DNAT

Constraints

• DNAT rules do not support enterprise project authorization.

• Containers in the cluster cannot access the DNAT Service whose externalTrafficPolicy is Local.
• Multiple rules for one NAT gateway can use the same EIP, but the rules for different NAT gateways must use different EIPs.
• Each VPC can have only one NAT gateway.
• Users cannot manually add the default route in a VPC.
• Only one SNAT rule can be added to a subnet in a VPC.
• SNAT and DNAT rules are designed for different functions. If SNAT and DNAT rules use the same EIP, resource preemption will occur. An SNAT rule cannot share an EIP with a DNAT rule with Port Type set to All ports.
• DNAT rules do not support binding an EIP to a virtual IP address.
• When both the EIP and NAT Gateway services are configured for a server, data will be forwarded through the EIP.
• The custom CIDR block must be a subset of the VPC subnet CIDR blocks.
• The custom CIDR block must be a CIDR block of Direct Connect and cannot conflicts with VPC's existing subnet CIDR blocks.
• When you perform operations on underlying resources of an ECS, for example, changing its specifications, the configured NAT gateway rules become invalid. Delete the rules and reconfigure them.
• After a Service is created, if the affinity setting is switched from the cluster level to the node level, the connection tracing table will not be cleared. Do not modify the Service affinity setting after the Service is created. To modify it, create a Service again.
• If the node subnet is associated with a custom route table, add the NAT route to the custom route table when using the DNAT Service.

Preparations: Creating a NAT Gateway and an EIP

1. Log in to the NAT Gateway console and click Buy Public NAT Gateway in the upper right corner.

   After purchasing a NAT gateway, you do not need to add SNAT or DNAT rules.

   Note

   When purchasing a NAT gateway, ensure that the NAT gateway belongs to the same VPC and subnet as the CCE cluster where the workload is running.

2. Log in to the EIP console and click Buy EIP in the upper right corner.

Using the CCE Console

1. Log in to the CCE console and click the cluster name to access the cluster console.
2. In the navigation pane, choose Services & Ingresses. In the upper right corner, click Create Service.
3. Configure DNAT gateway parameters.

   Parameter	Description
   Service Name	Enter a name, which can be the same as the workload name.
   Service Type	Select DNAT.
   Namespace	Select the namespace that the workload belongs to.
   Service Affinity	Whether to route external traffic to a local node or a cluster-wide endpoint. For details, see Service Affinity (externalTrafficPolicy). Cluster-level: The IP addresses and ports of all nodes in a cluster can access the workload associated with the Service. However, accessing the Service may result in a performance decrease due to route redirection, and the client's source IP address may not be obtainable. Node-level: Only the IP address and port of the node where the workload is located can access the workload associated with the Service. Accessing the Service will not result in a performance decrease due to route redirection, and the client's source IP address can be obtained.
   Selector	The Service will be associated with the workload pods based on the label and direct traffic to the pods with this label. You can add a key and value for the pod label and click Confirm. You can also click Reference Workload Label to use the label of an existing workload. In the dialog box displayed, select a workload and click OK.
   DNAT	Select the DNAT gateway and EIP purchased in Preparations: Creating a NAT Gateway and an EIP.
   Port	Protocol: the protocol supported by the Service. Container Port: the listening port of the service containers. The port ranges from 1 to 65535. You need to determine the port based on the container image. For example, the default port of Nginx is 80, and the default port of MySQL is 3306. Service Port: the port used to access the DNAT Service. You can customize the port as required. The port ranges from 1 to 65535.

4. Click OK.

Using kubectl

1. Use kubectl to access the cluster. For details, see Accessing a Cluster Using kubectl.
2. Create and edit the nginx-deployment.yaml file to configure the sample workload. For details, see Creating a Deployment. nginx-deployment.yaml is an example file name. You can rename it as needed.

   vi nginx-deployment.yaml
   
   

   File content:

   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: nginx
   spec:
     replicas: 1
     selector:
       matchLabels:
         app: nginx
     template:
       metadata:
         labels:
           app: nginx
       spec:
         containers:
         - image: nginx:latest
           name: nginx
         imagePullSecrets:
         - name: default-secret
   
   

3. Create and edit the nginx-nat-svc.yaml file to configure Service parameters. nginx-nat-svc.yaml is an example file name. You can rename it as needed.

   vi nginx-nodeport-svc.yaml
   
   

   File content:

   apiVersion: v1 
   kind: Service 
   metadata: 
     name: nginx-nat 
     annotations:
       kubernetes.io/elb.class: dnat
       kubernetes.io/natgateway.id: e4a1cfcf-29df-4ab8-a4ea-c05dc860f554
   spec: 
     loadBalancerIP: 10.78.42.242
     ports: 
     - name: service0 
       port: 80 
       protocol: TCP 
       targetPort: 80 
     selector: 
       app: nginx 
     type: LoadBalancer
   
   

   Table 1 Key parameters

   Parameter	Mandatory	Type	Description
   kubernetes.io/elb.class	Yes	String	This parameter is set to dnat, which is used to access the NAT Gateway service and add DNAT rules. This parameter cannot be modified after the resource is created.
   kubernetes.io/natgateway.id	Yes	String	ID of a NAT gateway. This parameter cannot be modified after the resource is created. How to obtain: On the management console, click Service List and choose Networking > NAT Gateway. Click the name of the target NAT gateway to access its details page. On the Basic Information tab, find and copy the ID.
   loadBalancerIP	Yes	String	Enter the EIP associated with the NAT gateway.
   port	Yes	Integer	The port used to access the DNAT Service. You can customize the port as required. The port ranges from 1 to 65535.
   targetPort	Yes	String	The listening port of the service containers. The port ranges from 1 to 65535. You need to determine the port based on the container image. For example, the default port of Nginx is 80, and the default port of MySQL is 3306.
   type	Yes	String	NAT gateway service type must be set to LoadBalancer.

4. Create a workload.

   kubectl create -f nginx-deployment.yaml
   
   

   If information similar to the following is displayed, the workload has been created:

   deployment/nginx created
   
   

   Check the created workload.

   kubectl get pod
   
   

   If information similar to the following is displayed, the workload is running:

   NAME                     READY     STATUS             RESTARTS   AGE
   nginx-2601814895-znhbr   1/1       Running            0          15s
   
   

5. Create the Service.

   kubectl create -f nginx-nat-svc.yaml
   
   

   If information similar to the following is displayed, the Service is being created:

   service/nginx-nat created
   
   

   Check the created Service.

   kubectl get svc
   
   

   If information similar to the following is displayed, the Service has been created:

   NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE 
   kubernetes   ClusterIP   10.247.0.1       <none>        443/TCP        3d 
   nginx-nat    LoadBalancer 10.247.226.2  **.**.**.**   80:30589/TCP  5s
   
   

6. Enter the URL, which is in the format of <EIP>:<port>, in the address bar of a browser.