Azure CNI Service CIDR and Docker Bridge CIDR

Hari Narayanan 26 Reputation points
2020-10-13T04:18:21.2+00:00

We are in the process of setting up AKS for our teams and we decided to go with CNI. I clearly understand the range specification around the POD CIDR; I have the below questions around Service CIDR and Docker Bridge CIDR. Would be great to get someone's expert opinion.

  1. Documentation says the Service CIDR and Docker Bridge CIDR should not be from the VNET or any address spaces of any of the existing VNET architecture, and we can reuse the Service CIDR and Docker Bridge CIDR across the multiple AKS clusters we create. Will there be any impact if I use the same Service CIDR and Docker CIDR across the different AKS clusters I am going to create? What if the multiple clusters are inside the same VNET, or what if the VNETs that those AKS clusters will be placed in are peered? Will using the same service CIDR have an impact in any of the above scenarios?
  2. Also, what is the recommended address space for Service CIDR and Docker Bridge CIDR?

Would be great if someone can help me clear these doubts, cuz I believe setting this up perfectly will avoid any problems in the future, and recreation of clusters will be a huge pain.

Thanks in advance.

Azure Kubernetes Service (AKS)

Accepted answer
  1. prmanhas-MSFT 17,516 Reputation points Microsoft Employee
    2020-10-13T09:26:58.787+00:00

    @Hari Narayanan Thank you for your query!!!

    Answer for your queries is as below:

    Will there be any impact if I use the same Service CIDR and Docker CIDR across the different AKS clusters I am going to create? What if the multiple clusters are inside the same VNET, or what if the VNETs that those AKS clusters will be placed in are peered? Will using the same service CIDR have an impact in any of the above scenarios?

    We don't use the docker bridge for pod communication, but as Docker is configured as part of the Kubernetes setup, this docker bridge also gets created, so in order to avoid it picking a random unknown CIDR that could collide with any of your existing subnets, we give the option to change it and set it to a known range. So the indication for the docker bridge is to define any CIDR that doesn't belong to Azure and doesn't collide with any other subnet. The Docker bridge network address represents the default docker0 bridge network address present in all Docker installations. While the docker0 bridge is not used by AKS clusters or the pods themselves, you must set this address to continue to support scenarios such as docker build within the AKS cluster. It is required to select a CIDR for the Docker bridge network address because otherwise Docker will pick a subnet automatically, which could conflict with other CIDRs. You must pick an address space that does not collide with the rest of the CIDRs on your networks, including the cluster's service CIDR and pod CIDR. You can reuse this range across different AKS clusters.

    Any service of the ClusterIP type that you create in Kubernetes will get an IP from this CIDR, but this IP is only available inside the cluster.

    More information here.

    Also, what is the recommended address space for Service CIDR and Docker Bridge CIDR?

    This range should not be used by any network element on or connected to this virtual network. Service address CIDR must be smaller than /12. You can reuse this range across different AKS clusters.

    The above article consists of this information as well.

    Hope it helps!!!

    Please "Accept as Answer" if it helped so it can help others in community looking for help on same topic :)

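To make the rules in the accepted answer checkable before a cluster is created, here is an added example (not from the thread or from Microsoft) that validates a planned Azure CNI address layout with Python's standard `ipaddress` module. The function name and parameter names are mine; the collision rules and the "smaller than /12" limit come from the answer above, and the DNS service IP check (must lie inside the service CIDR, and its first address is reserved for the `kubernetes` service) follows the AKS documentation rather than this thread.

```python
from ipaddress import ip_address, ip_network


def validate_aks_network_plan(vnet_spaces, service_cidr, docker_bridge,
                              dns_service_ip=None, peered_spaces=()):
    """Return a list of problems with an Azure CNI network plan ([] = clean).

    vnet_spaces / peered_spaces: address spaces of the cluster VNet and of any
    VNets peered with it (with Azure CNI pods take IPs from the node subnet, so
    vnet_spaces also covers pod IPs). service_cidr, docker_bridge and
    dns_service_ip are the --service-cidr, --docker-bridge-address and
    --dns-service-ip values, e.g. "10.0.0.0/16", "172.17.0.1/16", "10.0.0.10".
    """
    problems = []
    # Everything routable from the cluster: its own VNet plus peered VNets.
    routable = [ip_network(s) for s in (*vnet_spaces, *peered_spaces)]
    svc = ip_network(service_cidr)
    # The bridge is normally given as a gateway address (172.17.0.1/16), so
    # allow host bits to be set.
    bridge = ip_network(docker_bridge, strict=False)
    # Rule 1: neither range may collide with the VNet or any peered address space.
    for label, net in (("service CIDR", svc), ("Docker bridge CIDR", bridge)):
        for space in routable:
            if net.overlaps(space):
                problems.append(f"{label} {net} overlaps routable space {space}")
    # Rule 2: the two cluster-internal ranges must not collide with each other.
    if svc.overlaps(bridge):
        problems.append(f"service CIDR {svc} overlaps Docker bridge CIDR {bridge}")
    # Rule 3: service CIDR must be smaller than /12 (read literally: /13 or longer).
    if svc.prefixlen <= 12:
        problems.append(f"service CIDR {svc} is not smaller than /12")
    # Rule 4 (from the AKS docs, not this thread): the DNS service IP sits inside
    # the service CIDR, and its first address is reserved for the 'kubernetes' service.
    if dns_service_ip is not None:
        dns = ip_address(dns_service_ip)
        if dns not in svc:
            problems.append(f"DNS service IP {dns} is outside service CIDR {svc}")
        elif dns == svc.network_address + 1:
            problems.append(f"DNS service IP {dns} is the reserved .1 of {svc}")
    return problems


if __name__ == "__main__":
    # Constructed scenario: the cluster VNet is peered with a 172.16.0.0/12 network,
    # which the default 172.17.0.1/16 Docker bridge collides with.
    print(validate_aks_network_plan(["10.240.0.0/16"], "10.0.0.0/16", "172.17.0.1/16",
                                    dns_service_ip="10.0.0.10",
                                    peered_spaces=["172.16.0.0/12"]))
```

Because the service CIDR and Docker bridge are checked only against address spaces the cluster can actually reach, two clusters in the same or peered VNets can pass with identical values, which is the reuse the answer describes.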

3 additional answers

  1. Shetty Dhanashree Anant 6 Reputation points
    2022-09-20T14:08:32.89+00:00

    @prmanhas-MSFT :

    Just looking for the same information Hari and Giessen are looking for.
    1) We can give any dummy range to the service CIDR as it doesn't have any reference to any kind of connection?

    2) What can be the minimum CIDR assigned to it?

    3) Could we take a CIDR of e.g. /32 or /31 for the Docker Bridge CIDR?


  2. Giessen, Pieter van der 1 Reputation point
    2021-02-02T12:21:12.177+00:00

    What is the minimum size for this Docker Bridge CIDR? If it's not used, could we take a CIDR of e.g. /32 or /31?


  3. Tilo 6 Reputation points
    2022-12-21T00:25:39.94+00:00

    The default Docker bridge CIDR is 172.17.0.1/16,
    so /16 should be safe, but it would be great to get official MS info.
