DNAT

Updated on 2024-01-04 GMT+08:00

Scenario

A destination network address translation (DNAT) gateway sits between the cluster nodes and the public network and is assigned an EIP. For each inbound request from the public network, the NAT gateway rewrites the destination address from the EIP to a cluster-internal address. To users of the workload it appears as if all nodes running the workload share the same EIP.

DNAT is more reliable than exposing a workload through an EIP bound to a NodePort: there the EIP is bound to a single node, and if that node goes down, no inbound request reaches the workload. The access address has the format <EIP>:<access port>, for example, 10.117.117.117:80.

Figure 1 DNAT

Constraints

Observe the following constraints when using the NAT Gateway service:

  • DNAT rules do not support enterprise project authorization.
  • Containers in the cluster cannot access a DNAT Service whose externalTrafficPolicy is Local.
  • Multiple rules of one NAT gateway can share an EIP, but rules of different NAT gateways must use different EIPs.
  • Each VPC can have only one NAT gateway.
  • Users cannot manually add the default route in a VPC.
  • Only one SNAT rule can be added to a subnet in a VPC.
  • SNAT and DNAT rules serve different functions. If an SNAT rule and a DNAT rule use the same EIP, they compete for it. An SNAT rule cannot share an EIP with a DNAT rule whose Port Type is set to All ports.
  • DNAT rules cannot bind an EIP to a virtual IP address.
  • If both an EIP and a NAT gateway are configured for a server, traffic is forwarded through the EIP.
  • The custom CIDR block must be a subset of the VPC subnet CIDR blocks.
  • The custom CIDR block must be a Direct Connect CIDR block and must not conflict with the VPC's existing subnet CIDR blocks.
  • When you perform operations on the underlying resources of an ECS, for example, changing its specifications, the configured NAT gateway rules become invalid. Delete the rules and configure them again.
  • After a Service is created, switching its affinity from the cluster level to the node level does not clear the connection tracking table. Do not modify the Service affinity after the Service is created; to change it, create the Service again.
  • If the node subnet is associated with a custom route table, add the NAT route to that route table when using a DNAT Service.

Creating a NAT Gateway and an Elastic IP Address

Create a NAT gateway and an elastic IP address (EIP) as follows:

  1. Log in to the management console, choose Networking > NAT Gateway from the service list, and click Buy Public NAT Gateway in the upper right corner.

    NOTE:

    When buying a NAT gateway, ensure that the NAT gateway belongs to the same VPC and subnet as the CCE cluster where the workload is running.

  2. Log in to the management console, choose Networking > Elastic IP from the service list, and click Buy EIP in the upper right corner.

Creating a DNAT Gateway Service

  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. In the navigation pane, choose Services & Ingresses. In the upper right corner, click Create Service.
  3. Set related parameters.

    • Service Name: Specify a Service name, which can be the same as the workload name.
    • Service Type: Select DNAT.
    • Namespace: Namespace to which the workload belongs.
    • Service Affinity: For details, see externalTrafficPolicy (Service Affinity).
      • Cluster level: The Service is reachable through the IP address and access port of every node in the cluster. Traffic may be forwarded to a node on which the workload is not running, which costs performance for the extra hop and hides the client source IP address from the workload.
      • Node level: Only the IP address and access port of a node on which the workload is running can be used to access the workload. There is no extra forwarding hop, and the workload sees the client source IP address.
    • Selector: Add a label and click Confirm. A Service selects a pod based on the added label. You can also click Reference Workload Label to reference the label of an existing workload. In the dialog box that is displayed, select a workload and click OK.
    • DNAT: Select the DNAT gateway and EIP created in Creating a NAT Gateway and an Elastic IP Address.
    • Port
      • Protocol: protocol used by the Service.
      • Container Port: port on which the workload listens. The Nginx workload listens on port 80.
      • Service Port: a port mapped to the container port at the cluster-internal IP address. The workload can be accessed at <cluster-internal IP address>:<access port>. The port number range is 1–65535.

  4. Click OK.

Setting the Access Type Using kubectl

You can set the Service when creating a workload using kubectl. This section uses an Nginx workload as an example to describe how to expose a workload through a DNAT Service using kubectl.

  1. Use kubectl to connect to the cluster. For details, see Connecting to a Cluster Using kubectl.
  2. Create and edit the nginx-deployment.yaml and nginx-nat-svc.yaml files.

    The file names are user-defined. nginx-deployment.yaml and nginx-nat-svc.yaml are merely example file names.

    vi nginx-deployment.yaml

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: nginx
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
          - image: nginx:latest
            name: nginx
          imagePullSecrets:
          - name: default-secret

    For descriptions of the preceding fields, see Table 1.

    vi nginx-nat-svc.yaml

    apiVersion: v1
    kind: Service
    metadata:
      name: nginx
      annotations:
        kubernetes.io/elb.class: dnat
        kubernetes.io/natgateway.id: e4a1cfcf-29df-4ab8-a4ea-c05dc860f554
    spec:
      loadBalancerIP: 10.78.42.242
      ports:
      - name: service0
        port: 80
        protocol: TCP
        targetPort: 80
      selector:
        app: nginx
      type: LoadBalancer

    Table 1 Key parameters

    Parameter                    Mandatory  Type     Description
    kubernetes.io/elb.class      Yes        String   Set to dnat so that CCE works with the NAT gateway and adds the DNAT rules.
    kubernetes.io/natgateway.id  Yes        String   ID of the NAT gateway.
    loadBalancerIP               Yes        String   Address of the EIP bound to the NAT gateway (10.78.42.242 in the example).
    port                         Yes        Integer  Access port (Service Port on the console). The value ranges from 1 to 65535.
    targetPort                   Yes        Integer  Container port (Container Port on the console). The value ranges from 1 to 65535.
    type                         Yes        String   Must be LoadBalancer for a DNAT Service.

  3. Create a workload.

    kubectl create -f nginx-deployment.yaml

    If information similar to the following is displayed, the workload is being created.

    deployment "nginx" created

    kubectl get po

    If information similar to the following is displayed, the workload is running.

    NAME                     READY     STATUS             RESTARTS   AGE
    nginx-2601814895-sf71t   1/1       Running            0          8s

  4. Create a Service.

    kubectl create -f nginx-nat-svc.yaml

    If information similar to the following is displayed, the Service has been created.

    service "nginx" created

    kubectl get svc

    If information similar to the following is displayed, with the EIP under EXTERNAL-IP, the Service has been set up successfully and the workload is accessible.

    NAME         TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)        AGE
    kubernetes   ClusterIP      10.247.0.1     <none>         443/TCP        3d
    nginx        LoadBalancer   10.247.226.2   10.78.42.242   80:30589/TCP   5s

  5. In the address bar of your browser, enter 10.78.42.242:80 and press Enter.

    In this example, 10.78.42.242 is the EIP bound to the NAT gateway (shown under EXTERNAL-IP in the previous step) and 80 is the Service port.
