Configure outgoing NAT
Configure Calico Enterprise networking to perform outbound NAT for connections from pods to outside of the cluster. Calico Enterprise optionally source NATs the pod IP to the node IP.
The Calico Enterprise NAT outbound connection option is flexible; it can be enabled, disabled, and applied to Calico Enterprise IP pools with public IPs, private IPs, or a specific range of IP addresses. This article describes some use cases for enabling and disabling outgoing NAT.
This how-to guide uses the following Calico Enterprise features:
- IPPool resource with
Calico Enterprise IP pools and NAT
When a pod with an IP address in the pool initiates a network connection to an IP address to outside of Calico Enterprise’s IP pools, the outgoing packets will have their source IP address changed from the pod IP address to the node IP address using SNAT (Source Network Address Translation). Any return packets on the connection automatically get this change reversed before being passed back to the pod.
Enable NAT: for pods with IP addresses that are not routable beyond the cluster
A common use case for enabling NAT outgoing, is to allow pods in an overlay network to connect to IP addresses outside of the overlay, or pods with private IP addresses to connect to public IP addresses outside the cluster/the internet (subject to network policy allowing the connection, of course). When NAT is enabled, traffic is NATed from pods in that pool to any destination outside of all other Calico Enterprise IP pools.
Disable NAT: For on-premises deployments using physical infrastructure
If you choose to implement Calico Enterprise networking with BGP peered with your physical network infrastructure, you can use your own infrastructure to NAT traffic from pods to the internet. In this case, you should disable the Calico Enterprise
natOutgoing option. For example, if you want your pods to have public internet IPs, you should:
- Configure Calico Enterprise to peer with your physical network infrastructure
- Create an IP pool with public IP addresses for those pods that are routed to your network with NAT disabled (
- Verify that other network equipment does not NAT the pod traffic
Before you begin
- Calico CNI
- Create an IP pool with NAT outgoing enabled
- Use additional IP pools to specify addresses that can be reached without NAT
Create an IP pool with NAT outgoing enabled
In the following example, we create a Calico Enterprise IPPool with natOutgoing enabled. Outbound NAT is performed locally on the node where each workload in the pool is hosted.
Use additional IP pools to specify addresses that can be reached without NAT
Because Calico Enterprise performs outgoing NAT only when connecting to an IP address that is not in a Calico Enterprise IPPool, you can create additional IPPools that are not used for pod IP addresses, but prevent NAT to certain CIDR blocks. This is useful if you want nodes to NAT traffic to the internet, but not to IPs in certain internal ranges. For example, if you did not want to NAT traffic from pods to 10.0.0.0/8, you could create the following pool. You must ensure that the network between the cluster and 10.0.0.0/8 can route pod IPs.