4. Network Connectivity
• How a service accesses the outside world
• How a service is accessed by other services
• IPAM (IP address management)
• Environments
• Bare metal
• Virtualization
• VM/Container
• Orchestrator
• OpenStack/K8s
22. Across-Node Accessibility
• Have to perform SNAT and DNAT for each flow direction.
• Container Cluster(Kubernetes)
• How does K8s solve it?
• CNI (Container Network Interface)
• Tunneling protocol
• VXLAN, IPIP
23. Tunneling
• IP over IP
• Encapsulate the original IP header with an additional IP header
• Inner IPv4
• Container to Container
• Outer IPv4
• Node to Node
28. AWS VPC CNI
• AWS VPC CNI
• AWS VPC
• CNI (Container Network Interface)
• Kubernetes uses it to set up network connectivity
• What are Kubernetes and CNI?
31. AWS VPC CNI
• Goals
• Support high throughput and availability, low latency
• Users must be able to express and enforce network policies and isolation
• Comparable to native EC2 networking and security groups.
32. AWS VPC CNI
• Goals
• Network operation must be simple and secure.
• Use VPC flow logs
• Apply VPC routing policies
• Pod networking should be set up in a matter of seconds
33. AWS VPC
[Diagram: VPC 10.2.0.0/16 with Subnet A 10.2.0.0/24; three EC2 instances (10.2.0.5, 10.2.0.6, 10.2.0.80) exchange network traffic over the underlay network]
34. AWS VPC and K8S
[Diagram: same VPC 10.2.0.0/16 and Subnet A 10.2.0.0/24; each EC2 instance (10.2.0.5, 10.2.0.6, 10.2.0.80) now hosts two Pods on top of the underlay network]
35. Other CNI (IP over IP)
[Diagram: same VPC and EC2 instances; Pods get overlay addresses 10.56.2.5, 10.56.2.15, 10.56.5.5, 10.56.5.48, 10.56.9.5, 10.56.9.25 from per-node pod subnets 10.56.2.0/24, 10.56.5.0/24, 10.56.9.0/24, which are separate from the underlay subnet 10.2.0.0/24]
36. Other CNI (IP over IP)
[Diagram: same overlay layout (pod subnets 10.56.2.0/24, 10.56.5.0/24, 10.56.9.0/24 on nodes 10.2.0.5, 10.2.0.6, 10.2.0.80); pod-to-pod traffic crosses the underlay as a node-to-node tunnel, 10.2.0.5 -> 10.2.0.80]
37. Other CNI (IP over IP)
[Diagram: same tunnelled flow 10.2.0.5 -> 10.2.0.80 between nodes carrying overlay pod subnets 10.56.2.0/24, 10.56.5.0/24, 10.56.9.0/24; annotated with the open questions "Security Group?" and "Visibility?", since the VPC only sees node addresses]
38. AWS VPC CNI
[Diagram: same VPC 10.2.0.0/16, Subnet A 10.2.0.0/24 and EC2 instances 10.2.0.5, 10.2.0.6, 10.2.0.80; Pods are addressed directly from the VPC subnet (10.2.0.26, 10.2.0.16, 10.2.0.53, 10.2.0.54, 10.2.0.82, 10.2.0.182) and pod traffic is routed natively, 10.2.0.20 -> 10.2.0.82]
39. AWS VPC CNI
[Diagram: same native flow 10.2.0.20 -> 10.2.0.82 between VPC-addressed Pods (10.2.0.26, 10.2.0.16, 10.2.0.53, 10.2.0.54, 10.2.0.82, 10.2.0.182); annotated "Security Group" and "Visibility", which now apply to pod traffic because it carries VPC addresses]
41. Implementation
• Currently
• Each EC2 instance can have multiple elastic network interfaces (ENI)
• ENI can have multiple IPv4/IPv6 addresses.
• EC2-VPC Fabric will deliver the packet to the instance
• The primary ENI IP address is automatically assigned to the interface
• All secondary addresses remain unassigned
• Host owner has to configure them
43. L-IPAMD
• Local IP Address Manager (L-IPAM)
• Small single binary on each host that maintains a warm pool of available secondary IP addresses.
44. L-IPAMD
• Maintaining the warm pool of available secondary IP addresses
• Number of IPs < threshold
• Create a new ENI and attach it to the instance
• Allocate all available IP addresses on this new ENI
• Wait for the IP addresses to be ready and then add them to the warm pool
• Number of IPs > threshold
• Detach an ENI and free it and its related IPs
45. CNI Plugin
• Get a secondary IP address assigned to the instance by L-IPAMD
• Set up the network device
• Host
• Pod(Sandbox)
• Set up the routing rules
• Host
• Pod
60. Limitation
• M: Number of ENI
• N: Number of IP address per ENI
• Ignore the primary address
• M*(N-1)
• t3.medium
• M=3, N=6
• 3*(6-1)=15
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
61. Limitation
• Final formula is
• M*(N-1) + 2
• Two Pods are deployed before the CNI
• L-IPAMD
• kube-proxy
• Both pods use the host network
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
62. Limitation
• Magic number 2
• Final formula is
• M*(N-1) + 2
• Two Pods are deployed before the CNI
• L-IPAMD
• kube-proxy
• Both pods use the host network
https://github.com/awslabs/amazon-eks-ami/blob/master/files/eni-max-pods.txt
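The warm-pool loop from the L-IPAMD slides and the M*(N-1)+2 limit from the limitation slides, as an added in-memory model that is not the amazon-vpc-cni-k8s code: ENIs are lists of addresses drawn from a constructed subnet instead of EC2 API calls, and warm_target stands in for the daemon's threshold.

```python
import ipaddress


class LocalIPAM:
    """In-memory model of the L-IPAMD warm pool (constructed example, not the real daemon)."""
    def __init__(self, subnet, max_eni, ips_per_eni, warm_target):
        self._hosts = ipaddress.ip_network(subnet).hosts()  # stands in for EC2 address allocation
        self.max_eni, self.ips_per_eni = max_eni, ips_per_eni  # M and N from the limitation slides
        self.warm_target = warm_target                         # warm-pool threshold (assumed)
        self.enis = []                                         # each ENI: list of N addresses
        self.assigned = {}                                     # pod name -> secondary IP
        self.attach_eni()                                      # the primary ENI exists at boot
        self.reconcile()

    def attach_eni(self):
        if len(self.enis) >= self.max_eni:
            return False                                       # instance-type ENI limit reached
        self.enis.append([str(next(self._hosts)) for _ in range(self.ips_per_eni)])
        return True

    def free_ips(self):
        # Index 0 of every ENI is its primary address and is never given to a pod (N-1 usable).
        used = set(self.assigned.values())
        return [ip for eni in self.enis for ip in eni[1:] if ip not in used]

    def reconcile(self):
        # Pool below threshold: attach another ENI and add all its secondaries.
        while len(self.free_ips()) < self.warm_target and self.attach_eni():
            pass
        # Pool above threshold: detach an idle non-primary ENI if the pool stays >= threshold.
        spare = len(self.free_ips()) - (self.ips_per_eni - 1)
        for eni in self.enis[1:]:
            if spare >= self.warm_target and not set(self.assigned.values()) & set(eni[1:]):
                self.enis.remove(eni)
                return

    def assign(self, pod):
        """CNI ADD: hand the pod sandbox one warm secondary IP, or None when exhausted."""
        pool = self.free_ips()
        if not pool:
            return None
        self.assigned[pod] = pool[0]
        self.reconcile()
        return pool[0]

    def release(self, pod):  # CNI DEL: return the pod's address to the warm pool
        self.assigned.pop(pod, None)
        self.reconcile()

    def max_pods(self):
        return self.max_eni * (self.ips_per_eni - 1) + 2  # slide 61: M*(N-1) + 2 host-network pods
```

With the t3.medium figures from the slides (M=3, N=6) the model hands out 15 pod addresses, returns None for the sixteenth, and detaches ENIs again as pods are released.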
64. Summary
• Two binaries have to be deployed (L-IPAMD, CNI binary)
• L-IPAMD is deployed by K8S DaemonSet
• With the help of AWS VPC CNI
• Reduce the number of SNAT/DNAT
• Better performance compared to Tunneling protocol
• Users are able to apply existing AWS VPC networking and security best practices to the k8s cluster.