IP Aliases

This page explains how to configure IP aliases in Kubernetes Engine.

Overview

With IP aliases, Kubernetes Engine clusters can allocate Pod IP addresses from a CIDR block known to Google Cloud Platform. This allows your cluster to interact with other Cloud Platform products and entities, and also allows more scalable clusters.

Using IP aliases has several advantages:

  • Pod IPs are reserved within the network ahead of time, which prevents conflicts with other compute resources.
  • The networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs.
  • Pod IPs are natively routable within the Google Cloud Platform network (including via VPC Network Peering), so clusters can scale to larger sizes faster without using up route quota.
  • Aliased IPs can be announced through BGP by Cloud Router, enabling better support for connecting to on-premises networks.
  • Firewall controls for Pods can be applied separately from their hosting node.
  • IP aliases allow Pods to directly access hosted services without using a NAT gateway.

In Kubernetes version 1.7.5 or later, enabling IP aliases prevents Kubernetes Engine from adding per-node routes to represent Pod IPs in your cluster.

Creating a new cluster with IP aliases

The following sections explain how to create a new cluster with IP aliases. You can either have Kubernetes Engine automatically create a subnetwork, or you can manually create a subnetwork.

Creating a subnetwork automatically

Console

  1. Visit the Kubernetes Engine menu in GCP Console.
  2. Click Create cluster.
  3. Configure your cluster as desired. Then, from the Use alias IP ranges drop-down menu, select Enabled. Several new menus appear.
  4. With the Automatically create subnet drop-down menu set to Enabled, configure the Node address range, Container address range, and Service address range as desired.
  5. Click Create.

gcloud

To create a new cluster that uses IP aliases, with the subnetwork and IP ranges chosen for you, run the following command, where [CLUSTER-NAME] is the name you choose for the cluster:

gcloud beta container clusters create [CLUSTER-NAME] --enable-ip-alias --create-subnetwork name=my-cluster-subnet

In this command, the new cluster is automatically configured with IP ranges and a subnetwork. You can either provide a name for the subnetwork (in this example, name=my-cluster-subnet) or provide an empty string ("") to have a name generated for you.

To choose the IP ranges yourself while still having the subnetwork created for you, run the following command:

gcloud beta container clusters create [CLUSTER-NAME] --enable-ip-alias --create-subnetwork="" [--cluster-ipv4-cidr=[RANGE]] [--service-ipv4-cidr=[RANGE]]

In this command:

  • [CLUSTER-NAME] is the name you choose for the cluster.
  • --enable-ip-alias flag indicates that the cluster uses IP aliases.
  • --create-subnetwork flag causes a subnetwork for the cluster to be automatically created.
  • The optional --cluster-ipv4-cidr flag indicates the size and location of the cluster's Pod CIDR range. [RANGE] can be in the form of [IP]/[SIZE], such as 10.0.0.0/18, or simply /[SIZE], which causes the IP address to be automatically assigned. If this flag is omitted, a CIDR range is automatically assigned with default sizes.
  • The optional --service-ipv4-cidr flag indicates the size and location of the CIDR range for Services. [RANGE] takes the same forms as for --cluster-ipv4-cidr. The Service range and the Pod range given by --cluster-ipv4-cidr must not overlap. If this flag is omitted, a CIDR range is automatically assigned with default sizes.

Using an existing subnetwork with IP aliases

You can manually create a Compute Engine subnetwork with a primary range and two secondary ranges for your Kubernetes Engine cluster and use that subnetwork in conjunction with Kubernetes Engine IP aliases. When you create a new cluster with IP aliases, you can specify that the cluster should use the existing Compute Engine subnetwork. IP addresses from this subnetwork are allocated as follows:

  • Node IPs are allocated from the primary range.
  • Pod IPs are allocated from a named secondary range specified during cluster creation.
  • Service IPs are allocated from another named secondary range specified during cluster creation.

Console

You must create a subnetwork with a primary range and at least two secondary CIDR ranges: one for Pod addresses and one for Service addresses.

To create a subnetwork, perform these steps:

  1. Visit the VPC network menu in GCP Console.
  2. Select the network you wish to use with Kubernetes Engine.
  3. Click Add subnet.
  4. Fill the Name field with a name for your subnetwork.
  5. From the Region drop-down menu, select your preferred region.
  6. Fill the IP address range field with your preferred range for VMs (nodes) and internal load balancer IPs, such as 10.4.0.0/22.
  7. To create the first secondary range, click Create secondary IP range.
  8. Fill the Subnet range name field with a name for the secondary range, then fill the Secondary IP range field with a CIDR range for the cluster's Pods, such as 10.0.0.0/14.
  9. To add the second secondary range, click Add IP range.
  10. Fill the Subnet range name field with a name for the secondary range, then fill the Secondary IP range field with a CIDR range for the cluster's Services, such as 10.4.4.0/22.
  11. Click Add.

To create a cluster:

  1. Visit the Kubernetes Engine menu in GCP Console.
  2. Click Create cluster.
  3. Configure your cluster as desired. Then, from the Use alias IP ranges drop-down menu, select Enabled. Several new menus appear.
  4. From the Automatically create subnet drop-down menu, select Disabled.
  5. From the Network drop-down menu, select the desired network.
  6. From the Node subnet, Container subnet, and Services subnet drop-down menus, select the desired subnets.
  7. Click Create.

gcloud

To create the subnetwork, run the following command, where [SUBNET-NAME] is the name you choose for the subnetwork, [NETWORK] is the VPC network it belongs to, and [REGION] is the region in which it is created:

gcloud beta compute networks subnets create [SUBNET-NAME] --network=[NETWORK] --region=[REGION] --range 10.4.0.0/22 --secondary-range my-pods=10.0.0.0/14 --secondary-range my-services=10.4.4.0/22

The above example command creates a single primary range for nodes (10.4.0.0/22) and two secondary ranges: one for Pods called my-pods (10.0.0.0/14) and another for Services called my-services (10.4.4.0/22). The primary range and the secondary ranges must not overlap one another.

To create the cluster with the subnetwork, run the following command, where [CLUSTER-NAME] is the name you choose for the cluster. The cluster's zone must lie within the subnetwork's region:

gcloud beta container clusters create [CLUSTER-NAME] --enable-ip-alias --subnetwork=[SUBNET-NAME] --cluster-secondary-range-name=my-pods --services-secondary-range-name=my-services
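The two commands above, together with the rule from the automatic-subnetwork section that the Pod and Service ranges must not overlap, as a checked script. This is an added example, not code from the Kubernetes Engine documentation: it assumes placeholders [NETWORK] and [REGION] for your VPC network and region, reuses the secondary-range names my-pods and my-services from the page, and only prints the gcloud commands rather than running them, so the plan can be reviewed before anything is created in the project.

```bash
#!/usr/bin/env bash
# Added example, not part of the Kubernetes Engine documentation.
# Checks that the primary (node), Pod and Service ranges of an IP-alias subnet
# are pairwise disjoint before printing the two gcloud commands from this page.
# Assumptions: [NETWORK] and [REGION] are placeholders for your VPC network and
# region; nothing is executed against GCP, the commands are only printed.
set -u

# Dotted-quad IPv4 address to integer (shell arithmetic is 64-bit, so no overflow).
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network mask for a prefix length, as an integer.
prefix_mask() {
  echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Network (base) address of a CIDR block, as an integer.
cidr_base() {
  echo $(( $(ip_to_int "${1%/*}") & $(prefix_mask "${1#*/}") ))
}

# Returns 0 (true) if the two CIDR blocks share any address, 1 otherwise.
# Two blocks overlap exactly when the one with the shorter prefix contains the
# other's base address.
cidr_overlap() {
  local a_len=${1#*/} b_len=${2#*/} a b
  a=$(cidr_base "$1"); b=$(cidr_base "$2")
  if [ "$a_len" -le "$b_len" ]; then
    [ $(( b & $(prefix_mask "$a_len") )) -eq "$a" ]
  else
    [ $(( a & $(prefix_mask "$b_len") )) -eq "$b" ]
  fi
}

# Arguments: primary range, Pod range, Service range, subnet name, cluster name.
# Prints the gcloud commands if the ranges are disjoint; returns 1 otherwise.
plan_ip_alias_cluster() {
  local primary=$1 pods=$2 services=$3 subnet=$4 cluster=$5 pair
  for pair in "$primary $pods" "$primary $services" "$pods $services"; do
    set -- $pair
    if cidr_overlap "$1" "$2"; then
      echo "error: $1 overlaps $2; the primary, Pod and Service ranges must be disjoint" >&2
      return 1
    fi
  done
  echo "gcloud beta compute networks subnets create $subnet --network=[NETWORK] --region=[REGION] --range $primary --secondary-range my-pods=$pods --secondary-range my-services=$services"
  echo "gcloud beta container clusters create $cluster --enable-ip-alias --subnetwork=$subnet --cluster-secondary-range-name=my-pods --services-secondary-range-name=my-services"
}

# The ranges used in this page's example are disjoint, so both commands print.
plan_ip_alias_cluster 10.4.0.0/22 10.0.0.0/14 10.4.4.0/22 my-cluster-subnet my-cluster
```

Swapping the Service range for 10.4.0.0/24, which sits inside the 10.4.0.0/22 primary range, makes the script stop with an error instead of printing commands that the subnet creation would reject.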

Considerations for cluster sizing

Below are several considerations for IP alias sizing, organized by resource type.

To learn about Google Cloud Platform's usable CIDR ranges, refer to Virtual Private Cloud (VPC) Network Overview in the Compute Engine documentation.

Node IP

Node IPs and internal load balancer IPs are both allocated from the primary range of the subnetwork. Kubernetes Engine requires a CIDR prefix length between 19 and 28 bits, which corresponds to between 16 (=2^(32-28)=2^4) and 8,192 (=2^(32-19)=2^13) addresses.

When you create the cluster, ensure that you choose a subnetwork range that is large enough for the cluster's anticipated growth.

For example, to create a cluster with up to 60 nodes or Internal load balancers, you need to allocate a contiguous block of 64 addresses (=2^6). In terms of CIDR prefix length, this corresponds to a /26 network (=32-6). Note that Google Cloud reserves four addresses in every primary range (the network address, the default gateway, the second-to-last address and the broadcast address), so a /26 leaves exactly 60 usable addresses; a 61st node or load balancer would require a /25.

Pod IP

Each node requires that 256 IP addresses, or a /24 block, be reserved for use by the Pods running on it. As with the node IP range, this range cannot be changed after the cluster is created; therefore, it is important to size the Pod IP block to accommodate the number of nodes multiplied by 256. Kubernetes Engine requires that the secondary range for Pods have a prefix length between 11 and 19 bits, which corresponds to a contiguous block of between 8,192 (=2^13) and 2,097,152 (=2^21) addresses.

Building on the above example, a cluster of up to 60 nodes (rounded up to 64, the next power of two) requires a block of 64 x 256 = 16,384 contiguous IP addresses for Pods. That amounts to 6 + 8 = 14 bits of address space, which corresponds to a /18 network (=32-14).

Service IP

The Service IP range is immutable after the cluster is created; therefore, size the Service CIDR block to accommodate the maximum number of Service objects you intend to deploy. Kubernetes Engine requires that the secondary range for Service IPs have a prefix length between 18 and 22 bits, which corresponds to a contiguous block of between 1,024 (=2^10) and 16,384 (=2^14) addresses.

By default, Kubernetes Engine uses a /20 network, which allows up to 4,092 (=2^(32-20) - 4 = 2^12 - 4 = 4096 - 4) Services in your cluster.
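The sizing rules above as an added script (not from the Kubernetes Engine documentation) that computes all three prefix lengths from a node count and a Service count, and refuses counts that cannot fit even the largest range Kubernetes Engine allows. It assumes only the constants the page gives: four reserved addresses in the primary range, 256 Pod addresses per node, the four addresses the page subtracts from the Service range, and the prefix-length limits quoted in the three sections above; expected growth must already be folded into the counts you pass in.

```bash
#!/usr/bin/env bash
# Added example, not part of the Kubernetes Engine documentation.
# Turns a planned node count and Service count into the three prefix lengths
# using the sizing rules on this page: 4 addresses reserved in the primary
# range, a /24 (256 addresses) of Pod space per node, 4 addresses subtracted
# from the Service range, and the GKE prefix-length limits quoted above.
# Assumption: future growth is already included in the counts passed in.
set -u

# Number of addresses in a block with the given prefix length.
block_size() { echo $(( 1 << (32 - $1) )); }

# Longest prefix (smallest block) that holds at least $1 addresses, searched
# from $3 (longest allowed) down to $2 (shortest allowed). Prints the prefix,
# or returns 1 when even the largest allowed block is too small.
fit_prefix() {
  local need=$1 shortest=$2 longest=$3 p
  p=$longest
  while [ "$p" -ge "$shortest" ]; do
    if [ "$(block_size "$p")" -ge "$need" ]; then
      echo "$p"
      return 0
    fi
    p=$(( p - 1 ))
  done
  return 1
}

# Primary range: one address per node or internal load balancer, plus the four
# addresses Google Cloud reserves in every primary range; GKE allows /19 to /28.
node_prefix() { fit_prefix $(( $1 + 4 )) 19 28; }

# Pod range: 256 addresses per node; GKE allows /11 to /19.
pod_prefix() { fit_prefix $(( $1 * 256 )) 11 19; }

# Service range: the page's /20 example yields 2^12 - 4 Services, so size for
# the requested count plus four; GKE allows /18 to /22.
service_prefix() { fit_prefix $(( $1 + 4 )) 18 22; }

# Maximum number of Services a range of the given prefix length can hold.
service_capacity() { echo $(( $(block_size "$1") - 4 )); }

# Prints "nodes=/N pods=/P services=/S" for $1 nodes and $2 Services, or an
# error and status 1 when a count exceeds what the largest allowed range holds.
size_cluster() {
  local nodes=$1 services=$2 np pp sp
  np=$(node_prefix "$nodes")       || { echo "error: $nodes nodes exceed a /19 primary range" >&2; return 1; }
  pp=$(pod_prefix "$nodes")        || { echo "error: $nodes nodes exceed a /11 Pod range" >&2; return 1; }
  sp=$(service_prefix "$services") || { echo "error: $services Services exceed a /18 range" >&2; return 1; }
  echo "nodes=/$np pods=/$pp services=/$sp"
}

# The page's worked example: 60 nodes and the default Service range size.
size_cluster 60 4092     # nodes=/26 pods=/18 services=/20
```

Asking for 61 nodes moves the primary range to a /25 because the /26 has only 60 usable addresses once the four reserved ones are removed, while the Pod range stays at /18 since 61 x 256 still fits in 16,384 addresses.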

Restrictions

  • Additional subnetworks cannot be used in tandem with IP aliases.
  • You cannot currently migrate an existing cluster to a cluster that uses IP aliases. This limitation will be removed in future releases.
  • Cluster IPs for internal Services are only reachable from within the cluster. If you want to reach a Kubernetes Service from elsewhere in the VPC, outside of the cluster (for example, from a Compute Engine instance), use an Internal load balancer.
