Creating Subnets (Calico Network)
Create subnets in the Calico network to achieve finer granularity of network isolation for resources within the cluster.
Constraints and Limitations
In an IPv6 cluster environment, the subnets created within the Calico network, by default, use VXLAN encapsulation. The ports required for VXLAN encapsulation differ from those of IPIP encapsulation. You need to ensure that UDP port 4789 is open.
IP Allocation Rules
Note: If a project or namespace is assigned multiple subnets, an IP address will be randomly selected from one of the subnets.
-
Project Allocation:
- If a project is not bound to a subnet, Pods in all namespaces under that project can only use IP addresses from the default subnet. If there are insufficient IP addresses in the default subnet, the Pods will not be able to start.
- If a project is bound to a subnet, Pods in all namespaces under that project can only use IP addresses from that specific subnet.
-
Namespace Allocation:
- If a namespace is not bound to a subnet, Pods in that namespace can only use IP addresses from the default subnet. If there are insufficient IP addresses in the default subnet, the Pods will not be able to start.
- If a namespace is bound to a subnet, Pods in that namespace can only use IP addresses from that specific subnet.
Creating a Subnet and Allocating Projects or Namespaces
-
Go to Platform Management.
-
In the left navigation bar, click Network Management > Subnets.
-
Click Create Subnet.
-
Refer to the following instructions to configure the relevant parameters.
Parameter Description CIDR After allocating the subnet to a project or namespace, the container groups within the namespace will randomly use IP addresses within this CIDR for communication.
Note: For the correspondence between CIDR and BlockSize, please refer to Reference Content.Encapsulation Protocol Select the encapsulation protocol. IPIP is not supported in dual-stack mode. - IPIP: Implements inter-segment communication using the IPIP protocol.
- VXLAN (Alpha): Implements inter-segment communication using the VXLAN protocol.
- No Encapsulation: Directly connected through routing forwarding.
Encapsulation Mode When the encapsulation protocol is IPIP or VXLAN, the encapsulation mode must be set, defaulting to Always. - Always: Always enable IPIP / VXLAN tunnels.
- Cross Subnet: Enable IPIP / VXLAN tunnels only when the host is in different subnets; direct connection via routing forwarding when the host is in the same subnet.
Outbound Traffic NAT Choose whether to enable outbound traffic NAT (Network Address Translation), which is enabled by default.
It is primarily used to set the access addresses exposed to the external network when the subnet container group accesses the external network.
When outbound traffic NAT is enabled, the host IP will be used as the access address for the current subnet container group; when not enabled, the IPs of the container groups in the subnet will be directly exposed to the external network. -
Click Confirm.
-
On the subnet details page, select Actions > Allocate Project / Allocate Namespace.
-
Complete the configuration and click Allocate.
Reference Content
The dynamic matching relationship between CIDR and blockSize is shown in the table below.
| CIDR | blockSize Size | Number of Hosts | Size of a Single IP Pool |
|---|---|---|---|
prefix<=16 | 26 | 1024+ | 64 |
16<prefix<=19 | 27 | 256~1024 | 32 |
prefix=20 | 28 | 256 | 16 |
prefix=21 | 29 | 256 | 8 |
prefix=22 | 30 | 256 | 4 |
prefix=23 | 30 | 128 | 4 |
prefix=24 | 30 | 64 | 4 |
prefix=25 | 30 | 32 | 4 |
prefix=26 | 31 | 32 | 2 |
prefix=27 | 31 | 16 | 2 |
prefix=28 | 31 | 8 | 2 |
prefix=29 | 31 | 4 | 2 |
prefix=30 | 31 | 2 | 2 |
prefix=31 | 31 | 1 | 2 |
Note: Subnet configurations with prefixes greater than 31 are not supported.