Companies are increasingly adopting managed Kubernetes services, such as Microsoft Azure Kubernetes Service (AKS), to build container-based applications. Leveraging a managed Kubernetes service is a quick and easy way to deploy an enterprise-grade Kubernetes cluster and to offload mundane operations such as provisioning new nodes, upgrading the OS and Kubernetes versions, and scaling resources according to business needs.
AKS also provides a fault-tolerant Kubernetes control plane endpoint and automates worker node maintenance and deployment. For networking within the cluster, AKS provides an integrated CNI that addresses basic Kubernetes networking requirements, such as configuring network interfaces and providing connectivity between pods. However, the built-in AKS networking options draw pod addresses from a range that is sized when the cluster is created, so the supply of pod IPs is limited. As businesses grow, so does application usage, and a limited set of IPs creates scale, availability, and manageability challenges for AKS users.
In this blog post, I will discuss IP address exhaustion on Microsoft AKS and how Calico can solve this issue. I will also explore how Calico can address scalability challenges and provide resources that can quickstart your journey in using Calico to solve IP address exhaustion on AKS.
Microsoft AKS BYOCNI
Earlier this year, Microsoft AKS introduced the ability to bring your own Container Network Interface (BYOCNI) to address more advanced networking requirements for scale, availability, and manageability.
Thanks to this program, AKS customers can use Calico Open Source networking on AKS to scale networking to their business needs, improve service availability, and automate IP management, including solving IP address exhaustion. Microsoft recommends the Calico Open Source CNI to address application scale and availability issues caused by IP exhaustion.
Read our in-depth blog post: BYOCNI: Introducing Calico CNI for Microsoft AKS
What causes IP exhaustion?
Managing IP addresses is an essential part of container networking, yet users often overlook it when planning their application's networking requirements, especially for smaller clusters with a limited number of workloads. Business growth leads to bigger clusters and more workloads, and IPs become a scarce commodity. For example, when pod IP addresses are routable outside the cluster, each address must be unique across the network at large, and every cluster needs its own IP range (a CIDR block) for its pods when running multiple clusters. If the supply of addresses is limited, the user has to allocate and budget them regularly. Running out of IPs caps the application's scale and creates management overhead, and an unexpected, unbudgeted demand for IPs during a surge in application usage can make an application suddenly unavailable.
Solving IP address exhaustion with Calico
Calico Open Source is a networking and security solution that seamlessly integrates with Microsoft AKS under BYOCNI. With Calico's IPAM capabilities, users can address their scale, availability, and management issues related to IP addresses.
Calico's IPAM lets users stretch IP resources as far as possible by giving the cluster its own private address space. Calico uses IP pools (IPPool resources) to define which IP ranges are valid for allocating pod IP addresses; these pools are configured by the administrator. In Calico's overlay mode (VXLAN or IP-in-IP encapsulation), pod addresses never appear on the underlying Azure network, so a pool can be any private IP range that does not overlap with networks the pods need to reach.
IP pools are further divided into blocks (by default /26, or 64 addresses) that are assigned to particular nodes in the cluster. A node claims a block only when pods on it need addresses, and a block is released back to the pool once it is empty, so blocks follow the number of running pods as it grows or shrinks. A node running only a few pods therefore reserves only a few addresses, and a busy node can keep claiming blocks instead of hitting a fixed per-node IP ceiling. Because Calico performs this allocation automatically, the scale and manageability problems that come with IP exhaustion go away.
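To make the block mechanism concrete, here is a small model of block-based IPAM written for this post; it is an added illustration, not Calico's own code. The pool, block size, node names and pod counts are constructed for the example, and the static reservation it compares against (a fixed number of addresses set aside per node whether pods run or not) is a simplified stand-in for schemes that pre-allocate per node.

```python
import ipaddress
from collections import defaultdict


class BlockIPAM:
    """Toy model of block-based IPAM: the pool is split into fixed-size blocks
    that a node claims only when a pod on it needs an address. Illustration
    only, not Calico's implementation."""

    def __init__(self, pool_cidr, block_size=26):
        # Calico's default IPv4 blockSize is 26, i.e. 64 addresses per block.
        self.pool = ipaddress.ip_network(pool_cidr)
        if block_size < self.pool.prefixlen:
            raise ValueError("blockSize must not be smaller than the pool prefix")
        self.free_blocks = list(self.pool.subnets(new_prefix=block_size))
        self.node_blocks = defaultdict(list)   # node name -> blocks it owns
        self.allocated = {}                    # address -> (node, pod)

    def assign(self, node, pod):
        """Return an address for `pod` on `node`, claiming a new block when
        the node's existing blocks are full."""
        for block in self.node_blocks[node]:
            # Every address in a block is usable in this model: pods get /32
            # host routes, so there is no network or broadcast address to skip.
            for ip in block:
                if ip not in self.allocated:
                    self.allocated[ip] = (node, pod)
                    return ip
        if not self.free_blocks:
            raise RuntimeError(f"IP pool {self.pool} is exhausted")
        self.node_blocks[node].append(self.free_blocks.pop(0))
        return self.assign(node, pod)

    def release(self, ip):
        """Free one address; hand the block back to the pool once it is empty,
        so a scaled-down node stops reserving addresses it no longer uses."""
        node, _ = self.allocated.pop(ip)
        for block in list(self.node_blocks[node]):
            if not any(addr in block for addr in self.allocated):
                self.node_blocks[node].remove(block)
                self.free_blocks.append(block)

    def reserved(self, node):
        """Addresses currently reserved for `node` (its blocks), used or not."""
        return sum(b.num_addresses for b in self.node_blocks[node])


def static_reservation(node_count, max_pods):
    """Addresses a static per-node scheme sets aside, pods or no pods."""
    return node_count * max_pods


def demo():
    """Constructed scenario: one busy node, one quiet node, one idle node."""
    ipam = BlockIPAM("10.244.0.0/16")          # 1024 blocks of 64 addresses
    ips = {
        "node-a": [ipam.assign("node-a", f"web-{i}") for i in range(70)],
        "node-b": [ipam.assign("node-b", f"api-{i}") for i in range(5)],
    }
    reserved = {n: ipam.reserved(n) for n in ("node-a", "node-b", "node-c")}
    for ip in ips["node-a"][10:]:              # scale node-a down to 10 pods
        ipam.release(ip)
    reserved_after_scale_down = ipam.reserved("node-a")
    return reserved, reserved_after_scale_down, static_reservation(3, 110)


if __name__ == "__main__":
    print(demo())
```

With 70 pods, node-a holds two blocks (128 addresses), node-b holds one block for its 5 pods, and the idle node-c holds nothing; after node-a scales down to 10 pods its second block is returned and it reserves 64 again. A static scheme reserving 110 addresses per node would have set aside 330 regardless of load. The exhaustion path is explicit: a /24 pool carved into /26 blocks serves at most four nodes, and the fifth node's first pod fails rather than silently stealing an address.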
Additional Calico capabilities
Besides fixing IP exhaustion issues on AKS, Calico is also built for the following use cases:
- Scaling with legacy firewalls
You can explicitly designate specific workloads to access protected resources, such as databases behind an IP-based legacy firewall.
You can also define IP ranges and explicitly assign pods to those ranges so they can interact with resources outside the cluster that make decisions based on IP ranges, down to an exact IP address if needed. This means you can leverage the knowledge already captured in traditional IP-based systems to enrich your cloud-native applications.
- Securing workloads
With Calico, you can enforce security policies mapped to the dynamic nature of Kubernetes using label selectors that define groups of pods rather than IP addresses. This helps with workload isolation for security and compliance purposes.
Security policies written as code empower developers and DevOps to not only define security themselves (instead of learning network-layer details), but also integrate the authoring of security policies into their git workflows and CI/CD processes.
- Fixed IP for workload migration
When migrating a workload that other systems reach by IP address, such as a database, into Kubernetes, you can use Calico to assign a static IP to its pod for controlled and secure connectivity between the two endpoints. This keeps the migration under control and avoids business disruption.
Some users have an app configured to talk to a database over a specific IP address that cannot sit behind NAT. As part of a cloud migration initiative, that database is moved into the AKS cluster and now runs as a pod. With Calico, users can assign that specific IP address to the database pod, so legacy apps keep using it and existing flows are not disrupted. For clients outside the cluster to reach that address, the pod's IP pool must be routable from their network rather than hidden inside an overlay. This setup preserves business continuity and shortens the app's migration time.
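The two cases above (pinning a pod to a named IP range for an IP-based firewall, and giving a migrated database pod a fixed address) are both expressed as Calico pod annotations: `cni.projectcalico.org/ipv4pools` names the pools to allocate from, and `cni.projectcalico.org/ipAddrs` requests exact addresses; both values are JSON lists. The following preflight check is an added example written for this post, not Calico tooling: it builds the pod manifest and verifies the request against a constructed, illustrative set of IPPool definitions before anything is applied to the cluster. The pool names, CIDRs and in-use addresses are made up; the `natOutgoing` warning reflects the pool setting under which Calico SNATs pod traffic leaving the pools to the node address, which would defeat an IP-based firewall rule written for the pod's address.

```python
import ipaddress
import json

# Constructed sample of the IPPool resources an administrator might have
# configured; names, CIDRs and natOutgoing values are illustrative.
IP_POOLS = {
    "default-ipv4-ippool": {"cidr": "10.244.0.0/16", "natOutgoing": True},
    "legacy-db-pool": {"cidr": "10.50.8.0/24", "natOutgoing": False},
}

# Constructed sample of addresses IPAM has already handed out.
IN_USE = {"10.50.8.10", "10.244.0.5"}

IPADDRS = "cni.projectcalico.org/ipAddrs"
IPV4POOLS = "cni.projectcalico.org/ipv4pools"


def _pod(name, image, annotations):
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "annotations": annotations},
        "spec": {"containers": [{"name": name, "image": image}]},
    }


def fixed_ip_pod(name, image, ip):
    """Pod manifest that asks Calico for one exact address (migration case)."""
    return _pod(name, image, {IPADDRS: json.dumps([ip])})


def pool_pod(name, image, pool_name):
    """Pod manifest that asks for any address from a named pool (firewall case)."""
    return _pod(name, image, {IPV4POOLS: json.dumps([pool_name])})


def pool_containing(ip, pools):
    """Name of the pool whose CIDR contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for pool_name, spec in pools.items():
        if addr in ipaddress.ip_network(spec["cidr"]):
            return pool_name
    return None


def preflight(manifest, pools=IP_POOLS, in_use=IN_USE):
    """Return the problems with a pod's Calico IP annotations; an empty list
    means the request is consistent with the configured pools."""
    ann = manifest["metadata"].get("annotations", {})
    problems = []

    def parse(key):
        try:
            value = json.loads(ann[key])
        except json.JSONDecodeError:
            value = None
        if not isinstance(value, list):
            problems.append(f"{key} must be a JSON list, e.g. '[\"10.50.8.20\"]'")
            return []
        return value

    def nat_warning(subject, pool_name):
        if pools[pool_name]["natOutgoing"]:
            problems.append(
                f"{subject} is in {pool_name}, which has natOutgoing enabled: "
                "connections leaving the pools are SNATed to the node address, "
                "so an external IP-based firewall will not see the pod address")

    if IPADDRS in ann:
        for ip in parse(IPADDRS):
            try:
                pool_name = pool_containing(ip, pools)
            except ValueError:
                problems.append(f"{ip!r} is not an IP address")
                continue
            if pool_name is None:
                problems.append(f"{ip} is not inside any IPPool")
                continue
            if ip in in_use:
                problems.append(f"{ip} is already allocated")
            nat_warning(ip, pool_name)
    if IPV4POOLS in ann:
        for pool_name in parse(IPV4POOLS):
            if pool_name not in pools:
                problems.append(f"IPPool {pool_name!r} does not exist")
            else:
                nat_warning("the requested pool", pool_name)
    if IPADDRS not in ann and IPV4POOLS not in ann:
        problems.append("no Calico IP annotation; the pod would be addressed "
                        "from the default pools")
    return problems


if __name__ == "__main__":
    manifest = fixed_ip_pod("legacy-db", "postgres:14", "10.50.8.20")
    print(json.dumps(manifest, indent=2))
    print(preflight(manifest) or "ok")
```

The manifest the example prints is ordinary Kubernetes JSON and can be applied with `kubectl apply -f`; the check is the part worth keeping in a CI step, since a pod whose requested address is outside every pool, or already taken, fails to start only after it has been scheduled.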
How to get started?
You can get started by deploying the Calico CNI in your Microsoft AKS cluster following our Microsoft AKS documentation and begin addressing IP exhaustion. Once Calico manages pod addressing, you can explore the three use cases listed above to get the most out of Microsoft AKS without worrying about containerized workload security and communication.
Another useful resource is this Microsoft Global Black Belt Office hours (starting at 28:29), published on May 19, 2022, where Tigera joins Microsoft to talk about how AKS solves IP exhaustion using Calico.
If you’re interested in further strengthening your security posture on AKS, read our AKS Security: The Basics and 5 Critical Best Practices learn guide to develop a Kubernetes security and observability plan for your AKS clusters.
Under Microsoft's BYOCNI program, AKS and the Calico CNI come together to address IP exhaustion for your containerized applications and help them scale while keeping services available. Calico can also secure the communication between your AKS clusters and specific external resources without additional management or operational overhead.
Ready to learn more? Gain hands-on experience with our upcoming Microsoft AKS configuration security and compliance workshop.