|
| 1 | +--- |
| 2 | +title: Azure CNI networking in Azure Kubernetes Service (AKS) overview |
| 3 | +description: Learn about the requirements and limitations of Azure CNI networking in Azure Kubernetes Service (AKS). |
| 4 | +author: asudbring |
| 5 | +ms.author: allensu |
| 6 | +ms.service: azure-kubernetes-service |
| 7 | +ms.subservice: aks-networking |
| 8 | +ms.topic: concept-article |
| 9 | +ms.date: 9/13/2023 |
| 10 | + |
| 11 | +#CustomerIntent: As a network administrator, I want learn about Azure CNI networking so that I can deploy Azure CNI networking in an AKS cluster. |
| 12 | +--- |
| 13 | + |
| 14 | +# Azure CNI networking in Azure Kubernetes Service (AKS) overview |
| 15 | + |
| 16 | +By default, AKS clusters use [kubenet][kubenet] and create a virtual network and subnet. With *kubenet*, nodes get an IP address from a virtual network subnet. Network address translation (NAT) is then configured on the nodes, and pods receive an IP address "hidden" behind the node IP. This approach reduces the number of IP addresses that you need to reserve in your network space for pods to use. |
| 17 | + |
| 18 | +With [Azure Container Networking Interface (CNI)][cni-networking], every pod gets an IP address from the subnet and can be accessed directly. Systems in the same virtual network as the AKS cluster see the pod IP as the source address for any traffic from the pod. Systems outside the AKS cluster virtual network see the node IP as the source address for any traffic from the pod. These IP addresses must be unique across your network space and must be planned in advance. Each node has a configuration parameter for the maximum number of pods that it supports. The equivalent number of IP addresses per node are then reserved up front for that node. This approach requires more planning, and often leads to IP address exhaustion or the need to rebuild clusters in a larger subnet as your application demands grow. |
| 19 | + |
| 20 | +## Prerequisites |
| 21 | + |
| 22 | +* The virtual network for the AKS cluster must allow outbound internet connectivity. |
| 23 | + |
| 24 | +* AKS clusters may not use `169.254.0.0/16`, `172.30.0.0/16`, `172.31.0.0/16`, or `192.0.2.0/24` for the Kubernetes service address range, pod address range, or cluster virtual network address range. |
| 25 | + |
| 26 | +* The cluster identity used by the AKS cluster must have at least [Network Contributor](../role-based-access-control/built-in-roles.md#network-contributor) permissions on the subnet within your virtual network. If you wish to define a [custom role](../role-based-access-control/custom-roles.md) instead of using the built-in Network Contributor role, the following permissions are required: |
| 27 | + |
| 28 | + * `Microsoft.Network/virtualNetworks/subnets/join/action` |
| 29 | + |
| 30 | + * `Microsoft.Network/virtualNetworks/subnets/read` |
| 31 | + |
| 32 | + * `Microsoft.Authorization/roleAssignments/write` |
| 33 | + |
| 34 | +* The subnet assigned to the AKS node pool can't be a [delegated subnet](../virtual-network/subnet-delegation-overview.md). |
| 35 | + |
| 36 | +* AKS doesn't apply Network Security Groups (NSGs) to its subnet and doesn't modify any of the NSGs associated with that subnet. If you provide your own subnet and add NSGs associated with that subnet, you must ensure the security rules in the NSGs allow traffic within the node CIDR range. For more information, see [Network security groups][aks-network-nsg]. |
| 37 | + |
| 38 | + |
| 39 | +## Plan IP addressing for your cluster |
| 40 | + |
| 41 | +Clusters configured with Azure CNI networking require extra planning. The size of your virtual network and its subnet must accommodate the number of pods you plan to run and the number of nodes for the cluster. |
| 42 | + |
