Updated on 2024-08-16 GMT+08:00

Accessing the Internet from a Container

Containers can access the Internet in any of the following ways:

  • Bind an EIP to the node where the container runs. This applies to the VPC network model and the tunnel network model, in which pod traffic leaves the cluster through the node.
  • Bind an EIP to the pod. This applies only to Cloud Native 2.0 clusters: you manually bind an EIP to the pod's ENI or sub-ENI on the VPC console. This method is not recommended, because a pod receives a new IP address (and a new ENI) when it is rescheduled, so the binding is lost and the new pod cannot access the Internet.
  • Configure SNAT rules through NAT Gateway. This is the method described in the rest of this section.

You can use NAT Gateway to enable container pods in a VPC to access the Internet. NAT Gateway provides source network address translation (SNAT): an elastic IP address (EIP) is bound to the gateway, and the private source addresses of outbound packets from the selected CIDR blocks are translated to that EIP. Figure 1 shows the SNAT architecture. With SNAT, pods can reach the Internet without an EIP being bound to each node or pod, and the destination only ever sees the gateway's EIP. SNAT translates connections that are initiated from inside the VPC; it does not make pods reachable from the Internet, which would require a DNAT rule or an EIP on the node. SNAT supports a large number of concurrent connections, which makes it suitable for workloads that open many outbound connections.

Figure 1 SNAT

To enable a container to access the Internet, perform the following steps:

  1. Obtain an EIP. For details, see Assigning an EIP.

    1. Log in to the management console.
    2. Click the icon in the upper left corner of the management console and select a region and a project.
    3. Click the icon in the upper left corner and choose Networking > Elastic IP in the expanded list.
    4. On the EIPs page, click Buy EIP.
    5. Configure parameters as required.

      Set Region to the region where the container pods are located. The EIP, the NAT gateway, and the cluster must all be in the same region.

      Figure 2 Buying an EIP

  2. Create a NAT gateway. For details, see Buying a Public NAT Gateway.

    1. Click the icon in the upper left corner and choose Networking > NAT Gateway in the expanded list.
    2. On the Public Network Gateways page, click Buy Public NAT Gateway in the upper right corner.
    3. Configure parameters as required.

      Set VPC to the VPC that the cluster's nodes belong to. A NAT gateway only translates traffic from the VPC it is created in.

      Figure 3 Buying a NAT gateway

  3. Configure an SNAT rule and bind the EIP to the subnet. For details, see Add an SNAT Rule.

    1. On the page displayed, click the name of the NAT gateway for which you want to add the SNAT rule.
    2. On the SNAT Rules tab page, click Add SNAT Rule.
    3. Set parameters as required.

    SNAT rules take effect per CIDR block: any packet whose source address falls within the rule's CIDR block is translated. Because the container network models differ in where pod traffic leaves the cluster, the subnet must be selected according to the following rule:

    • Tunnel network and VPC network: Select the subnet where the nodes are located, that is, the subnet selected during node creation. In these models, pod traffic is already translated to the node's IP address before it leaves the node, so the NAT gateway sees the node subnet, not the container CIDR block.

    If the nodes span multiple subnets, either create one SNAT rule per node subnet or specify a custom CIDR block that contains all of the node subnets. Keep a custom CIDR block as narrow as possible: every address in it, including other resources in the VPC, gains Internet egress through the EIP.

    Figure 4 Adding an SNAT rule

    After the SNAT rule is configured, workloads can access the Internet from the container; for example, public addresses can be pinged from inside a pod. To confirm that traffic is leaving through the gateway rather than through some other path, have a pod connect to an external host and check that the source address seen by that host is the EIP bound to the NAT gateway.
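    The subnet rule above is easy to get wrong when nodes are spread across several subnets, so the following script checks it before the rule is created. It is an added example, not part of the CCE documentation or any Huawei Cloud tool: it takes the node subnets (as selected during node creation) and the CIDR blocks of the SNAT rules, reports node subnets that no rule covers, and computes the smallest single CIDR block that would cover them all for the tunnel and VPC network models. All CIDR blocks in it are constructed sample data, and the function names are this example's own.

```python
"""Check SNAT rule coverage of CCE node subnets (tunnel/VPC network model).

Added example, not from the CCE documentation or Huawei Cloud tooling.
Assumption: the tunnel or VPC network model is used, so the SNAT rule must
cover the node subnets (pod traffic is already translated to the node IP).
All CIDR blocks below are constructed sample input.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample input: subnets chosen when the nodes were created.
NODE_SUBNETS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.8.0/21"]

# Constructed sample input: CIDR blocks of the SNAT rules on the gateway.
# This rule covers 192.168.0.0/24 and 192.168.1.0/24 but not 192.168.8.0/21.
SNAT_RULE_CIDRS = ["192.168.0.0/23"]


def _networks(cidrs: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    # strict=True rejects values such as 192.168.1.5/24 that are host
    # addresses rather than subnets, which would indicate a copy error.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def uncovered_subnets(node_subnets: Iterable[str],
                      snat_cidrs: Iterable[str]) -> List[str]:
    """Return the node subnets that are not contained in any SNAT rule CIDR.

    A subnet counts as covered only if it lies entirely inside one rule's
    CIDR block; partial overlap would leave some nodes without Internet access.
    """
    nodes = _networks(node_subnets)
    rules = _networks(snat_cidrs)
    return [
        str(n) for n in nodes
        if not any(r.version == n.version and n.subnet_of(r) for r in rules)
    ]


def smallest_covering_cidr(node_subnets: Iterable[str]) -> str:
    """Return the smallest single CIDR block that contains every node subnet.

    Starts from the first subnet and widens the prefix one bit at a time
    until all subnets fit. A narrow block keeps other resources in the VPC
    from gaining Internet egress through the SNAT rule.
    """
    nodes = _networks(node_subnets)
    if len({n.version for n in nodes}) != 1:
        raise ValueError("node subnets must all be IPv4 or all be IPv6")
    covering = nodes[0]
    while not all(n.subnet_of(covering) for n in nodes):
        covering = covering.supernet()
    return str(covering)


if __name__ == "__main__":
    missing = uncovered_subnets(NODE_SUBNETS, SNAT_RULE_CIDRS)
    if missing:
        print("node subnets without an SNAT rule:", ", ".join(missing))
        print("smallest custom CIDR covering all node subnets:",
              smallest_covering_cidr(NODE_SUBNETS))
    else:
        print("every node subnet is covered by an SNAT rule")
```

    With the sample data the script reports that 192.168.8.0/21 is not covered and suggests 192.168.0.0/20 as the smallest custom block. Whether to use that single block or three separate rules is a scoping decision: the /20 also contains 192.168.2.0 to 192.168.7.255, so anything placed there later will also egress through the EIP.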