When you launch a EKS cluster, by default it uses the VPC subnet IP addresses<\/strong> for pods and services. Meaning, if the VPC CIDR is It is not an issue for small clusters with less workloads. However, for large organizations using IPV4 with hybrid cloud networks this could be an issue.<\/p>\n In such organizations when you request for large IP ranges for Kubernetes clusters<\/a>., network teams often express concerns. Because they need to allocate IP address for multiple clusters in multiple environments and for multiple teams.<\/p>\n You can mitigate the IPv4 exhaustion issue by using AWS VPC secondary IP ranges such as shared address space<\/a> If you look at the following image, the Primary ENI of worker nodes<\/strong> use the primary subnet CIDR and pods uses the ENI from the secondary CIDR range.<\/p>\n Image src: aws.github.io<\/p>\n A good thing is, you can re-use the secondary ranges<\/strong> in other clusters and the primary ENI does the source network translation and the traffic going outside the cluster uses the primary ENI as source address. So you will not face any routing issues.<\/p>\n Note<\/strong>: You can use CNI plugins like calico to mitigate this issue. But for external CNI plugins you will not get any support from AWS.<\/p><\/blockquote>\n Secondary Network setup is not required for the following.<\/p>\n Let’s have a look at what is the secondary network in the Kubernetes cluster.<\/p>\n Here we use a single dedicated VPC with two different CIDR ranges, which I am considering We are using AWS CLI<\/a> commands to create the VPC<\/a>. So some utilities required are given below.<\/p>\n Create a VPC with a CIDR range Add secondary CIDR Create an Internet Gateway for the VPC to get internet access.<\/p>\n Attach Internet Gateway to the intended VPC<\/p>\n Create a route table for our subnets.<\/p>\n Add route to the internet by attaching IGW in the route table.<\/p>\n Set up environment variables for availability zones.<\/p>\n Create subnets for nodes from range Create three subnets for pods from CIDR Associate each subnet with the routing table.<\/p>\n If you are dont enable the We use Create a cluster config file to build an EKS cluster<\/p>\n Modify the details as per your requirements.<\/p>\n Here the EKS version we use is In the The VPC CNI Plugin is an add-on that will be available in each node of the clusters. basically, it is a deamonset<\/strong> named We have to make some modifications in the CNI configuration for pods to use the secondary CIDR range.<\/p>\n Prerequisites:<\/strong><\/p>\n The EKS cluster will already have Ensure the CNI plugin version is suitable for the EKS cluster version. To know more about the recommended version, please visit the official documentation<\/a>.<\/p>\n If you are using the latest version of EKS (v1.28), the VPC CNI version should be (v1.15.3), otherwise, the pods take the IPs from the primary network.<\/p><\/blockquote>\n In multiple ways, we can install or update the VPC CNI plugin. here we show one method to install the latest CNI plugin using Verify the add-ons, which are available for the EKS cluster.<\/p>\n To install the Change the The cluster service account IAM role ARN is necessary for this configuration. you can get this from IAM roles by searching To enable the custom network configurations, set up env for AWS VPC CNI daemon.<\/p>\n To set up the env for the AWS VPC CNI config label, use the following command.