aws-quickstart / cdk-eks-blueprints

AWS Quick Start Team
Apache License 2.0

Does Calico Operator Add-on support Egress Gateway? #1049

Closed NinoSkopac closed 1 month ago

NinoSkopac commented 1 month ago

Describe the documentation issue

Looking at https://aws-quickstart.github.io/cdk-eks-blueprints/addons/calico-operator/ I'm not sure if it's Calico open source or Calico Enterprise - it seems the former?

This page https://docs.tigera.io/calico-cloud/about/product-comparison tells me I need Calico Enterprise for an Egress Gateway.

Links

https://aws-quickstart.github.io/cdk-eks-blueprints/addons/calico-operator/

NinoSkopac commented 1 month ago

I believe I have found the answer: https://github.com/projectcalico/calico/issues/7338

shapirov103 commented 1 month ago

@NinoSkopac with support of Network Policies natively by VPC-CNI, what is your use case to use Calico? Are you trying to work around the issue of IPv4 exhaustion, by using an overlay network? We do have an approach for IPv4 exhaustion with secondary CIDRs and VPC-CNI configuration if that is what you are after.

NinoSkopac commented 1 month ago

Dear @shapirov103 ,

My use case is as follows. I have a container that requires full cone NAT. To achieve that I give the container an elastic IP using the EIP controller: https://github.com/aws-samples/aws-pod-eip-controller. An EIP allows unsolicited connections to come in on a set port, which is basically the definition of full cone NAT.

The problem is, as you say, IPv4 exhaustion. I want to have hundreds of these containers running at the same time, and each of them requires an elastic IP, which is impossible due to AWS limits.

I want to use an egress gateway and give it an elastic IP and then route the traffic from the previously mentioned hundreds of containers through the egress gateway. Will it work? I don't know.

I'd put those hundreds of containers in a namespace and configure Cilium rather than Calico, due to the former being FOSS, to do the routing.

I'll look into the link you gave me, thank you very much and have a great day!

xiaosuiba commented 1 month ago

> Dear @shapirov103 ,
>
> My use case is as follows. I have a container that requires full cone NAT. To achieve that I give the container an elastic IP using the EIP controller: https://github.com/aws-samples/aws-pod-eip-controller. An EIP allows unsolicited connections to come in on a set port, which is basically the definition of full cone NAT.
>
> The problem is, as you say, IPv4 exhaustion. I want to have hundreds of these containers running at the same time, and each of them requires an elastic IP, which is impossible due to AWS limits.
>
> I want to use an egress gateway and give it an elastic IP and then route the traffic from the previously mentioned hundreds of containers through the egress gateway. Will it work? I don't know.
>
> I'd put those hundreds of containers in a namespace and configure Cilium rather than Calico, due to the former being FOSS, to do the routing.
>
> I'll look into the link you gave me, thank you very much and have a great day!

I found this egress gateway, which can work with Calico: egressgateway

NinoSkopac commented 1 month ago

Dear @xiaosuiba ,

thank you so much for that link.

However, I have decided not to use Calico, I'm going to use Cilium. GKE went from Calico to Cilium. Calico is not FOSS, Cilium is. I hope I can pull it off using Cilium Egress Gateway: https://docs.cilium.io/en/stable/network/egress-gateway/egress-gateway/
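For readers following the approach described above (all pods of one namespace routed out through a single gateway node that carries the elastic IP), the following is an added example of a Cilium egress gateway policy. It is not code from this thread, from cdk-eks-blueprints or from the Cilium project; it assumes Cilium is installed with `egressGateway.enabled=true`, `bpf.masquerade=true` and `kubeProxyReplacement=true`, and the namespace name, node label, VPC CIDR and egress IP are placeholders.

```yaml
# Added example (not from the issue thread): route all egress traffic from the
# hypothetical namespace "full-cone-workloads" through one labelled gateway node.
# Assumes Cilium with egressGateway.enabled=true, bpf.masquerade=true and
# kubeProxyReplacement=true. Namespace, label, CIDRs and IP are placeholders.
apiVersion: cilium.io/v2
kind: CiliumEgressGatewayPolicy
metadata:
  name: full-cone-workloads-egress
spec:
  # Source pods: every pod in the namespace. Cilium injects the
  # io.kubernetes.pod.namespace label, so no app labels are required.
  selectors:
    - podSelector:
        matchLabels:
          io.kubernetes.pod.namespace: full-cone-workloads
  # Only traffic to these destinations is redirected through the gateway.
  destinationCIDRs:
    - 0.0.0.0/0
  # Keep east-west traffic inside the VPC on its normal path (placeholder VPC CIDR).
  excludedCIDRs:
    - 10.0.0.0/16
  egressGateway:
    # The node that owns the EIP-backed ENI. Label it first, e.g.:
    #   kubectl label node <node-name> egress-gateway=true
    nodeSelector:
      matchLabels:
        egress-gateway: "true"
    # Address to SNAT to. On EC2 this is the *private* IP the elastic IP is
    # associated with; the VPC translates it to the EIP on the way out.
    egressIP: 10.0.1.50
```

Two checks worth doing after applying it: `kubectl get ciliumegressgatewaypolicies` should list the policy, and `kubectl -n kube-system exec ds/cilium -- cilium bpf egress list` on the gateway node should show an entry per source pod IP mapped to the egress IP. Note the policy only governs SNAT of connections initiated by the pods; it does not by itself forward unsolicited inbound connections arriving at the elastic IP back to a pod, so whether it satisfies the full cone NAT requirement depends on how the inbound path is handled.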

lukasmrtvy commented 1 month ago

@NinoSkopac Cilium Egress Gateway is not HA; it allows you to use only one egress node.