          CCE Practice of Accessing Public Network

          Overview

          In some scenarios, the nodes and Pods in a CCE cluster need to access the public network, for example to download and install software and container images from external sources with commands such as yum install, or to reach services that run on the public network. We provide the following two plans to enable the cluster to access the public network. Users can choose between them according to their specific requirements.

          EIP: EIP is the elastic IP service provided by Baidu AI Cloud. It can be bound to CCE nodes, BLB, NAT gateways, and other services to give them an address that can reach the public network.

          NAT gateway: The Baidu AI Cloud NAT gateway connects BCC, DCC, and other instances in a VPC subnet to the public network by translating their private IP addresses into a public IP address.

          Node subnet: When creating a CCE worker node, users select the VPC subnet in which the node is located. The subnet type is general-purpose. Nodes in a general-purpose subnet can bind an EIP directly to access the public network, or can access it through a NAT gateway.

          (Note: Baidu AI Cloud VPC no longer supports creating NAT exclusive subnets. If you use Plan 2 to access the public network, select a general-purpose subnet as the node subnet. Previously created NAT exclusive subnets are not affected and continue to work normally.)

          Plan 1: General-Purpose Subnet + Elastic IP

          Select a general-purpose subnet for the nodes when creating or adding CCE nodes:

          If you cannot tell which subnets are general-purpose from the subnet list, check the device type of the subnet in the VPC console:

          If the VPC contains no suitable general-purpose subnet, create one and select the general-purpose device type.

          If the nodes are in a general-purpose subnet, you can bind EIPs to them directly: purchase and bind an EIP while creating or adding the nodes, or bind one after the nodes have been added to the cluster.

          Once an EIP is bound, the node can access the public network directly.

          Plan 2: NAT Exclusive Subnet + NAT Gateway

          If you do not want the nodes to expose a public IP address of their own when accessing the public network, you can use a NAT gateway to provide public network access for the private network. Refer to Best Practices of NAT Gateway.

          First, create a subnet in the VPC and select the NAT type as its device type.

          In the VPC console, select VPC Instance -> NAT Gateway -> Create NAT Gateway, as shown in the figure below:

          After the NAT gateway is created, configure the route table in the VPC. The source network segment of the route is the subnet where the nodes are located, the destination network segment is all zeros (0.0.0.0/0), the route type is NAT gateway, and the next-hop instance is the NAT gateway you just created, as shown in the figure below:

          After this configuration, select the NAT exclusive subnet when creating the cluster. All nodes created in the cluster can then access the public network.

          Note: EIPs cannot be bound to nodes in a NAT exclusive subnet. These nodes can access the public network only after the NAT gateway has been created and the route table rules are in place.

          Advantages and Disadvantages

          | Plan | Advantages | Disadvantages |
          | --- | --- | --- |
          | General-purpose subnet + EIP | Easy to operate; no NAT gateway to pay for | Nodes must be exposed through EIPs, which is a security risk |
          | NAT exclusive subnet + NAT gateway | No EIP on the nodes, higher security | EIPs cannot be bound to the nodes, so the nodes cannot be reached from the public network |
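To see which of the two plans each node is actually on, the following added example (not Baidu AI Cloud's own tooling or API; the route and node records and their field names are constructed assumptions) classifies nodes from a snapshot of the VPC route table and flags the ones exposed through an EIP.

```python
"""Classify how each CCE node reaches the public network.

Added example for this page, not Baidu AI Cloud's tooling. The route table
and node records below are constructed to mimic the two plans described
above; the field names are assumptions, not the VPC/BCC API schema.
"""
import ipaddress

# Constructed sample data: the VPC route table and the cluster's nodes.
ROUTES = [
    # Plan 2: all traffic from the NAT subnet is sent to the NAT gateway.
    {"source": "192.168.1.0/24", "dest": "0.0.0.0/0",
     "type": "nat", "next_hop": "nat-example"},
    # Traffic inside the VPC needs no gateway.
    {"source": "192.168.0.0/16", "dest": "192.168.0.0/16",
     "type": "local", "next_hop": None},
]
NODES = [
    {"name": "node-a", "ip": "192.168.0.10", "eip": "203.0.113.7"},  # Plan 1
    {"name": "node-b", "ip": "192.168.1.20", "eip": None},           # Plan 2
    {"name": "node-c", "ip": "192.168.2.30", "eip": None},           # no egress
]


def default_route_for(ip, routes):
    """Return the 0.0.0.0/0 route with the most specific source covering ip."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes
                  if r["dest"] == "0.0.0.0/0"
                  and addr in ipaddress.ip_network(r["source"])]
    if not candidates:
        return None
    # The longest matching source prefix wins, as the route table resolves it.
    return max(candidates,
               key=lambda r: ipaddress.ip_network(r["source"]).prefixlen)


def classify(node, routes):
    """'eip' = Plan 1 (node exposed), 'nat' = Plan 2, 'none' = no public access."""
    if node["eip"]:
        return "eip"
    route = default_route_for(node["ip"], routes)
    if route is not None and route["type"] == "nat":
        return "nat"
    return "none"


def report(nodes=NODES, routes=ROUTES):
    """Map node name -> egress class; 'eip' nodes are reachable from the public network."""
    return {n["name"]: classify(n, routes) for n in nodes}


if __name__ == "__main__":
    for name, how in report().items():
        print(f"{name}: {how}")
```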