|
| 1 | +--- |
| 2 | +title: Configure Azure CNI for static allocation of CIDR blocks - (Preview) |
| 3 | +titleSuffix: Azure Kubernetes Service |
| 4 | +description: Learn how to configure Azure CNI Networking for static allocation of CIDR blocks in Azure Kubernetes Service (AKS) |
| 5 | +author: asudbring |
| 6 | +ms.author: allensu |
| 7 | +ms.service: azure-kubernetes-service |
| 8 | +ms.subservice: aks-networking |
| 9 | +ms.topic: article |
| 10 | +ms.date: 03/18/2024 |
| 11 | +ms.custom: references_regions, devx-track-azurecli |
| 12 | +--- |
| 13 | + |
| 14 | +# Configure Azure CNI Networking for static allocation of CIDR blocks and enhanced subnet support in Azure Kubernetes Service (AKS) - (Preview) |
| 15 | + |
| 16 | +A limitation of [Azure CNI Dynamic IP Allocation](configure-azure-cni-dynamic-ip-allocation.md) is the scalability of the pod subnet size beyond a /16 subnet. Even with a large subnet, large clusters may still be limited to 65k pods due to an Azure address mapping limit. |
| 17 | +The new static block allocation capability in Azure CNI solves this problem by assigning CIDR blocks to Nodes rather than individual IPs. |
| 18 | + |
| 19 | +It offers the following benefits: |
| 20 | + |
| 21 | +- **Better IP Scalability**: CIDR blocks are statically allocated to the cluster nodes and are present for the lifetime of the node, as opposed to the traditional dynamic allocation of individual IPs with traditional CNI. This enables routing based on CIDR blocks and helps scale the cluster limit up to 1 million pods from the traditional 65K pods per cluster. Your Azure Virtual Network must be large enough to accommodate the scale of your cluster. |
| 22 | +- **Flexibility**: Node and pod subnets can be scaled independently. A single pod subnet can be shared across multiple node pools of a cluster or across multiple AKS clusters deployed in the same VNet. You can also configure a separate pod subnet for a node pool. |
| 23 | +- **High performance**: Since pods are assigned virtual network IPs, they have direct connectivity to other cluster pods and resources in the VNet. |
| 24 | +- **Separate VNet policies for pods**: Since pods have a separate subnet, you can configure separate VNet policies for them that are different from node policies. This enables many useful scenarios such as allowing internet connectivity only for pods and not for nodes, fixing the source IP for pod in a node pool using an Azure NAT Gateway, and using NSGs to filter traffic between node pools. |
| 25 | +- **Kubernetes network policies**: Cilium, Azure NPM, and Calico work with this new solution. |
| 26 | + |
| 27 | +This article shows you how to use Azure CNI Networking for static allocation of CIDRs and enhanced subnet support in AKS. |
| 28 | + |
| 29 | +## Prerequisites |
| 30 | + |
| 31 | +> [!NOTE] |
| 32 | +> When using static block allocation of CIDRs, exposing an application as a Private Link Service using a Kubernetes Load Balancer Service isn't supported. |
| 33 | +
|
| 34 | +- Review the [prerequisites][azure-cni-prereq] for configuring basic Azure CNI networking in AKS, as the same prerequisites apply to this article. |
| 35 | +- Review the [deployment parameters][azure-cni-deployment-parameters] for configuring basic Azure CNI networking in AKS, as the same parameters apply. |
| 36 | +- AKS Engine and DIY clusters aren't supported. |
| 37 | +- Azure CLI version `2.37.0` or later with extension aks-preview of version '2.0.0b2' or later |
| 38 | +- If you have an existing cluster, you need to enable Container Insights for monitoring IP subnet usage. You can enable Container Insights using the [`az aks enable-addons`][az-aks-enable-addons] command, as shown in the following example: |
| 39 | +- Register the subscription-level feature flag for your subscription: 'Microsoft.ContainerService/AzureVnetScalePreview' |
| 40 | + |
| 41 | + ```azurecli-interactive |
