This topic describes networks supported by Alibaba Cloud Container Service for Kubernetes (ACK). Specifically, the interconnections supported within container networks, functions of container networks, infrastructures of container networks, the network plugin Terway, and network policies.

Interconnections within container networks

ACK provides stable and high-performance container networks by integrating Kubernetes networks and Alibaba Cloud Virtual Private Cloud (VPC) networks. The following features are supported within the interconnections of a container network:
  • Pods that can access each other in a Kubernetes cluster.
  • A pod that can access a service in a Kubernetes cluster.
  • An Elastic Compute Service (ECS) instance that can access a service.
  • A pod and an ECS instance that are mutually accessible in the same VPC, if a valid security group rule is set.

Functions of container networks


In Kubernetes, a service is an object, which is assigned with a fixed IP address. The service forwards its received traffic to the corresponding pods according to label selectors. In addition, services in Kubernetes can work as load balancers for pods.

Services in Kubernetes solve the troubles caused by the following issues:
  • Pods may be inaccessible because controllers in Kubernetes delete pods and then recreate new pods at any time.
  • The IP address of a pod cannot be obtained. A pod is assigned with an IP address only after the pod is started.
  • It is not feasible to access pods one by one because an application consists of a group of pods that run the same image.
For more information, see Create a service.


IP addresses of services and pods can only be accessed within a Kubernetes cluster. Any request outside a Kubernetes cluster must be forwarded by a load balancer to the NodePort that is exposed by the destination service on a node, and then kube-proxy forwards the request to the corresponding pod by using an edge router or deserts the request. An Ingress in Kubernetes is an object that provides routing rules for the requests that enter into a Kubernetes cluster.

An Ingress can be configured to provide services with externally-reachable URLs, load balance traffic, terminate SSL / TLS, HTTP routes, and more. To implement these Ingress rules, the cluster administrator must deploy an Ingress controller. The Ingress controller listens to the changes occurred to the Ingress and services, configures load balancer according to the Ingress rules, and provides access endpoints.

The Ingress function is implemented by the following parts:
  • Nginx: works as a load balancer to distribute requests to pods.
  • Ingress controller: obtains the IP address of the pod that corresponds to the service by accessing the cluster API server, and then adds the IP address to the configuration file of Nginx.
  • Ingress: creates a virtual machine for Nginx.

For more information, see Create an Ingress on the web UI.

Infrastructures of container networks

Infrastructures of container networks consist of VPCs and SLB instances.


Virtual Private Cloud (VPC) is a type of private network developed by Alibaba Cloud. Different VPCs are logically isolated from other virtual networks in Alibaba Cloud. In a VPC, you can create and manage instances of cloud resources, such as ECS instances (cloud servers), RDS instances (cloud databases), and SLB instances.

A VPC consists of a private CIDR block, a VRouter, and at least a VSwitch.


By setting a virtual service address, SLB virtualizes added ECS instances into an application service pool that has high performance and high availability, and distributes client requests to ECS instances in the server pool based on forwarding rules.

SLB also checks the health status of added backend servers, and automatically isolates abnormal ECS instances to eliminate Single Point of Failures (SPOFs), improving the overall service capability of your application. Additionally, working with Alibaba Anti-DDoS, SLB can defend DDoS attacks.

SLB consists of the following components:
  • SLB instances

    An SLB instance is a running load balancing service that distributes incoming traffic to backend servers. To use the SLB service, you must create an SLB instance, and then configure the instance with at least one listener and two backend servers.

  • Listeners

    A listener checks client requests and forwards the requests to backend servers according to the configured rules. It also performs health checks on backend servers.

  • Backend servers

    Backend servers are the ECS instances added to an SLB instance to process the distributed requests. You can add ECS instances to the default server group, a VServer group, or an active/standby server group for better management.

Network plugin Terway

Terway is a network plugin developed by ACK. It is fully compatible with the Flannel plugin.

The following are features of Terway:
  • Terway allocates Alibaba Cloud Elastic Network Interfaces (ENIs) to containers.
  • Terway defines the access policies between containers according to the Kubernetes network policies. It is compatible with the Calico network policies.

The container network supported by Terway shows higher communication performance because no VXLAN or any other tunnel technology is used to encapsulate packets. Specifically, in the container network that the Terway network plugin is installed, each pod in a Kubernetes cluster has a network stack and IP address. When pods that run on one ECS instance communicate with each other, packets are forwarded within the ECS instance. When pods that run on different ECS instance communicate with each other, packets are forwarded by a VRouter of the VPC where the Kubernetes cluster is located.

Network policy

A network policy is a specification of how pods are allowed to communicate with each other and other network endpoints.

In Kubernetes, the object used to configure a network policy is NetworkPolicy. It uses labels to select pods, and defines rules which specify what traffic is allowed to the selected pods. For more information, see Use a network policy.