| 43 | +IP addresses for the pods and the cluster's nodes are assigned from the specified subnet within the virtual network. Each node is configured with a primary IP address. Azure CNI preconfigures 30 extra IP addresses by default. These IP addresses are assigned to pods scheduled on the node. When you scale out your cluster, each node is similarly configured with IP addresses from the subnet. You can also view the [maximum pods per node](#maximum-pods-per-node). |
| 44 | + |
| 45 | +> [!IMPORTANT] |
| 46 | +> The number of IP addresses required should include considerations for upgrade and scaling operations. If you set the IP address range to only support a fixed number of nodes, you can't upgrade or scale your cluster. |
| 47 | +> |
| 48 | +> * When you **upgrade** your AKS cluster, a new node is deployed into the cluster. Services and workloads begin to run on the new node, and an older node is removed from the cluster. This rolling upgrade process requires a minimum of one additional block of IP addresses to be available. Your node count is then `n + 1`. |
| 49 | +> * This consideration is particularly important when you use Windows Server node pools. Windows Server nodes in AKS do not automatically apply Windows Updates, instead you perform an upgrade on the node pool. This upgrade deploys new nodes with the latest Window Server 2019 base node image and security patches. For more information on upgrading a Windows Server node pool, see [Upgrade a node pool in AKS][nodepool-upgrade]. |
| 50 | +> |
| 51 | +> * When you **scale** an AKS cluster, a new node is deployed into the cluster. Services and workloads begin to run on the new node. Your IP address range needs to take into considerations how you may want to scale up the number of nodes and pods your cluster can support. One additional node for upgrade operations should also be included. Your node count is then `n + number-of-additional-scaled-nodes-you-anticipate + 1`. |
| 52 | +
|
| 53 | +If you expect your nodes to run the maximum number of pods, and regularly destroy and deploy pods, you should also factor in some extra IP addresses per node. A few seconds may be required to delete a service and release its IP address for a new service to be deployed and acquire the address. These extra IP addresses consider this possibility. |
| 54 | + |
| 55 | +The IP address plan for an AKS cluster consists of a virtual network, at least one subnet for nodes and pods, and a Kubernetes service address range. |
| 56 | + |
| 57 | +| Address range / Azure resource | Limits and sizing | |
| 58 | +| --------- | ------------- | |
| 59 | +| Virtual network | The Azure virtual network can be as large as /8, but is limited to 65,536 configured IP addresses. Consider all your networking needs, including communicating with services in other virtual networks, before configuring your address space. For example, if you configure too large of an address space, you may run into issues with overlapping other address spaces within your network.| |
| 60 | +| Subnet | Must be large enough to accommodate the nodes, pods, and all Kubernetes and Azure resources that might be provisioned in your cluster. For example, if you deploy an internal Azure Load Balancer, its front-end IPs are allocated from the cluster subnet, not public IPs. The subnet size should also take into account upgrade operations or future scaling needs.<p/> To calculate the *minimum* subnet size including an extra node for upgrade operations: `(number of nodes + 1) + ((number of nodes + 1) * maximum pods per node that you configure)`<p/> Example for a 50 node cluster: `(51) + (51 * 30 (default)) = 1,581` (/21 or larger)<p/>Example for a 50 node cluster that also includes preparation to scale up an extra 10 nodes: `(61) + (61 * 30 (default)) = 1,891` (/21 or larger)<p>If you don't specify a maximum number of pods per node when you create your cluster, the maximum number of pods per node is set to *30*. The minimum number of IP addresses required is based on that value. If you calculate your minimum IP address requirements on a different maximum value, see [how to configure the maximum number of pods per node](#configure-maximum---new-clusters) to set this value when you deploy your cluster. | |
