Terway Edge provides underlay networks for containers, enabling direct communication through routers and switches — no tunnels or NAT required. This topic explains how to configure Terway Edge so that containers in edge data centers can communicate with each other and with workloads in the cloud VPC.
Three scenarios are covered:
-
Communication between edge containers — bidirectional traffic between on-cloud VPCs and on-premises data centers via Cloud Enterprise Network (CEN)
-
Communication between containers across LANs — containers on different local area networks (LANs) in the same domain, all managed by one ACK Edge cluster
-
Communication between containers across domains — containers in entirely separate network domains connected via Express Connect or CEN
How it works
The core requirement is a fully routed network: every pod CIDR must be reachable end-to-end across all nodes, whether on-cloud or on-premises. Without this, pod traffic stalls at the data center core switch because the switch has no routes for pod subnets.
Terway Edge meets this requirement by configuring Border Gateway Protocol (BGP) on cluster nodes. Designated nodes act as BGP speakers and advertise their pod subnets to the data center's core switch. The switch then forwards pod traffic to the correct node without NAT.
Prerequisites
Before you begin, make sure you have:
-
An ACK Edge cluster running Kubernetes 1.28 or later. See Create an ACK Edge cluster.
-
The Terway Edge network plug-in installed on the cluster. See Usage guide for Terway Edge.
-
A virtual private cloud (VPC), Cloud Enterprise Network (CEN), Virtual Border Router (VBR), and Express Connect circuits provisioned.
-
A Transit Router (TR) created in CEN to connect the VPC and the on-premises data center, with both the VBR and the VPC attached to the TR.
Billing
-
For Cloud Enterprise Network (CEN) billing, see Billing rules.
-
For Express Connect (leased line) billing, see Billing overview.
Communication between edge containers
Edge communication provides bidirectional connectivity between on-cloud workloads and edge devices. On-cloud resources include Elastic Compute Service (ECS) instances, Elastic Container Instance, and the managed control plane in the VPC. Edge resources include on-premises network devices and computing devices in the self-managed data center.
The following example uses these CIDR blocks:
| Component | CIDR block |
|---|---|
| On-cloud devices (VPC) | 192.168.0.0/16 |
| Edge data center hosts | 10.0.0.0/16 |
| Edge data center containers | 10.10.0.0/16 (configurable when creating the ACK Edge cluster) |
Step 1: Configure the uplink route (edge data center to on-cloud VPC)
-
On the data center core switch, set the next hop for the VPC CIDR block (
192.168.0.0/16) to the VBR.If an additional switch or border gateway sits at a higher level, configure routing rules there as well so that packets destined for
192.168.0.0/16are forwarded directly to the VBR via Express Connect circuits. -
On the VBR, set the next hop for the VPC CIDR block (
192.168.0.0/16) to the TR. -
In the TR route table, set the next hop for the VPC CIDR block (
192.168.0.0/16) to the on-cloud VPC.
Step 2: Configure the downlink route (on-cloud VPC to edge data center)
-
In the VPC route table, set the next hop for the data center host CIDR block (
10.0.0.0/16) and the container CIDR block (10.10.0.0/16) to the TR. -
In the TR route table, set the next hop for
10.0.0.0/16and10.10.0.0/16to the VBR. -
On the VBR, set the next hop for
10.0.0.0/16and10.10.0.0/16to the data center core switch. Traffic is carried over Express Connect circuits.
Step 3: Configure BGP advertised routes for cluster nodes
After configuring the uplink and downlink routes, the VPC and data center hosts can communicate. However, container traffic cannot yet traverse the data center: the core switch has no routes for pod subnets. Fix this by creating a BGPPeer resource that designates specific nodes as BGP speakers to advertise pod routes to the switch.
Before writing the YAML, collect the following values from your network administrator:
| Field | What to collect |
|---|---|
localAsNumber |
The autonomous system number (ASN) assigned to your container network domain |
peerIP |
The IP address of the data center core switch |
peerAsNumber |
The ASN assigned to the switch's autonomous system |
In this example, Node-1, Node-2, and Node-3 act as BGP speakers and announce pod routes for all nodes attached to the core switch. All nodes belonging to this switch carry the label ASN=65010.
apiVersion: network.openyurt.io/v1alpha1
kind: BGPPeer
metadata:
name: peer
spec:
localSpeakers:
- Node-1
- Node-2
- Node-3
localAsNumber: 65010 # ASN of the container network's self-managed domain
peerIP: 10.0.0.1 # IP address of the core switch
peerAsNumber: 65001 # ASN of the switch's self-managed domain
nodeSelector: ASN=65010 # Selects all nodes with this labelDesignate at least three nodes as BGP speakers. This ensures high availability and keeps BGP sessions alive during add-on upgrades, preventing pod routes from aging out and causing network disruptions.
