Cloud Container Service Engine (CCSE)

Container Network Interface (CNI)

2025-07-10 10:01:56

Containerized applications deploy multiple services on the same node, and each service needs its own network space so that it does not conflict with the networks of other services. Each Pod therefore gets an independent network space, and the applications inside a Pod must still be able to communicate with other networks. Container networks have the following characteristics:

- Each Pod has its own independent network space and IP address. Applications in different Pods can listen on the same port without conflict.

- Pods can communicate with each other using their respective IP addresses.

Pods in the cluster can communicate with other applications using their independent IP addresses:

  - Within the same cluster, Pods can access each other.

  - Pods can directly access ECS in the same VPC.

  - ECS in the same VPC can directly access Pods.

1. Cubecni

The Cubecni network mode is a cloud-native network solution that builds the container network directly on the Elastic Network Interface (ENI) resources of the eSurfing Cloud virtualized network. Pods are assigned IP addresses directly from the VPC through ENI resources, so no additional virtual Pod CIDR block needs to be specified.

Characteristics of Cubecni network mode:

- Containers and virtual machines sit on the same network layer, which simplifies migrating existing workloads to cloud-native deployments.

- No reliance on packet encapsulation or routing tables; the network device allocated to a container is used directly for communication.

- The number of cluster nodes is not limited by routing-table or encapsulation FDB-table quotas.

- No additional overlay CIDR block has to be planned for containers; containers in the cluster can communicate with each other once the required ports are opened in the security group.

- A container can be attached directly to the back end of an SLB, without forwarding through a NodePort on the node.

- A NAT gateway can perform SNAT for containers directly, so the node does not need to SNAT the container CIDR block: when containers access resources within the VPC, the source IP is the container IP, which simplifies auditing; when containers access external networks, they do not depend on conntrack-based SNAT, which reduces the failure rate.

- Cubecni network mode supports NetworkPolicy for configuring network access rules between Pods.

A NetworkPolicy is a specification of the allowed communication rules between Pods and other network endpoints. NetworkPolicy resources use labels to select Pods and define the allowed communication rules for the selected Pods.
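The following NetworkPolicy is an added example and is not part of the CCSE documentation. It assumes a namespace "shop" with Pods labelled app=backend, app=frontend and app=postgres, and the default kube-dns labels in kube-system; it shows how the label selectors described above restrict both ingress to and egress from the selected Pods, with everything not listed denied.

```yaml
# Added example (assumed names): restrict traffic for the app=backend Pods
# in namespace "shop". Because policyTypes lists both Ingress and Egress,
# any connection not matched by a rule below is denied for these Pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-frontend-only
  namespace: shop
spec:
  # Label selector: the policy applies only to Pods carrying app=backend.
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only app=frontend Pods in the same namespace may reach TCP 8080.
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Allow DNS lookups to kube-dns in kube-system
    # (kubernetes.io/metadata.name is set automatically on namespaces).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Allow connections to the assumed app=postgres Pods on TCP 5432.
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
```

Because Cubecni Pods carry VPC addresses that ECS in the same VPC can reach directly, a policy like this also closes that ECS-to-Pod path unless an ipBlock rule for the relevant VPC subnet is added to the ingress section. Apply with kubectl apply -f and verify with kubectl describe networkpolicy -n shop backend-allow-frontend-only.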

2. Calico

In the Calico network mode, the Pod CIDR block is independent of the VPC CIDR block.

Characteristics of Calico network mode:

- Nearly lossless performance.

- The Pod CIDR block is independent of the VPC CIDR block.