<\/p>\n Create and apply EKS Custom Resource (CR) for ENIConfig resources.<\/p>\n Replace the security group ID sg-0b2df31a3a4aa9b25<\/strong> with your EKS clusters’ security group ID. you can find this from the EKS console, networking section.<\/p>\n The existing nodes should be terminated and create new nodes. This is required to reflect the CNI configuration changes<\/strong> to the nodes, until then your pods won’t get the IPs from the secondary range.<\/p>\n To get the node name and details, use the following command.<\/p>\n You will get the node name from this command output.<\/p>\n To Cordon, the nodes, use the following command.<\/p>\n This command will stop scheduling pods to this node.<\/p>\n Replace it Drain the node to reschedule all the pods from this node to another node.<\/p>\n Find the instance ID, which you want to terminate.<\/p>\n To terminate the instance use the following command.<\/p>\n Now this instance is deleted and a new instance will be created automatically. because nodes are bound with an Auto Scaling Group.<\/p>\n To view the list of nodes and their details.<\/p>\n To test the setup, deploy the nginx web server in the nodes.<\/p>\n To view the list of pods, use the following command.<\/p>\n You will get an output similar to this and ensure all the pods are working fine.<\/p>\n I have tried out this setup to understand how to attach the multiple CIDR networks to a VPC<\/strong> to manage a EKS cluster.<\/p>\n You can further improve the setup for your requirements and also keep in mind that there is a calculation in how many pods you can create in a node depending on how many ENI support with the instance type.<\/p>\n In this setup, I have explained a few things about the 10.0.0.0\/20<\/code><\/strong> (4,096<\/strong> IPs), the node IPs, pod IPs and service IPs are assigned from CIDR range.<\/p>\n100.64.0.0\/16<\/code><\/strong> or 172.x series.<\/p>\n![\"AWS](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-95-7.png\")
<\/figure>\n\n
EKS Secondary Network Setup<\/h2>\n
192.168.0.0\/16<\/code> as a primary range for nodes and 100.64.0.0\/16<\/code> as the secondary range for the pods.<\/p>\nStep 1: Create a VPC and Associate a Secondary CIDR<\/h3>\n
\n
192.168.0.0\/16<\/code>. We use this range to create the nodes.<\/p>\nexport VPC_ID=$(aws ec2 create-vpc --cidr-block 192.168.0.0\/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=EKS-VPC}]' --query 'Vpc.VpcId' --output text)\n<\/code><\/pre>\n100.64.0.0\/16<\/code> to the VPC. This range is for creating pods.<\/p>\naws ec2 associate-vpc-cidr-block --vpc-id $VPC_ID --cidr-block 100.64.0.0\/16<\/code><\/pre>\nexport IGW_ID=$(aws ec2 create-internet-gateway --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=EKS-IGW}]' --query 'InternetGateway.InternetGatewayId' --output text)<\/code><\/pre>\naws ec2 attach-internet-gateway --vpc-id ${VPC_ID} --internet-gateway-id ${IGW_ID}<\/code><\/pre>\nexport RTB_ID=$(aws ec2 create-route-table --vpc-id $VPC_ID --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=EKS-RouteTable}]' --query 'RouteTable.RouteTableId' --output text)<\/code><\/pre>\naws ec2 create-route --route-table-id ${RTB_ID} --destination-cidr-block 0.0.0.0\/0 --gateway-id ${RTB_ID}<\/code><\/pre>\nAZ_1=\"us-west-2a\"\nAZ_2=\"us-west-2b\"\nAZ_3=\"us-west-2c\"<\/code><\/pre>\n192.168.0.0\/16<\/code>, each in a different availability zone.