| 61 | +| Kubernetes service address range | Any network element on or connected to this virtual network must not use this range. Service address CIDR must be smaller than /12. You can reuse this range across different AKS clusters. | |
| 62 | +| Kubernetes DNS service IP address | IP address within the Kubernetes service address range that is used by cluster service discovery. Don't use the first IP address in your address range. The first address in your subnet range is used for the *kubernetes.default.svc.cluster.local* address. | |
| 63 | + |
| 64 | +## Maximum pods per node |
| 65 | + |
| 66 | +The maximum number of pods per node in an AKS cluster is 250. The *default* maximum number of pods per node varies between *kubenet* and *Azure CNI* networking, and the method of cluster deployment. |
| 67 | + |
| 68 | +| Deployment method | Kubenet default | Azure CNI default | Configurable at deployment | |
| 69 | +| --- | --- | --- | --- | |
| 70 | +| Azure CLI | 110 | 30 | Yes (up to 250) | |
| 71 | +| Resource Manager template | 110 | 30 | Yes (up to 250) | |
| 72 | +| Portal | 110 | 110 (configurable in the Node Pools tab) | Yes (up to 250) | |
| 73 | + |
| 74 | +### Configure maximum - new clusters |
| 75 | + |
| 76 | +You're able to configure the maximum number of pods per node at cluster deployment time or as you add new node pools. You can set the maximum pods per node value as high as 250. |
| 77 | + |
| 78 | +If you don't specify maxPods when creating new node pools, you receive a default value of 30 for Azure CNI. |
| 79 | + |
| 80 | +A minimum value for maximum pods per node is enforced to guarantee space for system pods critical to cluster health. The minimum value that can be set for maximum pods per node is 10 if and only if the configuration of each node pool has space for a minimum of 30 pods. For example, setting the maximum pods per node to the minimum of 10 requires each individual node pool to have a minimum of 3 nodes. This requirement applies for each new node pool created as well, so if 10 is defined as maximum pods per node each subsequent node pool added must have at least 3 nodes. |
| 81 | + |
| 82 | +| Networking | Minimum | Maximum | |
| 83 | +| --- | --- | --- | |
| 84 | +| Azure CNI | 10 | 250 | |
| 85 | +| Kubenet | 10 | 250 | |
| 86 | + |
| 87 | +> [!NOTE] |
| 88 | +> The minimum value in the previous table is strictly enforced by the AKS service. You can not set a maxPods value lower than the minimum shown as doing so can prevent the cluster from starting. |
| 89 | +
|
| 90 | +* **Azure CLI**: Specify the `--max-pods` argument when you deploy a cluster with the [`az aks create`][az-aks-create] command. The maximum value is 250. |
| 91 | +* **Resource Manager template**: Specify the `maxPods` property in the [ManagedClusterAgentPoolProfile] object when you deploy a cluster with a Resource Manager template. The maximum value is 250. |
| 92 | +* **Azure portal**: Change the `Max pods per node` field in the node pool settings when creating a cluster or adding a new node pool. |
| 93 | + |
| 94 | +### Configure maximum - existing clusters |
| 95 | + |
| 96 | +The maxPod per node setting can be defined when you create a new node pool. If you need to increase the maxPod per node setting on an existing cluster, add a new node pool with the new desired maxPod count. After migrating your pods to the new pool, delete the older pool. To delete any older pool in a cluster, ensure you're setting node pool modes as defined in the [system node pools document][system-node-pools]. |
| 97 | + |
| 98 | +## Deployment parameters |
| 99 | + |
| 100 | +When you create an AKS cluster, the following parameters are configurable for Azure CNI networking: |
| 101 | + |
