Configure workload access outside the cluster
With all Calico networking options, you can enable and disable internet access for your workloads.
You control which Calico IP pools are subject to outbound NAT to enable public and private network connections and allow single IP address communication.
This how-to guide uses the following Calico features:
- IPPool resource with natOutgoing field
Outgoing NAT on each node
For all networking options, you can allow your workloads to access the internet (subject to network policy, of course!) by enabling outbound NAT on the IP pool. When enabled, traffic from pods in that pool going to a destination outside all Calico pools will be NATed. The source address is masqueraded to an IP of the node on which each workload is hosted, allowing the network to understand the traffic. By default, the NAT outgoing option is automatically enabled for the pool that is created when you install Calico.
BGP peering with out-of-cluster NAT
When Calico is BGP peered with your physical network infrastructure, you can use the infrastructure to NAT traffic from pods to the internet. In this case, you should disable the Calico NAT outgoing option.
Expose pods directly on the internet
If you want your pods to have public internet IPs:
- Configure Calico to peer with your physical network infrastructure
- Create an IP pool for those pods that contain public IP addresses that are routed to your network with
- Verify that other network equipment does not NAT the pod traffic
- Allow workloads access to internet, private IP addresses
- NAT traffic only to specific IP address ranges
Allow workloads access to internet, private IP addresses
To allow workloads with a private IP address access to the internet, you can use your existing NAT capabilities, or you can enable natOutgoing on the Calico IPPool.
In the following example, we create a Calico IPPool with natOutgoing enabled. Outbound NAT is performed locally on the node where each workload in the pool is hosted.
apiVersion: projectcalico.org/v3 kind: IPPool metadata: name: default-ipv4-ippool spec: cidr: 192.168.0.0/16 natOutgoing: true
NAT traffic only to specific IP address ranges
You can create additional IPPools that are not used for IP address management that prevent NAT to certain CIDR blocks. This is useful if you want nodes to NAT traffic to the internet, but not to IPs in certain internal ranges. For example, if you did not want to NAT traffic from pods to 10.0.0.0/8, you could create the following pool. You must ensure that the network between the cluster and 10.0.0.0/8 can route pod IPs.
apiVersion: projectcalico.org/v3 kind: IPPool metadata: name: no-nat-10.0.0.0-8 spec: cidr: 10.0.0.0/8 disabled: true