Skip to main content

Configure outgoing NAT

Big picture​

Configure Calico Cloud networking to perform outbound NAT for connections from pods to outside of the cluster. Calico Cloud optionally source NATs the pod IP to the node IP.

Value​

The Calico Cloud NAT outbound connection option is flexible; it can be enabled, disabled, and applied to Calico Cloud IP pools with public IPs, private IPs, or a specific range of IP addresses. This article describes some use cases for enabling and disabling outgoing NAT.

Concepts​

Calico Cloud IP pools and NAT​

When a pod with an IP address in the pool initiates a network connection to an IP address to outside of Calico Cloud’s IP pools, the outgoing packets will have their source IP address changed from the pod IP address to the node IP address using SNAT (Source Network Address Translation). Any return packets on the connection automatically get this change reversed before being passed back to the pod.

Enable NAT: for pods with IP addresses that are not routable beyond the cluster​

A common use case for enabling NAT outgoing, is to allow pods in an overlay network to connect to IP addresses outside of the overlay, or pods with private IP addresses to connect to public IP addresses outside the cluster/the internet (subject to network policy allowing the connection, of course). When NAT is enabled, traffic is NATed from pods in that pool to any destination outside of all other Calico Cloud IP pools.

Disable NAT: For on-premises deployments using physical infrastructure​

If you choose to implement Calico Cloud networking with BGP peered with your physical network infrastructure, you can use your own infrastructure to NAT traffic from pods to the internet. In this case, you should disable the Calico Cloud natOutgoing option. For example, if you want your pods to have public internet IPs, you should:

  • Configure Calico Cloud to peer with your physical network infrastructure
  • Create an IP pool with public IP addresses for those pods that are routed to your network with NAT disabled (natOutgoing: false)
  • Verify that other network equipment does not NAT the pod traffic

Before you begin​

Required

  • Calico CNI

How to​

Create an IP pool with NAT outgoing enabled​

In the following example, we create a Calico Cloud IPPool with natOutgoing enabled. Outbound NAT is performed locally on the node where each workload in the pool is hosted.

apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: default-ipv4-ippool
spec:
  cidr: 192.168.0.0/16
  natOutgoing: true

Use additional IP pools to specify addresses that can be reached without NAT​

Because Calico Cloud performs outgoing NAT only when connecting to an IP address that is not in a Calico Cloud IPPool, you can create additional IPPools that are not used for pod IP addresses, but prevent NAT to certain CIDR blocks. This is useful if you want nodes to NAT traffic to the internet, but not to IPs in certain internal ranges. For example, if you did not want to NAT traffic from pods to 10.0.0.0/8, you could create the following pool. You must ensure that the network between the cluster and 10.0.0.0/8 can route pod IPs.

apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: no-nat-10.0.0.0-8
spec:
  cidr: 10.0.0.0/8
  disabled: true