Container Service for Kubernetes:Plan the network of an ACK cluster

Last Updated:Jun 03, 2024

When you create a Container Service for Kubernetes (ACK) cluster, you must specify a virtual private cloud (VPC), vSwitches, the pod CIDR block, and Service CIDR block. Therefore, we recommend that you plan the CIDR block of Elastic Compute Service (ECS) instances, pod CIDR block, and Service CIDR block before you create the cluster. This topic describes how to plan CIDR blocks for an ACK cluster deployed in a VPC and how each CIDR block is used.

Relationship between VPC CIDR blocks and cluster CIDR blocks

Before you create a VPC, you must plan the CIDR block of the VPC and CIDR blocks of vSwitches in the VPC. Before you create an ACK cluster, you must plan the pod CIDR block and Service CIDR block. ACK supports Terway and Flannel plug-ins. The following figures show the network architectures of ACK clusters that use Terway and Flannel.

Figure 1. Terway (network architecture diagram)

Figure 2. Flannel (network architecture diagram)

Usage notes

To install Terway or Flannel for your ACK cluster, you must specify the CIDR blocks for the related parameters. The following table describes, for each parameter, how to configure it when your ACK cluster uses Terway or Flannel.

Parameter: VPC

  Terway and Flannel: When you create a VPC, you must select a CIDR block for the VPC. Valid values: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

  IPv6 CIDR blocks are assigned by the VPC after you enable IPv6 for the VPC. If you want to enable IPv6 for containers, select Terway for the Network Plug-in parameter.

Parameter: vSwitch

  Terway: The vSwitches associated with ECS instances allow nodes to communicate with each other. The CIDR blocks of vSwitches in the VPC must be subsets of the VPC CIDR block. That is, each vSwitch CIDR block must be the same as or fall within the VPC CIDR block. When you specify the CIDR blocks of vSwitches, take note of the following items:

    • You must select vSwitches that belong to the VPC in which the cluster resides.

    • The system allocates IP addresses from the CIDR block of a vSwitch to the ECS instances that are associated with the vSwitch.

    • You can create multiple vSwitches in a VPC. However, the CIDR blocks of these vSwitches cannot overlap with each other.

    • The pod vSwitches and vSwitches must be deployed in the same zone. For more information about zones, see Regions and zones.

  Flannel: The vSwitches associated with ECS instances allow nodes to communicate with each other. The CIDR blocks of vSwitches in the VPC must be subsets of the VPC CIDR block. That is, each vSwitch CIDR block must be the same as or fall within the VPC CIDR block. When you specify the CIDR blocks of vSwitches, take note of the following items:

    • You must select vSwitches that belong to the VPC in which the cluster resides.

    • The system allocates IP addresses from the CIDR block of a vSwitch to the ECS instances that are associated with the vSwitch.

    • You can create multiple vSwitches in a VPC. However, the CIDR blocks of these vSwitches cannot overlap with each other.

Parameter: Pod vSwitch

  Terway: The IP addresses of pods are assigned from the CIDR blocks of pod vSwitches. This allows pods to communicate with each other. A pod is an abstraction in ACK, and each pod has an IP address. The CIDR blocks that you specify when you create pod vSwitches in the VPC must be subsets of the VPC CIDR block. When you specify the CIDR blocks of pod vSwitches, take note of the following items:

    • You must select vSwitches that belong to the VPC in which the cluster resides.

    • In an ACK cluster that uses Terway, the IP addresses of pods are assigned by pod vSwitches.

    • The CIDR blocks of pod vSwitches cannot overlap with the Service CIDR block.

    • The pod vSwitches and vSwitches must be deployed in the same zone. For more information about zones, see Regions and zones.

  Flannel: You do not need to configure this parameter if your cluster uses Flannel.

Parameter: Pod CIDR Block

  Terway: You do not need to configure this parameter if your cluster uses Terway.

  Flannel: The IP addresses of pods are allocated from the pod CIDR block. This allows pods to communicate with each other. A pod is an abstraction in ACK, and each pod has an IP address. When you specify the pod CIDR block, take note of the following items:

    • Enter a CIDR block in the Pod CIDR Block field.

    • The pod CIDR block cannot overlap with the CIDR blocks of vSwitches.

    • The pod CIDR block cannot overlap with the Service CIDR block.

  For example, if the VPC CIDR block is 172.16.0.0/12, the pod CIDR block cannot be 172.16.0.0/16 or 172.17.0.0/16 because these CIDR blocks are subsets of 172.16.0.0/12.

Parameter: Service CIDR

  Terway: The CIDR block of Services. A Service is an abstraction in ACK. The IP addresses of ClusterIP Services are allocated from the Service CIDR block, and each ClusterIP Service has an IP address. When you specify the Service CIDR block, take note of the following items:

    • The IP address of a Service is effective only within the ACK cluster.

    • The Service CIDR block cannot overlap with the CIDR blocks of vSwitches.

    • The Service CIDR block cannot overlap with the CIDR blocks of pod vSwitches.

  Flannel: The CIDR block of Services. A Service is an abstraction in ACK. The IP addresses of ClusterIP Services are allocated from the Service CIDR block, and each ClusterIP Service has an IP address. When you specify the Service CIDR block, take note of the following items:

    • The IP address of a Service is effective only within the ACK cluster.

    • The Service CIDR block cannot overlap with the CIDR blocks of vSwitches.

    • The Service CIDR block cannot overlap with the pod CIDR block.

Parameter: IPv6 Service CIDR

  Terway: If you enable IPv6 dual-stack, you must specify an IPv6 CIDR block for Services. When you specify the IPv6 CIDR block, take note of the following items:

    • You must specify a unique local address (ULA) space within the address range fc00::/7. The prefix must be 112 bits to 120 bits in length.

    • We recommend that you specify an IPv6 CIDR block that has the same number of IP addresses as the Service CIDR block.

  Flannel: You do not need to configure this parameter if your cluster uses Flannel.

Network planning

To use an ACK cluster that is deployed on Alibaba Cloud, you must first set up the network for the cluster based on the cluster size and business scenarios. You can use the following tables to set up networks for ACK clusters. Adjust the specifications to your business requirements in specific scenarios.

Plan the network of a VPC

Number of nodes | Scenario | VPC | Zone
--- | --- | --- | ---
< 100 | Regular business | Single VPC | 1
Unlimited | Cross-zone deployment | Single VPC | ≥ 2
Unlimited | High reliability and cross-region deployment | Multiple VPCs | ≥ 2

Plan CIDR blocks for clusters

The following tables describe how to plan CIDR blocks for clusters that use Flannel or Terway.

  • Clusters that use Flannel

    VPC CIDR block | vSwitch CIDR block | Pod CIDR block | Service CIDR block | Maximum number of pod IP addresses
    --- | --- | --- | --- | ---
    192.168.0.0/16 | 192.168.0.0/24 | 172.20.0.0/16 | 172.21.0.0/20 | 65536

  • Clusters that use Terway

    • Exclusive elastic network interface (ENI) mode, Data Path V2 mode, or IPVLAN mode

      VPC CIDR block | vSwitch CIDR block | Pod vSwitch CIDR block | Service CIDR block | Maximum number of pod IP addresses
      --- | --- | --- | --- | ---
      192.168.0.0/16 | 192.168.0.0/19 | 192.168.32.0/19 | 172.21.0.0/20 | 8192

    • Multi-zone deployment (one VPC and one Service CIDR block shared by both zones)

      VPC CIDR block | vSwitch CIDR block | Pod vSwitch CIDR block | Service CIDR block | Maximum number of pod IP addresses
      --- | --- | --- | --- | ---
      192.168.0.0/16 | Zone I: 192.168.0.0/19 | 192.168.32.0/19 | 172.21.0.0/20 | 8192
      192.168.0.0/16 | Zone J: 192.168.64.0/19 | 192.168.96.0/19 | 172.21.0.0/20 | 8192
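The non-overlap rules from the usage-notes table and the capacities from the planning tables above can be checked mechanically before a cluster is created. The following validator is an added example (not Alibaba Cloud code): the ClusterPlan structure, its field names and the function names are assumptions made here, while the rules it enforces (VPC in a private range, vSwitches inside the VPC and disjoint, Service CIDR disjoint from vSwitches, Terway pod vSwitches inside the VPC and disjoint from the Service CIDR, the IPv6 Service CIDR a ULA block with a 112- to 120-bit prefix, and a Flannel pod CIDR that lies outside the VPC) are the ones stated on this page. The sample plans reuse the CIDR blocks from the planning tables; the IPv6 block and the bad plan are constructed values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Private ranges the page lists as valid VPC CIDR blocks, and the ULA range
# the page requires for the IPv6 Service CIDR block.
ALLOWED_VPC_RANGES = [ipaddress.ip_network(r)
                      for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA_RANGE = ipaddress.ip_network("fc00::/7")


@dataclass
class ClusterPlan:
    """One cluster's CIDR choices (field names are this example's, not ACK parameters)."""
    plugin: str                      # "terway" or "flannel"
    vpc: str                         # VPC CIDR block
    vswitches: List[str]             # CIDR blocks of the node vSwitches
    service_cidr: str                # Service CIDR block
    pod_vswitches: List[str] = field(default_factory=list)   # Terway only
    pod_cidr: str = ""                                       # Flannel only
    ipv6_service_cidr: str = ""                              # Terway dual-stack only


def _net(cidr):
    # strict=True rejects blocks whose host bits are set, such as 192.168.1.0/16
    return ipaddress.ip_network(cidr, strict=True)


def _pairwise_overlaps(nets):
    """Pairs of networks in `nets` that overlap each other."""
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def pod_ip_capacity(plan):
    """Maximum number of pod IP addresses, counted as the planning tables do (2**(32 - prefix) per block)."""
    if plan.plugin == "flannel":
        return _net(plan.pod_cidr).num_addresses
    return sum(_net(c).num_addresses for c in plan.pod_vswitches)


def validate_plan(plan):
    """Return the violations found; an empty list means the plan follows the rules on this page."""
    errors = []
    vpc = _net(plan.vpc)
    if not any(vpc.subnet_of(r) for r in ALLOWED_VPC_RANGES):
        errors.append(f"VPC {vpc} is not within 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16")

    vswitches = [_net(c) for c in plan.vswitches]
    service = _net(plan.service_cidr)
    # vSwitch blocks must fall within the VPC, must not overlap each other,
    # and must not overlap the Service CIDR block (both plug-ins).
    for sw in vswitches:
        if not sw.subnet_of(vpc):
            errors.append(f"vSwitch {sw} is not within VPC {vpc}")
        if sw.overlaps(service):
            errors.append(f"Service CIDR {service} overlaps vSwitch {sw}")
    for a, b in _pairwise_overlaps(vswitches):
        errors.append(f"vSwitches {a} and {b} overlap")

    if plan.plugin == "terway":
        pods = [_net(c) for c in plan.pod_vswitches]
        if not pods:
            errors.append("Terway requires at least one pod vSwitch")
        for p in pods:
            if not p.subnet_of(vpc):
                errors.append(f"pod vSwitch {p} is not within VPC {vpc}")
            if p.overlaps(service):
                errors.append(f"pod vSwitch {p} overlaps Service CIDR {service}")
        for a, b in _pairwise_overlaps(pods):
            errors.append(f"pod vSwitches {a} and {b} overlap")
        if plan.ipv6_service_cidr:
            v6 = _net(plan.ipv6_service_cidr)
            if not v6.subnet_of(ULA_RANGE):
                errors.append(f"IPv6 Service CIDR {v6} is not a ULA block within fc00::/7")
            if not 112 <= v6.prefixlen <= 120:
                errors.append(f"IPv6 Service CIDR {v6} prefix must be 112 to 120 bits")
    elif plan.plugin == "flannel":
        if not plan.pod_cidr:
            errors.append("Flannel requires a pod CIDR block")
        else:
            pod = _net(plan.pod_cidr)
            # With Flannel the pod CIDR block lies outside the VPC: it must not
            # overlap the VPC, its vSwitches, or the Service CIDR block.
            taken = [("VPC", vpc), ("Service CIDR", service)] + [("vSwitch", s) for s in vswitches]
            for label, block in taken:
                if pod.overlaps(block):
                    errors.append(f"pod CIDR {pod} overlaps {label} {block}")
    return errors


# Sample plans built from the planning tables on this page; the IPv6 block
# (a constructed ULA block) and the bad plan are constructed for this example.
FLANNEL_PLAN = ClusterPlan("flannel", "192.168.0.0/16", ["192.168.0.0/24"],
                           "172.21.0.0/20", pod_cidr="172.20.0.0/16")
TERWAY_PLAN = ClusterPlan("terway", "192.168.0.0/16", ["192.168.0.0/19"],
                          "172.21.0.0/20", pod_vswitches=["192.168.32.0/19"],
                          ipv6_service_cidr="fd00:1::/112")
# Pod CIDR block inside the VPC: the case the Pod CIDR Block notes rule out for Flannel.
BAD_FLANNEL_PLAN = ClusterPlan("flannel", "172.16.0.0/12", ["172.17.0.0/24"],
                               "172.21.0.0/20", pod_cidr="172.16.0.0/16")
```

Call validate_plan on a plan and treat a non-empty result as a reason not to create the cluster; pod_ip_capacity reproduces the "Maximum number of pod IP addresses" column (65536 for the Flannel row, 8192 for the Terway row) and, for a multi-zone Terway plan, sums the pod vSwitch blocks of all zones. The functions only encode the rules written on this page; the ACK console may enforce further checks.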

CIDR block planning

  • One VPC and one ACK cluster

    The CIDR block of a VPC is specified when you create the VPC. When you create an ACK cluster in the VPC, make sure that the pod CIDR block and Service CIDR block do not overlap with the VPC CIDR block. This keeps network communication within the cluster working and prevents address conflicts with external VPCs.

  • One VPC and multiple ACK clusters

    In this scenario, multiple ACK clusters are created in a VPC.

    • The CIDR block of the VPC is specified when you create the VPC. When you create clusters in the VPC, make sure that the VPC CIDR block, Service CIDR block, and pod CIDR block of each cluster do not overlap with one another.

    • The Service CIDR blocks of the clusters can overlap with each other. However, the pod CIDR blocks cannot overlap with each other.

    • If your clusters use Flannel, the packets of pods must be forwarded by the VPC router. ACK automatically adds a route for each destination pod CIDR block to the route table of the VPC router.

    Note

    In this case, a pod in one cluster can communicate with the pods and ECS instances in another cluster. However, the pod cannot communicate with the Services in another cluster.

  • VPC peering

    If two VPCs are connected, you can use the route table of one VPC to specify the packets that you want to send to the other VPC. In the following figure, the CIDR block of VPC 1 is 192.168.0.0/16 and that of VPC 2 is 172.16.0.0/12. You can use the route table of VPC 1 to forward all packets that are destined for 172.16.0.0/12 to VPC 2.

    (Figure: route table)

    Table 3. VPC peering

    VPC | CIDR block | Destination CIDR block | Destination VPC
    --- | --- | --- | ---
    VPC 1 | 192.168.0.0/16 | 172.16.0.0/12 | VPC 2
    VPC 2 | 172.16.0.0/12 | 192.168.0.0/16 | VPC 1

    In this scenario, make sure that the following conditions are met when you create a cluster in VPC 1 or VPC 2:

    • The CIDR blocks of the cluster do not overlap with the CIDR block of VPC 1.

    • The CIDR blocks of the cluster do not overlap with the CIDR block of VPC 2.

    • The CIDR blocks of the cluster do not overlap with those of other clusters in VPC 1 and VPC 2.

    • The CIDR blocks of the cluster do not overlap with those of pods in VPC 1 and VPC 2.

    • The CIDR blocks of the cluster do not overlap with those of Services in VPC 1 and VPC 2.

    In this example, you can set the pod CIDR block of the cluster to a subset of 10.0.0.0/8.

    Note

    All IP addresses in the destination CIDR block of VPC 2 can be considered in use. Therefore, the CIDR blocks of the cluster cannot overlap with the destination CIDR block.

    To access pods in VPC 1 from VPC 2, you must configure a route in VPC 2. The route must point to the pod CIDR block of a cluster in VPC 1.

  • VPC-to-data center connection

    If a VPC is connected to a data center, packets destined for specific CIDR blocks are routed to the data center. In this case, the pod CIDR block of a cluster in the VPC cannot overlap with these CIDR blocks. To access pods in the VPC from the data center, you must configure a route in the data center that points to the pod CIDR block, over the VBR-to-VPC peering connection.
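The three multi-cluster scenarios above (several clusters in one VPC, VPC peering, and a VPC-to-data center connection) share one rule: every CIDR block that a VPC routes elsewhere counts as in use, pod CIDR blocks must be distinct within a VPC, and across peered VPCs neither pod nor Service CIDR blocks may overlap. The following added example (not Alibaba Cloud code; the Vpc and Cluster structures, the peers and routes_to fields and the function names are assumptions made here) checks a topology against those rules and lists the routes each VPC needs so that it can reach pods in a peered VPC, as the VPC peering note describes. A data-center connection is modelled the same way as a peer route: the data-center CIDR blocks go into routes_to. The sample topology uses the VPC CIDR blocks from Table 3 and pod CIDR blocks taken from 10.0.0.0/8 as the text suggests; the cluster names and blocks are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Vpc:
    """A VPC and what it routes away (this example's field names, not ACK's)."""
    name: str
    cidr: str
    peers: List[str] = field(default_factory=list)      # names of peered VPCs
    # Destination CIDR blocks this VPC routes to a peer VPC or a data center;
    # the page treats every address in them as already in use.
    routes_to: List[str] = field(default_factory=list)


@dataclass
class Cluster:
    name: str
    vpc: str            # name of the VPC the cluster is created in
    pod_cidr: str
    service_cidr: str


def _net(cidr):
    return ipaddress.ip_network(cidr)


def _peered(a: Vpc, b: Vpc) -> bool:
    return b.name in a.peers or a.name in b.peers


def check_topology(vpcs: List[Vpc], clusters: List[Cluster]) -> List[str]:
    """Return the violations found across all clusters; empty means the plan is consistent."""
    errors = []
    by_name = {v.name: v for v in vpcs}
    for i, c in enumerate(clusters):
        vpc = by_name[c.vpc]
        own = {"pod": _net(c.pod_cidr), "Service": _net(c.service_cidr)}

        # Blocks already taken from this cluster's point of view: its own VPC,
        # every block the VPC routes elsewhere, and the blocks of peered VPCs.
        reserved = [(vpc.name, _net(vpc.cidr))]
        reserved += [(f"{vpc.name} route destination", _net(r)) for r in vpc.routes_to]
        reserved += [(p.name, _net(p.cidr)) for p in vpcs if p is not vpc and _peered(vpc, p)]
        for kind, cidr in own.items():
            for label, taken in reserved:
                if cidr.overlaps(taken):
                    errors.append(f"{c.name}: {kind} CIDR {cidr} overlaps {label} {taken}")

        # Other clusters, each pair checked once. In the same VPC only pod blocks must
        # differ (Service blocks may repeat); in a peered VPC neither may overlap.
        for other in clusters[i + 1:]:
            theirs = {"pod": _net(other.pod_cidr), "Service": _net(other.service_cidr)}
            if other.vpc == c.vpc:
                pairs = [("pod", "pod")]
            elif _peered(vpc, by_name[other.vpc]):
                pairs = [(k1, k2) for k1 in own for k2 in theirs]
            else:
                continue
            for k1, k2 in pairs:
                if own[k1].overlaps(theirs[k2]):
                    errors.append(f"{c.name} {k1} CIDR {own[k1]} overlaps "
                                  f"{other.name} {k2} CIDR {theirs[k2]}")
    return errors


def peer_pod_routes(vpcs: List[Vpc], clusters: List[Cluster]) -> List[Tuple[str, str, str]]:
    """Routes each VPC needs to reach pods in peered VPCs: (vpc, destination pod CIDR, next-hop VPC)."""
    by_name = {v.name: v for v in vpcs}
    return [(v.name, c.pod_cidr, c.vpc)
            for v in vpcs for c in clusters
            if c.vpc != v.name and _peered(v, by_name[c.vpc])]


# Constructed sample topology using the VPC CIDR blocks from Table 3 on this page.
VPCS = [
    Vpc("vpc-1", "192.168.0.0/16", peers=["vpc-2"], routes_to=["172.16.0.0/12"]),
    Vpc("vpc-2", "172.16.0.0/12", peers=["vpc-1"], routes_to=["192.168.0.0/16"]),
]
CLUSTERS = [
    Cluster("cluster-a", "vpc-1", "10.0.0.0/16", "10.1.0.0/20"),
    Cluster("cluster-b", "vpc-1", "10.2.0.0/16", "10.1.0.0/20"),  # same Service CIDR as cluster-a: allowed in one VPC
    Cluster("cluster-c", "vpc-2", "10.3.0.0/16", "10.4.0.0/20"),
]
```

With the sample data check_topology returns no errors, and peer_pod_routes shows that vpc-1 needs one route (to cluster-c's pod block via vpc-2) while vpc-2 needs routes to both vpc-1 clusters' pod blocks. Adding a cluster in vpc-2 that reuses cluster-a's pod block, or one whose pod block falls inside 192.168.0.0/16, is reported as a violation.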