Choosing Pod networking use cases - Amazon EKS

Choosing Pod networking use cases

The Amazon VPC CNI plugin for Kubernetes provides networking for Pods. The following table helps you understand which networking use cases you can use together and the capabilities and Amazon VPC CNI plugin for Kubernetes settings that you can use with different Amazon EKS node types. All information in the table applies to Linux IPv4 nodes only.

| | Amazon EC2: Individual IP addresses assigned to network interface | Amazon EC2: IP prefixes assigned to network interface | Amazon EC2: Security groups for Pods | Fargate |
|---|---|---|---|---|
| Use case | | | | |
| Custom networking for pods – Assign IP addresses from a different subnet than the node's subnet | Yes | Yes | Yes | Yes (subnets controlled through Fargate profile) |
| SNAT for Pods | Yes (default is false) | Yes (default is false) | Yes (true only) | Yes (true only) |
| Capabilities | | | | |
| Security group scope | Node | Node | Pod (If you've set POD_SECURITY_GROUP_ENFORCING_MODE=standard and AWS_VPC_K8S_CNI_EXTERNALSNAT=false, traffic destined for endpoints outside the VPC uses the node's security groups, not the Pod's security groups) | Pod |
| Amazon VPC subnet types | Private and public | Private and public | Private only | Private only |
| Network policy (VPC CNI) | Compatible | Compatible | Compatible (only with version 1.14.0 or later of the Amazon VPC CNI plugin) | Not supported |
| Pod density per node | Medium | High | Low | One |
| Pod launch time | Better | Best | Good | Moderate |
| Amazon VPC CNI plugin settings (for more information about each setting, see amazon-vpc-cni-k8s on GitHub) | | | | |
| WARM_ENI_TARGET | Yes | Not applicable | Not applicable | Not applicable |
| WARM_IP_TARGET | Yes | Yes | Not applicable | Not applicable |
| MINIMUM_IP_TARGET | Yes | Yes | Not applicable | Not applicable |
| WARM_PREFIX_TARGET | Not applicable | Yes | Not applicable | Not applicable |
Note
  • You can't use IPv6 with custom networking.

  • IPv6 addresses are not translated, so SNAT doesn't apply.

  • Traffic flowing to and from Pods with associated security groups is not subject to Calico network policy enforcement; it is limited to Amazon VPC security group enforcement only.

  • If you use Calico network policy enforcement, we recommend that you set the environment variable ANNOTATE_POD_IP to true to avoid a known issue with Kubernetes. To use this feature, you must add patch permission for pods to the aws-node ClusterRole. Note that adding patch permissions to the aws-node DaemonSet increases the security scope for the plugin. For more information, see ANNOTATE_POD_IP in the VPC CNI repo on GitHub.

  • IP prefixes and IP addresses are associated with standard Amazon EC2 elastic network interfaces. Pods requiring specific security groups are assigned the primary IP address of a branch network interface. You can mix Pods getting IP addresses, or IP addresses from IP prefixes with Pods getting branch network interfaces on the same node.
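As an added example that is not part of this page, the following script audits the aws-node DaemonSet environment against the settings table and the security group scope caveat above. It assumes the env list was exported with kubectl (for example `kubectl get ds aws-node -n kube-system -o jsonpath='{.spec.template.spec.containers[0].env}'`) and uses the ENABLE_POD_ENI and ENABLE_PREFIX_DELEGATION settings, which the page does not list, to tell the columns apart.

```python
import json

# Constructed sample of the aws-node container env, in the shape kubectl returns for
# -o jsonpath='{.spec.template.spec.containers[0].env}'
SAMPLE_ENV_JSON = """[
  {"name": "ENABLE_POD_ENI", "value": "true"},
  {"name": "POD_SECURITY_GROUP_ENFORCING_MODE", "value": "standard"},
  {"name": "AWS_VPC_K8S_CNI_EXTERNALSNAT", "value": "false"},
  {"name": "ENABLE_PREFIX_DELEGATION", "value": "false"},
  {"name": "WARM_ENI_TARGET", "value": "1"},
  {"name": "WARM_PREFIX_TARGET", "value": "1"}
]"""


def parse_env(env_json):
    """Turn the kubectl env list into a name -> value dict (valueFrom entries yield '')."""
    return {e["name"]: str(e.get("value", "")) for e in json.loads(env_json)}


def audit_cni_env(env):
    """Return (code, message) findings. ENABLE_POD_ENI and ENABLE_PREFIX_DELEGATION are
    assumed to be the switches for the 'security groups for Pods' and 'IP prefixes' columns."""
    findings = []
    sg_for_pods = env.get("ENABLE_POD_ENI", "false").lower() == "true"
    prefix_mode = env.get("ENABLE_PREFIX_DELEGATION", "false").lower() == "true"
    # The table gives false as the default for AWS_VPC_K8S_CNI_EXTERNALSNAT, so unset counts as false.
    external_snat = env.get("AWS_VPC_K8S_CNI_EXTERNALSNAT", "false").lower() == "true"
    enforcing_mode = env.get("POD_SECURITY_GROUP_ENFORCING_MODE", "").lower()

    # Security group scope caveat from the table: Pod SGs do not cover traffic leaving the VPC.
    if sg_for_pods and enforcing_mode == "standard" and not external_snat:
        findings.append(("SG_SCOPE_NODE_FALLBACK",
                         "Pod traffic to endpoints outside the VPC is evaluated against the node's "
                         "security groups, not the Pod's; confirm that matches the scope you rely on."))
    # Settings the table marks 'Not applicable' for the active IP assignment mode.
    if prefix_mode and "WARM_ENI_TARGET" in env:
        findings.append(("WARM_ENI_TARGET_NOT_APPLICABLE",
                         "WARM_ENI_TARGET has no effect with IP prefixes; use WARM_PREFIX_TARGET."))
    if not prefix_mode and "WARM_PREFIX_TARGET" in env:
        findings.append(("WARM_PREFIX_TARGET_NOT_APPLICABLE",
                         "WARM_PREFIX_TARGET has no effect with individual IP addresses."))
    return findings


if __name__ == "__main__":
    for code, msg in audit_cni_env(parse_env(SAMPLE_ENV_JSON)):
        print(f"{code}: {msg}")
```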

Windows nodes

Each node only supports one network interface. You can use secondary IPv4 addresses and IPv4 prefixes. By default, the number of available IPv4 addresses on the node is equal to the number of secondary IPv4 addresses that you can assign to each elastic network interface, minus one. However, you can increase the available IPv4 addresses and Pod density on the node by enabling IP prefixes. For more information, see Increase the amount of available IP addresses for your Amazon EC2 nodes.

Calico network policies are supported on Windows. You can't use security groups for Pods or custom networking on Windows.