Public Network Access
Overview
Workloads can be accessed from the public network. For this to work, you need to create a Service of the LoadBalancer type and create a public network load balancer in the same VPC as the workload.
Constraints
- The load balancer must be in the same VPC as the workload.
- You must familiarize yourself with the constraints on EIPs. For details, see EIP Notes and Constraints.
- Only dedicated load balancers are supported, and each load balancer must have an EIP bound.
Creating a Service for an Existing Workload
You can create a Service for a workload after it is created. Creating a Service has no impact on the workload. Once created, the Service can be used by the workload for network access immediately.
- Log in to the CCI 2.0 console.
- In the navigation pane, choose Services. On the right of the page, click Create from YAML.
- Import or add a YAML file.
The following is an example YAML file.
- Resource description in the service.yaml file
    apiVersion: cci/v2
    kind: Service
    metadata:
      name: kubectl-test
      namespace: kubectl
      annotations:
        kubernetes.io/elb.class: elb
        kubernetes.io/elb.id: "1234567890"    # Load balancer ID. Only dedicated load balancers are supported.
    spec:
      selector:
        app: kubectl-test    # Label of the associated workload
      ports:
        - name: service-0
          targetPort: 80     # Container port
          port: 12222        # Access port (load balancer's port for accessing the workload)
          protocol: TCP      # Protocol used to access the workload
      type: LoadBalancer
- Resource description in the service.json file
    {
      "apiVersion": "cci/v2",
      "kind": "Service",
      "metadata": {
        "name": "kubectl-test",
        "namespace": "kubectl",
        "annotations": {
          "kubernetes.io/elb.class": "elb",
          "kubernetes.io/elb.id": "1234567890"
        }
      },
      "spec": {
        "selector": {
          "app": "kubectl-test"
        },
        "ports": [
          {
            "name": "service-0",
            "targetPort": 80,
            "port": 12222,
            "protocol": "TCP"
          }
        ],
        "type": "LoadBalancer"
      }
    }
- Click OK. Access the workload through the load balancer's EIP and port in the format of <EIP-of-the-load-balancer>:<port>.
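A pre-import check for the manifest used in this procedure, as an added example that is not part of the original documentation or the platform's own tooling. It lints the JSON form for the fields this page relies on (Service kind, LoadBalancer type under spec, string-valued load balancer annotations, a workload selector, and an access port from 1 to 65535). The helper name lint_service and the sample load balancer ID are assumptions.

```python
import json

# Constructed sample: the JSON form of the Service on this page (placeholder load balancer ID).
SAMPLE = """
{"apiVersion": "cci/v2", "kind": "Service",
 "metadata": {"name": "kubectl-test", "namespace": "kubectl",
   "annotations": {"kubernetes.io/elb.class": "elb", "kubernetes.io/elb.id": "1234567890"}},
 "spec": {"selector": {"app": "kubectl-test"}, "type": "LoadBalancer",
   "ports": [{"name": "service-0", "targetPort": 80, "port": 12222, "protocol": "TCP"}]}}
"""

def lint_service(manifest):
    """Return a list of problems found in a LoadBalancer Service manifest (hypothetical helper)."""
    problems = []
    meta, spec = manifest.get("metadata", {}), manifest.get("spec", {})
    if manifest.get("kind") != "Service":
        problems.append("kind must be Service")
    if spec.get("type") != "LoadBalancer":
        problems.append("spec.type must be LoadBalancer")
    # Annotation values must be strings; an unquoted numeric ID in YAML parses as an integer.
    annotations = meta.get("annotations") or {}
    for key in ("kubernetes.io/elb.class", "kubernetes.io/elb.id"):
        value = annotations.get(key)
        if not isinstance(value, str) or not value:
            problems.append(f"annotation {key} must be a non-empty string")
    # The selector carries the label of the associated workload, so require it.
    if not spec.get("selector"):
        problems.append("spec.selector must name the workload label")
    ports = spec.get("ports") or []
    if not ports:
        problems.append("spec.ports must list at least one port")
    for i, entry in enumerate(ports):
        number = entry.get("port")
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(number, bool) or not isinstance(number, int) or not 1 <= number <= 65535:
            problems.append(f"spec.ports[{i}].port must be an integer from 1 to 65535")
        if "type" in entry:
            problems.append(f"spec.ports[{i}].type is misplaced; type belongs under spec")
    return problems

if __name__ == "__main__":
    for line in lint_service(json.loads(SAMPLE)) or ["manifest OK"]:
        print(line)
```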
What If a Workload Cannot Be Accessed from the Public Network?
- A workload can only be accessed from the public network when it is in the running state. If your workload is abnormal or not ready, it cannot be accessed from the public network.
- After a workload is created, it may take one to three minutes before it is ready for access from the public network. During this period, the network routes have not yet been configured, so the workload cannot be accessed from the public network.
- If a workload is still inaccessible 3 minutes after it is created and there is no alarm event, a possible cause is that nothing is listening on the container port. Use the image to check whether the container port is being listened on. If it is, the access failure may be caused by the load balancer. In this case, check the load balancer.
Updating a Service
After you add a Service, you can update the access port of the Service.
- Log in to the CCI 2.0 console.
- In the navigation pane, choose Services. On the Services page, select the target namespace, locate the Service and click Edit YAML in the Operation column.
- Only the access port can be modified.
spec.ports[i].port: indicates the access port. The port number ranges from 1 to 65535.
- Click OK. The Service will be updated for the workload.