Updated on 2024-12-18 GMT+08:00

Accessing Public Networks from a Container

You can use NAT Gateway to enable the pods in a VPC to access public networks. NAT Gateway provides source network address translation (SNAT), which translates private IP addresses to an EIP bound to the gateway, providing secure and efficient access to the Internet. Figure 1 shows the SNAT architecture. SNAT allows the pods in a VPC to access the Internet without having an EIP bound. SNAT supports a large number of concurrent connections, which makes it suitable for applications that need to handle a large number of requests.

Figure 1 SNAT

Procedure

To enable a container pod to access the Internet, perform the following steps:

  1. Assign an EIP.

    1. Log in to the management console.
    2. In the upper left corner of the management console, select a region and a project.
    3. At the upper left corner, expand the list and choose Networking > Elastic IP.
    4. On the EIPs page, click Buy EIP.
    5. Configure the parameters as required.

      Set Region to the region where container pods are located.

    Figure 2 Buying an elastic IP address

  2. Create a NAT gateway. For details, see Buying a Public NAT Gateway.

    1. Log in to the management console.
    2. In the upper left corner of the management console, select a region and a project.
    3. At the upper left corner, expand the list and choose Networking > NAT Gateway.
    4. On the displayed page, click Buy Public NAT Gateway in the upper right corner.
    5. Configure the parameters as required.

      Select the same VPC.

      Figure 3 Buying a NAT gateway

  3. Configure an SNAT rule and bind the EIP to the subnet. For details, see Adding an SNAT Rule.

    1. Log in to the management console.
    2. In the upper left corner of the management console, select a region and a project.
    3. At the upper left corner, expand the list and choose Networking > NAT Gateway.
    4. On the page displayed, click the name of the NAT gateway for which you want to add the SNAT rule.
    5. On the SNAT Rules tab, click Add SNAT Rule.
    6. Configure the parameters as required.

    SNAT rules take effect by network segment. Set Subnet to the subnet where the pods are located.

    If there are multiple network segments, you can create multiple SNAT rules or select a user-defined network segment as long as the network segment contains the subnet where the pods are located.

    Figure 4 Adding an SNAT rule

    After the SNAT rule is configured, workloads can access public networks from the container. Public networks can be pinged from the container.
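
    Because SNAT rules apply per network segment, a rule's segment decides both which pod subnets get egress and which other subnets get it unintentionally. The following check is an added example, not part of the original guide or any Huawei Cloud tooling; the subnet names and CIDRs are constructed, and it assumes IPv4 CIDRs copied from the console.

```python
import ipaddress

def uncovered(subnet, snat_cidrs):
    """Return the parts of `subnet` that no SNAT rule segment covers."""
    remaining = [ipaddress.ip_network(subnet)]
    for cidr in snat_cidrs:
        rule = ipaddress.ip_network(cidr)
        nxt = []
        for net in remaining:
            if net.subnet_of(rule):
                continue                                # fully covered by this rule
            if rule.subnet_of(net):
                nxt.extend(net.address_exclude(rule))   # rule covers only a slice
            else:
                nxt.append(net)                         # disjoint from this rule
        remaining = nxt
    return sorted(remaining)

def audit(vpc_subnets, pod_subnets, snat_cidrs):
    """vpc_subnets: name -> CIDR; pod_subnets: names of subnets hosting pods."""
    rules = [ipaddress.ip_network(c) for c in snat_cidrs]
    report = {"no_egress": {}, "unintended_egress": []}
    for name, cidr in vpc_subnets.items():
        if name in pod_subnets:
            gaps = uncovered(cidr, snat_cidrs)
            if gaps:  # pods in these ranges cannot reach public networks
                report["no_egress"][name] = [str(g) for g in gaps]
        elif any(ipaddress.ip_network(cidr).overlaps(r) for r in rules):
            # A user-defined segment wider than the pod subnets also gives
            # this non-pod subnet a path to the Internet.
            report["unintended_egress"].append(name)
    return report

# Constructed sample data (hypothetical names and ranges).
VPC_SUBNETS = {
    "pods-a": "192.168.0.0/24",
    "db": "192.168.1.0/24",
    "pods-b": "192.168.2.0/23",
}
POD_SUBNETS = {"pods-a", "pods-b"}
SNAT_RULES = ["192.168.0.0/23", "192.168.2.0/24"]  # first is a user-defined segment

if __name__ == "__main__":
    print(audit(VPC_SUBNETS, POD_SUBNETS, SNAT_RULES))
```

    An empty report means every pod subnet is covered and no other listed subnet falls inside an SNAT segment.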