AWS EKS

EKS Networking

How networking works

In this guide, we’ll walk through how the AWS VPC CNI plugin assigns IPs to your EKS cluster’s nodes and pods. Every node and pod receives its IP address from Elastic Network Interfaces (ENIs) attached in the VPC subnets of the node’s Availability Zone. Understanding this CNI integration helps you optimize pod density, avoid IP exhaustion, and fine-tune scaling parameters.

[Diagram: a Kubernetes cluster whose nodes attach to a VPC subnet through Elastic Network Interfaces (ENIs) in one Availability Zone, showing how the CNI maps onto the VPC.]

1. Confirm Your EKS Cluster

Start by verifying which EKS cluster is active:

eksdemo get clusters
+------------+--------+------------+---------+----------+----------+
|    Age     | Status |  Cluster   | Version | Platform | Endpoint |
+------------+--------+------------+---------+----------+----------+
| 45 minutes | ACTIVE | *kodekloud |  1.28   |  eks.7   |  Public  |
+------------+--------+------------+---------+----------+----------+
* Indicates current context in local kubeconfig

2. Inspect VPCs and Subnets

It’s recommended to dedicate one VPC per EKS cluster to simplify IP management:

eksdemo get vpc
eksdemo get subnets

A /16 VPC block yields ~65,000 IPv4 addresses—enough for control plane, nodes, pods, and endpoints.

Warning

Running multiple clusters in a single VPC can lead to IP exhaustion. Always project your pod and node scale before choosing CIDR sizes.

3. List ENIs in the VPC

AWS attaches ENIs for both control-plane interfaces and worker-node networking. Use this table to distinguish primary vs. secondary ENIs:

ENI Type       | Description                                  | Attached To          | IPs per ENI
---------------|----------------------------------------------|----------------------|------------
Primary ENI    | eth0, node’s main interface                  | EC2 instances (nodes)| 1
Secondary ENI  | eth1, eth2… for pod traffic                  | EC2 instances (nodes)| Up to 12
Control-Plane  | Managed by AWS for the EKS API endpoints     | eks_control_plane    | 1

eksdemo get network-interfaces
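As an added planning example (not part of the course material), the following Python checks the IP exhaustion warning from step 2 against the per-node ENI budget shown in the table above: it computes how many VPC addresses each node ties up once the CNI has attached all of its ENIs, the resulting pod ceiling, and whether a set of subnets can host the planned node count. The subnet CIDRs, the ENI count and the IPs-per-ENI figure are constructed assumptions, not values read from a real cluster.

```python
import ipaddress

# AWS reserves 5 addresses in every VPC subnet (network, router, DNS,
# future use, broadcast); they are never assignable to an ENI.
AWS_RESERVED_PER_SUBNET = 5


def usable_ips(cidr):
    """Assignable IPv4 addresses in one VPC subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    return max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)


def max_pods_per_node(enis, ips_per_eni):
    """Pod ceiling in secondary-IP mode: the primary IP of each ENI is kept
    by the node, and the two host-network pods (aws-node, kube-proxy) do not
    consume VPC addresses, hence ENIs * (IPs per ENI - 1) + 2."""
    return enis * (ips_per_eni - 1) + 2


def ips_held_per_node(enis, ips_per_eni):
    """Addresses one node removes from the subnet once every ENI it can use
    is attached (primary + secondary IPs). With WARM_ENI_TARGET=1 the plugin
    attaches a spare ENI ahead of demand, so budget for the full ENI count."""
    return enis * ips_per_eni


def plan(subnets, nodes, enis, ips_per_eni):
    """Compare subnet capacity with the address demand of `nodes` nodes."""
    capacity = sum(usable_ips(c) for c in subnets)
    per_node = ips_held_per_node(enis, ips_per_eni)
    needed = nodes * per_node
    return {
        "capacity": capacity,
        "needed": needed,
        "max_pods_per_node": max_pods_per_node(enis, ips_per_eni),
        "max_nodes": capacity // per_node,
        "fits": needed <= capacity,
    }


def demo():
    # Constructed input: one /19 node subnet (matches the 192.168.128.0/19
    # range seen in the `ip a` output later in this guide), 200 nodes,
    # each allowed 3 ENIs with 12 IPs per ENI.
    return plan(["192.168.128.0/19"], nodes=200, enis=3, ips_per_eni=12)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```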

4. Kubernetes Data Plane: Nodes & Pods

Verify that your nodes are Ready and system pods are running:

kubectl get nodes
kubectl get pods -A -o wide

By default, EKS runs:

  • aws-node DaemonSet (VPC CNI plugin)
  • kube-proxy
  • coredns for DNS resolution

5. Examine the aws-node DaemonSet

Describe the DaemonSet to view replicas and container images:

kubectl describe ds aws-node -n kube-system

Key fields:

  • Desired / Current / Ready pod counts
  • Init Container: aws-vpc-cni-init
  • Main Container: aws-node (configures ENIs, warm IP pools)
  • Sidecar: aws-eks-nodeagent (eBPF network policies)

6. aws-node Pod Spec Breakdown

Below is a trimmed excerpt of the DaemonSet pod spec:

initContainers:
  - name: aws-vpc-cni-init
    image: amazon-k8s-cni-init:v1.6.3
    env:
      - name: ENABLE_IPv6
        value: "false"
    volumeMounts:
      - name: cni-bin-dir
        mountPath: /host/opt/cni/bin

containers:
  - name: aws-node
    image: amazon-k8s-cni:v1.16.2-eksbuild.1
    env:
      - name: WARM_ENI_TARGET
        value: "1"
      - name: WARM_PREFIX_TARGET
        value: "1"
      - name: VPC_ID
        value: "vpc-068d84bd223c3afd6"
    volumeMounts:
      - name: cni-net-dir
        mountPath: /host/etc/cni/net.d
      - name: run-dir
        mountPath: /var/run/aws-node

  - name: aws-eks-nodeagent
    image: aws-network-policy-agent:v1.0.7-eksbuild.1
    args:
      - --enable-network-policy=true
      - --enable-ipv6=false
    volumeMounts:
      - name: bpf-pin-path
        mountPath: /sys/fs/bpf

Note

Adjust environment variables like WARM_ENI_TARGET and WARM_PREFIX_TARGET to control how many spare IPs the plugin keeps ready.

7. View Init Container Logs

The init container seeds CNI binaries and tunes sysctls:

kubectl logs -n kube-system aws-node-xxxxx -c aws-vpc-cni-init

Sample output:

Copying CNI plugin binaries ...
Updated net/ipv4/conf/eth0/rp_filter to 2
CNI init container done

8. Inspect Node Network Interfaces

SSH into any worker node to see eth0 (primary) and secondary ENIs:

ip a

Typical output:

2: eth0: inet 192.168.132.239/19 ...
3: eniXXXX@if3: inet 192.168.141.232/19 ...

  • eth0: Node’s primary IP
  • eni…: Pod IPs handled by the CNI

9. Review Host CNI Configuration

The init container writes /etc/cni/net.d/10-aws.conflist on each node:

cat /etc/cni/net.d/10-aws.conflist

Key sections:

  • "type": "aws-cni" plugin
  • "vethPrefix": "eni"
  • "mtu": "9001"
  • Egress CNI stub

10. List CNI Plugin Binaries

CNI executables live under /opt/cni/bin on each node:

ls -1 /opt/cni/bin

Examples include:

  • aws-cni
  • egress-cni
  • bridge, dhcp, host-local, bandwidth, firewall

11. Verify the aws-cni Binary

Confirm supported CNI versions using the help flag:

/opt/cni/bin/aws-cni --help

Output shows supported protocols:

CNI protocol versions supported: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 1.0.0
