Notes on the Public IP of a TKE Node
Last updated: 2020-01-02 16:06:31
If you want to avoid exposing your company's public IP while the nodes access the public network, you can use Tencent Cloud NAT Gateway. This document describes how TKE nodes use public IPs and bandwidth, and how to route their internet access through an NAT gateway instead.
When a cluster is created, public IPs are assigned to the nodes in the cluster by default. With these public IPs, you can:
- Log in to the nodes in the cluster from the public network.
- Access services on the public network from the nodes.
Because these IPs are reachable from the internet, restrict inbound access to the nodes (for example, SSH) in the node security group rather than relying on the public IP being unknown.
Public Network Bandwidth
When a Service is exposed on the public network, the public network CLB consumes the public network bandwidth and traffic of the nodes. If a public network Service is required, the nodes need to have public network bandwidth. You can choose not to purchase public network bandwidth if it is not needed.
In this solution the CVM instance is not bound to an EIP, and all of its internet-bound traffic is forwarded via an NAT gateway. The traffic reaches the NAT gateway over the private network, so it is not subject to the public network bandwidth cap specified when you purchased the instance, and the traffic generated by the NAT gateway does not occupy the public network bandwidth egress of the instance. To access the internet via an NAT gateway, follow the steps below:
Step 1. Create an NAT gateway
- Log in to the VPC Console and click NAT Gateway in the left sidebar.
- On the NAT gateway management page, click Create.
- In the Create an NAT Gateway window that pops up, enter the following parameters.
- Gateway Name: Custom.
- Network: Select the VPC in which the NAT gateway will serve.
- Gateway Type: Select based on actual needs. The type of the gateway can be changed after it is created.
- Outbound Bandwidth Cap: Set based on actual needs.
- Elastic IP: Assign an EIP to the NAT gateway. You can choose an existing EIP or purchase a new one.
- Click Create to complete the creation of the NAT gateway.
One hour's rental fee is frozen when the NAT gateway is created.
Step 2. Configure the route table associated with the subnet
After the NAT gateway is created, you need to configure the routing rules on the route table page in the VPC Console to redirect the subnet traffic to the NAT gateway.
- Click Route Table in the left sidebar.
- In the route table list, click the route table ID/name associated with the subnet that needs to access the internet.
- In the "Routing Policy" section, click + New routing policies.
- In the Add routing page, enter the Destination (0.0.0.0/0 to send all internet-bound traffic to the gateway), select NAT gateway for Next Hop Type, and select the ID of the created NAT gateway for Next Hop.
- Click OK.
Now, the internet-bound traffic of the CVM instances in the subnets associated with this route table is directed to the NAT gateway; traffic to other addresses in the VPC still follows the LOCAL route and never leaves the private network. Note that a more specific routing policy (a narrower destination than 0.0.0.0/0) takes precedence over the NAT route, so check the route table for entries that would send public destinations elsewhere.
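The following Python script is an added example, not part of this document or of Tencent Cloud's own tooling. It models the route table you end up with after Step 2 (a LOCAL route for the VPC CIDR plus a 0.0.0.0/0 route to the NAT gateway), performs the longest-prefix lookup that the VPC applies, and audits the table for the two ways internet egress can miss the gateway: no NAT default route, or a more specific route to public address space via some other next hop. The VPC CIDR, the route entries and all resource IDs (nat-, ins-) are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed data: a VPC CIDR and a route table in the shape the console shows
# after Step 2. All IDs (nat-/ins-) are made-up placeholders, not real resources.
VPC_CIDR = "10.0.0.0/16"
NAT_ID = "nat-example01"


@dataclass(frozen=True)
class Route:
    destination: str    # CIDR block, e.g. "0.0.0.0/0"
    next_hop_type: str  # "LOCAL", "NAT", "CVM", "EIP", ...
    next_hop: str       # next-hop resource ID


ROUTE_TABLE = [
    Route(VPC_CIDR, "LOCAL", "local"),   # intra-VPC traffic stays in the VPC
    Route("0.0.0.0/0", "NAT", NAT_ID),   # the routing policy added in Step 2
]


def lookup(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match: the most specific destination containing dst_ip wins."""
    ip = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.destination, strict=False)
        if ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def audit_nat_egress(routes: List[Route], nat_id: str, vpc_cidr: str) -> List[str]:
    """Return findings that would keep internet-bound traffic off the NAT gateway."""
    findings = []
    default = next((r for r in routes if r.destination == "0.0.0.0/0"), None)
    if default is None:
        findings.append("no 0.0.0.0/0 route: internet access relies on per-node public IPs")
    elif default.next_hop_type != "NAT":
        findings.append(f"0.0.0.0/0 goes to {default.next_hop_type} {default.next_hop}, not NAT")
    elif default.next_hop != nat_id:
        findings.append(f"0.0.0.0/0 goes to {default.next_hop}, expected {nat_id}")
    vpc = ipaddress.ip_network(vpc_cidr)
    for r in routes:
        net = ipaddress.ip_network(r.destination, strict=False)
        # A more specific route to public address space wins the lookup and
        # therefore bypasses the NAT gateway for that destination.
        if (r.destination != "0.0.0.0/0" and not net.subnet_of(vpc)
                and r.next_hop_type not in ("NAT", "LOCAL")):
            findings.append(f"{r.destination} bypasses NAT via {r.next_hop_type} {r.next_hop}")
    return findings


if __name__ == "__main__":
    print(lookup(ROUTE_TABLE, "10.0.3.7"))       # LOCAL route
    print(lookup(ROUTE_TABLE, "203.0.113.5"))    # NAT route
    print(audit_nat_egress(ROUTE_TABLE, NAT_ID, VPC_CIDR))
```

To run the audit against a real table, fill `ROUTE_TABLE` from the route table's policy list in the VPC console; the check is the same regardless of how many subnets share the table.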
Solution 1. Use an EIP
The CVM instance is bound to an EIP and does not use an NAT gateway. With this solution, all of the instance's internet-bound traffic leaves through the EIP and is subject to the public network bandwidth cap specified when you purchased the instance. The instance is also directly reachable from the internet at the EIP. Internet access fees are charged according to the billing method of the instance's network.
For more information, see Elastic Public IP.
Solution 2. Use both an NAT gateway and an EIP
If both an NAT gateway and an EIP are used, the path depends on which side opens the connection. Traffic that the CVM instance initiates towards the internet is forwarded to the NAT gateway over the private network, and the response packets come back to the instance through the NAT gateway; this traffic is not subject to the public network bandwidth cap specified when you purchased the instance, and the traffic generated by the NAT gateway does not occupy the instance's public network bandwidth egress. Traffic that the internet initiates towards the instance's EIP is answered through the EIP, and the resulting outbound public network traffic is subject to the instance's public network bandwidth cap. Public network access fees are charged according to the billing method of the instance's network.
If the bandwidth package (BWP) feature is activated in your account, fees for the outbound traffic generated by the NAT gateway are deducted from the BWP (so the traffic is not billed a second time at 0.12 USD/GB). It is recommended that you limit the outbound bandwidth of the NAT gateway so as to avoid high BWP fees due to excessive outbound bandwidth.
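As an added example (not code from this document or from Tencent Cloud), the script below attributes a node's outbound bytes to the three paths described for Solution 2: the private network for VPC destinations, the NAT gateway for connections the instance initiated, and the EIP for replies to connections that arrived from the internet. It then converts the NAT share into Mbps over a measurement window and compares it with the gateway's outbound bandwidth cap, which is the check behind the recommendation above. The connection records, the VPC CIDR, the addresses and the byte counts are constructed; on a real node they would come from `ss` or `conntrack`, and the EIP never appears there because it is translated at the VPC edge.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed node-side connection records: (local_ip, remote_ip, direction, bytes_out).
# direction is "out" when the instance opened the connection and "in" when a remote
# peer connected to the instance's EIP. The node only sees its private address, so
# "in" flows still show the private IP as the local side. All values are made up.
VPC_CIDR = "10.0.0.0/16"
NODE_PRIVATE_IP = "10.0.3.7"
FLOWS: List[Tuple[str, str, str, int]] = [
    (NODE_PRIVATE_IP, "10.0.5.20", "out", 50_000_000),    # intra-VPC: private path
    (NODE_PRIVATE_IP, "203.0.113.5", "out", 120_000_000),  # instance-initiated: NAT gateway
    (NODE_PRIVATE_IP, "203.0.113.9", "out", 30_000_000),   # instance-initiated: NAT gateway
    (NODE_PRIVATE_IP, "192.0.2.44", "in", 80_000_000),     # peer hit the EIP: reply via EIP
]


def egress_path(remote_ip: str, direction: str, vpc_cidr: str = VPC_CIDR) -> str:
    """Which path carries the instance's outbound bytes for one flow (Solution 2)."""
    if ipaddress.ip_address(remote_ip) in ipaddress.ip_network(vpc_cidr):
        return "private"   # stays on the VPC private network, no public bandwidth used
    if direction == "out":
        return "nat"       # forwarded to the NAT gateway over the private network
    return "eip"           # response to internet-initiated traffic leaves via the EIP


def attribute_bytes(flows, vpc_cidr: str = VPC_CIDR) -> Dict[str, int]:
    """Sum outbound bytes per path."""
    totals = {"private": 0, "nat": 0, "eip": 0}
    for _local, remote, direction, bytes_out in flows:
        totals[egress_path(remote, direction, vpc_cidr)] += bytes_out
    return totals


def mbps(byte_count: int, window_seconds: int) -> float:
    """Average rate in megabits per second over the measurement window."""
    return byte_count * 8 / window_seconds / 1_000_000


def check_caps(totals: Dict[str, int], window_seconds: int,
               nat_cap_mbps: float, instance_cap_mbps: float) -> List[str]:
    """Warn where a path's average rate exceeds the cap that applies to it.

    NAT bytes count against the gateway's outbound bandwidth cap (and the BWP);
    EIP bytes count against the public bandwidth purchased with the instance.
    """
    warnings = []
    nat_rate = mbps(totals["nat"], window_seconds)
    if nat_rate > nat_cap_mbps:
        warnings.append(f"nat outbound {nat_rate:.1f} Mbps exceeds cap {nat_cap_mbps} Mbps")
    eip_rate = mbps(totals["eip"], window_seconds)
    if eip_rate > instance_cap_mbps:
        warnings.append(f"eip outbound {eip_rate:.1f} Mbps exceeds instance cap {instance_cap_mbps} Mbps")
    return warnings


if __name__ == "__main__":
    totals = attribute_bytes(FLOWS)
    print(totals)
    # Assumed caps for the example: 10 Mbps on the NAT gateway, 20 Mbps on the instance.
    print(check_caps(totals, window_seconds=60, nat_cap_mbps=10, instance_cap_mbps=20))
```

The direction flag is what makes the attribution work: the same remote public address can be a NAT flow or an EIP flow depending on who connected first, so byte counters keyed only by destination cannot tell the two bandwidth pools apart.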