Updated on 2025-07-31 GMT+08:00

Accessing the Public Network from a Container

You can use NAT Gateway to enable the pods in a VPC to access public networks. NAT Gateway provides source network address translation (SNAT), which translates private IP addresses to an EIP bound to the gateway, providing secure and efficient access to the Internet. Figure 1 shows the SNAT architecture. SNAT allows the pods in a VPC to access the Internet without having an EIP bound. SNAT supports a large number of concurrent connections, which makes it suitable for applications that need to handle a large number of requests.

Figure 1 SNAT

Procedure

To enable a container pod to access the Internet, perform the following steps:

  1. Assign an EIP.

    1. Log in to the EIP console.
    2. On the EIPs page, click Buy EIP.
    3. Configure the parameters as prompted.

      Set Region to the region where container pods are located.

    Figure 2 Buying an elastic IP address

  2. Create a NAT gateway. For details, see Buying a Public NAT Gateway.

    1. Log in to the NAT Gateway console.
    2. On the displayed page, click Buy Public NAT Gateway in the upper right corner.
    3. Configure the parameters as prompted.

      Select the same VPC.

      Figure 3 Buying a NAT gateway

  3. Configure an SNAT rule and bind the EIP to the subnet. For details, see Adding an SNAT Rule.

    1. Log in to the NAT Gateway console.
    2. On the displayed page, click the name of the NAT gateway for which you want to add the SNAT rule.
    3. On the SNAT Rules tab, click Add SNAT Rule.
    4. Configure the parameters as prompted.

    SNAT rules take effect by network segment. Set Subnet to the subnet where the pods are located.

    If there are multiple network segments, you can create multiple SNAT rules or select a user-defined network segment as long as the network segment contains the subnet where the pods are located.

    Figure 4 Adding an SNAT rule

    After the SNAT rule is configured, workloads can access public networks from the container. Public networks can be pinged from the container.
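The coverage condition in step 3 (every pod subnet must fall inside the network segment of an SNAT rule) can be checked offline before relying on egress. The following is an added example, not part of the original guide or any Huawei Cloud tooling; the function names and all CIDR values are constructed for illustration. It goes slightly beyond the text by merging adjacent rule segments and reporting the exact pod address ranges that no rule covers.

```python
import ipaddress


def uncovered_ranges(pod_subnet, snat_cidrs):
    """Return the parts of pod_subnet (as CIDR strings) that no SNAT rule covers.

    pod_subnet -- CIDR of a subnet where pods are located (constructed input)
    snat_cidrs -- CIDRs of the configured SNAT rules (constructed input)
    """
    remaining = [ipaddress.ip_network(pod_subnet)]
    # Merge adjacent or nested rule segments so two /25 rules count as one /24.
    rules = ipaddress.collapse_addresses(
        [ipaddress.ip_network(c) for c in snat_cidrs]
    )
    for rule in rules:
        still_open = []
        for net in remaining:
            if net.subnet_of(rule):
                continue  # fully covered by this rule
            if rule.subnet_of(net):
                # Rule is narrower than the subnet: keep what is left over.
                still_open.extend(net.address_exclude(rule))
            else:
                still_open.append(net)  # disjoint; CIDRs never partially overlap
        remaining = still_open
    return [str(n) for n in sorted(remaining)]


def audit(pod_subnets, snat_cidrs):
    """Map each pod subnet to its uncovered ranges; an empty list means covered."""
    return {s: uncovered_ranges(s, snat_cidrs) for s in pod_subnets}


if __name__ == "__main__":
    # Constructed sample: two pod subnets, one subnet-level rule and one
    # user-defined segment that is narrower than the second pod subnet.
    pods = ["10.0.0.0/24", "10.0.1.0/24"]
    rules = ["10.0.0.0/24", "10.0.1.0/26"]
    for subnet, gaps in audit(pods, rules).items():
        status = "covered" if not gaps else "no SNAT for " + ", ".join(gaps)
        print(f"{subnet}: {status}")
```

Pods whose addresses fall in a reported gap have no matching SNAT rule and will not reach public networks through the NAT gateway.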