Amazon Elastic Kubernetes Service Adds IPv6 Networking

Beginning immediately, you’ll be able to deploy functions that use IPv6 deal with house on Amazon Elastic Kubernetes Service (EKS).

Lots of our clients are standardizing Kubernetes as their compute infrastructure platform for cloud and on-premises functions. Amazon EKS makes it straightforward to deploy containerized workloads. It gives extremely out there clusters and automates duties comparable to patching, node provisioning, and updates.

Kubernetes makes use of a flat networking mannequin that requires every pod to obtain an IP deal with. This simplified method permits low-friction porting of functions from digital machines to containers however requires a major variety of IP addresses that many non-public VPC IPv4 networks will not be outfitted to deal with. Some cluster directors work round this IPv4 house limitation by putting in container community plugins (CNI) that virtualize IP addresses a layer above the VPC, however this structure limits an administrator’s capability to successfully observe and troubleshoot functions and has a unfavorable affect on community efficiency at scale. Additional, to speak with web providers exterior the VPC, site visitors from IPv4 pods is routed by means of a number of community hops earlier than reaching its vacation spot, which provides latency and places a pressure on community engineering groups who want to take care of complicated routing setups.

To keep away from IP deal with exhaustion, decrease latency at scale, and simplify routing configuration, the answer is to make use of IPv6 deal with house.

IPv6 shouldn’t be new. In 1996, I purchased my first e book on “IPng, Web Protocol Subsequent Technology”, because it was known as 25 years in the past. It gives a 128-bit deal with house, permitting three.Four x 10^38 doable IP addresses for our units, servers, or containers. We may assign an IPv6 deal with to each atom on the floor of the planet and nonetheless have sufficient addresses left to do one other 100-plus Earths.

There are a couple of benefits to utilizing Amazon EKS clusters with an IPv6 community. First, you’ll be able to run extra pods on one single host or subnet with out the chance of exhausting all out there IPv4 addresses out there in your VPC. Second, it permits for lower-latency communications with different IPv6 providers, operating on-premises, on AWS, or on the web, by avoiding an additional NAT hop. Third, it relieves community engineers of the burden of sustaining complicated routing configurations.

Kubernetes cluster directors can concentrate on migrating and scaling functions with out spending efforts working round IPv4 limits. Lastly, pod networking is configured in order that the pods can talk with IPv4-based functions exterior the cluster, permitting you to undertake the advantages of IPv6 on Amazon EKS with out requiring that every one dependent providers deployed throughout your group are first migrated to IPv6.

As normal, I constructed a brief demo to indicate you the way it works.

How It Works
Earlier than I get began, I create an IPv6 VPC. I exploit this CDK script to create an IPv6-enabled VPC in a couple of minutes (thanks Angus Lees for the code). Simply set up CDK v2 (npm set up -g aws-cdk@subsequent) and deploy the stack (cdk bootstrap && cdk deploy).

When the VPC with IPv6 is created, I exploit the console to configure auto-assignment of IPv6 addresses to sources deployed within the public subnets (I do that for every public subnet).

I pay attention to the subnet IDs created by the CDK script above (they’re listed within the output of the script) and outline a few variables I’ll use all through the demo. I additionally create a cluster IAM position and a node IAM position, as described within the Amazon EKS documentation. When you have already got clusters deployed, these two roles exist already.

I open a Terminal and kind:

CLUSTER_ROLE_ARN="arn:aws:iam::0123456789:position/EKSClusterRole"
NODE_ROLE_ARN="arn:aws:iam::0123456789:position/EKSNodeRole"
SUBNET1="subnet-06000a8"
SUBNET2="subnet-03000cc"
CLUSTER_NAME="AWSNewsBlog"
KEYPAIR_NAME="my-key-pair-name"

Subsequent, I create an Amazon EKS IPv6 cluster. In a terminal, I sort:

aws eks create-cluster --cli-input-json "
"title": "$",
"model": "1.21",
"roleArn": "$",
"resourcesVpcConfig": ,
"kubernetesNetworkConfig": 
    "ipFamily": "ipv6"

"

I exploit the describe-cluster whereas ready for the cluster to be created. When the cluster is prepared, it has "standing" : "ACTIVE"

aws eks describe-cluster --name "$"

Then I create a node group:

aws eks create-nodegroup                       
        --cluster-name $         
        --nodegroup-name AWSNewsBlog-nodegroup 
        --node-role $NODE_ROLE_ARN           
        --subnets "$" "$"    
        --remote-access ec2SshKey=$KEYPAIR_NAME
		
{
    "nodegroup": 
        "nodegroupName": "AWSNewsBlog-nodegroup",
        "nodegroupArn": "arn:aws:eks:us-west-2:0123456789:nodegroup/AWSNewsBlog/AWSNewsBlog-nodegroup/3ebe70c7-6c45-d498-6d42-4001f70e7833",
        "clusterName": "AWSNewsBlog",
        "model": "1.21",
        "releaseVersion": "1.21.Four-20211101",

        "standing": "CREATING",
        "capacityType": "ON_DEMAND",

... redacted for brevity ...