| 102 | +**Virtual network**: The virtual network into which you want to deploy the Kubernetes cluster. If you want to create a new virtual network for your cluster, select *Create new* and follow the steps in the *Create virtual network* section. If you want to select an existing virtual network, make sure it's in the same location and Azure subscription as your Kubernetes cluster. For information about the limits and quotas for an Azure virtual network, see [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-resource-manager-virtual-networking-limits). |
| 103 | + |
| 104 | +**Subnet**: The subnet within the virtual network where you want to deploy the cluster. If you want to create a new subnet in the virtual network for your cluster, select *Create new* and follow the steps in the *Create subnet* section. For hybrid connectivity, the address range shouldn't overlap with any other virtual networks in your environment. |
| 105 | + |
| 106 | +**Azure Network Plugin**: When Azure network plugin is used, the internal LoadBalancer service with "externalTrafficPolicy=Local" can't be accessed from VMs with an IP in clusterCIDR that doesn't belong to AKS cluster. |
| 107 | + |
| 108 | +**Kubernetes service address range**: This parameter is the set of virtual IPs that Kubernetes assigns to internal [services][services] in your cluster. This range can't be updated after you create your cluster. You can use any private address range that satisfies the following requirements: |
| 109 | + |
| 110 | +* Must not be within the virtual network IP address range of your cluster |
| 111 | +* Must not overlap with any other virtual networks with which the cluster virtual network peers |
| 112 | +* Must not overlap with any on-premises IPs |
| 113 | +* Must not be within the ranges `169.254.0.0/16`, `172.30.0.0/16`, `172.31.0.0/16`, or `192.0.2.0/24` |
| 114 | + |
| 115 | +Although it's technically possible to specify a service address range within the same virtual network as your cluster, doing so isn't recommended. Unpredictable behavior can result if overlapping IP ranges are used. For more information, see the [FAQ](#frequently-asked-questions) section of this article. For more information on Kubernetes services, see [Services][services] in the Kubernetes documentation. |
| 116 | + |
| 117 | +**Kubernetes DNS service IP address**: The IP address for the cluster's DNS service. This address must be within the *Kubernetes service address range*. Don't use the first IP address in your address range. The first address in your subnet range is used for the *kubernetes.default.svc.cluster.local* address. |
| 118 | + |
| 119 | +## Frequently asked questions |
| 120 | + |
| 121 | +* **Can I deploy VMs in my cluster subnet?** |
| 122 | + |
| 123 | + Yes. |
| 124 | + |
| 125 | +* **What source IP do external systems see for traffic that originates in an Azure CNI-enabled pod?** |
| 126 | + |
| 127 | + Systems in the same virtual network as the AKS cluster see the pod IP as the source address for any traffic from the pod. Systems outside the AKS cluster virtual network see the node IP as the source address for any traffic from the pod. |
| 128 | + |
| 129 | +* **Can I configure per-pod network policies?** |
| 130 | + |
| 131 | + Yes, Kubernetes network policy is available in AKS. To get started, see [Secure traffic between pods by using network policies in AKS][network-policy]. |
| 132 | + |
| 133 | +* **Is the maximum number of pods deployable to a node configurable?** |
| 134 | + |
| 135 | + Yes, when you deploy a cluster with the Azure CLI or a Resource Manager template. See [Maximum pods per node](#maximum-pods-per-node). |
| 136 | + |
| 137 | + You can't change the maximum number of pods per node on an existing cluster. |
| 138 | + |
| 139 | +* **How do I configure additional properties for the subnet that I created during AKS cluster creation? For example, service endpoints.** |
| 140 | + |
| 141 | + The complete list of properties for the virtual network and subnets that you create during AKS cluster creation can be configured in the standard virtual network configuration page in the Azure portal. |
| 142 | + |
| 143 | +* **Can I use a different subnet within my cluster virtual network for the *Kubernetes service address range*?** |
