AWS Solutions Architect · Lesson

EKS Networking: VPC CNI and Load Balancing

Use the Amazon VPC CNI plugin so pods get native VPC IP addresses, and expose services with the AWS Load Balancer Controller.

Kubernetes Networking Basics

Kubernetes requires every pod to have a unique, routable IP address and for pods to communicate with each other without NAT. The Container Network Interface (CNI) plugin is responsible for assigning IPs and configuring network routes on worker nodes. Different Kubernetes platforms use different CNI implementations; AWS uses the Amazon VPC CNI plugin to integrate Kubernetes networking directly with the VPC layer.

Amazon VPC CNI Plugin

The Amazon VPC CNI plugin assigns each pod an IP address directly from your VPC's subnet CIDR range. This makes pods first-class VPC citizens: they are reachable from other VPC resources and from on-premises systems over VPN or Direct Connect, and VPC security groups apply to their traffic, with no overlay network or address translation in between. Each EC2 worker node maintains a pool of secondary private IPs on its ENIs (each ENI has a fixed number of IP slots determined by the instance type), and those IPs are handed to pods as they are scheduled.

# Check the VPC CNI version installed in your cluster
kubectl describe daemonset aws-node -n kube-system | grep Image

# View the secondary IPs assigned to a node
aws ec2 describe-network-interfaces \
  --filters 'Name=attachment.instance-id,Values=i-0abcdef1234567890' \
  --query 'NetworkInterfaces[].PrivateIpAddresses[].PrivateIpAddress'
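Because every pod consumes a real VPC address, the node's ENI slots and the subnet's free addresses together bound how many pods can run, and exhausting either one is an availability problem. The following Python script is an added example (not part of this course's material): it parses a constructed sample of the JSON that `aws ec2 describe-network-interfaces` returns, lists the secondary IPs and security groups per ENI, applies the max-pods formula that the VPC CNI uses in its default secondary-IP mode (ENIs × (IPs per ENI − 1) + 2), and checks subnet headroom after AWS's five reserved addresses per subnet. The ENI, subnet, security-group IDs and addresses are made up; the m5.large figures (3 ENIs, 10 IPs per ENI) are the published instance limits.

```python
import ipaddress
import json

# Constructed sample in the shape returned by
# `aws ec2 describe-network-interfaces --filters Name=attachment.instance-id,...`
# for one node with two attached ENIs. All IDs and addresses are made up.
SAMPLE_ENI_JSON = json.dumps({
    "NetworkInterfaces": [
        {
            "NetworkInterfaceId": "eni-0aaa000000000001",
            "SubnetId": "subnet-0bbb000000000001",
            "Groups": [{"GroupId": "sg-0ccc000000000001"}],
            "PrivateIpAddresses": [
                {"PrivateIpAddress": "10.0.1.10", "Primary": True},
                {"PrivateIpAddress": "10.0.1.11", "Primary": False},
                {"PrivateIpAddress": "10.0.1.12", "Primary": False},
            ],
        },
        {
            "NetworkInterfaceId": "eni-0aaa000000000002",
            "SubnetId": "subnet-0bbb000000000001",
            "Groups": [{"GroupId": "sg-0ccc000000000001"}],
            "PrivateIpAddresses": [
                {"PrivateIpAddress": "10.0.1.20", "Primary": True},
                {"PrivateIpAddress": "10.0.1.21", "Primary": False},
            ],
        },
    ]
})


def secondary_ip_pool(raw_json):
    """Map each ENI ID to the secondary IPs the VPC CNI can hand to pods.

    The primary address belongs to the node itself and is never assigned
    to a pod, so it is excluded from the pool.
    """
    data = json.loads(raw_json)
    pool = {}
    for eni in data["NetworkInterfaces"]:
        pool[eni["NetworkInterfaceId"]] = [
            addr["PrivateIpAddress"]
            for addr in eni["PrivateIpAddresses"]
            if not addr.get("Primary", False)
        ]
    return pool


def eni_security_groups(raw_json):
    """Map each ENI ID to its security group IDs.

    In the default VPC CNI mode pods share the security groups of the ENI
    they are placed on, so this is the set of rules that governs pod traffic
    unless security groups for pods are enabled.
    """
    data = json.loads(raw_json)
    return {
        eni["NetworkInterfaceId"]: [g["GroupId"] for g in eni["Groups"]]
        for eni in data["NetworkInterfaces"]
    }


def max_pods(enis, ips_per_eni):
    """Pod capacity of a node in secondary-IP mode.

    One IP per ENI is the ENI's primary address and unavailable to pods;
    the +2 accounts for the aws-node and kube-proxy pods, which use host
    networking and consume no pool IP.
    """
    return enis * (ips_per_eni - 1) + 2


def subnet_headroom(cidr, used_ips):
    """Addresses still available in a subnet after AWS's 5 reserved ones."""
    net = ipaddress.ip_network(cidr)
    usable = net.num_addresses - 5
    return usable - used_ips


if __name__ == "__main__":
    pool = secondary_ip_pool(SAMPLE_ENI_JSON)
    for eni_id, ips in pool.items():
        print(f"{eni_id}: {len(ips)} secondary IPs available to pods -> {ips}")
    print("security groups:", eni_security_groups(SAMPLE_ENI_JSON))
    print("m5.large max pods:", max_pods(3, 10))
    print("/24 subnet headroom with 240 IPs used:", subnet_headroom("10.0.1.0/24", 240))
```

Feed the script real output from the `describe-network-interfaces` call above and compare the pool size against the pod count on the node; when a subnet's headroom approaches zero, new pods will fail to schedule with an IP allocation error, so this is a figure worth alerting on.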
