Container Cluster Network Solution Selection

Last updated: 2025-12-31 14:09:19

Container Network Interface

Container Network Interface (CNI) is a plugin-based standard for configuring container networks. It defines a set of specifications that integrate with container orchestration systems such as Kubernetes to enable communication between containers on multiple hosts. CNI provides IP-based virtual networks, IP address assignment, and other features to meet the network needs of container Pods in various complex scenarios.
Tencent Kubernetes Engine (TKE) provides three CNI solutions: VPC-CNI, GlobalRouter, and Cilium-Overlay.
Note: TKE recommends the VPC-CNI solution in the public cloud scenario and the Cilium-Overlay solution in the registered node scenario.

VPC-CNI Solution

The VPC-CNI solution is a CNI implementation built by TKE on Tencent Cloud Virtual Private Cloud (VPC). It assigns native VPC Elastic Network Interfaces (ENIs) directly to Pods to provide connectivity between Pods. This solution is suitable for scenarios with strict latency requirements. In this network mode, containers and nodes reside on the same network plane, and container IP addresses are ENI IP addresses assigned by the IPAMD component. For details, see VPC-CNI Mode.

GlobalRouter Solution

The GlobalRouter solution is a CNI implementation built by TKE on the global routing capability of Tencent Cloud VPC. The Pod CIDR block is independent of the VPC CIDR block. Pod CIDR information from different nodes is distributed to the VPC through global routing, enabling Pods on different nodes to access each other. For details, see GlobalRouter Mode.

Cilium-Overlay Solution

The Cilium-Overlay solution is a container network plugin implemented by TKE based on Cilium VxLAN. It provides network management for registered nodes added to TKE clusters in distributed cloud scenarios. For details, see Cilium-Overlay Mode.

TKE Solution Comparison

Solution
VPC-CNI (recommended)
Global Router
Cilium-Overlay
Introduction
Pod network addresses are divided from VPC subnet addresses. It is recommended that they use a subnet exclusively.
VPC cloud network capabilities such as Elastic IP (EIP), Cloud Load Balancer (CLB), and security groups are available.
The Pod IP range is independent of the VPC subnet IP range.
Pods on different nodes can directly access each other through global routing and forwarding.
The container network and node network are not on the same plane.
The container network is an overlay network based on the node network.
Strengths
CIDR blocks do not need to be assigned by node, avoiding the waste of IP addresses.
Data plane forwarding does not require a network bridge, which improves network forwarding performance.
Pods can be assigned fixed IP addresses. This mode is suitable for scenarios that require containers to have fixed IP addresses.
The container IP range is independent of the VPC CIDR block. This solution is easy to use, with a quick Pod startup.

The container IP range is independent of the VPC CIDR block, with ample addresses and high scalability.
Pod networks encapsulate messages with VxLAN. This solution is suitable for interconnection between cloud nodes and off-cloud nodes, with better compatibility.
Scenarios
Scenarios with high requirements for network latency.
Scenarios where the migration of the traditional architecture to a container platform requires the container to have a fixed IP address.
Businesses with special network security policies. For example, database services require special security group policies.
Simple business scenarios with no special requirements for IP address assignment and network performance.
Scenarios where nodes do not support ENI.
Only suitable for scenarios with registered nodes.
Use Limits
The container network and node network belong to the same VPC network. IP address resources are limited.
The number of containers in a node is limited by ENI and the number of assignable IP addresses.
The fixed IP address mode does not support scheduling Pods with fixed IP addresses across availability zones (AZs).
The container network address cannot conflict with the node network address.
Additional configuration is required in interconnection scenarios such as Direct Connect, Peering Connection, and Cloud Connect Network (CCN).
Fixed Pod IP addresses are not supported.
Pod IP addresses cannot be accessed directly outside the cluster.
Two IP addresses need to be obtained from the specified subnet to create a private network CLB instance, so that registered nodes in the IDC can access API servers and public cloud services.
Fixed Pod IP addresses are not supported.
Whether the Direct Connection of CLB Is Supported
Supported (allowlist application required). For details, see Using Services with CLB-to-Pod Direct Access Mode.
Not supported.
| Solution | VPC-CNI (recommended) | Global Router | Cilium-Overlay |
| --- | --- | --- | --- |
| Whether Fixed IP Addresses Are Supported | Supported. | Not supported. | Not supported. |
| IPv4/IPv6 Dual-Stack | Supported. | Not supported. | Not supported. |
| Specifying Subnets for IP Address Assignment | Supported. | Not supported. | Not supported. |
| Expanding Pod IP Ranges | Supported. | Supported (not productized yet). | Not supported. |
| Setting a Pod Security Group | Supported. | Not supported. | Not supported. |
| Binding EIP to a Pod | Supported. | Not supported. | Not supported. |
| Pod Access to the Public Network | Supported (NAT and EIP). | Supported (IP address disguise). | Supported. |