Step 4: Configure the switch to accept BGP routes
-
Enable BGP on your network device. Follow the configuration commands specific to your device model.
-
Configure
Node-1,Node-2, andNode-3as BGP peers on the switch. After configuration, verify that the BGP sessions are established.ImportantConfigure BGP graceful restart with a restart timer of at least 300 seconds. This preserves routing information and prevents network interruptions if a BGP session drops unexpectedly.
Step 5: Verify connectivity
On the data center core switch, check the BGP session status and inspect the routing table. Confirm that:
-
The BGP session with each speaker node shows an Established state.
-
Routes to the pod subnets appear in the routing table. For example, a route to
10.10.0.0/24should point to the corresponding node's IP (10.0.0.10) as the next hop.
The exact commands vary by switch vendor. Refer to your device documentation for the BGP neighbor status and routing table inspection commands.
Communication between containers across LANs
If your data center spans multiple local area networks (LANs) in the same domain, connect all devices to a single ACK Edge cluster for centralized management.
Containers on the same node communicate through the host network stack. For containers on different nodes, Terway Edge routes traffic based on LAN membership:
| Node relationship | Routing behavior |
|---|---|
| Same LAN (same ASN) | Next hop is the peer node's IP address (Layer 2) |
| Different LANs (different ASNs) | Default route of the host, pointing to the switch address (Layer 3) |
Two nodes on the same LAN
When both nodes are on the same LAN, they communicate over the Layer 2 network. For example, pods on Node-1 send packets directly to Node-2 through the Layer 2 network, which then delivers them into pods via the Node-2 host network stack.
Two nodes on different LANs
When nodes are on different LANs, Layer 2 connectivity does not exist between them. Use Layer 3 forwarding via BGP sessions to ensure connectivity.
The following example shows pods on Node-1 (LAN A) reaching pods on Node-5 (LAN B).
Before writing the YAML, collect the following values for each LAN:
| Field | LAN A | LAN B |
|---|---|---|
localAsNumber |
ASN of LAN A container network | ASN of LAN B container network |
peerIP |
IP address of Switch A | IP address of Switch B |
peerAsNumber |
ASN of Switch A | ASN of Switch B |
-
Establish a BGP session between
Node-1andSwitch Ato advertise container routes in LAN A toSwitch A:apiVersion: network.openyurt.io/v1alpha1 kind: BGPPeer metadata: name: peer-a spec: localSpeakers: - Node-1 localAsNumber: 65010 # ASN of LAN A container network peerIP: 10.0.10.1 # IP address of Switch A peerAsNumber: 65002 # ASN of Switch A nodeSelector: ASN=65010 # Selects all nodes with this label -
Establish a BGP session between
Node-5andSwitch Bto advertise container routes in LAN B toSwitch B:apiVersion: network.openyurt.io/v1alpha1 kind: BGPPeer metadata: name: peer-b spec: localSpeakers: - Node-5 localAsNumber: 65020 # ASN of LAN B container network peerIP: 10.0.20.1 # IP address of Switch B peerAsNumber: 65003 # ASN of Switch B nodeSelector: ASN=65020 # Selects all nodes with this label -
Establish a BGP session between
Switch AandSwitch Bso each switch learns the other's container routes. After this configuration, packet paths are:-
Sending:
Node-1→Switch A→Switch B→Node-5 -
Receiving:
Node-5→Switch B→Switch A→Node-1
-
-
(Optional) If a core switch connects the on-cloud VPC hosts and containers, establish BGP sessions between
Switch AandCore Switch, and betweenSwitch BandCore Switch.
Communication between containers across domains
The following example connects data centers in two separate network domains to ACK Edge clusters.
-
Create a BGP session to advertise container routes from network domain A to
Switch A:apiVersion: network.openyurt.io/v1alpha1 kind: BGPPeer metadata: name: peer-a spec: localSpeakers: - Node-1 localAsNumber: 65010 # ASN of domain A container network peerIP: 10.0.10.1 # IP address of Switch A peerAsNumber: 65001 # ASN of Switch A nodeSelector: ASN=65010 # Selects all nodes with this label -
Create a BGP session to advertise container routes from network domain B to
Switch B:apiVersion: network.openyurt.io/v1alpha1 kind: BGPPeer metadata: name: peer-b spec: localSpeakers: - Node-5 localAsNumber: 65020 # ASN of domain B container network peerIP: 10.0.20.1 # IP address of Switch B peerAsNumber: 65002 # ASN of Switch B nodeSelector: ASN=65020 # Selects all nodes with this label -
Connect the two data centers based on your network setup:
-
With Express Connect circuits between the data centers: Establish a BGP session between
Switch AandSwitch Bto advertise container routes of each domain to the other. -
Without Express Connect circuits: Establish BGP between
Switch Aand the VBR, and betweenSwitch Band the VBR. The VBRs then forward cross-domain traffic.
-