Choosing pod networking use cases - Amazon EKS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Choosing pod networking use cases

The Amazon VPC CNI plugin provides networking for pods. The following table helps you understand which networking use cases you can use together and the capabilities and Amazon VPC CNI plugin settings that you can use with different Amazon EKS node types. All information in the table applies to Linux IPv4 nodes only.

Amazon EKS node type Amazon EC2 Fargate
Use case Individual IP addresses assigned to network interface IP address prefixes assigned to network interface Tutorial: Security groups for pods
Tutorial: Custom networking – Assign IP addresses from a different subnet than the node's subnet Yes Yes Yes Yes (subnets controlled through Fargate profile)
SNAT for pods Yes (default is false) Yes (default is false) Yes (true only) Yes (true only)
Capabilities
Security group scope Node Node Pod Pod
Amazon VPC subnet types Private and public Private and public Private only Private only
Network policy (Calico) Compatible Compatible

Compatible

Only with version 1.11.0 or later of the Amazon VPC add-on configured with POD_SECURITY_GROUP_ENFORCING_MODE=standard

 Not supported
Pod density per node Medium High Low One
Pod launch time Better Best Good Moderate
Amazon VPC CNI plugin settings (for more information about each setting, see amazon-vpc-cni-k8s on GitHub)
WARM_ENI_TARGET Yes Not applicable Not applicable Not applicable
WARM_IP_TARGET Yes Yes Not applicable Not applicable
MINIMUM_IP_TARGET Yes Yes Not applicable Not applicable
WARM_PREFIX_TARGET Not applicable Yes Not applicable Not applicable
Note

  • You can't use IPv6 with custom networking.

  • IPv6 addresses are not translated, so SNAT doesn't apply.

  • You can use Calico network policy with IPv6.

  • Traffic flow to and from pods with associated security groups are not subjected to Calico network policy enforcement and are limited to Amazon VPC security group enforcement only.

  • IP prefixes and IP addresses are associated with standard Amazon EC2 elastic network interfaces. Pods requiring specific security groups are assigned the primary IP address of a branch network interface. You can mix pods getting IP addresses, or IP addresses from IP prefixes with pods getting branch network interfaces on the same node.

Windows nodes

Each Windows node only supports one network interface and secondary IPv4 addresses for pods. As a result, you can't use IP address prefixes or IPv6 with Windows nodes. The maximum number of pods for each node is equal to the number of IP addresses that you can assign to each Elastic network interface, minus one. Calico network policies are supported on Windows. For more information, see Open Source Calico for Windows Containers on Amazon EKS. You can't use security groups for pods on Windows.