External source network address translation (SNAT) - Amazon EKS

Communication within a VPC (such as pod to pod) is direct between private IP addresses and requires no source network address translation (SNAT). When traffic is destined for an address outside of the VPC, the Amazon VPC CNI plugin for Kubernetes by default translates the private IP address of each pod to the primary private IP address assigned to the primary network interface of the Amazon EC2 node that the pod is running on. SNAT:

  • Enables pods to communicate bi-directionally with the internet. The node must be in a public subnet and have a public or Elastic IP address associated with the primary private IP address of its primary network interface. The traffic is translated to and from the public or Elastic IP address and routed to and from the internet by an internet gateway, as shown in the following picture.

    SNAT is necessary because the internet gateway can only translate between the primary private and public or Elastic IP address assigned to the primary network interface of the Amazon EC2 instance node that pods are running on.

  • Prevents a device in other private IP address spaces (for example, VPC peering, Transit VPC, or Direct Connect) from communicating directly with a pod that is not assigned the primary private IP address of the primary network interface of the Amazon EC2 instance node.

If the internet or devices in other private IP address spaces need to communicate with a pod that isn't assigned the primary private IP address assigned to the primary network interface of the Amazon EC2 instance node that the pod is running on, then:

  • The node must be deployed in a private subnet that has a route to a NAT device in a public subnet.

  • You need to enable external SNAT in the CNI plugin aws-node DaemonSet with the following command:

    kubectl set env daemonset -n kube-system aws-node AWS_VPC_K8S_CNI_EXTERNALSNAT=true

After external SNAT is enabled, the CNI plugin doesn't translate a pod's private IP address to the primary private IP address assigned to the primary network interface of the Amazon EC2 instance node that the pod is running on when traffic is destined for an address outside of the VPC. Traffic from the pod to the internet is externally translated to and from the public IP address of the NAT device and routed to and from the internet by an internet gateway, as shown in the following picture.
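The two conditions above (the aws-node setting and the node subnet's default route) must agree, or pod egress silently breaks: with external SNAT on, pod IPs leave the node untranslated, and an internet gateway cannot translate them. The following added check (not code from the EKS documentation) reads a DaemonSet and route tables in the JSON shapes returned by `kubectl get daemonset -o json` and `aws ec2 describe-route-tables`; the subnet, gateway and NAT IDs are constructed placeholders.

```python
"""Consistency check: aws-node AWS_VPC_K8S_CNI_EXTERNALSNAT vs. subnet default route.
Constructed sample data; all IDs are placeholders, not real resources."""
import json

# Constructed sample: aws-node DaemonSet with external SNAT enabled.
AWS_NODE_DS = json.loads("""{
  "spec": {"template": {"spec": {"containers": [
    {"name": "aws-node", "env": [
      {"name": "AWS_VPC_K8S_CNI_EXTERNALSNAT", "value": "true"}]}]}}}}""")

# Constructed sample route tables: a public subnet (IGW) and a private one (NAT).
ROUTE_TABLES = {
    "subnet-public-EXAMPLE": {"Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
    "subnet-private-EXAMPLE": {"Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"}]},
}

def external_snat_enabled(daemonset: dict) -> bool:
    """True when AWS_VPC_K8S_CNI_EXTERNALSNAT=true is set on the aws-node container."""
    for c in daemonset["spec"]["template"]["spec"]["containers"]:
        if c["name"] != "aws-node":
            continue
        for e in c.get("env", []):
            if e["name"] == "AWS_VPC_K8S_CNI_EXTERNALSNAT":
                return e.get("value", "").lower() == "true"
    return False  # CNI default: SNAT to the node's primary private IP

def default_route_target(route_table: dict) -> str:
    """Classify the 0.0.0.0/0 route as 'igw', 'nat' or 'none'."""
    for r in route_table["Routes"]:
        if r.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if r.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if r.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
    return "none"

def egress_verdict(daemonset: dict, route_table: dict) -> str:
    """Verdict on pod internet egress for a node placed in this subnet.
    (With external SNAT off, the node also needs a public/Elastic IP; not checked here.)"""
    target = default_route_target(route_table)
    if external_snat_enabled(daemonset):
        # IGW only translates the node's primary IP; untranslated pod IPs need a NAT device.
        return "ok" if target == "nat" else "broken: external SNAT needs a NAT default route"
    return "ok" if target in ("igw", "nat") else "broken: no default route"

if __name__ == "__main__":
    for subnet, rt in ROUTE_TABLES.items():
        print(subnet, "->", egress_verdict(AWS_NODE_DS, rt))
```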