Updated on 2025-04-08 GMT+08:00

Network Management

How Do I View the VPC CIDR Block?

On the home page of the VPC console, view the Name and IPv4 CIDR Block of each VPC. You can modify the CIDR block of a VPC or create a new one.

Figure 1 Viewing the VPC CIDR blocks

Does CCI Support Load Balancing?

CCI supports load balancing. When creating a workload on the CCI console, you can choose to use ELB for access over either the private network or the public network. For details, see Workload Access Through a Private Network Load Balancer.

CCI works with ELB for load balancing. Generally, load balancers are used to route the traffic from the public network to pods.

After creating a workload on CCI, you can create a Service and configure a load balancer for private or public network access.

  1. Public network load balancer: For details, see Public Network Access.
  2. Private network load balancer: For details, see Private Network Access.

How Do I Access a Container from a Public Network?

Load balancers can be used to route traffic to pods. If a load balancer has an EIP bound, the pods can be accessed from the public network. For details, see Public Network Access.

How Do I Access the Public Network from a Container?

To access the public network from a container, you need to bind an EIP to the workload. The following is an example YAML file:

    apiVersion: cci/v2
    kind: Pod
    metadata:
      labels:
        app: nginx
      name: 'nginx'
      annotations:
        yangtse.io/pod-with-eip: 'true'
    spec:
      containers:
        - image: xxxxxx
          name: container-0
          resources:
            requests:
              cpu: 500m
              memory: 1Gi

After the workload runs normally, you can access the public network from the container.

What Do I Do If Access to a Workload from a Public Network Fails?

  1. A workload must be in the running state before it can be accessed from a public network. If the workload is abnormal or not ready, it cannot be accessed from a public network.
  2. It may take one to three minutes from the time when the workload is created to the time when it is ready for access from the public network. During this time period, network routes have not yet been configured. As a result, the workload cannot be accessed from the public network.
  3. If a workload is inaccessible three minutes after it is created, a possible cause is that nothing is listening on the container port. Use the image to check whether the container port is being listened on. If it is, the access failure may be caused by the load balancer. In this case, check the load balancer.

What Do I Do If 504 Is Returned When I Access a Workload?

This is because security group rules do not allow traffic to the pods running in CCI over the listener's port of the load balancer. Check the security group associated with the pods and ensure that security group rules allow traffic to the pods running in CCI over the listener's port of the load balancer.

  1. Query the security group associated with the pods by calling the API for querying a network. The spec.securityGroups field in the response contains the security group ID.
    {
        "apiVersion": "yangtse/v2",
        "kind": "Network",
        "metadata": {
            "annotations": {
                "yangtse.io/domain-id": "51ed88507a244b6eb36270c0250fcc96",
                "yangtse.io/project-id": "a81f079abca74e83b47af9a586048b24",
                "yangtse.io/warm-pool-recycle-interval": "24",
                "yangtse.io/warm-pool-size": "10"
            },
            "creationTimestamp": "2024-12-10T09:12:06Z",
            "finalizers": [
                "yangtse.io/network-cleanup"
            ],
            "name": "test-namespace-default-network",
            "namespace": "a81f079abca74e83b47af9a586048b24_test-namespace",
            "resourceVersion": "25163956",
            "uid": "13000c31-2f1d-4f49-9476-569d96b75a48"
        },
        "spec": {
            "networkType": "underlay_neutron",
            "securityGroups": [
                "00c1fd2c-1b3d-4d9d-85e3-7545ef553294",
                "0161da2b-81d6-4dc3-a94d-35ec1b6c486a"
            ],
            "subnets": [
                {
                    "subnetID": "14722cef-0ebd-4906-ba3f-46a91840ac2d"
                }
            ]
        }
    }
  2. Log in to the Network Console and search for the security group using the obtained security group ID.

  3. Click the security group name and add the inbound rules shown in the following figure.

    If UDP is used to access the workload from the public network, a rule must be added to allow the ICMP traffic, which is generated by health checks.
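
The check from the steps above, as an added example that is not part of the CCI documentation or its tooling: it reads spec.securityGroups from a Network response and reports which inbound rules are still missing for a given listener, including the ICMP rule needed for UDP access. The rule records and their field names (direction, protocol, port_min, port_max) are constructed for this example and are an assumed, simplified shape, not the VPC API schema; rules from all attached groups are evaluated together.

```python
import json

# Constructed sample: the Network query response above, trimmed to the fields used here.
NETWORK = json.loads("""
{"kind": "Network",
 "spec": {"securityGroups": ["00c1fd2c-1b3d-4d9d-85e3-7545ef553294",
                             "0161da2b-81d6-4dc3-a94d-35ec1b6c486a"]}}
""")

# Constructed inbound rules per security group. The field names are a simplified,
# assumed shape for this example, not the schema of the VPC API.
RULES = {
    "00c1fd2c-1b3d-4d9d-85e3-7545ef553294": [
        {"direction": "ingress", "protocol": "tcp", "port_min": 80, "port_max": 80},
    ],
    "0161da2b-81d6-4dc3-a94d-35ec1b6c486a": [
        {"direction": "ingress", "protocol": "udp", "port_min": 5000, "port_max": 5100},
        {"direction": "egress", "protocol": "icmp", "port_min": None, "port_max": None},
    ],
}

def security_group_ids(network):
    """Return the IDs listed under spec.securityGroups (empty list if absent)."""
    return network.get("spec", {}).get("securityGroups", [])

def rule_allows(rule, protocol, port):
    """True if an inbound rule admits this protocol and port (port is None for ICMP)."""
    if rule["direction"] != "ingress" or rule["protocol"] != protocol:
        return False
    if port is None or rule["port_min"] is None:   # ICMP, or a rule covering all ports
        return True
    return rule["port_min"] <= port <= rule["port_max"]

def missing_rules(network, rules_by_group, protocol, listener_port):
    """List the (protocol, port) pairs that no attached security group allows inbound."""
    needed = [(protocol, listener_port)]
    if protocol == "udp":
        needed.append(("icmp", None))   # health checks for UDP access generate ICMP
    rules = [r for sg in security_group_ids(network) for r in rules_by_group.get(sg, [])]
    return [n for n in needed if not any(rule_allows(r, *n) for r in rules)]

if __name__ == "__main__":
    for proto, port in [("tcp", 80), ("tcp", 8080), ("udp", 5000)]:
        print(proto, port, "missing:", missing_rules(NETWORK, RULES, proto, port))
```

An empty result means the listener's port is already allowed inbound; any pair returned is a rule to add in step 3.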

What Do I Do If the Connection Timed Out?

Symptom

Pods can be created, but the message "[Errno 110] Connection timed out" is displayed when the Python Django SMTP service is used to send emails.

Possible cause

  • Only a load balancer was purchased, and no EIPs were purchased. Therefore, containers can be accessed from the external network but cannot access it. Containers can access the external network after you purchase an EIP for the workload.
  • To secure the network environment, sending messages over port 25 is prohibited.

Solutions

  • Method 1: Configure an EIP for the workload. The following is an example YAML file:
    apiVersion: cci/v2
    kind: Pod
    metadata:
      labels:
        app: nginx
      name: 'nginx'
      annotations:
        yangtse.io/pod-with-eip: 'true'
    spec:
      containers:
        - image: xxxxxx
          name: container-0
          resources:
            requests:
              cpu: 500m
              memory: 1Gi
  • Method 2: Contact technical support to allow port 25 for the new EIP.