Container Compute Service:Design the network of ACS clusters

Last Updated:Dec 15, 2025

Before you create an ACS cluster, design the VPC, the vSwitches, and the Service CIDR block of the cluster so that network resources are used efficiently and enough address space is reserved for future business growth. This topic describes how to design the network of an ACS cluster in a VPC.

Network scale

Regions and zones

Instances in different zones within a region can communicate with each other. Even if one zone is down, the other zones continue to work as expected. Instances within the same zone have lower latency to each other, which means faster access. Plan regions and zones based on the following items.

  • Latency: Shorter distances between users and resource locations mean lower latency and better performance.

  • Supported regions and zones: Different Alibaba Cloud services are available in different regions and zones, and their inventory varies. Select a region and zone based on the services you need.

  • Cost: The price of a cloud service may vary by region. We recommend selecting a region based on your budget.

  • High availability and disaster recovery: For services that require strong disaster recovery capabilities, deploy them across zones within the same region. You can also deploy them in multiple regions for inter-region disaster recovery.

  • Compliance: Select a region that meets the data compliance requirements and business filing policies of your country or region.

A VPC cannot be deployed across regions. To deploy your services across regions, you must create a VPC in each region and use VPC peering connections or Cloud Enterprise Network (CEN) to enable inter-VPC communication. vSwitches are zone-level resources. Take note of the following:

  • If you select multiple zones due to the Elastic Compute Service (ECS) inventory limit, reserve sufficient CIDR blocks and note that latency increases when traffic detours between zones.

  • Some regions have only one zone, such as China (Nanjing - Local Region), which is marked as closing down. If you need intra-region disaster recovery, consider carefully before selecting such a region.

Note

For information about the regions where ACS is available, see Supported regions.

Number of VPCs

VPC provides a secure and flexible network environment in the cloud. VPCs are isolated from each other, and instances within a VPC can communicate with each other. Plan the number of VPCs according to your needs.

Use one VPC when:

  • Your service is small, deployed in one region, and has no network isolation requirements.

  • You are using VPC for the first time.

  • You are concerned about the costs of cross-VPC connections.

Use multiple VPCs when:

  • Your services are large and deployed in different regions.

  • Your services are in one region but must be isolated from each other.

  • Your business architecture is complex, and each department needs independent management.

Note

By default, you can create at most 10 VPCs in each region. You can go to the Quota Management page or Quota Center to increase the quota.

Number of vSwitches

vSwitches are zone-level resources that host the cloud resources within a VPC. Creating vSwitches lets you plan IP address allocation properly. By default, all vSwitches in a VPC can communicate with each other.

  • Latency: The latency between zones in the same region is low. However, complex system calls and cross-zone calls may increase the latency.

  • High availability and disaster recovery: We recommend creating at least two vSwitches in a VPC and deploying them across zones for cross-zone disaster recovery. You can deploy services in multiple zones and configure security rules centrally, which improves system availability and disaster recovery.

  • Business scale and division: Create vSwitches by business module. For example, deploy the web layer, logic layer, and data layer in different vSwitches to build a standard web architecture.

Plan your vSwitches based on the following information:

  • Create at least two vSwitches and deploy them across zones for failover capability. When one vSwitch is down, the other takes over, which provides cross-zone disaster recovery.

    The latency between zones in the same region is theoretically low, but the actual latency must be verified. Network latency may increase because of a complex network topology and cross-zone calls. We recommend validating your architecture so that it balances high availability and low latency.

  • The number of vSwitches you need depends on your system scale and architecture design. Typically, create vSwitches by business module; for example, deploy public-facing services in a dedicated public vSwitch. Deploying services across zones also makes it easier to configure and govern security policies centrally.

Note

By default, you can create at most 150 vSwitches in a VPC. You can go to the Quota Management page or Quota Center to increase the quota.

Number of pods

Plan the number of VPCs and zones based on the expected number of pods and the importance of the business:

  • Fewer than 1,000 pods, non-core businesses: one VPC; one zone (two or more are recommended).

  • Unlimited number of pods, regular businesses that require multiple zones: one VPC; two or more zones.

  • Unlimited number of pods, core businesses that require high reliability and multiple regions: multiple VPCs; two or more zones.

Network design

The VPC CIDR block contains the vSwitch CIDR block. The ACS network CIDR block consists of the pod CIDR block and Service CIDR block.

When you configure an ACS cluster network, you need to set the following parameters and pay attention to the CIDR blocks:

  • VPC

    • You can specify one of the following CIDR blocks, or a subset of one of them, as the primary IPv4 CIDR block of the VPC: 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8. These are the standard private CIDR blocks defined in RFC 1918. The subnet mask must be 8 to 28 bits in length. Example: 192.168.0.0/16.

    • You can also use a custom CIDR block other than 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, 169.254.0.0/16, and their subnets as the primary IPv4 CIDR block of the VPC.

    • When you use multiple VPCs, or in hybrid cloud scenarios where data centers are connected to VPCs, we recommend using subsets of the standard RFC 1918 CIDR blocks with subnet masks no longer than 16 bits as VPC CIDR blocks. Make sure that the CIDR blocks of the VPCs and of the data centers do not overlap with each other.

    • IPv6 CIDR blocks are assigned to pods by VPC after IPv6 is enabled in the VPC. For more information, see Assign IPv6 addresses to pods.

  • vSwitch

    The IP addresses of pods are assigned from the CIDR blocks of pod vSwitches. This allows pods to communicate with each other. A pod is a group of containers in a Kubernetes cluster. Each pod has an IP address. The CIDR blocks of vSwitches in the VPC must be subsets of the VPC CIDR block. When you specify the CIDR blocks of vSwitches, take note of the following items:

    • You must select vSwitches that belong to the VPC where the cluster resides.

    • In an ACS network, the IP addresses of pods are assigned by pod vSwitches.

    • The CIDR block cannot overlap with the Service CIDR block.

  • Service CIDR block

    Important

    The Service CIDR block cannot be modified after the cluster is created.

    The Service CIDR block provides the IP addresses for ClusterIP type Services. Service is a Kubernetes concept; each Service has an IP address. When you specify the Service CIDR block, take note of the following items:

    • The IP address of a Service is effective only within the ACS cluster.

    • The Service CIDR block cannot overlap with the vSwitch CIDR block.

The following example shows a multi-zone configuration for container networks in an ACS scenario:

  • VPC CIDR block: 192.168.0.0/16

  • vSwitch CIDR blocks: Zone I 192.168.0.0/19; Zone J 192.168.32.0/19

  • Service CIDR block: 172.21.0.0/20

  • Maximum number of assignable pod IP addresses: 8,192 per vSwitch

Network communication design

A single cluster in a single VPC

The VPC CIDR block is specified when you create the VPC. When you create an ACS cluster, you must specify a Service CIDR block that does not overlap with the VPC CIDR block. This keeps communication within the cluster working and prevents conflicts with other networks reachable from the VPC.

Multiple clusters in a single VPC

You can create multiple clusters in one VPC.

  • The VPC CIDR block is specified when you create the VPC. When you create a cluster, its Service CIDR block must not overlap with the VPC CIDR block.

  • The Service CIDR blocks of the clusters in the same VPC can overlap with each other, and pod vSwitches can be shared between clusters.

Note

In this case, the clusters are only partially interconnected. Pods in one cluster can directly access pods in another cluster, but cannot access Services in another cluster, because ClusterIP type Services can only be accessed within their own cluster. To expose Services to other clusters, use LoadBalancer Services or Ingress.

Multiple clusters across VPCs

We recommend that you plan the connection of multiple clusters across VPCs in the following scenarios:

Inter-region deployment

A VPC cannot be deployed across regions. If you want to deploy your services in different regions, you must create multiple VPCs and multiple clusters. You can enable communication between VPCs in different regions by using VPC peering connections, VPN Gateway, Cloud Enterprise Network, or similar products.

Business system isolation

If multiple business systems in a region require strict isolation at the VPC level, for example isolation between the production environment and the staging environment, deploy the production cluster and the test cluster in different VPCs for better logical isolation and security. You can still enable communication between VPCs in the same region by using VPC peering connections, VPN Gateway, Cloud Enterprise Network, or similar products.

Large-scale business system

If your business architecture is complex and each service or department requires an independent VPC to manage its own clusters and resources, we recommend configuring multiple VPCs and multiple clusters.

Important

To avoid routing errors caused by IP address conflicts when clusters in different VPCs are interconnected, a newly created cluster must meet the following network planning requirements:

  • The CIDR block of the new cluster must not overlap with the VPC CIDR blocks.

  • The CIDR block of the new cluster must not overlap with the CIDR blocks of the other clusters.

  • The CIDR block of the new cluster must not overlap with the Service CIDR blocks of the other clusters.

Communication between clusters and data centers

This is similar to the multiple-clusters-across-VPCs scenario: some CIDR blocks in the VPC are routed to the data center, and the Service CIDR block of the cluster must not overlap with those CIDR blocks. To access pods in the VPC from the data center, you must configure a route table for the virtual border router (VBR) on the data center side.
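The rules in the two sections above (clusters in interconnected VPCs, and clusters whose VPC is connected to a data center) differ from the single-VPC case in one important way: Service CIDR blocks may overlap between clusters in the same VPC, but not between clusters in different interconnected VPCs, and never with a VPC block or a block routed to the data center. The following script encodes exactly that policy and reports which blocks would collide before a new cluster is created. It is an added example written for this page, not ACS or Alibaba Cloud code; the VPC, cluster and data-center names and address blocks are constructed sample data.

```python
"""Check a multi-cluster, multi-VPC (and data-center) ACS address plan for conflicts (added example)."""
from __future__ import annotations
from itertools import combinations
from ipaddress import IPv4Network

# Constructed sample plan (hypothetical names and blocks, not from the page):
# two interconnected VPCs, three clusters, and one block routed to the data center.
VPCS = {
    "prod-vpc": "192.168.0.0/16",
    "staging-vpc": "10.0.0.0/16",
}
CLUSTERS = {
    "prod-a":    {"vpc": "prod-vpc",    "service_cidr": "172.21.0.0/20"},
    "prod-b":    {"vpc": "prod-vpc",    "service_cidr": "172.21.0.0/20"},  # same VPC: may reuse the range
    "staging-a": {"vpc": "staging-vpc", "service_cidr": "172.22.0.0/20"},
}
DATACENTER_CIDRS = ["10.100.0.0/16"]   # routed from the VPCs to the on-premises network via the VBR


def find_conflicts(vpcs, clusters, datacenter_cidrs=()) -> list[tuple[str, str, str]]:
    """Return (block_a, block_b, reason) for every pair of blocks that violates the page's rules."""
    vpc_nets = {name: IPv4Network(cidr) for name, cidr in vpcs.items()}
    svc_nets = {name: IPv4Network(spec["service_cidr"]) for name, spec in clusters.items()}
    dc_nets = [IPv4Network(c) for c in datacenter_cidrs]
    conflicts = []

    # Interconnected VPCs, and VPCs versus the data center, need disjoint address space.
    for (a, na), (b, nb) in combinations(vpc_nets.items(), 2):
        if na.overlaps(nb):
            conflicts.append((f"vpc:{a}", f"vpc:{b}", "VPC CIDR blocks overlap"))
    for name, nv in vpc_nets.items():
        for dc in dc_nets:
            if nv.overlaps(dc):
                conflicts.append((f"vpc:{name}", f"datacenter:{dc}", "VPC CIDR overlaps a data-center route"))

    # A cluster's Service CIDR must not overlap any interconnected VPC's CIDR or any data-center route.
    for cname, ns in svc_nets.items():
        for vname, nv in vpc_nets.items():
            if ns.overlaps(nv):
                conflicts.append((f"service:{cname}", f"vpc:{vname}", "Service CIDR overlaps a VPC CIDR"))
        for dc in dc_nets:
            if ns.overlaps(dc):
                conflicts.append((f"service:{cname}", f"datacenter:{dc}", "Service CIDR overlaps a data-center route"))

    # Service CIDRs of clusters in different VPCs must not overlap; inside one VPC they may.
    for (a, na), (b, nb) in combinations(svc_nets.items(), 2):
        if clusters[a]["vpc"] != clusters[b]["vpc"] and na.overlaps(nb):
            conflicts.append((f"service:{a}", f"service:{b}", "Service CIDRs overlap across VPCs"))
    return conflicts


def can_add_cluster(vpcs, clusters, datacenter_cidrs, name, vpc, service_cidr) -> list[tuple[str, str, str]]:
    """Conflicts that adding one more cluster would introduce ([] means the plan stays clean)."""
    proposed = {**clusters, name: {"vpc": vpc, "service_cidr": service_cidr}}
    before = set(find_conflicts(vpcs, clusters, datacenter_cidrs))
    return [c for c in find_conflicts(vpcs, proposed, datacenter_cidrs) if c not in before]


if __name__ == "__main__":
    print("existing plan:", find_conflicts(VPCS, CLUSTERS, DATACENTER_CIDRS))
    # Reusing prod's Service range in the other VPC is rejected; reusing it inside prod-vpc is not.
    print(can_add_cluster(VPCS, CLUSTERS, DATACENTER_CIDRS, "staging-b", "staging-vpc", "172.21.0.0/20"))
    print(can_add_cluster(VPCS, CLUSTERS, DATACENTER_CIDRS, "prod-c", "prod-vpc", "172.21.0.0/20"))
```

Run the check whenever a VPC peering connection, CEN attachment or data-center route is added, not only when a cluster is created: a Service CIDR that was fine while its VPC stood alone becomes a conflict the moment that VPC is connected to another network that already uses the range.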