When you create a Container Service for Kubernetes (ACK) cluster, you must specify a virtual private cloud (VPC), vSwitches, the pod CIDR block, and Service CIDR block. Therefore, we recommend that you plan the CIDR block of Elastic Compute Service (ECS) instances, pod CIDR block, and Service CIDR block before you create the cluster. This topic describes how to plan CIDR blocks for an ACK cluster deployed in a VPC and how each CIDR block is used.
Relationship between VPC CIDR blocks and cluster CIDR blocks
Before you create a VPC, you must plan the CIDR block of the VPC and CIDR blocks of vSwitches in the VPC. Before you create an ACK cluster, you must plan the pod CIDR block and Service CIDR block. ACK supports Terway and Flannel plug-ins. The following figures show the network architectures of ACK clusters that use Terway and Flannel.
Usage notes
To install Terway or Flannel for your ACK cluster, you must specify the CIDR blocks for the related parameters. The following table describes how each parameter is used when you configure Terway or Flannel for your ACK cluster.
| Parameter | Terway | Flannel |
|---|---|---|
| VPC | When you create a VPC, you must select a CIDR block for the VPC. Valid values: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. IPv6 CIDR blocks are assigned by the VPC after you enable IPv6 for the VPC. If you want to enable IPv6 for containers, select Terway for the Network Plug-in parameter. | Same as Terway. |
| vSwitch | The vSwitches associated with ECS instances allow nodes to communicate with each other. The CIDR blocks of vSwitches in the VPC must be subsets of the VPC CIDR block. In other words, the CIDR blocks of vSwitches must be the same as or fall within the VPC CIDR block. When you specify the CIDR blocks of vSwitches, take note of the following items: | Same as Terway. |
| Pod vSwitch | The IP addresses of pods are assigned from the CIDR blocks of pod vSwitches. This allows pods to communicate with each other. Pod is an abstraction in ACK. Each pod has an IP address. The CIDR blocks that you specify when you create pod vSwitches in the VPC must be subsets of the VPC CIDR block. When you specify the CIDR blocks of pod vSwitches, take note of the following items: | You do not need to configure this parameter if your cluster uses Flannel. |
| Pod CIDR Block | You do not need to configure this parameter if your cluster uses Terway. | The IP addresses of pods are allocated from the pod CIDR block. This allows pods to communicate with each other. Pod is an abstraction in ACK. Each pod has an IP address. When you specify the pod CIDR block, take note of the following items: For example, if the VPC CIDR block is 172.16.0.0/12, the pod CIDR block cannot be 172.16.0.0/16 or 172.17.0.0/16 because these CIDR blocks are subsets of 172.16.0.0/12. |
| Service CIDR | The CIDR block of Services. Service is an abstraction in ACK. The IP addresses of ClusterIP Services are allocated from the Service CIDR block. Each ClusterIP Service has an IP address. | Same as Terway. |
| IPv6 Service CIDR | If you enable IPv6 dual-stack, you must specify an IPv6 CIDR block for Services. When you specify the IPv6 CIDR block, take note of the following items: | You do not need to configure this parameter if your cluster uses Flannel. |
Network planning
To use an ACK cluster that is deployed on Alibaba Cloud, you must first set up the network for the cluster based on the cluster size and business scenarios. You can use the following tables as a starting point for setting up networks for ACK clusters. Adjust the specifications based on your business requirements in specific scenarios.
Plan the network of a VPC
| Number of nodes | Scenario | VPC | Zone |
|---|---|---|---|
| < 100 | Regular business | Single VPC | 1 |
| Unlimited | Cross-zone deployment | Single VPC | ≥ 2 |
| Unlimited | High reliability and cross-region deployment | Multiple VPCs | ≥ 2 |
Plan CIDR blocks for clusters
The following tables describe how to plan CIDR blocks for clusters that use Flannel or Terway.
Clusters that use Flannel
| VPC CIDR block | vSwitch CIDR block | Pod CIDR block | Service CIDR block | Maximum number of pod IP addresses |
|---|---|---|---|---|
| 192.168.0.0/16 | 192.168.0.0/24 | 172.20.0.0/16 | 172.21.0.0/20 | 65536 |
Clusters that use Terway
Exclusive elastic network interface (ENI) mode, Data Path V2 mode, or IPVLAN mode
| VPC CIDR block | vSwitch CIDR block | Pod vSwitch CIDR block | Service CIDR block | Maximum number of pod IP addresses |
|---|---|---|---|---|
| 192.168.0.0/16 | 192.168.0.0/19 | 192.168.32.0/19 | 172.21.0.0/20 | 8192 |
Multi-zone deployment
| VPC CIDR block | Zone | vSwitch CIDR block | Pod vSwitch CIDR block | Service CIDR block | Maximum number of pod IP addresses |
|---|---|---|---|---|---|
| 192.168.0.0/16 | Zone I | 192.168.0.0/19 | 192.168.32.0/19 | 172.21.0.0/20 | 8192 |
| 192.168.0.0/16 | Zone J | 192.168.64.0/19 | 192.168.96.0/19 | 172.21.0.0/20 | 8192 |
CIDR block planning
One VPC and one ACK cluster
The CIDR block of a VPC is specified when you create the VPC. When you create an ACK cluster in the VPC, make sure that the pod CIDR block and Service CIDR block do not overlap with the VPC CIDR block. This ensures the network communication within the cluster and prevents conflicts with external VPCs.
One VPC and multiple ACK clusters
In this scenario, multiple ACK clusters are created in a VPC.
The CIDR block of the VPC is specified when you create the VPC. When you create clusters in the VPC, make sure that the VPC CIDR block, Service CIDR block, and pod CIDR block of each cluster do not overlap with one another.
The Service CIDR blocks of the clusters can overlap with each other. However, the pod CIDR blocks cannot overlap with each other.
If your clusters use Flannel, the packets of pods must be forwarded by the VPC router. ACK automatically generates a route table for each destination pod CIDR block on the VPC router.
Note: In this case, a pod in one cluster can communicate with the pods and ECS instances in another cluster. However, the pod cannot communicate with the Services in another cluster.
VPC peering
If two VPCs are connected, you can use the route table of one VPC to specify the packets that you want to send to the other VPC. In the following figure, the CIDR block of VPC 1 is 192.168.0.0/16 and that of VPC 2 is 172.16.0.0/12. You can use the route table of VPC 1 to forward all packets that are destined for 172.16.0.0/12 to VPC 2.
Table 3. VPC peering
| VPC | CIDR block | Destination CIDR block | Destination VPC |
|---|---|---|---|
| VPC 1 | 192.168.0.0/16 | 172.16.0.0/12 | VPC 2 |
| VPC 2 | 172.16.0.0/12 | 192.168.0.0/16 | VPC 1 |
In this scenario, make sure that the following conditions are met when you create a cluster in VPC 1 or VPC 2:
The CIDR blocks of the cluster do not overlap with the CIDR block of VPC 1.
The CIDR blocks of the cluster do not overlap with the CIDR block of VPC 2.
The CIDR blocks of the cluster do not overlap with those of other clusters in VPC 1 and VPC 2.
The CIDR blocks of the cluster do not overlap with those of pods in VPC 1 and VPC 2.
The CIDR blocks of the cluster do not overlap with those of Services in VPC 1 and VPC 2.
In this example, you can set the pod CIDR block of the cluster to a subset of 10.0.0.0/8.
Note: All IP addresses in the destination CIDR block of VPC 2 can be considered in use. Therefore, the CIDR blocks of the cluster cannot overlap with the destination CIDR block.
To access pods in VPC 1 from VPC 2, you must configure a route in VPC 2. The route must point to the pod CIDR block of a cluster in VPC 1.
VPC-to-data center connection
If a VPC is connected to a data center, packets destined for specific CIDR blocks are routed to the data center. In this case, the pod CIDR block of a cluster in the VPC cannot overlap with these CIDR blocks. To access pods in the VPC from the data center, you must configure a route in the data center to enable the virtual border router (VBR)-to-VPC peering connection.
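The overlap rules in the sections above (one VPC and one cluster, multiple clusters in one VPC, VPC peering, and VPC-to-data-center routes) are easy to get wrong by hand. The following checker is an added example, not part of this topic or of ACK itself; it uses Python's standard `ipaddress` module, and the `routed_elsewhere` parameter and the problem strings are this example's own naming. It also reports the pod IP capacity that the planning tables list.

```python
from ipaddress import ip_network


def pod_ip_capacity(cidr: str) -> int:
    """Pod IP addresses available from a pod CIDR block (Flannel) or pod vSwitch (Terway)."""
    return ip_network(cidr).num_addresses


def check_cluster_plan(vpc, vswitches, pod_cidr, service_cidr,
                       plugin="flannel", routed_elsewhere=()):
    """Return a list of planning violations; an empty list means the plan is valid.

    routed_elsewhere (hypothetical parameter): blocks this VPC already routes to other
    networks (a peer VPC's CIDR block and its destination blocks, data-center routes,
    pod CIDR blocks of other clusters in the same VPC). They count as addresses in use.
    """
    problems = []
    vpc_net = ip_network(vpc)
    pod_net = ip_network(pod_cidr)
    svc_net = ip_network(service_cidr)

    # Node vSwitches must be the same as or fall within the VPC CIDR block.
    for vs in vswitches:
        if not ip_network(vs).subnet_of(vpc_net):
            problems.append(f"vSwitch {vs} is not within VPC {vpc}")

    if plugin == "terway":
        # Terway: pod IPs come from a pod vSwitch, which must lie inside the VPC.
        if not pod_net.subnet_of(vpc_net):
            problems.append(f"pod vSwitch {pod_cidr} is not within VPC {vpc}")
    else:
        # Flannel: the pod CIDR block is routed by the VPC router, so it must not
        # overlap the VPC CIDR block (172.16.0.0/16 inside 172.16.0.0/12 is invalid).
        if pod_net.overlaps(vpc_net):
            problems.append(f"pod CIDR {pod_cidr} overlaps VPC {vpc}")

    # ClusterIP Service addresses must be distinct from both VPC and pod addresses.
    if svc_net.overlaps(vpc_net):
        problems.append(f"Service CIDR {service_cidr} overlaps VPC {vpc}")
    if svc_net.overlaps(pod_net):
        problems.append(f"Service CIDR {service_cidr} overlaps pod CIDR {pod_cidr}")

    # Anything already reachable through a route is effectively in use.
    for block in routed_elsewhere:
        other = ip_network(block)
        for label, net in (("pod CIDR", pod_net), ("Service CIDR", svc_net)):
            if net.overlaps(other):
                problems.append(f"{label} {net} overlaps routed block {block}")
    return problems
```

With the VPC peering example from Table 3, a Flannel cluster in VPC 1 fails the check if its pod CIDR block is taken from 172.16.0.0/12 and passes with a block from 10.0.0.0/8.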