This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Networking
AWS container services take advantage of the native networking features of Amazon Virtual Private Cloud (Amazon VPC). This allows the hosts running your containers to be in different subnets, across Availability Zones, providing high availability.
Additionally, you can take advantage of VPC features like Network Access Control Lists (NACLs) and security groups to ensure that only the network traffic you want to allow enters or leaves your containers. For Amazon ECS, the main networking modes are the awsvpc network mode, which operates at the task level, and the traditional bridge network mode, which runs a built-in virtual network inside each Amazon EC2 instance. awsvpc is the only network mode available for AWS Fargate.
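The following Python script is an added example, not part of the whitepaper and not an AWS tool. It checks a constructed ECS task definition and a constructed set of security group ingress rules for the two properties described above: a Fargate task must use the awsvpc network mode, and the security group attached to an awsvpc task should admit only the traffic the service actually needs. The key names follow the ECS task definition and EC2 security group (IpPermissions) document formats; the task family, security group ID and CIDR values are placeholders.

```python
"""Pre-deployment checks for Amazon ECS task networking.

Added example, not code from the whitepaper or from AWS. The inputs are
constructed dictionaries shaped like an ECS task definition and the
IpPermissions list of an EC2 security group; the key names are the ones
those documents use, the values are made up for this example. The checks
encode two points from the text: Fargate tasks must use the awsvpc network
mode, and the security group of an awsvpc task should admit only the
traffic the service actually needs.
"""


def check_network_mode(task_def):
    """Return findings about the task definition's network mode."""
    findings = []
    mode = task_def.get("networkMode", "bridge")  # ECS on EC2 defaults to bridge
    compat = task_def.get("requiresCompatibilities", ["EC2"])
    if "FARGATE" in compat and mode != "awsvpc":
        findings.append(f"Fargate requires networkMode 'awsvpc', found '{mode}'")
    if mode == "bridge":
        # In bridge mode tasks share the instance's network interface, so a
        # fixed hostPort is governed by the instance security group, not by
        # a per-task security group as in awsvpc mode.
        for c in task_def.get("containerDefinitions", []):
            for pm in c.get("portMappings", []):
                if pm.get("hostPort") not in (None, 0):
                    findings.append(
                        f"container '{c['name']}' binds host port {pm['hostPort']} "
                        "on the EC2 instance; only the instance security group applies"
                    )
    return findings


def check_security_group(task_def, ip_permissions, allowed_sources):
    """Flag ingress rules broader than the task's container ports, or whose
    source (CIDR or security group ID) is not in allowed_sources."""
    findings = []
    container_ports = {
        pm["containerPort"]
        for c in task_def.get("containerDefinitions", [])
        for pm in c.get("portMappings", [])
    }
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto == "-1":  # "all traffic" rule: no port range at all
            findings.append("rule allows all protocols and ports")
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        if not set(range(lo, hi + 1)) <= container_ports:
            findings.append(
                f"rule opens {proto} {lo}-{hi}, but the task only exposes "
                f"{sorted(container_ports)}"
            )
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
        for src in sources:
            if src not in allowed_sources:
                findings.append(f"{proto} {lo}-{hi} is open to unapproved source {src}")
    return findings


# Constructed task definition: a Fargate web task exposing only port 8080.
TASK_DEF = {
    "family": "web",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "containerDefinitions": [
        {"name": "web", "portMappings": [{"containerPort": 8080, "protocol": "tcp"}]}
    ],
}

# Constructed ingress rules: one correct rule (8080 from the load balancer's
# security group) and one that should be caught (SSH from anywhere).
INGRESS_RULES = [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb-placeholder"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]
ALLOWED_SOURCES = {"sg-alb-placeholder", "10.0.0.0/16"}  # placeholder ID and CIDR


if __name__ == "__main__":
    for finding in check_network_mode(TASK_DEF) + check_security_group(
        TASK_DEF, INGRESS_RULES, ALLOWED_SOURCES
    ):
        print("FINDING:", finding)
```

Run against the constructed input, the task definition passes and the security group produces two findings, both for the SSH rule: port 22 is not a port the task exposes, and 0.0.0.0/0 is not an approved source. The same functions applied to a definition that requests Fargate with the bridge mode report the mode mismatch and any fixed host port binding.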
Amazon EKS uses the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes as its default native VPC networking, attaching network interfaces to Amazon EC2 worker nodes. The VPC CNI plugin places pods directly in the VPC: the pods in an Amazon EKS cluster receive IP addresses from the private IP ranges of your VPC. When the number of pods running on a node exceeds the number of addresses that can be assigned to a single network interface, the VPC CNI plugin allocates a new network interface, provided the instance has not already reached its maximum number of network interfaces. Using CNI custom networking, you can assign IP addresses from a different CIDR block than the subnet that the primary network interface is connected to. Amazon EKS also supports IPv6 networking. Because pod addresses are VPC addresses, the VPC CNI plugin lets you use VPC flow logs for troubleshooting and compliance auditing, and security groups for isolation and regulatory requirements.
VPC CNI also natively supports Kubernetes network policies, although you can also use third-party libraries such as Calico for this. This allows you to control network communication inside your Kubernetes cluster at a very granular level.
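To make the network policy model concrete, the following Python example evaluates the Kubernetes ingress semantics that both the VPC CNI network policy support and Calico enforce: a pod with no policy selecting it accepts all ingress, and once any policy selects it, traffic must match an explicit allow rule. This is an added illustration, not the whitepaper's code and not the VPC CNI or Calico implementation; it models a single namespace with matchLabels selectors, podSelector peers and TCP ports, and the tier labels and port numbers are constructed.

```python
"""Toy evaluator for Kubernetes NetworkPolicy ingress semantics.

Added illustration, not code from the whitepaper or from the VPC CNI /
Calico projects. It models a single namespace, matchLabels selectors, and
podSelector peers with optional TCP ports, which is enough to show the
"default deny, then allow explicitly" pattern used in a cluster.
"""


def labels_match(selector, labels):
    """A matchLabels selector matches when every key/value pair is present.
    An empty selector ({}) matches everything, as in Kubernetes."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies, src_labels, dst_labels, port):
    """Decide whether traffic from a pod with src_labels to a pod with
    dst_labels on TCP `port` is allowed by the given policies.

    Kubernetes rule: if no policy selects the destination pod, all ingress
    is allowed. Otherwise traffic must be allowed by at least one ingress
    rule of at least one selecting policy.
    """
    selecting = [
        p for p in policies
        if "Ingress" in p.get("policyTypes", ["Ingress"])
        and labels_match(p["podSelector"], dst_labels)
    ]
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy.get("ingress", []):
            peers = rule.get("from", [])
            ports = rule.get("ports", [])
            # An empty "from" matches all sources; an empty "ports" matches all ports.
            peer_ok = not peers or any(
                labels_match(peer["podSelector"], src_labels)
                for peer in peers if "podSelector" in peer
            )
            port_ok = not ports or any(
                p.get("port") == port and p.get("protocol", "TCP") == "TCP"
                for p in ports
            )
            if peer_ok and port_ok:
                return True
    return False


# Constructed policies: a namespace-wide default deny plus one explicit allow
# from the "web" tier to the "db" tier on port 5432 only.
DEFAULT_DENY = {
    "podSelector": {},              # selects every pod in the namespace
    "policyTypes": ["Ingress"],
    "ingress": [],                  # no rules => all ingress denied
}

ALLOW_WEB_TO_DB = {
    "podSelector": {"matchLabels": {"tier": "db"}},
    "policyTypes": ["Ingress"],
    "ingress": [
        {
            "from": [{"podSelector": {"matchLabels": {"tier": "web"}}}],
            "ports": [{"protocol": "TCP", "port": 5432}],
        }
    ],
}

POLICIES = [DEFAULT_DENY, ALLOW_WEB_TO_DB]


if __name__ == "__main__":
    cases = [
        ({"tier": "web"}, {"tier": "db"}, 5432),     # allowed by the explicit rule
        ({"tier": "web"}, {"tier": "db"}, 22),       # wrong port
        ({"tier": "batch"}, {"tier": "db"}, 5432),   # wrong source tier
        ({"tier": "web"}, {"tier": "cache"}, 6379),  # only default deny applies
    ]
    for src, dst, port in cases:
        verdict = "ALLOW" if ingress_allowed(POLICIES, src, dst, port) else "DENY"
        print(f"{src['tier']} -> {dst['tier']}:{port}  {verdict}")
```

The important design point is the default-deny policy with an empty podSelector: without it, the cache pod in the last case would accept traffic from anything in the namespace, because a pod that no policy selects is open by default.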
In addition, VPC CNI allows you to pre-warm elastic network interfaces (ENIs) and improve IP address assignment performance by modifying configurable parameters. For AWS Nitro
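As an added illustration of the allocation behaviour described in the two paragraphs above (it is not the whitepaper's code and not the VPC CNI plugin's implementation), the following Python simulation models secondary IP assignment to pods across ENIs, the attachment of a further ENI when the spare pool falls below the WARM_ENI_TARGET setting, and the point at which a node can no longer schedule pods. The instance limits are constructed for the example (3 ENIs and 6 IPv4 addresses per ENI, the published values for a t3.medium); the warming rule is a simplification of the plugin's logic.

```python
"""Simulation of how the Amazon VPC CNI plugin assigns VPC IP addresses to
pods on an Amazon EKS worker node.

Added example, not code from the whitepaper or from the VPC CNI plugin. The
instance limits (maximum ENIs, IPv4 addresses per ENI) are constructed for
the example. The rules approximate the plugin's documented behaviour: every
ENI keeps its primary address for the node, secondary addresses go to pods,
an extra ENI is attached when fewer than WARM_ENI_TARGET ENIs' worth of
addresses are spare (WARM_ENI_TARGET is a real plugin setting), and
scheduling stops once the instance's ENI limit is reached.
"""

from dataclasses import dataclass, field


@dataclass
class Eni:
    index: int
    ipv4_per_eni: int
    used: int = 0  # secondary addresses already handed to pods

    @property
    def free(self):
        # The primary address of every ENI belongs to the node, never to a pod.
        return (self.ipv4_per_eni - 1) - self.used


@dataclass
class Node:
    max_enis: int
    ipv4_per_eni: int
    warm_eni_target: int = 1
    enis: list = field(default_factory=list)
    pods: list = field(default_factory=list)

    def __post_init__(self):
        self.enis.append(Eni(0, self.ipv4_per_eni))  # primary ENI
        self._warm()

    def free_addresses(self):
        return sum(e.free for e in self.enis)

    def _warm(self):
        """Attach ENIs until warm_eni_target ENIs' worth of addresses are
        spare, or the instance limit is hit."""
        spare_needed = self.warm_eni_target * (self.ipv4_per_eni - 1)
        while self.free_addresses() < spare_needed and len(self.enis) < self.max_enis:
            self.enis.append(Eni(len(self.enis), self.ipv4_per_eni))

    def schedule_pod(self, name):
        """Give the pod a secondary IP from the first ENI with one free.
        Returns the ENI index, or None when the node is out of addresses."""
        for eni in self.enis:
            if eni.free > 0:
                eni.used += 1
                self.pods.append((name, eni.index))
                self._warm()
                return eni.index
        return None


def max_pods(max_enis, ipv4_per_eni):
    """Upper bound used by the EKS max-pods calculation: every ENI loses its
    primary address, plus 2 for host-networked system pods (aws-node, kube-proxy)."""
    return max_enis * (ipv4_per_eni - 1) + 2


if __name__ == "__main__":
    # Constructed limits: 3 ENIs, 6 IPv4 addresses per ENI (t3.medium values).
    node = Node(max_enis=3, ipv4_per_eni=6)
    print("max pods:", max_pods(3, 6))
    for i in range(16):
        eni = node.schedule_pod(f"pod-{i}")
        state = f"on ENI {eni}" if eni is not None else "UNSCHEDULABLE (no free VPC IP)"
        print(f"pod-{i}: {state}; ENIs attached: {len(node.enis)}")
```

With these limits the node holds 15 pod addresses (3 ENIs, 5 secondary addresses each), the second ENI is attached as soon as the first pod consumes an address, the third when the second ENI starts being used, and the sixteenth pod cannot be placed. Raising warm_eni_target attaches interfaces earlier at the cost of consuming subnet addresses sooner, which is the trade-off the configurable parameters expose.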
Amazon EKS and Amazon ECS can both be accessed over AWS PrivateLink. Using AWS PrivateLink ensures that calls to the Amazon ECS or Amazon EKS service stay within the Amazon network backbone and do not traverse the internet.
AWS container services like Amazon EKS and Amazon ECS now support IPv6, either in dual-stack or IPv6-only mode. Amazon EKS and AWS App Mesh support IPv6 in both dual-stack and IPv6-only mode, whereas services like Amazon ECS and Fargate support IPv6 through dual-stack mode for now. IPv6 adoption is growing, and customers using AWS container services can take advantage of this feature when running their workloads.
When you have your microservices deployed as containers, you want to establish service-to-service communication for exchanging information and implementing business flows. One way to achieve service-to-service communication is direct communication using service discovery. In this approach, you can use the AWS Cloud Map service discovery integration with Amazon ECS. Using service discovery, Amazon ECS synchronizes the list of launched tasks to AWS Cloud Map, which maintains a DNS hostname that resolves to the internal IP addresses of one or more tasks from that service. In Amazon EKS, this is handled internally by the CoreDNS component of the cluster. App Mesh is a service mesh that can help manage many services and give you better control of how traffic gets routed among them. App Mesh functions as an intermediary between basic service discovery and load balancing. For serving ingress traffic into your Amazon EKS clusters, you can use the AWS Load Balancer Controller to act as the ingress controller and to provision Application Load Balancers and Network Load Balancers.
Amazon ECS Service Connect is a feature in Amazon ECS that brings App Mesh-like capabilities in an integrated approach. Amazon ECS Service Connect provides service discovery, traffic resilience and observability out of the box for Amazon ECS-based containerized applications.
Amazon VPC Lattice is a recently launched application networking service and is ideal for connecting microservices that are distributed across a mix of Amazon EKS and Kubernetes, native Amazon EC2/ASG, and serverless environments (Lambda and Fargate). VPC Lattice is best suited to customers who prefer the automation of service discovery, traffic management, authentication, authorization, and observability across VPCs and accounts without having to deploy and operate sidecar-based service meshes, and who prefer not to require prior VPC networking experience when deploying their modern application architectures.