ACK Edge clusters use Flannel as the default Container Network Interface (CNI) plugin, with VXLAN mode enabled. This page explains how Flannel allocates pod IP addresses, the networking constraints for each connection type, and how to configure an on-cloud proxy node for API server access to edge workloads.
How Flannel allocates pod IPs
Flannel ensures the pod CIDR block does not overlap with the virtual private cloud (VPC) CIDR block. The pod CIDR block is evenly divided and assigned to each node. Each pod on a node receives an IP address from that node's CIDR block. The total number of assignable pod IP addresses depends on the mask of the pod CIDR block.
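To make the allocation rule concrete, the following added example (not part of the ACK Edge documentation or of Flannel itself) checks a pod CIDR against a VPC CIDR for overlap, divides it evenly into one subnet per node, and reports how many nodes and pod IPs a given mask yields. The CIDR values are constructed, and the per-node count assumes the network, broadcast and bridge-gateway addresses are not assignable to pods.

```python
import ipaddress
from typing import List, Tuple


def plan_pod_subnets(pod_cidr: str, vpc_cidr: str, node_prefix: int,
                     node_count: int) -> Tuple[List[ipaddress.IPv4Network], int]:
    """Split pod_cidr evenly into one /node_prefix subnet per node.

    Returns (subnets handed to the first node_count nodes, assignable pod
    IPs per node). Raises ValueError when the block overlaps the VPC CIDR
    or cannot hold node_count subnets.
    """
    pod_net = ipaddress.ip_network(pod_cidr, strict=True)
    vpc_net = ipaddress.ip_network(vpc_cidr, strict=True)
    # Flannel requires the pod block and the VPC block to be disjoint.
    if pod_net.overlaps(vpc_net):
        raise ValueError(f"pod CIDR {pod_net} overlaps VPC CIDR {vpc_net}")
    if node_prefix <= pod_net.prefixlen:
        raise ValueError("node prefix must be longer than the pod CIDR prefix")
    # Even division: the block holds 2**(node_prefix - pod prefix) slices.
    capacity = 2 ** (node_prefix - pod_net.prefixlen)
    if node_count > capacity:
        raise ValueError(f"{pod_net} holds only {capacity} /{node_prefix} "
                         f"node subnets, {node_count} requested")
    subnets = list(pod_net.subnets(new_prefix=node_prefix))[:node_count]
    # Assumption for this example: the network address, broadcast address
    # and the node's CNI bridge gateway address are not assignable to pods.
    pods_per_node = subnets[0].num_addresses - 3
    return subnets, pods_per_node


def max_nodes(pod_cidr: str, node_prefix: int) -> int:
    """Number of nodes a pod CIDR can serve at the given per-node prefix."""
    pod_net = ipaddress.ip_network(pod_cidr, strict=True)
    return 2 ** (node_prefix - pod_net.prefixlen)


if __name__ == "__main__":
    # Constructed values: a /16 pod block split into /24 per-node slices,
    # checked against a VPC block it must not overlap.
    nets, per_node = plan_pod_subnets("10.244.0.0/16", "172.16.0.0/12", 24, 3)
    for n in nets:
        print(f"node subnet {n}: {per_node} assignable pod IPs")
    print("max nodes at /24:", max_nodes("10.244.0.0/16", 24))
    try:
        plan_pod_subnets("172.16.5.0/24", "172.16.0.0/12", 26, 2)
    except ValueError as err:
        print("rejected:", err)
```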
Network access types
ACK Edge clusters support two connection types between cloud and edge locations. The networking constraints differ significantly between them.
Express Connect circuits
Express Connect lets you forward requests from VPC hosts to workloads in data centers. Flannel uses VXLAN to establish network connectivity between data centers and the cloud. For more information, see Express Connect.
Network requirements
| Protocol | Port | Usage |
|---|---|---|
| UDP | 8472 | Flannel VXLAN tunnel |
Do not use security rules to block port 8472.
Configure an on-cloud proxy node for API server access
If the API server needs to access pods or Services in data centers over Express Connect circuits, designate an on-cloud node as a proxy.
Before you begin:
- Make sure the edge-controller-manager component is version 2.1 or later.
Run the following command to label an on-cloud node as the gateway. Replace node-xxx with the name of the target node.

```shell
kubectl label node node-xxx node-role.alibabacloud.com/cloud-gateway=
```
Public network
When using the public network connection type, VPC computing devices and data center computing devices are not in the same network domain. This creates the following constraints:
| Constraint | Traffic direction | Reachable |
|---|---|---|
| VPC-to-edge | VPC containers to data center containers | No |
| Cross-site edge | Containers across multiple data centers or edge devices | No |
| Same-domain | Containers within the same VPC or the same data center | Yes |
To support container monitoring, O&M, and data transmission across the cloud-edge boundary, ACK Edge provides the Raven cloud-edge O&M tunnel.
Do not route business traffic through the Raven tunnel. The public network VPN tunnel cannot guarantee the stability required for production workloads.