All Products
Search

This Product

    Container Service for Kubernetes:User guide for Terway Edge

    Document Center

    Container Service for Kubernetes:User guide for Terway Edge

    Last Updated:Mar 26, 2026

    Terway Edge is the network plugin for ACK Edge clusters. Developed based on Terway and Flannel (Route mode), it builds underlay networks for containers and adapts to different runtime environments: Terway in cloud node pools, ENI-based networking on Edge Node Service (ENS) nodes, and Flannel (Route mode) at the edge. This topic describes how to install and configure Terway Edge for an ACK Edge cluster.

    Important

    Select Terway Edge at cluster creation. You cannot change the network plugin after the cluster is created.

    Install Terway Edge when you create a cluster

    1. Log on to the ACK console. In the left navigation pane, click Clusters.

    2. On the Clusters page, click Create Kubernetes Cluster.

    3. Click the ACK Edge tab and configure the following network parameters.

      Parameter Description
      VPC The ID of the virtual private cloud (VPC) where you want to deploy the cluster.
      Network Plug-in Select Terway-edge.
      vSwitch IP addresses are assigned from the CIDR blocks of the selected vSwitches to the nodes in the cluster. Select at least three vSwitches in different zones for high availability.
      Pod vSwitch IP addresses are assigned from the CIDR blocks of the selected vSwitches to the pods in the cluster. The CIDR blocks of pod vSwitches can overlap with node vSwitch CIDR blocks.
      EdgeContainer CIDR block Allocatable container network IP ranges on the edge side. For more information, see CIDR block planning.
      Service CIDR Cannot overlap with the node or pod CIDR block.
      Number of Pods per Node The maximum number of pods each edge node supports.

    Connect on-premises data centers through private networks

    To establish secure, stable, and fast private connections between on-premises data centers and the VPCs where ACK Edge clusters run, use Express Connect circuits. The following example walks through the routing configuration with these CIDR blocks:

    • Data center: 172.16.0.0/16

    • VPC: 192.168.0.0/16

    • Edge pod network: 10.0.0.0/8

    An inbound route sends packets from the edge or data center to the VPC. An outbound route sends packets from the VPC to the edge or data center.

    1. Configure inbound routes on the switch, gateway device, and virtual border router (VBR) in the data center to reach the VPC (192.168.0.0/16). Also configure inbound routes on the Express Connect router (ECR) and Cloud Enterprise Network (CEN) instance. This lets the data center reach the control planes and Elastic Compute Service (ECS) instances in the ACK Edge cluster.

    2. Configure outbound routes so that the control planes, ECS instances, and containers in the ACK Edge cluster can reach the data center (172.16.0.0/16) and edge containers (10.0.0.0/8).

    3. Configure the Express Connect circuit connections based on your environment. For more information, see Express Connect.

    image

    How Terway Edge works in different environments

    In cloud node pools

    Terway Edge runs as Terway in cloud node pools, the same as in ACK Pro clusters. For more information, see Terway.

    Note

    Terway in ACK Edge clusters runs only in inclusive ENI mode and does not support DataPath acceleration, Kubernetes network policies, or elastic network interface (ENI) trunking.

    On ENS nodes

    Terway Edge provides container networking on Edge Node Service (ENS) nodes using ENS ENIs. For more information, see Use Terway on the ENS network.

    At the edge

    Terway Edge runs as Flannel (Route mode) at the edge. When an edge node joins an ACK Edge cluster, the cluster control plane automatically assigns a pod CIDR block to that node and adds container routes to its host route table.

    How packets are routed between containers on different nodes:

    • Same local area network (LAN): Flannel configures host routes directly. Packets reach the destination container by following those routes.

    • Different LANs: Without routes on the external network devices between the LANs, packets cannot cross from one LAN to another. Use BGP to advertise container routes to those devices — see Advertise container routes with BGP.

    Advertise container routes with BGP

    When edge nodes span multiple LANs, Flannel's host routes cannot carry traffic across LAN boundaries because the external network devices between LANs have no knowledge of the container address space. To solve this, Terway Edge launches a Border Gateway Protocol (BGP) service on each configured node. That service establishes a BGP session with the gateway or Layer 3 switch in the LAN and dynamically advertises container routes so that traffic can cross LAN boundaries.

    image
    Note

    The external network devices (Layer 3 switches) must support BGP, and you must have access to configure them.

