Azure AKS network plan

Sajan S S 81 Reputation points
2021-01-25T04:49:09.513+00:00

Hello,

I have a few queries related to AKS network planning. I am working on an AKS-based project for a client from the finance sector and have planned different clusters for each environment.

Key considerations are,

  1. Private AKS cluster.
  2. Azure CNI
  3. Azure Network Policies (no open source, hence no Calico)
  4. Application Gateway Standard v2 as ingress.
  5. Each environment inside a spoke VNet (each environment like prod, nonprod, UAT etc.).
  6. Plan is to use a /22 for each AKS subnet.

Looking for more clarity on service CIDR & Docker bridge. What I need to know is:

  1. If I reuse the service CIDR and Docker bridge across environments, can it create problems in future? Even though the Microsoft link says you should not reuse these, additional address space for these is not as easy as it sounds.
  2. As my AKS subnet is /22, is it okay to use a service CIDR of /23 or /24?
  3. What should the Docker bridge IP range be? Can we use a smaller range like /24?

Looking for a response to these specific queries.


Accepted answer
  1. shiva patpi 13,366 Reputation points Microsoft Employee Moderator
    2021-01-27T00:01:07.72+00:00

    Hello @SajanSS-1385,

    Regarding "As my AKS subnet is /22, is it okay to use a service CIDR of /23 or /24?"

    You can definitely use that range, but it is not a recommended option. Just make sure that this address range must not overlap with any subnet IP ranges used in the cluster subnet parameter. The Kubernetes service range cannot be in the same subnet as the AKS cluster. Basically, as you know, the Kubernetes service address range is a set of virtual IPs that Kubernetes assigns to internal services in your cluster. You can use any private address range to satisfy the IP address range. The K8s service range is not a routable range and only K8s knows about it, routing packets from containers to a service within the cluster. Please make a note that this range should not be used by any network element on or connected to this virtual network. The service address CIDR must be smaller than /12.

    What should the Docker bridge IP range be? Can we use a smaller range like /24?

    *Yes, you can use the smaller range. When you try creating this Docker bridge IP range using the Azure portal, it will use a default range like 172.17.0.1/16 for the docker network (you can use /24 too). I would suggest going with the default one. Basically this is the address space for Docker bridge networking, which will be used for docker build etc. (not used by the AKS cluster or pods). You should definitely pick an address space which will not conflict with other spaces. Mainly this range lets the AKS nodes communicate with the underlying management platform.*

    If I reuse the service CIDR and Docker bridge across environments, can it create problems in future? Even though the Microsoft link says you should not reuse these, additional address space for these is not as easy as it sounds.

    The service CIDR and Docker CIDR can definitely be re-used without any issue. For example, if you have Prod/Test/Integration environments, you can re-use the same service CIDR across all those environments. The recommendation is to use a unique CIDR across different environments.

    Additional references:-

    Hope it helps! Please make sure to Accept As Answer if it has helped you out so that it can be useful to the community out there.

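The constraints in the accepted answer (service CIDR must not overlap the AKS subnet, must be a private range, must be smaller than /12, the Docker bridge must not conflict with either, and reuse across environments is allowed but not recommended) are easy to check mechanically before running a cluster build. The following is an added example, not code from the thread or from Microsoft, that validates a planning table for several environments with Python's standard `ipaddress` module. The environment names and every address in `PLAN` are constructed illustrations; the /22 AKS subnet follows the question, and `172.17.0.1/16` is the portal default the answer quotes.

```python
import ipaddress
from typing import Dict, List

# Constructed planning table (not values from the thread): one spoke VNet per
# environment, a /22 AKS subnet as the question plans, and service CIDR /
# Docker bridge candidates like those the answer discusses. "uat" is
# deliberately mis-planned so the check has something to report.
PLAN: Dict[str, Dict[str, str]] = {
    "prod":    {"aks_subnet": "10.10.0.0/22", "service_cidr": "10.100.0.0/24", "docker_bridge": "172.17.0.1/16"},
    "nonprod": {"aks_subnet": "10.20.0.0/22", "service_cidr": "10.100.0.0/24", "docker_bridge": "172.17.0.1/16"},
    "uat":     {"aks_subnet": "10.30.0.0/22", "service_cidr": "10.30.2.0/23",  "docker_bridge": "172.17.0.1/16"},
}


def net(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR; strict=False accepts host-style notation such as 172.17.0.1/16."""
    return ipaddress.ip_network(cidr, strict=False)


def check_environment(aks_subnet: str, service_cidr: str, docker_bridge: str) -> List[str]:
    """Return the findings for one environment; an empty list means the plan passes."""
    subnet, svc, bridge = net(aks_subnet), net(service_cidr), net(docker_bridge)
    findings: List[str] = []

    # 1. The service range cannot live in the cluster subnet (answer's first point).
    if svc.overlaps(subnet):
        findings.append(f"service CIDR {svc} overlaps AKS subnet {subnet}")

    # 2. The Docker bridge space must not conflict with either of the other ranges.
    if bridge.overlaps(subnet) or bridge.overlaps(svc):
        findings.append(f"docker bridge {bridge} overlaps the AKS subnet or service CIDR")

    # 3. The service range is a private, non-routable range that only Kubernetes knows about.
    if not svc.is_private:
        findings.append(f"service CIDR {svc} is not a private (RFC 1918) range")

    # 4. "Service address CIDR must be smaller than /12": a prefix length of 12 or longer.
    if svc.prefixlen < 12:
        findings.append(f"service CIDR {svc} is larger than /12")

    return findings


def check_plan(plan: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Check every environment, then flag service CIDRs reused across environments.

    Reuse is allowed per the answer, but the recommendation is unique ranges, so it
    is reported as a finding rather than silently accepted.
    """
    report = {name: check_environment(**env) for name, env in plan.items()}

    users_of: Dict[str, List[str]] = {}
    for name, env in plan.items():
        users_of.setdefault(str(net(env["service_cidr"])), []).append(name)
    for cidr, names in users_of.items():
        if len(names) > 1:
            for name in names:
                report[name].append(
                    f"service CIDR {cidr} is reused by {', '.join(names)}; allowed, but unique ranges are recommended"
                )
    return report


if __name__ == "__main__":
    for name, findings in check_plan(PLAN).items():
        status = "OK" if not findings else "REVIEW"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it before `az aks create` for each environment; a plan with an empty findings list for every environment satisfies the constraints stated in the answer, and the reuse finding tells you which environments share a service CIDR so the decision is deliberate rather than accidental.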
