Container Compute Service:Design the network of ACS clusters

Last Updated:Mar 26, 2026

Plan the Virtual Private Cloud (VPC), vSwitches, and Service CIDR block before creating an Alibaba Cloud Container Service (ACS) cluster. Proper planning ensures efficient use of IP address space and leaves room for future scaling.

Network architecture overview

An ACS cluster network has three layers:

  • VPC — the outermost network boundary. Contains all vSwitches and defines the overall IP address space.

  • vSwitches — zone-level subdivisions within the VPC. Pod IP addresses are drawn from pod vSwitches.

  • Service CIDR block — a separate IP range reserved for Kubernetes Services (ClusterIP type). Effective only within the cluster.


Must-knows before you plan

Keep the following constraints in mind. Violating any of them causes routing errors that are difficult to fix after cluster creation.

  • The vSwitch CIDR block must be a subset of the VPC CIDR block.

  • The Service CIDR block must not overlap with the VPC CIDR block, and therefore not with any vSwitch CIDR block inside it.

  • In multi-cluster or hybrid cloud scenarios, no two cluster CIDR blocks may overlap with each other or with VPC CIDR blocks.

  • The Service CIDR block cannot be modified after the cluster is created.

  • Pod IP addresses in one cluster cannot reach Services (ClusterIP) in another cluster in the same VPC — only pod-to-pod traffic crosses cluster boundaries.

CIDR block reference

The following table summarizes address ranges, sizing limits, and key constraints for each network resource.

Resource | Allowed ranges | Key constraints
VPC | Standard RFC 1918 private blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or their subsets. Custom blocks are also allowed, except 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, and 169.254.0.0/16. | Subnet mask: /8 to /28. In multi-VPC or hybrid cloud scenarios, use subnet masks of /16 or shorter to leave room for multiple non-overlapping VPCs.
vSwitch | Must be a subset of the VPC CIDR block. | Must not overlap with the Service CIDR block. Default limit: 150 vSwitches per VPC (quota can be increased).
Service CIDR block | Any private range that does not overlap with VPC or vSwitch CIDR blocks. | Cannot be modified after cluster creation. Service CIDR blocks of different clusters in the same VPC can overlap.
IPv6 | Assigned by the VPC after IPv6 is enabled. | See Assign IPv6 addresses to pods.
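The constraints above are easy to get wrong by hand and, as the page notes, expensive to fix after the cluster exists. The following validator is an added example written for this page (it is not Alibaba Cloud tooling and uses no ACS API); it encodes the rules from the must-knows list and the table with Python's standard ipaddress module. The function name, argument layout and the multi_vpc flag are assumptions of this example. It checks the VPC mask range and the disallowed custom blocks, that every vSwitch is a subset of the VPC, that the Service CIDR block stays outside the VPC, and that vSwitches in different zones do not overlap each other.

```python
import ipaddress

# Blocks the page lists as disallowed for custom VPC CIDR blocks.
FORBIDDEN_VPC_BLOCKS = [
    ipaddress.ip_network(b)
    for b in ("100.64.0.0/10", "224.0.0.0/4", "127.0.0.0/8", "169.254.0.0/16")
]
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 8, 28  # VPC subnet mask must be /8 to /28


def validate_cluster_plan(vpc, vswitches, service_cidr, multi_vpc=False):
    """Return a list of violations; an empty list means the plan passes.

    vpc          - VPC CIDR block, e.g. "192.168.0.0/16"
    vswitches    - mapping of zone name -> pod vSwitch CIDR block
    service_cidr - Service CIDR block of the cluster
    multi_vpc    - True when this VPC will be peered with other VPCs or with an
                   on-premises network (the page then recommends /16 or shorter)
    """
    problems = []
    # strict=True rejects blocks with host bits set, such as 192.168.1.0/16.
    vpc_net = ipaddress.ip_network(vpc, strict=True)
    svc_net = ipaddress.ip_network(service_cidr, strict=True)

    if not VPC_MIN_PREFIX <= vpc_net.prefixlen <= VPC_MAX_PREFIX:
        problems.append(f"VPC {vpc}: prefix must be between /{VPC_MIN_PREFIX} and /{VPC_MAX_PREFIX}")
    for bad in FORBIDDEN_VPC_BLOCKS:
        if vpc_net.overlaps(bad):
            problems.append(f"VPC {vpc} overlaps disallowed block {bad}")
    if multi_vpc and vpc_net.prefixlen > 16:
        problems.append(f"VPC {vpc}: use /16 or shorter so several VPCs can stay non-overlapping")

    # The Service CIDR block must lie outside the VPC (and so outside every vSwitch).
    if svc_net.overlaps(vpc_net):
        problems.append(f"Service CIDR {service_cidr} overlaps VPC {vpc}")
    if not svc_net.is_private:
        problems.append(f"Service CIDR {service_cidr} is not a private range")

    seen = {}
    for zone, cidr in vswitches.items():
        vsw = ipaddress.ip_network(cidr, strict=True)
        if not vsw.subnet_of(vpc_net):
            problems.append(f"vSwitch {zone} {cidr} is not inside VPC {vpc}")
        if vsw.overlaps(svc_net):
            problems.append(f"vSwitch {zone} {cidr} overlaps Service CIDR {service_cidr}")
        for other_zone, other in seen.items():
            if vsw.overlaps(other):
                problems.append(f"vSwitch {zone} {cidr} overlaps vSwitch {other_zone} {other}")
        seen[zone] = vsw
    return problems


if __name__ == "__main__":
    # The page's own two-zone example: expected to pass with no violations.
    print(validate_cluster_plan(
        "192.168.0.0/16",
        {"I": "192.168.0.0/19", "J": "192.168.32.0/19"},
        "172.21.0.0/20",
    ))
    # A constructed bad plan: forbidden VPC block, a vSwitch outside the VPC,
    # and a Service CIDR that collides with that vSwitch.
    for p in validate_cluster_plan(
        "100.64.0.0/16",
        {"I": "100.64.0.0/19", "J": "192.168.0.0/19"},
        "192.168.0.0/20",
    ):
        print("violation:", p)
```

Run it once per planned cluster before creation; because the Service CIDR block is immutable afterwards, a violation reported here is cheap, while the same mistake found after creation means rebuilding the cluster.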

Network scale planning

Regions and zones

Select regions and zones based on the following factors.

Factor | Guidance
Latency | Deploy resources close to your users. Instances within the same zone have the lowest latency.
Availability | Different Alibaba Cloud services have different regional availability and inventory. Verify that the services you need are available in your target region.
Cost | Resource pricing varies by region.
High availability and disaster recovery | Deploy across two or more zones within a region for zone-level failover. Deploy across regions for region-level disaster recovery.
Compliance | Select a region that meets data residency and regulatory requirements for your country or region.

A VPC cannot span regions. To deploy across regions, create a separate VPC in each region and connect them using VPC peering connection, VPN Gateway, or Cloud Enterprise Network (CEN).

Note the following when selecting zones:

  • If Elastic Compute Service (ECS) inventory in one zone is limited, you may need to span multiple zones. Reserve sufficient CIDR blocks for each zone and account for increased cross-zone latency.

  • Some regions have only one zone, such as China (Nanjing - Local Region), which is closing down. Such regions cannot support intra-region disaster recovery.

Note

For the regions where ACS is available, see Supported regions.

Number of VPCs

Deployment pattern | When to use
One VPC | Small service footprint in a single region with no isolation requirements. First-time VPC deployment. Cost-sensitive: avoiding cross-VPC connection charges.
Multiple VPCs | Services span multiple regions. Strict isolation is required between environments (e.g., production vs. staging). Different departments need independent network management.

Note

The default limit is 10 VPCs per region. Increase the quota if needed.

Number of vSwitches

vSwitches are zone-level resources. All vSwitches within a VPC communicate with each other by default.

  • Create at least two vSwitches deployed in different zones. When one zone experiences an outage, the other takes over, providing zone-level failover.

  • Organize vSwitches by business tier. For example, deploy the web tier, application tier, and data tier in separate vSwitches to define a standard layered architecture and apply security policies at each boundary.

Cross-zone latency within the same region is generally low, but verify actual latency for your workload. Complex call chains can amplify the effect of cross-zone network hops.

Note

The default limit is 150 vSwitches per VPC. Increase the quota if needed.

Pod capacity planning

Choose your VPC and zone topology based on expected pod count and reliability requirements.

Pod count | Scenario | VPC topology | Zone topology
< 1,000 | Non-core workloads | Single VPC | Single zone (two or more recommended)
Unlimited | Standard workloads requiring multi-zone redundancy | Single VPC | Two or more zones
Unlimited | Mission-critical workloads requiring multi-region high availability | Multiple VPCs | Two or more zones per VPC

Multi-zone configuration example

The following example shows a two-zone cluster configuration with a /16 VPC.

VPC CIDR block | vSwitch CIDR block | Service CIDR block | Max assignable pod IPs
192.168.0.0/16 | Zone I: 192.168.0.0/19 | 172.21.0.0/20 | 8,192
192.168.0.0/16 | Zone J: 192.168.32.0/19 | 172.21.0.0/20 | 8,192

Each /19 vSwitch provides 8,192 IP addresses for pods, and the two vSwitches occupy non-overlapping ranges within the same VPC, leaving 192.168.64.0/18 and 192.168.128.0/17 free for more zones or other resources. The Service CIDR block (172.21.0.0/20) lies outside the VPC range, so it cannot collide with any vSwitch; one block serves both zones because ClusterIP addresses are valid only inside the cluster.
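Deriving the vSwitch prefix from a pod count, and carving the zone blocks out of the VPC so they cannot overlap, is the planning step the table above shows for one case. The planner below is an added example for this page (not Alibaba Cloud tooling); the function name and return layout are assumptions. Given a VPC, a list of zones and the pod IPs needed per zone, it rounds the requirement up to a power of two, picks the matching prefix, carves one block per zone in address order with ipaddress.subnets, and reports the spare address space. It also refuses plans the VPC cannot hold, which is the failure mode to catch before the first zone runs out of inventory.

```python
import ipaddress
import math


def plan_pod_vswitches(vpc_cidr, zones, pods_per_zone):
    """Carve one pod vSwitch per zone from the VPC, each sized for pods_per_zone IPs.

    Returns {"prefix", "ips_per_vswitch", "vswitches": {zone: cidr}, "spare_addresses"}.
    Raises ValueError when the VPC is too small for the requested zones.
    """
    if pods_per_zone < 1:
        raise ValueError("pods_per_zone must be positive")
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)

    # Address blocks come in powers of two: round the pod count up to the next
    # power of two and derive the prefix length from the number of host bits.
    host_bits = max(1, math.ceil(math.log2(pods_per_zone)))
    prefix = vpc.max_prefixlen - host_bits
    if prefix < vpc.prefixlen:
        raise ValueError(
            f"{pods_per_zone} pods per zone need a /{prefix}, larger than the VPC {vpc}"
        )
    needed = len(zones) * 2 ** host_bits
    if needed > vpc.num_addresses:
        raise ValueError(
            f"{len(zones)} zones x {2 ** host_bits} addresses exceed the {vpc.num_addresses} in {vpc}"
        )

    # subnets() yields consecutive, non-overlapping blocks of the chosen prefix
    # in address order, so zone N always follows zone N-1 with no gap.
    carved = vpc.subnets(new_prefix=prefix)
    vswitches = {zone: str(next(carved)) for zone in zones}
    return {
        "prefix": prefix,
        "ips_per_vswitch": 2 ** host_bits,
        "vswitches": vswitches,
        "spare_addresses": vpc.num_addresses - needed,
    }


if __name__ == "__main__":
    # The page's example: two zones with 8,192 pod IPs each in a /16 VPC.
    print(plan_pod_vswitches("192.168.0.0/16", ["I", "J"], 8192))
    # A requirement that is not a power of two rounds up to the same /19.
    print(plan_pod_vswitches("192.168.0.0/16", ["I", "J"], 5000))
    # A constructed failure: a /24 VPC cannot hold even one 1,000-pod zone.
    try:
        plan_pod_vswitches("10.0.0.0/24", ["I", "J"], 1000)
    except ValueError as err:
        print("rejected:", err)
```

The spare count is the figure to watch when you expect to add zones later: with the page's example it is 49,152 addresses, enough for six more /19 zones, whereas a /20 VPC with the same zone sizing would be rejected outright.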

Network communication design

Single cluster in a single VPC

Specify a Service CIDR block that does not overlap with the VPC CIDR block when you create the cluster. This enables intra-cluster communication and prevents IP conflicts with other resources in the VPC.


Multiple clusters in a single VPC

When running multiple clusters in the same VPC:

  • The VPC CIDR block is shared. Each cluster's Service CIDR block must not overlap with vSwitch CIDR blocks, but Service CIDR blocks across clusters can overlap.

  • Pod vSwitches can be reused across clusters.

  • Pods in one cluster can communicate directly with pods in another cluster. However, Services (ClusterIP) are accessible only within their own cluster. To expose Services externally, use LoadBalancer Services or Ingress.


Multiple clusters across VPCs

Use multiple VPCs in the following scenarios.

Inter-region deployment

A VPC cannot span regions. Create a separate VPC and cluster in each region, then connect VPCs using VPC peering connection, VPN Gateway, or Cloud Enterprise Network (CEN).


Business system isolation

If production and staging environments or different business systems require strict network isolation, deploy each in its own VPC. Connect VPCs within the same region using VPC peering connection, VPN Gateway, or Cloud Enterprise Network (CEN).


Large-scale multi-department deployments

When each business unit or department needs independent cluster and resource management, assign a dedicated VPC to each.

Important

To avoid routing errors from IP conflicts when connecting clusters across VPCs, new clusters must satisfy all of the following:

  • The cluster CIDR block does not overlap with any VPC CIDR block in the topology.

  • The cluster CIDR block does not overlap with the CIDR blocks of other clusters.

  • The cluster CIDR block does not overlap with the Service CIDR blocks of other clusters.

Communication between clusters and on-premises data centers

This scenario is similar to the multi-VPC setup. Some CIDR blocks in the VPC are routed to the on-premises data center via a Virtual Border Router (VBR). The cluster's Service CIDR block must not overlap with any of these routed CIDR blocks. To access pods in the VPC from the data center, configure a routing table on the VBR.
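The Important list above and the on-premises case here add cross-topology rules on top of the per-cluster ones: connected VPCs must not overlap, a cluster's pod range must not collide with any other VPC, with another cluster's pod range in a different VPC, or with another cluster's Service CIDR block, and the Service CIDR block must stay clear of every block routed to the data center through the VBR. The checker below is an added example for this page (not Alibaba Cloud tooling); it reads "cluster CIDR block" as the cluster's pod vSwitch range, keeps the page's allowance that pod vSwitches may be shared and Service CIDR blocks may overlap between clusters in the same VPC, and treats the input layout, the sample topology and all names as constructed assumptions.

```python
import ipaddress


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=True)


def check_topology(vpcs, clusters, onprem_routes=()):
    """Return a list of conflicts for a set of connected VPCs and clusters.

    vpcs          - {vpc_name: cidr} for every VPC that will be connected
    clusters      - list of dicts with keys name, vpc, pod_cidr, service_cidr
    onprem_routes - CIDR blocks routed to the data center through the VBR
    An empty list means none of the overlaps the page forbids are present.
    """
    problems = []
    vpc_nets = {name: _net(cidr) for name, cidr in vpcs.items()}
    onprem = [_net(c) for c in onprem_routes]

    # Connected VPCs need disjoint address space, and so do VPCs and on-prem routes.
    names = list(vpc_nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if vpc_nets[a].overlaps(vpc_nets[b]):
                problems.append(f"VPC {a} overlaps VPC {b}")
        for r in onprem:
            if vpc_nets[a].overlaps(r):
                problems.append(f"VPC {a} overlaps on-premises route {r}")

    for c in clusters:
        pod, svc, home = _net(c["pod_cidr"]), _net(c["service_cidr"]), c["vpc"]
        if not pod.subnet_of(vpc_nets[home]):
            problems.append(f"cluster {c['name']}: pod CIDR {pod} is not inside VPC {home}")
        for name, v in vpc_nets.items():
            if name != home and pod.overlaps(v):
                problems.append(f"cluster {c['name']}: pod CIDR {pod} overlaps VPC {name}")
        if svc.overlaps(vpc_nets[home]):
            problems.append(f"cluster {c['name']}: Service CIDR {svc} overlaps its own VPC {home}")
        for r in onprem:
            if svc.overlaps(r):
                problems.append(f"cluster {c['name']}: Service CIDR {svc} overlaps on-premises route {r}")

    for i, a in enumerate(clusters):
        for b in clusters[i + 1:]:
            a_pod, b_pod = _net(a["pod_cidr"]), _net(b["pod_cidr"])
            # Pod vSwitches may be reused inside one VPC; across VPCs they must be disjoint.
            if a["vpc"] != b["vpc"] and a_pod.overlaps(b_pod):
                problems.append(f"cluster {a['name']} pod CIDR overlaps cluster {b['name']} pod CIDR")
            # A pod range must never collide with another cluster's Service CIDR block.
            if a_pod.overlaps(_net(b["service_cidr"])):
                problems.append(f"cluster {a['name']} pod CIDR overlaps cluster {b['name']} Service CIDR")
            if b_pod.overlaps(_net(a["service_cidr"])):
                problems.append(f"cluster {b['name']} pod CIDR overlaps cluster {a['name']} Service CIDR")
    return problems


# Constructed sample: two regions, one cluster each, plus a routed on-prem block.
SAMPLE_VPCS = {"vpc-sh": "192.168.0.0/16", "vpc-hz": "10.0.0.0/16"}
SAMPLE_CLUSTERS = [
    {"name": "prod-sh", "vpc": "vpc-sh", "pod_cidr": "192.168.0.0/19", "service_cidr": "172.21.0.0/20"},
    {"name": "prod-hz", "vpc": "vpc-hz", "pod_cidr": "10.0.0.0/19", "service_cidr": "172.22.0.0/20"},
]
SAMPLE_ONPREM = ["10.10.0.0/16"]

if __name__ == "__main__":
    print(check_topology(SAMPLE_VPCS, SAMPLE_CLUSTERS, SAMPLE_ONPREM))
    # Route the data center's 172.21.0.0/16 through the VBR and prod-sh's
    # Service CIDR block is now shadowed by an on-premises route.
    for p in check_topology(SAMPLE_VPCS, SAMPLE_CLUSTERS, ["172.21.0.0/16"]):
        print("conflict:", p)
```

Because the on-premises side is usually planned by a different team, feed the VBR route table into onprem_routes from the source of truth rather than from memory; the Service CIDR conflict in the second run is exactly the kind that only surfaces once a pod tries to reach a data-center host whose address now resolves to a ClusterIP.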


What's next