<\/p>\nSUBNET_ID_NODE_1=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 192.168.0.0\/19 --availability-zone $AZ_1 --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Node-Subnet-1}]' | jq -r '.Subnet.SubnetId')\n\nSUBNET_ID_NODE_2=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 192.168.32.0\/19 --availability-zone $AZ_2 --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Node-Subnet-2}]' | jq -r '.Subnet.SubnetId')\n\nSUBNET_ID_NODE_3=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 192.168.64.0\/19 --availability-zone $AZ_3 --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Node-Subnet-3}]' | jq -r '.Subnet.SubnetId')<\/code><\/pre>\n100.64.0.0\/16<\/code>.<\/p>\nSUBNET_ID_POD_1=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 100.64.0.0\/19 --availability-zone $AZ_1 --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Pod-Subnet-1}]' | jq -r '.Subnet.SubnetId')\n\n\nSUBNET_ID_POD_2=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 100.64.32.0\/19 --availability-zone $AZ_2 --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Pod-Subnet-2}]' | jq -r '.Subnet.SubnetId')\n\n\nSUBNET_ID_POD_3=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 100.64.64.0\/19 --availability-zone $AZ_3 --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Pod-Subnet-3}]' | jq -r '.Subnet.SubnetId')<\/code><\/pre>\n\naws ec2 associate-route-table --subnet-id $SUBNET_ID_NODE_1 --route-table-id $RTB_ID\naws ec2 associate-route-table --subnet-id $SUBNET_ID_NODE_2 --route-table-id $RTB_ID\naws ec2 associate-route-table --subnet-id $SUBNET_ID_NODE_3 --route-table-id $RTB_ID\n\naws ec2 associate-route-table --subnet-id $SUBNET_ID_POD_1 --route-table-id $RTB_ID\naws ec2 associate-route-table --subnet-id $SUBNET_ID_POD_2 --route-table-id $RTB_ID\naws ec2 associate-route-table --subnet-id $SUBNET_ID_POD_3 --route-table-id $RTB_ID\n<\/code><\/pre>\nEnable auto-assign public IPv4 address<\/code> to all subnets. this is required to automatically assign a public IP address to all nodes.<\/p>\naws ec2 modify-subnet-attribute --subnet-id $SUBNET_ID_NODE_1 --map-public-ip-on-launch\naws ec2 modify-subnet-attribute --subnet-id $SUBNET_ID_NODE_2 --map-public-ip-on-launch\naws ec2 modify-subnet-attribute --subnet-id $SUBNET_ID_NODE_3 --map-public-ip-on-launch\n\naws ec2 modify-subnet-attribute --subnet-id $SUBNET_ID_POD_1 --map-public-ip-on-launch\naws ec2 modify-subnet-attribute --subnet-id $SUBNET_ID_POD_2 --map-public-ip-on-launch\naws ec2 modify-subnet-attribute --subnet-id $SUBNET_ID_POD_3 --map-public-ip-on-launch<\/code><\/pre>\nEnable auto-assign public IPv4 address<\/code> option, the nodes won’t be attached with the EKS cluster.<\/p><\/blockquote>\nStep 2: Create an EKS Cluster<\/h3>\n
eksctl<\/code> command line utility to create a cluster in EKS<\/a>, make sure you have already installed this in your local system.<\/p>\nvim eks-cluster.yml<\/code><\/pre>\nv1.28<\/code>, the latest one, and subnets, created from 192.168.0.0\/16<\/code> CIDR for nodes.<\/p>\nnodeGroups<\/code> section, choose your instance type, desired capacity, and your public key name. For this setup, we use t3.medium<\/code> instance type with two nodes.<\/p>\napiVersion: eksctl.io\/v1alpha5\nkind: ClusterConfig\n\nmetadata:\n name: custom-cluster\n region: us-west-2\n version: \"1.28\"\n\nvpc:\n subnets:\n public:\n us-west-2a: $SUBNET_ID_NODE_1\n us-west-2b: $SUBNET_ID_NODE_2\n us-west-2c: $SUBNET_ID_NODE_3\n\nnodeGroups:\n - name: ng-spot\n instanceType: t3.medium\n labels: { role: builders }\n minSize: 2\n maxSize: 4\n volumeSize: 30\n desiredCapacity: 2\n ssh:\n allow: true\n publicKeyName: techiescamp\n tags:\n Name: ng-spot\n<\/code><\/pre>\nStep 3: Configure AWS VPC CNI Plugin<\/h3>\n
