Monday, 4 August 2025

VPC CNI and Istio Overview

✅ VPC CNI Plugin (aws-node DaemonSet)

  • Purpose: Pod networking — assigns ENIs and IP addresses from your VPC subnets to pods.
  • Scope: Controls how pods communicate at the network layer (Layer 3/4).
  • Key Features:
    • Each pod gets a VPC IP — visible inside the VPC.
    • Native integration with AWS networking/security groups.
    • Enables Kubernetes services, DNS, etc.

✅ Istio (Service Mesh)

  • Purpose: Handles application-level traffic control (Layer 7).
  • Scope: Service-to-service communication inside your cluster.
  • Key Features:
    • mTLS encryption between services.
    • Traffic routing, retries, circuit breaking.
    • Observability: metrics, tracing, logging.
    • Policy enforcement.

🧠 Analogy

Layer | Role             | Tool    | Analogy
L3/L4 | IP, Ports        | VPC CNI | Road + Traffic lanes
L7    | HTTP, gRPC logic | Istio   | Traffic lights + Checkpoints

🧠 What is the VPC CNI Plugin?

The Amazon VPC CNI plugin (aws-node DaemonSet) allows EKS pods to receive native VPC IPs, letting them directly communicate within the VPC.

🔍 Key Features of the VPC CNI Plugin

Feature                  | Description
Pod IPs from VPC         | Assigned from the ENI's secondary IP pool in the VPC subnet.
Native VPC Routing       | No overlay network. Uses native AWS networking.
Security Groups for Pods | Different SGs per pod (via SG for Pods).
PrivateLink Compatible   | Pods communicate over VPC PrivateLink.
CloudWatch Metrics       | Export CNI metrics.

🧩 How It Works

  1. ENI Allocation: EC2 nodes get multiple ENIs with multiple IPs.
  2. aws-node DaemonSet: Allocates IPs by managing ENIs and assigning IPs to pods.
  3. Pods Get VPC IPs: No NAT, direct VPC communication.

📏 Default IP Allocation Strategy

Each EC2 type has ENI and IP limits. For m5.large:

  • 3 ENIs (1 primary + 2 secondary)
  • 10 IPv4 addresses per ENI
  • Max pods: (3 * 10) - 1 = 29

Look up the limits for every instance type with:

curl https://raw.githubusercontent.com/awslabs/amazon-eks-ami/master/files/eni-max-pods.txt

⚙️ Custom Networking Mode (Secondary CIDR)

  • Assign pod IPs from different subnets.
  • Helps with IP exhaustion or network segmentation.
  • Needs branch ENIs in custom subnets.

📉 Observability & Metrics

Enable metrics with Helm:

helm install aws-vpc-cni \
  --namespace kube-system \
  --set enableNetworkPolicy=true \
  --set env.ENABLE_PROMETHEUS=true \
  aws/aws-vpc-cni

Metrics exposed:

  • vpc_cni_ip_assigned
  • vpc_cni_ip_in_use
  • vpc_cni_eni_allocations_failed_total

⚠️ Common Issues

Problem              | Cause                   | Fix
Pods stuck in Pending| No IPs on ENIs          | Scale node group or increase ENIs/IPs
ENI allocation fails | Missing IAM permissions | Check policy for ec2:AssignPrivateIpAddresses
Pod IPs not released | CNI bug/misconfig       | Update CNI
IP Exhaustion        | No free IPs in subnet   | Use secondary CIDRs or split traffic

📘 Configuration Parameters

Variable                 | Description               | Example
WARM_IP_TARGET           | Free IPs to keep per node | 3
MAX_ENI                  | Max ENIs to allocate      | 4
ENABLE_POD_ENI           | Enable SGs for pods       | true
AWS_VPC_K8S_CNI_LOGLEVEL | Debug log level           | DEBUG

Check with:

kubectl -n kube-system describe daemonset aws-node

🔐 Security Groups for Pods (Advanced)

  • Needs prefix delegation or custom networking
  • Assign SGs per pod
  • Compatible with Calico network policies

✅ When to Use VPC CNI

Use Case                         | Use VPC CNI?
Need VPC-native networking       | ✅ Yes
Pods need access to RDS, S3, ELB | ✅ Yes
Using service mesh (e.g., Istio) | ✅ Use alongside
Large clusters with IP pressure  | ⚠️ Use custom networking
High-density, internal clusters  | ❌ Use Calico/Cilium

📐 EC2 ENI/IP Limits and Pod IP Assignment

  1. Check ENI & IP limits per instance type (e.g., m5.large)
  2. Max Pods = (ENIs * IPs per ENI) - 1 = 29
  3. Pod IPs are assigned from the subnet CIDR (e.g. 10.0.0.0/24)
  4. Example allocation:
     ENI Name       | IP Addresses
     eth0 (primary) | 10.0.1.10 to 10.0.1.19
     eni1           | 10.0.1.20 to 10.0.1.29
     eni2           | 10.0.1.30 to 10.0.1.39
  5. aws-node assigns IPs as secondary IPs on ENIs, directly usable by pods
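The five steps above, as an added Python model written for this post (it is not AWS or aws-node code): it computes max pods, carves one block per ENI out of the subnet the way the example table does, hands secondary IPs to pods, and shows what the "Pending" and "IP Exhaustion" rows of the Common Issues table look like when a node or a subnet runs dry. The starting address .10 and the contiguous block layout are assumptions taken from the example table; the second formula, ENIs * (IPs per ENI - 1) + 2, is the one EKS derives kubelet's max-pods from and also gives 29 for m5.large.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Eni:
    name: str
    primary_ip: str                                          # the ENI's own address, never given to a pod
    secondary_ips: list[str] = field(default_factory=list)   # pool aws-node hands out to pods

def max_pods_page_formula(enis: int, ips_per_eni: int) -> int:
    """Formula as written above: (ENIs * IPs per ENI) - 1 -> 29 for m5.large."""
    return enis * ips_per_eni - 1

def max_pods_eks_formula(enis: int, ips_per_eni: int) -> int:
    """Formula EKS derives kubelet's max-pods from: ENIs * (IPs per ENI - 1) + 2.
    Each ENI keeps its primary IP; +2 covers host-network pods (aws-node, kube-proxy)."""
    return enis * (ips_per_eni - 1) + 2

def attach_enis(subnet_cidr: str, enis: int, ips_per_eni: int, first_free: int = 10) -> list[Eni]:
    """Carve one contiguous block per ENI out of the subnet, as in the example table
    (eth0 gets .10-.19, eni1 .20-.29, ...). first_free=10 is an assumption from that table;
    AWS itself reserves the first four and the last address of every subnet.
    Stops early when the subnet has no room left: the 'IP Exhaustion' failure mode."""
    net = ipaddress.ip_network(subnet_cidr)
    usable = list(net)[first_free:net.num_addresses - 1]   # skip low addresses, drop broadcast
    attached, pos = [], 0
    for i in range(enis):
        block = usable[pos:pos + ips_per_eni]
        if len(block) < 2:   # not even primary + one secondary: assignment would fail
            break
        name = "eth0 (primary)" if i == 0 else f"eni{i}"
        attached.append(Eni(name, str(block[0]), [str(ip) for ip in block[1:]]))
        pos += len(block)
    return attached

def schedule_pods(enis: list[Eni], pods: int) -> tuple[list[str], int]:
    """Give each pod one secondary IP; return (assigned IPs, pods left without one).
    The leftover pods are the ones that sit in Pending on a node with no free IPs."""
    free = [ip for eni in enis for ip in eni.secondary_ips]
    assigned = free[:pods]
    return assigned, max(0, pods - len(assigned))

if __name__ == "__main__":
    node = attach_enis("10.0.1.0/24", enis=3, ips_per_eni=10)   # m5.large on a /24 (constructed input)
    for eni in node:
        print(f"{eni.name:15} primary {eni.primary_ip}  pods {eni.secondary_ips[0]}..{eni.secondary_ips[-1]}")
    ips, pending = schedule_pods(node, 30)
    print(f"max-pods {max_pods_eks_formula(3, 10)}, assigned {len(ips)}, pending {pending}")
    print(f"/27 subnet: only {len(attach_enis('10.0.1.0/27', 3, 10))} ENIs got addresses")
```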

📌 Important Notes

  • Pods per node limited by ENI/IP limits
  • Need more? Use larger instances or custom networking mode
  • Ensure VPC subnet has enough free IPs

Summary Table (m5.large)

Resource      | Count
ENIs per node | 3
IPs per ENI   | 10
Total IPs     | 30
Pods allowed  | 29
