Accessing Public Networks from a Container
Containers can access public networks in either of the following ways:
- Bind a public IP address to the node where the container is located if the network model is VPC network or tunnel network.
- Bind a public IP address to the pod IP address if the network model is Cloud Native Network 2.0.
- Configure SNAT rules through NAT Gateway.
You can use NAT Gateway to enable container pods in a VPC to access public networks. NAT Gateway provides source network address translation (SNAT), which translates private IP addresses to a public IP address by binding an elastic IP address (EIP) to the gateway, providing secure and efficient access to the Internet. Figure 1 shows the SNAT architecture. The SNAT function allows the container pods in a VPC to access the Internet without being bound to an EIP. SNAT supports a large number of concurrent connections, which makes it suitable for applications involving a large number of requests and connections.
To enable a container pod to access the Internet, perform the following steps:
- Buy an EIP.
  - Log in to the management console.
  - Click the icon in the upper left corner of the management console and select a region and a project.
  - Click the icon in the upper left corner and choose Network > Elastic IP in the expanded list.
  - On the EIPs page, click Buy EIP.
  - Set parameters as required. Set Region to the region where the container pods are located.
Figure 2 Buying an elastic IP address
- Buy a NAT gateway. For details, see Buying a NAT Gateway.
  - Log in to the management console.
  - Click the icon in the upper left corner of the management console and select a region and a project.
  - Click the icon in the upper left corner and choose Network > NAT Gateway in the expanded list.
  - On the displayed page, click Buy NAT Gateway.
  - Set parameters as required. Select the same VPC as the cluster.
Figure 3 Buying a NAT gateway
- Configure an SNAT rule and bind the EIP to the subnet. For details, see Adding an SNAT Rule.
  - Log in to the management console.
  - Click the icon in the upper left corner of the management console and select a region and a project.
  - Click the icon in the upper left corner and choose Network > NAT Gateway in the expanded list.
  - On the page displayed, click the name of the NAT gateway for which you want to add the SNAT rule.
  - On the SNAT Rules tab page, click Add SNAT Rule.
  - Set parameters as required.
    SNAT rules take effect by CIDR block. Because the container network models use different communication modes, select the subnet according to the following rules:
    - Tunnel network and VPC network: Select the subnet where the node is located, that is, the subnet selected during node creation.
    - Cloud Native Network 2.0: Select the subnet where the container is located, that is, the container subnet selected during cluster creation.
    If there are multiple CIDR blocks, you can create multiple SNAT rules or customize a single CIDR block, as long as that CIDR block contains the container subnet (Cloud Native Network 2.0) or the node subnet (tunnel network and VPC network).
Figure 4 Adding an SNAT rule
After the SNAT rule is configured, workloads can access public networks from the container. Public networks can be pinged from the container.
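The subnet-selection rule above is easy to get wrong when a cluster spans several subnets. The following check, added here as an example and not part of the CCE documentation or any CCE tool, decides which subnets an SNAT rule must cover for a given network model, reports egress subnets that no configured rule contains, and computes the smallest single custom CIDR block that would cover them all. The model names, subnet values and function names are constructed for illustration.

```python
"""Validate SNAT rule coverage for CCE pod egress (added example, constructed values)."""
import ipaddress
from typing import Iterable, List

# Which subnet carries pod egress depends on the container network model:
# tunnel/VPC networks SNAT from the node subnet, Cloud Native Network 2.0 from the container subnet.
NODE_SUBNET_MODELS = {"tunnel", "vpc"}
CONTAINER_SUBNET_MODELS = {"cloud-native-2.0"}


def egress_subnets(model: str, node_subnets: Iterable[str],
                   container_subnets: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Return the subnets an SNAT rule must contain for this network model."""
    if model in NODE_SUBNET_MODELS:
        chosen = node_subnets
    elif model in CONTAINER_SUBNET_MODELS:
        chosen = container_subnets
    else:
        raise ValueError(f"unknown container network model: {model}")
    # strict=True rejects a CIDR whose host bits are set (a typical copy/paste mistake).
    return [ipaddress.ip_network(s, strict=True) for s in chosen]


def uncovered_subnets(rule_cidrs: Iterable[str], model: str, node_subnets: Iterable[str],
                      container_subnets: Iterable[str]) -> List[str]:
    """Return the egress subnets that no configured SNAT rule CIDR block contains."""
    rules = [ipaddress.ip_network(c, strict=True) for c in rule_cidrs]
    return [str(s) for s in egress_subnets(model, node_subnets, container_subnets)
            if not any(s.subnet_of(r) for r in rules)]


def custom_cidr_for(model: str, node_subnets: Iterable[str],
                    container_subnets: Iterable[str]) -> str:
    """Smallest single CIDR block containing every egress subnet (one rule instead of many).

    Widen the first subnet one prefix bit at a time until all subnets fit inside it.
    """
    subnets = egress_subnets(model, node_subnets, container_subnets)
    candidate = subnets[0]
    while not all(s.subnet_of(candidate) for s in subnets):
        candidate = candidate.supernet()
    return str(candidate)


if __name__ == "__main__":
    nodes = ["192.168.0.0/24", "192.168.1.0/24"]   # constructed node subnets
    pods = ["10.0.0.0/16"]                          # constructed container subnet
    print(uncovered_subnets(["192.168.0.0/24"], "vpc", nodes, pods))
    print(custom_cidr_for("vpc", nodes, pods))
```

The aggregate returned by custom_cidr_for can be much wider than the subnets it joins, so compare its size with the individual subnets before preferring one custom rule over several per-subnet rules.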