Amazon Web Services
Calico provides the following advantages when running in Amazon Web Services (AWS):
- Network Policy for Containers: Calico provides fine-grained network security policy for individual containers.
- No Overlays: Within each VPC subnet Calico doesn’t need an overlay, which means high performance networking for your containers.
- No 50 Node Limit: Calico allows you to surpass the 50 node limit, which exists as a consequence of the AWS 50 route limit when using the VPC routing table.
Routing traffic within a single VPC subnet
Since Calico assigns IP addresses outside the range used by AWS for EC2 instances, you must disable AWS src/dst checks on each EC2 instance in your cluster as described in the AWS documentation. This allows Calico to route traffic natively within a single VPC subnet without using an overlay or any of the limited VPC routing table entries.
Routing traffic across different VPC subnets / VPCs
If you need to split your deployment across multiple AZs for high availability then each AZ will have its own VPC subnet. To use Calico across multiple different VPC subnets or peered VPCs, in addition to disabling src/dst checks as described above you must also enable IPIP encapsulation and outgoing NAT on your Calico IP pools.
See the IP pool configuration reference for information on how to configure Calico IP pools.
By default, Calico’s IPIP encapsulation applies to all container-to-container traffic. However, encapsulation is only required for container traffic that crosses a VPC subnet boundary. For better performance, you can configure Calico to perform IPIP encapsulation only across VPC subnet boundaries.
To enable the “CrossSubnet” IPIP feature, configure your Calico IP pool resources to enable IPIP and set the mode to “CrossSubnet”.
note
This feature was introduced in Calico v2.1, if your deployment was created with an older version of Calico, or if you if you are unsure whether your deployment is configured correctly, follow the Configuring IP-in-IP guide which discusses this in more detail.
The following calicoctl
command will create or modify an IPv4 pool with CIDR 192.168.0.0/16 using IPIP mode CrossSubnet
. Adjust the pool CIDR for your deployment.
calicoctl apply -f - <<EOF
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
name: ippool-cs-1
spec:
cidr: 192.168.0.0/16
ipipMode: CrossSubnet
EOF
Enabling workload-to-WAN traffic
To allow Calico networked containers to reach resources outside of AWS, you must configure outgoing NAT on your Calico IP pool.
AWS will perform outbound NAT on any traffic which has the source address of an EC2 virtual machine instance. By enabling outgoing NAT on your Calico IP pool, Calico will NAT any outbound traffic from the containers hosted on the EC2 virtual machine instances.
The following calicoctl
command will create or modify an IPv4 pool with CIDR 192.168.0.0/16 using IPIP mode CrossSubnet
and enables outgoing NAT. Adjust the pool CIDR for your deployment.
calicoctl apply -f - <<EOF
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
name: ippool-1
spec:
cidr: 192.168.0.0/16
ipipMode: CrossSubnet
natOutgoing: true
EOF