All Products
Search
Document Center

Container Compute Service:Expand the available CIDR blocks for a cluster by adding a secondary CIDR block to a VPC

Last Updated:Mar 26, 2026

When a VPC runs out of idle IP addresses, you can add a secondary CIDR block to the VPC and create a new vSwitch in that block.

Important

After adding a secondary CIDR block, submit a ticket to have technical support configure the control planes for the new CIDR block. Without this configuration, the control planes cannot reach pods in the secondary CIDR block, which causes:

  • kubectl exec or kubectl logs failures

  • Webhook or APIService call failures

  • Failures to create pods or other resources

Prerequisites

Before you begin, confirm the CIDR block you want to add.

  1. Check all CIDR blocks already in use. These include, but are not limited to:

    CIDR blockWhere to find it
    VPC and vSwitch CIDR blocks of the clusterOn the Cluster Information page, click the Cluster Resources tab. Click any ID to view details in the VPC console.
    Service CIDR block of the clusterOn the Cluster Information page, click the Basic Information tab.
    CIDR blocks of Express Connect circuits, VPN gateways, and Cloud Enterprise Network (CEN) instances connected to the VPCLog on to each corresponding console to view details. In the VPC console, click the VPC ID, then go to the Resource Management tab. Under Communication between Networks, click any number to open the relevant console.
  2. Select a secondary CIDR block that does not overlap with any of the CIDR blocks listed above.

Step 1: Add a secondary CIDR block and create a vSwitch

  1. Log on to the VPC console.

  2. Add a secondary CIDR block.

    1. On the VPC page, find your VPC and click its ID.

      Note

      Alternatively, go to the Cluster Information page of the ACS cluster, click the Cluster Resources tab, and click the VPC ID to go directly to the VPC details page.

    2. Click the CIDR Block Management tab, then click Add Secondary IPv4 CIDR Block.

    3. In the dialog box, enter your CIDR block in the Custom CIDR Block field and click OK.

  3. Create a vSwitch in the secondary CIDR block.

    1. Go to the vSwitch page and click Create vSwitch.

    2. On the Create vSwitch page, select the VPC and the secondary CIDR block, specify the zone and vSwitch CIDR block, then click OK.

Step 2: Add security group rules for the secondary CIDR block

  1. Log on to the ECS console.

  2. On the Security Groups page, find your security group and click its ID.

    Note

    Alternatively, go to the Cluster Information page of the ACS cluster, click the Cluster Resources tab, and click the security group ID.

  3. Add inbound and outbound rules for the secondary CIDR block based on your requirements. For details, see Add a security group rule.

Step 3: Add the vSwitch to the cluster

Update the acs-profile ConfigMap to add the new vSwitch to the ACS cluster. The change takes effect immediately.

Note

The following steps use the console. You can also run kubectl edit configmap acs-profile -n kube-system directly in the cluster to make the same change.

  1. Log on to the ACS console. In the left-side navigation pane, click Clusters.

  2. Click the ID of the ACS cluster to go to the cluster management page.

  3. In the left-side navigation pane, choose Configurations > ConfigMaps.

  4. On the ConfigMaps page, select the kube-system namespace, find acs-profile, and click Edit YAML.

  5. In the vSwitchIds section, add the ID of the new vSwitch and click OK.

    Note

    Separate multiple vSwitch IDs with commas (,).

(Optional) Step 4: Add a SNAT entry for the new vSwitch

If the ACS cluster accesses the Internet through SNAT and your SNAT entries are scoped to individual vSwitches, add a SNAT entry for the new vSwitch. Without it, pods in the zone of the new vSwitch cannot access the Internet.

  1. Log on to the NAT Gateway console.

  2. On the Internet NAT Gateway page, click the ID of the NAT gateway.

  3. Click the SNAT Management tab, then click Create SNAT Entry.

  4. Configure the SNAT entry for the new vSwitch and click OK.

Verify the result

Create a pod in the zone of the new vSwitch. If the pod is created and assigned an IP address from the vSwitch CIDR block, the secondary CIDR block is working correctly.

For information about how to specify a vSwitch, see Specify a vSwitch.