Choosing pod networking use cases - Amazon EKS

Choosing pod networking use cases

The Amazon VPC CNI plugin provides networking for pods. The following table helps you understand which networking use cases you can use together and the capabilities and Amazon VPC CNI plugin settings that you can use with different Amazon EKS node types. All information in the table applies to Linux IPv4 nodes only.

| Amazon EKS node type | Amazon EC2 | Amazon EC2 | Amazon EC2 | Fargate |
|---|---|---|---|---|
| Use case | Individual IP addresses assigned to network interface | IP address prefixes assigned to network interface | Tutorial: Security groups for pods | |
| Tutorial: Custom networking – Assign IP addresses from a different subnet than the node's subnet | Yes | Yes | Yes | Yes (subnets controlled through Fargate profile) |
| SNAT for pods | Yes (default is false) | Yes (default is false) | Yes (true only) | Yes (true only) |
| Capabilities | | | | |
| Security group scope | Node | Node | Pod | Pod |
| Amazon VPC subnet types | Private and public | Private and public | Private only | Private only |
| Network policy (Calico) | Compatible | Compatible | Compatible. Only with version 1.11.0 or later of the Amazon VPC add-on configured with POD_SECURITY_GROUP_ENFORCING_MODE=standard | Not supported |
| Pod density per node | Medium | High | Low | One |
| Pod launch time | Better | Best | Good | Moderate |
| Amazon VPC CNI plugin settings (for more information about each setting, see amazon-vpc-cni-k8s on GitHub) | | | | |
| WARM_ENI_TARGET | Yes | Not applicable | Not applicable | Not applicable |
| WARM_IP_TARGET | Yes | Yes | Not applicable | Not applicable |
| MINIMUM_IP_TARGET | Yes | Yes | Not applicable | Not applicable |
| WARM_PREFIX_TARGET | Not applicable | Yes | Not applicable | Not applicable |

Note
  • You can't use IPv6 with custom networking.

  • IPv6 addresses are not translated, so SNAT doesn't apply.

  • You can use Calico network policy with IPv6.

  • Traffic flow to and from pods with associated security groups is not subjected to Calico network policy enforcement and is limited to Amazon VPC security group enforcement only.

  • IP prefixes and IP addresses are associated with standard Amazon EC2 elastic network interfaces. Pods requiring specific security groups are assigned the primary IP address of a branch network interface. On the same node, you can mix pods that get individual IP addresses, or IP addresses from IP prefixes, with pods that get branch network interfaces.
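
A check of the Network policy (Calico) condition in the table, added here as an example and not AWS's own code: it reads the aws-node DaemonSet JSON and reports when security groups for pods are enabled but the version 1.11.0 or POD_SECURITY_GROUP_ENFORCING_MODE=standard condition is not met. ENABLE_POD_ENI, the aws-node DaemonSet and container names, and the image tag format are assumptions taken from the amazon-vpc-cni-k8s project rather than from this page, and the sample manifest is constructed.

```python
import json
import re

# Constructed sample: trimmed output of
# `kubectl get daemonset aws-node -n kube-system -o json` (values are made up).
SAMPLE_DAEMONSET = json.loads("""
{"spec": {"template": {"spec": {"containers": [{
  "name": "aws-node",
  "image": "example.registry/amazon-k8s-cni:v1.10.4-eksbuild.1",
  "env": [
    {"name": "ENABLE_POD_ENI", "value": "true"},
    {"name": "WARM_ENI_TARGET", "value": "1"}
  ]}]}}}}
""")

MIN_VERSION = (1, 11, 0)  # from the table: "version 1.11.0 or later"


def parse_version(image):
    """Extract (major, minor, patch) from an image tag such as ':v1.10.4-eksbuild.1'."""
    match = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    if not match:
        raise ValueError(f"no version tag in image {image!r}")
    return tuple(int(part) for part in match.groups())


def calico_gap(daemonset):
    """Return reasons why Calico policy is not compatible with security groups for pods.

    An empty list means the feature is off or the table's condition is met.
    """
    container = next(c for c in daemonset["spec"]["template"]["spec"]["containers"]
                     if c["name"] == "aws-node")
    env = {e["name"]: e.get("value", "") for e in container.get("env", [])}
    # Assumption: ENABLE_POD_ENI=true is what turns on security groups for pods.
    if env.get("ENABLE_POD_ENI", "false").lower() != "true":
        return []
    reasons = []
    version = parse_version(container["image"])
    if version < MIN_VERSION:
        reasons.append("VPC CNI %d.%d.%d is older than 1.11.0" % version)
    mode = env.get("POD_SECURITY_GROUP_ENFORCING_MODE")
    if mode != "standard":
        reasons.append(f"POD_SECURITY_GROUP_ENFORCING_MODE is {mode or 'unset'}, not standard")
    return reasons


if __name__ == "__main__":
    for reason in calico_gap(SAMPLE_DAEMONSET):
        print("Calico policy gap for pods with security groups:", reason)
```
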

Windows nodes

Each Windows node supports only one network interface and secondary IPv4 addresses for pods. As a result, you can't use IP address prefixes or IPv6 with Windows nodes. The maximum number of pods for each node is equal to the number of IP addresses that you can assign to each elastic network interface, minus one. Calico network policies are supported on Windows. For more information, see Open Source Calico for Windows Containers on Amazon EKS. You can't use security groups for pods on Windows.