aws-node<\/code>, and will be present in each node. This plugin attaches the Elastic Network Interface (ENI) to the nodes and assigns private IPs for pods from the VPC.<\/p>\n\n
vpc-cni<\/code> add-on in the cluster, but the version might not be suitable. so to verify the existing EKS CNI version, use the following command.<\/p>\nkubectl describe daemonset aws-node --namespace kube-system | grep Image | cut -d \"\/\" -f 2<\/code><\/pre>\neksctl<\/code> utility.<\/p>\neksctl utils describe-addon-versions --kubernetes-version 1.28 | grep AddonName<\/code><\/pre>\nvpc-cni<\/code> add-on, use the following command.<\/p>\neksctl create addon --cluster custom-cluster --name vpc-cni --version v1.15.3-eksbuild.1 \\\n --service-account-role-arn arn:aws:iam::814200988517:role\/eksctl-custom-cluster-cluster-ServiceRole-48dmfzxgMzcx --force<\/code><\/pre>\ncustom-cluster<\/code> to your cluster name and also modify the add-on name vpc-cni<\/code> and its version v1.15.3<\/code>, if necessary.<\/p>\ncluster-ServiceRole<\/code>.<\/p>\nkubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true<\/code><\/pre>\nkubectl set env daemonset aws-node -n kube-system ENI_CONFIG_LABEL_DEF=failure-domain.beta.kubernetes.io\/zone<\/code><\/pre>\ncat <<EOF | kubectl apply -f -\napiVersion: crd.k8s.amazonaws.com\/v1alpha1\nkind: ENIConfig\nmetadata:\n name: $AZ_1\nspec:\n securityGroups: \n - sg-0b2df31a3a4aa9b25\n subnet: $SUBNET_ID_POD_1\nEOF\n\ncat <<EOF | kubectl apply -f -\napiVersion: crd.k8s.amazonaws.com\/v1alpha1\nkind: ENIConfig\nmetadata:\n name: $AZ_2\nspec:\n securityGroups: \n - sg-0b2df31a3a4aa9b25\n subnet: $SUBNET_ID_POD_2\nEOF\n\ncat <<EOF | kubectl apply -f -\napiVersion: crd.k8s.amazonaws.com\/v1alpha1\nkind: ENIConfig\nmetadata:\n name: $AZ_3\nspec:\n securityGroups: \n - sg-0b2df31a3a4aa9b25\n subnet: $SUBNET_ID_POD_3\nEOF<\/code><\/pre>\nStep 4: Recreate Nodes<\/h3>\n
kubectl get nodes<\/code><\/pre>\nkubectl cordon ip-192-168-0-102.us-west-2.compute.internal<\/code><\/pre>\nip-192-168-0-102.us-west-2.compute.internal<\/code> with your node name.<\/p>\nkubectl drain ip-192-168-0-102.us-west-2.compute.internal --ignore-daemonsets<\/code><\/pre>\nINSTANCE_ID=$(kubectl get node ip-192-168-0-102.us-west-2.compute.internal -o jsonpath='{.spec.providerID}' | awk -F '\/' '{print $NF}')<\/code><\/pre>\naws ec2 terminate-instances --instance-ids $INSTANCE_ID --region us-west-2<\/code><\/pre>\nkubectl get nodes<\/code><\/pre>\nkubectl create deployment nginx-test --image=nginx --replicas=3<\/code><\/pre>\nkubectl get pods -o wide<\/code><\/pre>\nNAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES\nnginx-deployment-7c79c4bf97-4bwbw 1\/1 Running 0 6m52s 100.64.74.80 ip-192-168-70-175.us-west-2.compute.internal <none> <none>\nnginx-deployment-7c79c4bf97-bnxfw 1\/1 Running 0 6m52s 100.64.80.90 ip-192-168-70-175.us-west-2.compute.internal <none> <none>\nnginx-deployment-7c79c4bf97-v25hp 1\/1 Running 0 21m 100.64.80.140 ip-192-168-70-175.us-west-2.compute.internal <none> <none><\/code><\/pre>\nConclusion<\/h2>\n
vpc-cni<\/code>, but there are many functionalities available there, so if you are interested to know more about that, please refer to this document<\/a>.<\/p>\n
\n