| 144 | + |
| 145 | + It's not recommended, but this configuration is possible. The service address range is a set of virtual IPs (VIPs) that Kubernetes assigns to internal services in your cluster. Azure Networking has no visibility into the service IP range of the Kubernetes cluster. Due to the lack of visibility into the cluster's service address range, it's possible to later create a new subnet in the cluster virtual network that overlaps with the service address range. If such an overlap occurs, Kubernetes could assign a service an IP that's already in use by another resource in the subnet, causing unpredictable behavior or failures. By ensuring you use an address range outside the cluster's virtual network, you can avoid this overlap risk. |
| 146 | + |
| 147 | +## Next step |
| 148 | + |
| 149 | +> [!div class="nextstepaction"] |
| 150 | +> [Configure Azure CNI networking in Azure Kubernetes Service (AKS)](configure-azure-cni.md) |
| 151 | +
|
| 152 | +Learn more about networking in AKS in the following articles: |
| 153 | + |
| 154 | +* [Use a static IP address with the Azure Kubernetes Service (AKS) load balancer](static-ip.md) |
| 155 | + |
| 156 | +* [Use an internal load balancer with Azure Kubernetes Service (AKS)](internal-lb.md) |
| 157 | + |
| 158 | +* [Create a basic ingress controller with external network connectivity][aks-ingress-basic] |
| 159 | + |
| 160 | +* [Enable the HTTP application routing add-on][aks-http-app-routing] |
| 161 | + |
| 162 | +* [Create an ingress controller that uses an internal, private network and IP address][aks-ingress-internal] |
| 163 | + |
| 164 | +* [Create an ingress controller with a dynamic public IP and configure Let's Encrypt to automatically generate TLS certificates][aks-ingress-tls] |
| 165 | + |
| 166 | +* [Create an ingress controller with a static public IP and configure Let's Encrypt to automatically generate TLS certificates][aks-ingress-static-tls] |
| 167 | + |
| 168 | +<!-- IMAGES --> |
| 169 | +[advanced-networking-diagram-01]: ./media/networking-overview/advanced-networking-diagram-01.png |
| 170 | +[portal-01-networking-advanced]: ./media/networking-overview/portal-01-networking-advanced.png |
| 171 | + |
| 172 | +<!-- LINKS - External --> |
| 173 | +[services]: https://kubernetes.io/docs/concepts/services-networking/service/ |
| 174 | +[cni-networking]: https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md |
| 175 | +[kubenet]: concepts-network.md#kubenet-basic-networking |
| 176 | +[github]: https://raw.githubusercontent.com/microsoft/Docker-Provider/ci_prod/kubernetes/container-azm-ms-agentconfig.yaml |
| 177 | + |
| 178 | +<!-- LINKS - Internal --> |
| 179 | +[az-aks-create]: /cli/azure/aks#az_aks_create |
| 180 | +[aks-ssh]: ssh.md |
| 181 | +[ManagedClusterAgentPoolProfile]: /azure/templates/microsoft.containerservice/managedclusters#managedclusteragentpoolprofile-object |
| 182 | +[aks-network-concepts]: concepts-network.md |
| 183 | +[aks-network-nsg]: concepts-network.md#network-security-groups |
| 184 | +[aks-ingress-basic]: ingress-basic.md |
| 185 | +[aks-ingress-tls]: ingress-tls.md |
| 186 | +[aks-ingress-static-tls]: ingress-static-ip.md |
| 187 | +[aks-http-app-routing]: http-application-routing.md |
| 188 | +[aks-ingress-internal]: ingress-internal-ip.md |
| 189 | +[az-extension-add]: /cli/azure/extension#az_extension_add |
| 190 | +[az-extension-update]: /cli/azure/extension#az_extension_update |
| 191 | +[az-feature-register]: /cli/azure/feature#az_feature_register |
| 192 | +[az-feature-list]: /cli/azure/feature#az_feature_list |
| 193 | +[az-provider-register]: /cli/azure/provider#az_provider_register |
| 194 | +[network-policy]: use-network-policies.md |
| 195 | +[nodepool-upgrade]: manage-node-pools.md#upgrade-a-single-node-pool |
| 196 | +[network-comparisons]: concepts-network.md#compare-network-models |
| 197 | +[system-node-pools]: use-system-pools.md |
| 198 | +[prerequisites]: configure-azure-cni.md#prerequisites |
0 commit comments