Skip to main content
Calico Enterprise 3.19 (latest) documentation

Configure outgoing NAT

Big picture

Configure Calico Enterprise networking to perform outbound NAT for connections from pods to outside of the cluster. Calico Enterprise optionally source NATs the pod IP to the node IP.

Value

The Calico Enterprise NAT outbound connection option is flexible; it can be enabled, disabled, and applied to Calico Enterprise IP pools with public IPs, private IPs, or a specific range of IP addresses. This article describes some use cases for enabling and disabling outgoing NAT.

Concepts

Calico Enterprise IP pools and NAT

When a pod with an IP address in the pool initiates a network connection to an IP address to outside of Calico Enterprise’s IP pools, the outgoing packets will have their source IP address changed from the pod IP address to the node IP address using SNAT (Source Network Address Translation). Any return packets on the connection automatically get this change reversed before being passed back to the pod.

Enable NAT: for pods with IP addresses that are not routable beyond the cluster

A common use case for enabling NAT outgoing, is to allow pods in an overlay network to connect to IP addresses outside of the overlay, or pods with private IP addresses to connect to public IP addresses outside the cluster/the internet (subject to network policy allowing the connection, of course). When NAT is enabled, traffic is NATed from pods in that pool to any destination outside of all other Calico Enterprise IP pools.

Disable NAT: For on-premises deployments using physical infrastructure

If you choose to implement Calico Enterprise networking with BGP peered with your physical network infrastructure, you can use your own infrastructure to NAT traffic from pods to the internet. In this case, you should disable the Calico Enterprise natOutgoing option. For example, if you want your pods to have public internet IPs, you should:

  • Configure Calico Enterprise to peer with your physical network infrastructure
  • Create an IP pool with public IP addresses for those pods that are routed to your network with NAT disabled (nat-outgoing: false)
  • Verify that other network equipment does not NAT the pod traffic

Before you begin

Required

  • Calico CNI

How to

Create an IP pool with NAT outgoing enabled

In the following example, we create a Calico Enterprise IPPool with natOutgoing enabled. Outbound NAT is performed locally on the node where each workload in the pool is hosted.

apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
name: default-ipv4-ippool
spec:
cidr: 192.168.0.0/16
natOutgoing: true

Use additional IP pools to specify addresses that can be reached without NAT

Because Calico Enterprise performs outgoing NAT only when connecting to an IP address that is not in a Calico Enterprise IPPool, you can create additional IPPools that are not used for pod IP addresses, but prevent NAT to certain CIDR blocks. This is useful if you want nodes to NAT traffic to the internet, but not to IPs in certain internal ranges. For example, if you did not want to NAT traffic from pods to 10.0.0.0/8, you could create the following pool. You must ensure that the network between the cluster and 10.0.0.0/8 can route pod IPs.

apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
name: no-nat-10.0.0.0-8
spec:
cidr: 10.0.0.0/8
disabled: true