Network

VPC

VPC where a cluster resides

VPC enables you to provision logically isolated, configurable, manageable virtual networks for cloud servers, cloud containers, and cloud databases. The VPC gives you complete control over your virtual network, allowing you to select your own IP address range, create subnets, configure security groups, and even assign EIPs and allocate bandwidth in your network, enabling secure and easy access to your business system.

VPC CIDR Block

VPC CIDR Block of a cluster

Default Node Subnet

Node subnet of a cluster

A subnet is a network that manages ECS network planes. It supports IP address management and DNS. ECSs in a subnet are assigned with its IP addresses.

By default, ECSs in all subnets of the same VPC can communicate with one another, but ECSs in different VPCs cannot.

You can create a VPC peering connection to enable ECSs in different VPCs to communicate with each other.

Default Node Subnet | IPv4 CIDR Block/IPv6 CIDR Block

Node subnet CIDR block of a cluster

IPv4/IPv6 Dual Stack

Whether to enable IPv6 dual stack.

Network Model

Network model of a cluster

After a cluster is created, its network model cannot be changed. For details about the comparison between different network models, see Overview.

Default Node Security Group

Default security group of the worker nodes in a cluster

You can select a custom security group as the default node security group for a cluster, and you need to allow traffic from specified ports in the security group to ensure normal communications in the cluster.

If the custom security group needs some modifications, the modified security group applies only to newly created or accepted nodes. For existing nodes, you need to manually modify the security group rules.

Non-Translated CIDR Blocks for External Communication (available only in clusters using the VPC network model)

In a cluster using a VPC network, 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are regarded as private CIDR blocks of the cluster by default. If the VPC to which the cluster resides uses a secondary CIDR block, operations such as creating or resetting a node will also add the secondary CIDR block to the private CIDR blocks.

If a pod tries to access a private CIDR block, the source node will not perform NAT on the pod IP address. Instead, the upper-layer VPC can directly send the pod data packet to the destination, which means, the pod IP address is directly used to communicate with the private CIDR block in the cluster.

This function is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later versions.

Network Policies (supported by clusters using the container tunnel network model)

Whether to enable network policies. This configuration is supported by clusters of v1.25.16-r10, v1.27.16-r10, v1.28.15-r0, v1.29.10-r0, v1.30.6-r0, v1.31.1-r0, and later versions.

• Disabled: The network policy capability is not supported, and the created policies do not take effect.
• Enabled: If the CIDR blocks of a customer's service conflict with the on-premises CIDR blocks, the link to a newly added gateway may not be established.

  For example, when a cluster accesses an external address through a Direct Connect connection, the switch outside the cloud does not support ip-option. If the network policy is enabled, the network access may fail.

Request Forwarding

Forwarding mode of a cluster

After a cluster is created, the service forwarding mode cannot be changed. IPVS and iptables are supported. For details, see Comparing iptables and IPVS.

IPv4 Service CIDR Block/IPv6 Service CIDR Block

Each Service in a cluster has its own IP address. When creating a CCE cluster, you can specify the Service address range (Service CIDR block). The Service CIDR block cannot overlap with the subnet or the container CIDR block. The Service CIDR block can be used only within a cluster.

Service Port Range

NodePort port range