| 42 | + az aks enable-addons --addons monitoring --name <cluster-name> --resource-group <resource-group-name> |
| 43 | + ``` |
| 44 | +
|
| 45 | +## Limitations |
| 46 | +
|
| 47 | +Below are some of the limitations of using Azure CNI Static Block allocation: |
| 48 | +- Minimum Kubernetes Version required is 1.28 |
| 49 | +- Maximum subnet size supported is x.x.x.x/12 ~ 1 million IPs |
| 50 | +- Not supported for Windows node pools (Windows support coming soon) |
| 51 | +- Not supported for Cilium Data Plane (support coming soon) |
| 52 | +- Only a single mode of operation can be used per subnet. If a subnet uses Static Block allocation mode, it cannot be use Dynamic IP allocation mode in a different cluster or node pool with the same subnet and vice versa. |
| 53 | +- Only supported in new clusters or when adding node pools with a different subnet to existing clusters. Migrating or updating existing clusters or node pools is not supported. |
| 54 | +- Across all the CIDR blocks assigned to a node in the node pool, one IP will be selected as the primary IP of the node. Thus, for network administrators selecting the `--max-pods` value try to use the calculation below to best serve your needs and have optimal usage of IPs in the subnet: |
| 55 | +`max_pods` = (N * 16) - 1` |
| 56 | +where N is any positive integer and N > 0 |
| 57 | +
|
| 58 | +### Region availability |
| 59 | +
|
| 60 | +This feature is **_not_** available in the following regions: |
| 61 | +
|
| 62 | +- US South |
| 63 | +- East US 2 |
| 64 | +- West US |
| 65 | +- West US 2 |
| 66 | +
|
| 67 | +## Plan IP addressing |
| 68 | +
|
| 69 | +Planning your IP addressing is more flexible and granular. Since the nodes and pods scale independently, their address spaces can also be planned separately. Since pod subnets can be configured to the granularity of a node pool, you can always add a new subnet when you add a node pool. The system pods in a cluster/node pool also receive IPs from the pod subnet, so this behavior needs to be accounted for. |
| 70 | +
|
| 71 | +In this scenario, CIDR blocks of /28 (16 IPs) are allocated to nodes based on your '--max-pod' configuration for your node pool which defines the maximum number of pods per node. 1 IP is reserved on each node from all the available IPs on that node for internal purposes. |
| 72 | +
|
| 73 | +Thus while determining and planning your IPs it is essential to define your '--max-pods' configuration and it can be calculated best as below: |
| 74 | +`max_pods_per_node = (16 * N) - 1` |
| 75 | +where N is any positive integer greater than 0 |
| 76 | +
|
| 77 | +Ideal values with no IP wastage would require the max pods value to conform to the above expression. |
| 78 | +
|
| 79 | +**Example 1:** max_pods = 30, CIDR Blocks allocated per node = 2, Total IPs available for pods = (16 * 2) - 1 = 32 - 1 = 31, IP wastage per node = 31 - 30 = 1 **[Low wastage - Acceptable Case]** |
| 80 | +**Example 2:** max_pods = 31, CIDR Blocks allocated per node = 2, Total IPs available for pods = (16 * 2) - 1 = 32 - 1 = 31, IP wastage per node = 31 - 31 = 0 **[Ideal Case]** |
| 81 | +**Example 3:** max_pods = 32, CIDR Blocks allocated per node = 3, Total IPs available for pods = (16 * 3) - 1 = 48 - 1 = 47, IP wastage per node = 47 - 32 = 15 **[High Wastage - Not Recommended Case]** |
| 82 | +
|
| 83 | +The planning of IPs for Kubernetes services remain unchanged. |
| 84 | +
|
| 85 | +> [!NOTE] |
| 86 | +> Ensure your VNet has a sufficiently large and contiguous address space to support your cluster's scale. |
| 87 | +
|
| 88 | +## Deployment parameters |
| 89 | +
|
| 90 | +The [deployment parameters][azure-cni-deployment-parameters]for configuring basic Azure CNI networking in AKS are all valid, with two exceptions: |
| 91 | +
|
| 92 | +- The **vnet subnet id** parameter now refers to the subnet related to the cluster's nodes. |
