
AKS Azure CNI Reserving a static ip from aks node sub net


I have been testing this situation, where I pick an IP address from the nodepool subnet and use it as the external IP of a load-balancer service. It works, but I wonder if this is a correct thing to do?

I would like to know how AKS Azure CNI keeps track of which IPs have been assigned to pods. Can we control this, so that we can reserve some IPs from this subnet range?

As a summary: is it possible to 'reserve' an IP (or IPs) from the AKS subnet so they won't get auto-assigned to pods?

Thank you, Asitha

Looking for recommendations


Solution

  • For setting an external IP on an LB type service, I assume you're referring to services of internal LB type. Yes, you can pick an unused IP from the nodepool subnet and assign it to a service of internal LB type, but it is better to let Azure pick the IP instead of picking it manually.

    As for how Azure CNI manages IP addresses: when you create a node, that node gets assigned an IP from the nodepool subnet, but another 30 IPs (the default max pods per node, which can be changed) are pre-allocated to that instance too, and these IPs will no longer be available in the nodepool subnet until the node is removed, even when there are no pods running on that node (yet).

    You can check the pre-allocation of IPs by going to the virtual network of your AKS cluster; under "connected devices", you can see all IPs allocated to a single cluster node (or VMSS instance, in other terms), as below:


    I don't think there is a way to reserve an IP from the nodepool subnet, but Azure does allow you to allocate IPs from a different subnet for services of internal LB type: https://learn.microsoft.com/en-us/azure/aks/internal-lb#specify-a-different-subnet

    Also, there is another preview feature to allocate IPs dynamically instead of pre-allocating IPs to nodes: https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support-preview
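As an added example (not part of the question or the answer above), this is what the "different subnet" approach from the linked document looks like as a Service manifest: the internal load balancer's frontend IP is taken from a subnet that no nodepool uses, so it cannot collide with the addresses Azure CNI pre-allocates to nodes and pods. The subnet name `internal-lb-subnet` and the sample address are assumptions; the AKS cluster identity is assumed to have network permissions on that subnet as the linked document requires.

```yaml
# Added example, not from the original post. Assumes a VNet subnet named
# "internal-lb-subnet" (hypothetical name) that is NOT assigned to any AKS
# nodepool, so Azure CNI never pre-allocates node/pod IPs from it.
apiVersion: v1
kind: Service
metadata:
  name: internal-app
  annotations:
    # Create a private (internal) load balancer instead of a public one
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    # Take the frontend IP from this subnet instead of the nodepool subnet
    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "internal-lb-subnet"
spec:
  type: LoadBalancer
  # Leaving loadBalancerIP unset lets Azure pick a free address from that
  # subnet, which is what the answer recommends. To pin a specific address
  # from the dedicated subnet instead, uncomment the next line:
  # loadBalancerIP: 10.241.0.10   # constructed sample value
  selector:
    app: internal-app
  ports:
  - port: 80
    targetPort: 8080
```

After applying the manifest, `kubectl get svc internal-app` shows the assigned private address under EXTERNAL-IP, and it will fall inside the dedicated subnet rather than the nodepool range.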