Configure outgoing NAT

    The Calico NAT outbound connection option is flexible; it can be enabled, disabled, and applied to Calico IP pools with public IPs, private IPs, or a specific range of IP addresses. This article describes some use cases for enabling and disabling outgoing NAT.

    • IPPool resource with natOutgoing field

    When a pod with an IP address in the pool initiates a network connection to an IP address outside of Calico's IP pools, the outgoing packets have their source IP address changed from the pod IP address to the node IP address using SNAT (Source Network Address Translation). Any return packets on the connection automatically have this change reversed before being passed back to the pod.

    If you choose to implement Calico networking by peering with your own network infrastructure, you can use that infrastructure to NAT traffic from pods to the internet. In this case, you should disable the Calico natOutgoing option. For example, if you want your pods to have public internet IPs, you should:

    • Configure Calico to peer with your physical network infrastructure
    • Create an IP pool with public IP addresses for those pods that are routed to your network with NAT disabled (natOutgoing: false)
    • Verify that other network equipment does not NAT the pod traffic

    Because Calico performs outgoing NAT only when connecting to an IP address that is not in a Calico IPPool, you can create additional IPPools that are not used for pod IP addresses but that prevent NAT to certain CIDR blocks. This is useful if you want nodes to NAT traffic to the internet but not to IPs in certain internal ranges. For example, if you did not want to NAT traffic from pods to 10.0.0.0/8, you could create the following pool. Mark it disabled so that Calico never allocates pod IPs from it; the pool then exists only to suppress NAT. You must also ensure that the network between the cluster and 10.0.0.0/8 can route pod IPs.

    apiVersion: projectcalico.org/v3
    kind: IPPool
    metadata:
      name: no-nat-10-0-0-0-8      # name assumed; any valid name works
    spec:
      cidr: 10.0.0.0/8
      disabled: true               # never allocate pod IPs from this pool
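    The following is an added example, not code from the Calico project or from this page. It models the natOutgoing decision described above so that you can check a set of IPPools against concrete source and destination addresses before applying them: a packet is SNATed only when its source falls in a pool with natOutgoing: true and its destination falls in no IPPool CIDR at all, enabled or disabled. The pool names, the 192.168.0.0/16 pod pool and the 203.0.113.0/24 public pool are constructed for the example; only the 10.0.0.0/8 no-NAT pool comes from the page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IPPool:
    """The subset of a Calico IPPool spec that matters for outgoing NAT."""
    name: str
    cidr: str
    nat_outgoing: bool = False   # spec.natOutgoing
    disabled: bool = False       # spec.disabled: no pod IPs are allocated from it

    @property
    def network(self):
        return ipaddress.ip_network(self.cidr, strict=True)


def pool_for(pools, ip):
    """Return the pool whose CIDR contains ip, or None if no pool does.

    Disabled pools count: they still define 'Calico address space' for
    the purposes of the NAT decision, which is exactly why a disabled
    pool can be used as a 'do not NAT to this CIDR' marker.
    """
    addr = ipaddress.ip_address(ip)
    for pool in pools:
        if addr in pool.network:
            return pool
    return None


def outgoing_nat_applies(pools, src_ip, dst_ip):
    """Model of the natOutgoing rule for a packet leaving a node.

    SNAT happens only when BOTH hold:
      1. the source address is in a pool with natOutgoing: true, and
      2. the destination address is not inside any IPPool CIDR.
    """
    src_pool = pool_for(pools, src_ip)
    if src_pool is None or not src_pool.nat_outgoing:
        return False
    return pool_for(pools, dst_ip) is None


def explain(pools, src_ip, dst_ip):
    """Human-readable verdict for one flow, useful when reviewing a pool set."""
    src_pool = pool_for(pools, src_ip)
    dst_pool = pool_for(pools, dst_ip)
    verdict = "SNAT to node IP" if outgoing_nat_applies(pools, src_ip, dst_ip) else "no NAT"
    src_desc = src_pool.name if src_pool else "not in any pool"
    dst_desc = dst_pool.name if dst_pool else "outside all pools"
    return f"{src_ip} ({src_desc}) -> {dst_ip} ({dst_desc}): {verdict}"


# Constructed pools for the example (names and the first two CIDRs are assumptions).
PAGE_POOLS = (
    # Ordinary pod pool: pods here are masqueraded when they leave Calico address space.
    IPPool("default-ipv4-ippool", "192.168.0.0/16", nat_outgoing=True),
    # Pods with public IPs routed by your own network: NAT disabled, as the page advises.
    IPPool("public-pods", "203.0.113.0/24", nat_outgoing=False),
    # The page's example: not used for pods, present only to suppress NAT to 10.0.0.0/8.
    IPPool("no-nat-10-0-0-0-8", "10.0.0.0/8", disabled=True),
)


if __name__ == "__main__":
    for src, dst in [
        ("192.168.10.5", "8.8.8.8"),        # pod to internet: SNAT
        ("192.168.10.5", "10.20.30.40"),    # pod to internal range: no NAT
        ("192.168.10.5", "192.168.200.1"),  # pod to pod: no NAT
        ("203.0.113.7", "8.8.8.8"),         # public-IP pod: no NAT, your network routes it
    ]:
        print(explain(PAGE_POOLS, src, dst))
```

    If a flow you expect to reach an internal range without NAT comes back as "SNAT to node IP", the destination is not covered by any pool; if a pool you added to suppress NAT is not marked disabled, the model still gives the right verdict but Calico itself would start allocating pod IPs from that CIDR, so check both fields.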