| 93 | +- The parameter **pod subnet id** is used to specify the subnet whose IP addresses will be statically or dynamically allocated to pods in the node pool. |
| 94 | +- The **pod ip allocation mode** parameter specifies whether to use dynamic individual or static block allocation. |
| 95 | +
|
| 96 | +## Before you begin |
| 97 | +
|
| 98 | +- If using the Azure CLI, you need the `aks-preview` extension. See [Install the `aks-preview` Azure CLI extension](#install-the-aks-preview-azure-cli-extension). |
| 99 | +- If using ARM or the REST API, the AKS API version must be _2024-01-02-preview or later_. |
| 100 | +
|
| 101 | +### Install the `aks-preview` Azure CLI extension |
| 102 | +
|
| 103 | +1. Install the `aks-preview` extension using the [`az extension add`][az-extension-add] command. |
| 104 | +
|
| 105 | + ```azurecli-interactive |
| 106 | + az extension add --name aks-preview |
| 107 | + ``` |
| 108 | +
|
| 109 | +2. Update to the latest version of the extension using the [`az extension update`][az-extension-update] command. The extension should have a version of '2.0..0b2' or later |
| 110 | +
|
| 111 | + ```azurecli-interactive |
| 112 | + az extension update --name aks-preview |
| 113 | + ``` |
| 114 | +
|
| 115 | +### Register the `AzureVnetScalePreview` feature flag |
| 116 | +
|
| 117 | +1. Register the `AzureVnetScalePreview` feature flag using the [`az feature register`][az-feature-register] command. |
| 118 | +
|
| 119 | + ```azurecli-interactive |
| 120 | + az feature register --namespace "Microsoft.ContainerService" --name "AzureVnetScalePreview" |
| 121 | + ``` |
| 122 | +
|
| 123 | + It takes a few minutes for the status to show _Registered_. |
| 124 | +
|
| 125 | +2. Verify the registration status using the [`az feature show`][az-feature-show] command. |
| 126 | +
|
| 127 | + ```azurecli-interactive |
| 128 | + az feature show --namespace "Microsoft.ContainerService" --name "AzureVnetScalePreview" |
| 129 | + ``` |
| 130 | +
|
| 131 | +3. When the status reflects *Registered*, refresh the registration of the _Microsoft.ContainerService_ resource provider using the [`az provider register`][az-provider-register] command. |
| 132 | +
|
| 133 | + ```azurecli-interactive |
| 134 | + az provider register --namespace Microsoft.ContainerService |
| 135 | + ``` |
| 136 | +
|
| 137 | +## Configure networking with static allocation of CIDR blocks and enhanced subnet support - Azure CLI |
| 138 | +
|
| 139 | +Using static allocation of CIDR blocks in your cluster is similar to the default method for configuring a cluster Azure CNI for dynamic IP allocation. The following example walks through creating a new virtual network with a subnet for nodes and a subnet for pods and creating a cluster that uses Azure CNI with static allocation of CIDR blocks. Be sure to replace variables such as `$subscription` with your values. |
| 140 | +
|
| 141 | +Create the virtual network with two subnets. |
| 142 | +
|
| 143 | +```azurecli-interactive |
| 144 | +resourceGroup="myResourceGroup" |
| 145 | +vnet="myVirtualNetwork" |
| 146 | +location="myRegion" |
| 147 | +
|
| 148 | +# Create the resource group |
| 149 | +az group create --name $resourceGroup --location $location |
| 150 | +
|
| 151 | +# Create our two subnet network |
| 152 | +az network vnet create -resource-group $resourceGroup --location $location --name $vnet --address-prefixes 10.0.0.0/8 -o none |
| 153 | +az network vnet subnet create --resource-group $resourceGroup --vnet-name $vnet --name nodesubnet --address-prefixes 10.240.0.0/16 -o none |
| 154 | +az network vnet subnet create --resource-group $resourceGroup --vnet-name $vnet --name podsubnet --address-prefixes 10.40.0.0/13 -o none |
| 155 | +``` |
| 156 | + |
| 157 | +Create the cluster, referencing the node subnet using `--vnet-subnet-id`, the pod subnet using `--pod-subnet-id`, the `--pod-ip-allocation-mode` to define the ip allocation mode, and enable the monitoring add-on. |