    Prerequisites

    Before you begin, collect the following information from your network team:

    • The IP address of your LAN gateway or Layer 3 switch (used as spec.peerIP)

    • The autonomous system number (ASN) of the switch (spec.peerAsNumber)

    • The ASN to assign to the BGP speakers in the cluster (spec.localAsNumber). Use a private ASN in the range 64512–65535.

    • (Optional) The BGP authentication password, if your switch requires one

    Step 1: Configure a BGP speaker in the cluster

    Create a CustomResourceDefinition (CRD) of the BGPPeer type to configure the BGP speaker.

    1. Create a file named bgppeer.yaml with the following content. Adjust the values for your environment.

      Parameter Required Description Value/range
      metadata.name Yes Name of the BGP peer Any valid Kubernetes resource name
      spec.localSpeakers Yes Nodes that act as BGP speakers and advertise container routes for all nodes in the LAN Node names; select at least two nodes
      spec.localAsNumber Yes The ASN of the autonomous system (AS) the BGP speakers belong to Private ASNs: 64512–65535
      spec.peerIP Yes IP address of the LAN gateway or Layer 3 switch Valid IPv4 address
      spec.peerAsNumber Yes ASN of the LAN gateway or Layer 3 switch Valid ASN
      spec.gateway No Custom gateway for cross-AS container traffic. Defaults to the LAN gateway or vSwitch address. Valid IPv4 address
      spec.nodeSelector Yes Selects nodes that belong to the same AS. Use all() if all edge nodes are in the same LAN; otherwise, use a node pool label to scope to a node pool. Label selector or all()
      spec.authPassword No BGP session authentication password. Create a Secret in the kube-system namespace first, then reference its key and name here. Secret reference 
      apiVersion: network.openyurt.io/v1alpha1
kind: BGPPeer
metadata:
  name: peer
spec:
  localSpeakers:
    - node-1
    - node-2
  localAsNumber: 65010
  peerIP: 172.16.0.1
  peerAsNumber: 65001
  nodeSelector: alibabacloud.com/nodepool-id=npxxx
  # Optional.
  authPassword:
    secretKeyRef:
      name: bgp-secret
      key: password
---
# Optional.
apiVersion: v1
kind: Secret
metadata:
  name: bgp-secret
  namespace: kube-system
type: Opaque
data:
  password: bXlTZWNyZXRWYWx1ZQ==  # The value is encoded in Base64.

    2. Apply the configuration.

      kubectl apply -f bgppeer.yaml

    3. Verify the BGPPeer was created.

      kubectl get bgppeer peer

      Expected output:

      NAME   LOCALSPEAKERS         LOCALASNUMBER   PEERIP         PEERASNUMBER     AGE
peer   ["node-1","node-2"]   65010           172.16.0.1     65001            10m

    Step 2: Configure BGP on external network devices

    Important

    • Select at least three nodes as BGP peers. This keeps BGP sessions stable during component updates and prevents container route expiration from disrupting traffic.

    • Terway Edge enables BGP Graceful Restart by default with a 600-second timeout. BGP Graceful Restart allows the forwarding plane to continue passing traffic while the BGP control plane restarts, minimizing disruption during upgrades. Configure BGP Graceful Restart on your Layer 3 switch to match.

    1. Configure BGP settings according to your network device model and start the BGP service.

    2. Add the BGP speaker nodes you selected in Step 1 as BGP peers on the external device, so the BGP sessions can be established.

    Step 3: Verify BGP session establishment and container route advertisement

    1. Check the BGPPeer events to confirm sessions were established.

      kubectl describe bgppeers peer-1

      If the output contains FailedEstablish events, the BGP session failed to establish. Check that the BGP settings on the external device match the speaker configuration — peer IP, ASNs, and authentication password if set.

    2. On the external network device, verify that the container routes from the cluster appear in its routing table.

    What's next