CNI Custom Networking for Amazon EKS


Hello, and welcome to our session on CNI Custom Networking for Amazon EKS.
One of the main benefits of using containers is the ability to scale, but scaling also brings operational challenges, specifically on the networking side. By default, the Amazon VPC CNI attaches additional elastic network interfaces (ENIs) to each node and hands out pod IP addresses from the same subnet as the node's primary network interface.
This approach has two challenges:
- The node subnet holds a limited number of IP addresses, and as you keep scaling you will run into IP exhaustion.
- Security best practice (and many organizations' network policies) requires pods to use different subnets and security groups than the node's primary network interface, so that pod traffic can be filtered and routed separately from node traffic.
The solution to both is the custom networking capability of the Amazon VPC CNI for EKS. It lets you place pods in a dedicated private subnet, carved from a CIDR block separate from the node's primary network, with their own security groups.
In this video, we will demo how customers can use Rafay's Kubernetes Operations Platform to build Amazon EKS clusters with custom CNI networking enabled.
We start on the Clusters tab of the Rafay Operations console and create a new Amazon EKS cluster. Give it a name and continue, then pick the configuration options for your cluster.
Under the cluster settings you will find VPC and Subnets. Here you can either use Rafay's auto-create mechanism or pick your own existing VPC and subnets, which is what we will start with.
Now the most important step of the demo. Under CNI providers, select "aws-cni" and click "Customize AWS-CNI". Tick the "Enable Custom CNI" checkbox, which reveals two further options: "Auto-Create CNI" and "Use your existing CNI".
Since we picked "Use your own subnet/VPC" on the previous page, the matching choice here is "Use your existing CNI", which opens additional fields for the configuration values of your existing pod subnets.
For the purposes of this demo, let's instead see how the auto-create option works. In this scenario, Rafay creates the VPC resources and the pod subnets from the CIDR block you specify.
So, under the "Customize AWS-CNI" option, enable the custom CNI, select "Auto-Create CNI", and enter the desired custom CNI CIDR block. Hit "Save" and your cluster is ready to be provisioned.
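Whichever console you provision through, custom networking on the Amazon VPC CNI itself comes down to a few objects: one ENIConfig per availability zone naming the pod subnet and security groups, and two environment variables on the aws-node DaemonSet that switch the feature on and tell the CNI which node label selects the ENIConfig. The script below is an added example for readers who want to see those pieces directly; it is not code from the video, from Rafay or from AWS. The zone, subnet and security-group identifiers and the m5.large ENI figures used in it are placeholders. It also computes the max-pods value that changes under custom networking, because the primary ENI stays in the node subnet and no longer carries pod IPs.

```shell
#!/usr/bin/env sh
# Added example (not Rafay's or AWS's own code): the objects that custom
# networking on the Amazon VPC CNI consists of when set up by hand.
# All zone, subnet and security-group values below are placeholders.
set -eu

# One ENIConfig per availability zone. Its name must match the value of the
# node label named by ENI_CONFIG_LABEL_DEF (here topology.kubernetes.io/zone),
# so the CNI can pick the right pod subnet for each node automatically.
render_eniconfig() {
  az="$1"; subnet="$2"; sg="$3"
  cat <<EOF
apiVersion: crd.k8s.amazonaws.com/v1alpha1
kind: ENIConfig
metadata:
  name: ${az}
spec:
  subnet: ${subnet}
  securityGroups:
    - ${sg}
EOF
}

# Max pods per node as used by the EKS max-pods calculation:
#   default:            ENIs * (IPs per ENI - 1) + 2
#   custom networking: (ENIs - 1) * (IPs per ENI - 1) + 2
# With custom networking the primary ENI stays in the node subnet and is not
# used for pod IPs, so capacity drops and the kubelet max-pods must be lowered.
default_max_pods() {
  echo $(( $1 * ($2 - 1) + 2 ))
}
custom_networking_max_pods() {
  echo $(( ($1 - 1) * ($2 - 1) + 2 ))
}

# Enable custom networking on a live cluster. Needs kubectl and cluster-admin,
# so it only runs when this script is invoked with the argument "apply".
# Nodes that already exist keep their old pod subnet: they must be replaced
# (for example by rolling the node group) after this has been applied.
apply_custom_networking() {
  sg="$1"; shift
  kubectl set env daemonset aws-node -n kube-system \
    AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true \
    ENI_CONFIG_LABEL_DEF=topology.kubernetes.io/zone
  for pair in "$@"; do               # each pair looks like us-west-2a=subnet-0a1b
    render_eniconfig "${pair%%=*}" "${pair#*=}" "$sg" | kubectl apply -f -
  done
}

if [ "${1:-}" = "apply" ]; then
  apply_custom_networking sg-0c2d3e4f us-west-2a=subnet-0a1b us-west-2b=subnet-0c3d
else
  render_eniconfig us-west-2a subnet-0a1b sg-0c2d3e4f
  echo "m5.large (3 ENIs, 10 IPs each): default max-pods $(default_max_pods 3 10)," \
       "custom networking max-pods $(custom_networking_max_pods 3 10)"
fi
```

Run it without arguments to see the rendered ENIConfig and the max-pods figures (29 versus 20 for the placeholder m5.large numbers); run it with `apply` against a cluster you administer to push the configuration. The order matters in practice: set the environment variables and create the ENIConfigs first, then add or replace nodes, and launch those nodes with the lower max-pods value so the scheduler does not place more pods than the secondary ENIs can address.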
Once the cluster and its workloads are provisioned, let us switch to the AWS console to check the network properties of this cluster. Open the VPC configuration under the Networking tab of the EKS cluster and you will notice two CIDR blocks associated with the VPC, one of them being the custom CNI CIDR block you specified while creating the cluster.
Now switch back to the Rafay Ops console and launch a Zero Trust Kubectl command line to list all the pods running on this cluster. As the results show, the workload pods have IP addresses from the secondary custom CNI CIDR block. Pods that run with host networking, such as aws-node and kube-proxy, share the node's own address and are expected to show node-subnet IPs.
And that is how you leverage the Amazon EKS Custom CNI networking capability.
Thank you for watching.