| 158 | + |
| 159 | +```azurecli-interactive |
| 160 | +clusterName="myAKSCluster" |
| 161 | +subscription="aaaaaaa-aaaaa-aaaaaa-aaaa" |
| 162 | +
|
| 163 | +az aks create --name $clusterName --resource-group $resourceGroup --location $location \ |
| 164 | + --max-pods 250 \ |
| 165 | + --node-count 2 \ |
| 166 | + --network-plugin azure \ |
| 167 | + --pod-ip-allocation-mode StaticBlock \ |
| 168 | + --vnet-subnet-id /subscriptions/$subscription/resourceGroups/$resourceGroup/providers/Microsoft.Network/virtualNetworks/$vnet/subnets/nodesubnet \ |
| 169 | + --pod-subnet-id /subscriptions/$subscription/resourceGroups/$resourceGroup/providers/Microsoft.Network/virtualNetworks/$vnet/subnets/podsubnet \ |
| 170 | + --enable-addons monitoring \ |
| 171 | + --kubernetes-version 1.28 |
| 172 | +``` |
| 173 | + |
| 174 | +### Adding node pool |
| 175 | + |
| 176 | +When adding node pool, reference the node subnet using `--vnet-subnet-id`, the pod subnet using `--pod-subnet-id` and allocation mode using '--pod-ip-allocation-mode'. The following example creates two new subnets that are then referenced in the creation of a new node pool: |
| 177 | + |
| 178 | +```azurecli-interactive |
| 179 | +az network vnet subnet create -g $resourceGroup --vnet-name $vnet --name node2subnet --address-prefixes 10.242.0.0/16 -o none |
| 180 | +az network vnet subnet create -g $resourceGroup --vnet-name $vnet --name pod2subnet --address-prefixes 10.243.0.0/16 -o none |
| 181 | +
|
| 182 | +az aks nodepool add --cluster-name $clusterName -g $resourceGroup -n newnodepool \ |
| 183 | + --max-pods 250 \ |
| 184 | + --node-count 2 \ |
| 185 | + --vnet-subnet-id /subscriptions/$subscription/resourceGroups/$resourceGroup/providers/Microsoft.Network/virtualNetworks/$vnet/subnets/node2subnet \ |
| 186 | + --pod-subnet-id /subscriptions/$subscription/resourceGroups/$resourceGroup/providers/Microsoft.Network/virtualNetworks/$vnet/subnets/pod2subnet \ |
| 187 | + --pod-ip-allocation-mode StaticBlock \ |
| 188 | + --no-wait |
| 189 | +``` |
| 190 | + |
| 191 | +## Static allocation of CIDR blocks and enhanced subnet support FAQs |
| 192 | + |
| 193 | +- **Can I assign multiple pod subnets to a cluster?** |
| 194 | + |
| 195 | + Multiple subnets can be assigned to a cluster but only one subnet can be assigned to each node pool. Different node pools across the same/different cluster can share the same subnet. |
| 196 | + |
| 197 | +- **Can I assign Pod subnets from a different VNet altogether?** |
| 198 | + |
| 199 | + No, the pod subnet should be from the same VNet as the cluster. |
| 200 | + |
| 201 | +- **Can some node pools in a cluster use Dynamic IP allocation while others use the new Static Block allocation?** |
| 202 | + |
| 203 | +Yes, different node pools can use different allocation modes. However, once a subnet is used in one allocation mode it can only be used in the same allocation mode across all the node pools it is associated. |
| 204 | + |
| 205 | +## Next steps |
| 206 | + |
| 207 | +Learn more about networking in AKS in the following articles: |
| 208 | + |
| 209 | +- [Use a static IP address with the Azure Kubernetes Service (AKS) load balancer](static-ip.md) |
| 210 | +- [Use an internal load balancer with Azure Kubernetes Service (AKS)](internal-lb.md) |
| 211 | +- [Use the application routing addon in Azure Kubernetes Service (AKS)](app-routing.md) |
| 212 | + |
| 213 | +<!-- LINKS - External --> |
| 214 | +[github]: https://raw.githubusercontent.com/microsoft/Docker-Provider/ci_prod/kubernetes/container-azm-ms-agentconfig.yaml |
| 215 | + |
| 216 | +<!-- LINKS - Internal --> |
| 217 | +[azure-cni-prereq]: ./configure-azure-cni.md#prerequisites |
| 218 | +[azure-cni-deployment-parameters]: ./azure-cni-overview.md#deployment-parameters |
| 219 | +[az-aks-enable-addons]: /cli/azure/aks#az_aks_enable_addons |
0 commit comments