Choosing Pod networking use cases
The Amazon VPC CNI plugin for Kubernetes provides networking for Pods. The following table helps you understand which networking use cases you can use together and the capabilities and Amazon VPC CNI plugin for Kubernetes settings that you can use with different Amazon EKS node types. All information in the table applies to Linux IPv4 nodes only.
Amazon EKS node type | Amazon EC2 | Amazon EC2 | Amazon EC2 | Fargate |
---|---|---|---|---|
Use case | Individual IP addresses assigned to network interface | IP prefixes assigned to network interface | Security groups for Pods | |
Custom networking for Pods – Assign IP addresses from a different subnet than the node's subnet | Yes | Yes | Yes | Yes (subnets controlled through Fargate profile) |
SNAT for Pods | Yes (default is false) | Yes (default is false) | Yes (true only) | Yes (true only) |
Capabilities | | | | |
Security group scope | Node | Node | Pod (If you've set | Pod |
Amazon VPC subnet types | Private and public | Private and public | Private only | Private only |
Network policy (VPC CNI) | Compatible | Compatible | Compatible Only with version | Not supported |
Pod density per node | Medium | High | Low | One |
Pod launch time | Better | Best | Good | Moderate |
Amazon VPC CNI plugin settings (for more information about each setting, see amazon-vpc-cni-k8s | | | | |
WARM_ENI_TARGET | Yes | Not applicable | Not applicable | Not applicable |
WARM_IP_TARGET | Yes | Yes | Not applicable | Not applicable |
MINIMUM_IP_TARGET | Yes | Yes | Not applicable | Not applicable |
WARM_PREFIX_TARGET | Not applicable | Yes | Not applicable | Not applicable |
Note
- You can't use IPv6 with custom networking.
- IPv6 addresses are not translated, so SNAT doesn't apply.
- You can use Calico network policy with IPv6.
- Traffic to and from Pods with associated security groups is not subject to Calico network policy enforcement and is limited to Amazon VPC security group enforcement only.
- IP prefixes and IP addresses are associated with standard Amazon EC2 elastic network interfaces. Pods requiring specific security groups are assigned the primary IP address of a branch network interface. On the same node, you can mix Pods that get individual IP addresses or IP addresses from IP prefixes with Pods that get branch network interfaces.
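Because Pods with associated security groups fall outside Calico enforcement, it helps to know which Pods those are. The following is an added example, not part of the AWS documentation: it assumes the `SecurityGroupPolicy` resource shape (`podSelector`, `serviceAccountSelector`, `matchLabels`) used by security groups for Pods, which this page does not show, and it evaluates only `matchLabels` pod selectors, reporting other selector forms for manual review.

```python
# Constructed data shaped like the JSON returned by
#   kubectl get securitygrouppolicies -A -o json
#   kubectl get pods -A -o json
# All namespaces, names, labels and group IDs below are made up.
SGPS = {"items": [
    {"metadata": {"namespace": "payments", "name": "db-sg"},
     "spec": {"podSelector": {"matchLabels": {"role": "db"}},
              "securityGroups": {"groupIds": ["sg-EXAMPLE"]}}},
    {"metadata": {"namespace": "web", "name": "sa-sg"},
     "spec": {"serviceAccountSelector": {"matchLabels": {"team": "web"}},
              "securityGroups": {"groupIds": ["sg-EXAMPLE"]}}},
]}
PODS = {"items": [
    {"metadata": {"namespace": "payments", "name": "db-0",
                  "labels": {"role": "db", "tier": "data"}}},
    {"metadata": {"namespace": "payments", "name": "api-0",
                  "labels": {"role": "api"}}},
    # Same label as db-0 but a different namespace: policies are namespaced.
    {"metadata": {"namespace": "web", "name": "front-0",
                  "labels": {"role": "db"}}},
    {"metadata": {"namespace": "web", "name": "job-0"}},  # no labels at all
]}

def pods_outside_calico(sgps, pods):
    """Return (matched, unchecked).

    matched:   (namespace/pod, policy) pairs selected by podSelector.matchLabels
    unchecked: policies whose selector form this narrowed check cannot evaluate
    """
    matched, unchecked = set(), []
    for sgp in sgps["items"]:
        ns, name = sgp["metadata"]["namespace"], sgp["metadata"]["name"]
        spec = sgp.get("spec", {})
        sel = spec.get("podSelector")
        if sel is None or "matchExpressions" in sel or "serviceAccountSelector" in spec:
            unchecked.append(f"{ns}/{name}")  # do not silently skip
            continue
        want = sel.get("matchLabels") or {}   # empty selector selects every Pod
        for pod in pods["items"]:
            meta = pod["metadata"]
            labels = meta.get("labels") or {}
            if meta["namespace"] == ns and all(labels.get(k) == v for k, v in want.items()):
                matched.add((f"{ns}/{meta['name']}", name))
    return sorted(matched), sorted(unchecked)

if __name__ == "__main__":
    matched, unchecked = pods_outside_calico(SGPS, PODS)
    for pod, policy in matched:
        print(f"{pod}: selected by {policy}; VPC security group enforcement only")
    for policy in unchecked:
        print(f"{policy}: selector not evaluated here; review manually")
```

This is a policy-side view: it shows which Pods a policy selects, not whether a branch network interface was actually attached to each one.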
Windows nodes
Each node only supports one network interface. You can use secondary IPv4 addresses and IPv4 prefixes. By default, the number of available IPv4 addresses on the node is equal to the number of secondary IPv4 addresses that you can assign to each elastic network interface, minus one. However, you can increase the available IPv4 addresses and Pod density on the node by enabling IP prefixes. For more information, see Increase the amount of available IP addresses for your Amazon EC2 nodes.

Calico network policies are supported on Windows. For more information, see Open Source Calico for Windows Containers on Amazon EKS.