Amazon Web Services
- Network Policy for Containers: Calico provides fine-grained network security policy for individual containers.
- No 50 Node Limit: Calico allows you to surpass the 50 node limit, which exists as a consequence of the AWS 50 route limit when using the VPC routing table.
Since Calico assigns IP addresses outside the range used by AWS for EC2 instances, you must disable AWS src/dst checks on each EC2 instance in your cluster as described in the AWS documentation. This allows Calico to route traffic natively within a single VPC subnet without using an overlay or any of the limited VPC routing table entries.
If you need to split your deployment across multiple AZs for high availability then each AZ will have its own VPC subnet. To use Calico across multiple different VPC subnets or peered VPCs, in addition to disabling src/dst checks as described above you must also enable IPIP encapsulation and outgoing NAT on your Calico IP pools.
See the IP pool resource reference for information on how to configure Calico IP pools.
To enable the “CrossSubnet” IPIP feature, configure your Calico IP pool resources to enable IPIP and set the mode to “CrossSubnet”.
note
This feature was introduced in Calico v2.1. If your deployment was created with an older version of Calico, or if you are unsure whether your deployment is configured correctly, follow the Configuring IP-in-IP guide, which discusses this in more detail.
To allow Calico networked containers to reach resources outside of AWS, you must configure outgoing NAT on your Calico IP pool.
AWS only performs outbound NAT (at the internet gateway or NAT gateway) on traffic whose source address belongs to an EC2 instance; packets that leave the VPC with a source address from the Calico pool are dropped. By enabling outgoing NAT on your Calico IP pool, Calico NATs outbound traffic from the containers to the address of the EC2 instance hosting them, so AWS can then NAT it as usual.
The following calicoctl command creates or modifies an IPv4 pool with CIDR 192.168.0.0/16, sets the IPIP mode to CrossSubnet and enables outgoing NAT. Adjust the pool CIDR for your deployment; the pool name ippool-1 is only an example name.

    calicoctl apply -f - <<EOF
    apiVersion: projectcalico.org/v3
    kind: IPPool
    metadata:
      name: ippool-1     # example name; pick one that suits your deployment
    spec:
      cidr: 192.168.0.0/16
      ipipMode: CrossSubnet
      natOutgoing: true
    EOF
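The steps above (disable src/dst checks on every node, then make sure the pool is CrossSubnet with outgoing NAT) are easy to miss on a single instance when nodes are added later. The script below is an added example, not Calico's own tooling or the AWS documentation's: it finds every running instance carrying a cluster tag, disables the source/destination check only where it is still enabled, and then verifies the pool settings from calicoctl output. The tag key calico-cluster, the cluster name my-cluster and the pool name aws-pool are assumptions; the aws CLI and calicoctl must be installed and authenticated.

```shell
#!/bin/sh
# Added example (not part of the Calico docs or project): prepare EC2 nodes for
# Calico cross-subnet IPIP and verify the IP pool. Run with "apply" to act.

# Assumed (hypothetical) names; override via the environment.
CLUSTER_TAG="${CLUSTER_TAG:-calico-cluster}"
CLUSTER_NAME="${CLUSTER_NAME:-my-cluster}"
POOL_NAME="${POOL_NAME:-aws-pool}"

# Read "InstanceId<TAB>SourceDestCheck" lines (the shape that
# `aws ec2 describe-instances --output text` produces for the query below)
# and print only the IDs whose check is still enabled.
instances_needing_fix() {
    awk '$2 == "True" { print $1 }'
}

# Ask AWS for every running instance tagged as a member of this cluster.
list_cluster_instances() {
    aws ec2 describe-instances \
        --filters "Name=tag:${CLUSTER_TAG},Values=${CLUSTER_NAME}" \
                  "Name=instance-state-name,Values=running" \
        --query 'Reservations[].Instances[].[InstanceId,SourceDestCheck]' \
        --output text
}

# Disable the src/dst check on each node that still has it enabled.
# Calico pod traffic uses addresses AWS does not know about, so an instance
# with the check on silently drops it.
disable_src_dst_checks() {
    list_cluster_instances | instances_needing_fix | while read -r id; do
        echo "disabling src/dst check on ${id}"
        aws ec2 modify-instance-attribute --instance-id "${id}" \
            --no-source-dest-check
    done
}

# Read IPPool YAML on stdin; exit 0 only if it is CrossSubnet with
# natOutgoing enabled, which is what multi-subnet AWS clusters need.
pool_is_cross_subnet() {
    awk '/^[[:space:]]*ipipMode:[[:space:]]*CrossSubnet[[:space:]]*$/ { m = 1 }
         /^[[:space:]]*natOutgoing:[[:space:]]*true[[:space:]]*$/      { n = 1 }
         END { exit !(m && n) }'
}

# Fetch the live pool and check it; fail loudly so a CI job notices.
verify_pool() {
    if calicoctl get ippool "${POOL_NAME}" -o yaml | pool_is_cross_subnet; then
        echo "pool ${POOL_NAME}: ipipMode CrossSubnet, natOutgoing true"
    else
        echo "pool ${POOL_NAME} is not CrossSubnet with natOutgoing" >&2
        return 1
    fi
}

if [ "${1:-}" = "apply" ]; then
    disable_src_dst_checks
    verify_pool
fi
```

Running it with no argument only defines the functions, which keeps it safe to source from other scripts; a dry look at what would change is `list_cluster_instances | instances_needing_fix`. Note that modify-instance-attribute acts on the instance's primary ENI only; nodes with additional network interfaces need the check disabled per interface.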