		

As soon as the node group is created, I see two EC2 cases within the console. I exploit the AWS Command Line Interface (CLI) to confirm that the cases acquired an IPv6 deal with:

aws ec2 describe-instances --query "Reservations[].Cases[? State.Name == 'running' ][].NetworkInterfaces[].Ipv6Addresses" --output textual content 

2600:1f13:812:0000:0000:0000:0000:71eb
2600:1f13:812:0000:0000:0000:0000:3c07

I exploit the kubectl command to confirm the cluster from a Kubernetes viewpoint.

kubectl get nodes -o vast

NAME                                       STATUS   ROLES    AGE     VERSION               INTERNAL-IP                              EXTERNAL-IP    OS-IMAGE         KERNEL-VERSION                CONTAINER-RUNTIME
ip-10-Zero-Zero-108.us-west-2.compute.inner   Prepared    <none>   second13h   v1.21.Four-eks-033ce7e   2600:1f13:812:0000:0000:0000:0000:2263   18.Zero.Zero.205   Amazon Linux 2   5.Four.149-73.259.amzn2.x86_64   docker://20.10.7
ip-10-Zero-1-217.us-west-2.compute.inner   Prepared    <none>   second13h   v1.21.Four-eks-033ce7e   2600:1f13:812:0000:0000:0000:0000:7f3e   52.Zero.Zero.122   Amazon Linux 2   5.Four.149-73.259.amzn2.x86_64   docker://20.10.7

Then I deploy a Pod. I comply with these steps within the EKS documentation. It deploys a pattern nginx net server.

kubectl create namespace aws-news-blog
namespace/aws-news-blog created

# sample-service.yml is out there at https://docs.aws.amazon.com/eks/newest/userguide/sample-deployment.html
kubectl apply -f  sample-service.yml 
service/my-service created
deployment.apps/my-deployment created

kubectl get pods -n aws-news-blog -o vast
NAME                             READY   STATUS    RESTARTS   AGE   IP                           NODE                                       NOMINATED NODE   READINESS GATES
my-deployment-5dd5dfd6b9-7rllg   1/1     Working   Zero          17m   2600:0000:0000:0000:405b::2   ip-10-Zero-1-217.us-west-2.compute.inner   <none>           <none>
my-deployment-5dd5dfd6b9-h6mrt   1/1     Working   Zero          17m   2600:0000:0000:0000:46f9::    ip-10-Zero-Zero-108.us-west-2.compute.inner   <none>           <none>
my-deployment-5dd5dfd6b9-mrkfv   1/1     Working   Zero          17m   2600:0000:0000:0000:46f9::1   ip-10-Zero-Zero-108.us-west-2.compute.inner   <none>           <none>

I pay attention to the IPv6 deal with of my pods, and attempt to join it from my laptop computer. As my superior service supplier doesn’t present me with an IPv6 at dwelling but, the connection fails. That is anticipated because the pods do not need an IPv4 deal with in any respect. Discover the -g possibility telling curl to not think about : within the IP deal with because the separator for the port quantity and -6 to inform curl to attach by means of IPv6 solely (required while you present curl with a DNS hostname).

curl -g -6 http://[2600:0000:0000:35000000:46f9::1]
curl: (7) Could not connect with server

To check IPv6 connectivity, I begin a twin stack (IPv4 and IPv6) EC2 occasion in the identical VPC because the cluster. I SSH connect with the occasion and check out the curl command once more. I see I obtain the default HTML web page served by nginx. IPv6 connectivity to the pod works!

curl -g -6 http://[2600:0000:0000:35000000:46f9::1]
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>

... redacted for brevity ...

<p><em>Thanks for utilizing nginx.</em></p>
</physique>
</html>

If it doesn’t give you the results you want, confirm the three parameters to allow web entry for a subnet : does your VPC has an Web Gateway? Does the routing desk hooked up to the subnet has a default path to the Web Gateway? Does the safety group for the cluster EC2 nodes has a rule permitting incoming connections on port TCP 80 from ::/Zero? The Web Gateway and the routing desk are routinely configured by the CDK script I offered as a part of this demo.

A Few Issues to Bear in mind
Earlier than I wrap up, I’d wish to reply some frequent questions acquired from clients who’ve already experimented with this new functionality:

Pricing and Availability
IPv6 help on your Amazon Elastic Kubernetes Service (EKS) cluster is out there immediately in all AWS Areas the place Amazon EKS is out there, at no further price.

Go strive it out and construct your first IPv6 cluster immediately.

— seb