by the cluster.

Verify the result

Method 1: Create a pod using an image pulled over the Internet. Check whether the image can be pulled and the pod can be created.
Example:
Method 2: Log on to a pod in the cluster and run the ping command to access a public domain name. Verify that the domain name is accessible and no packets are lost.
Example: