I have been trying to switch to IPv6 in my VPC to save the costs associated with IPv4 usage. My setup includes EKS and RDS Aurora, and I configure everything with Terraform.
However, when I try to create an IPv6-only VPC with public and private subnets for EKS, I get the following error:
"At least one subnet in each AZ should have 2 free IPs. Invalid AZs: { [eu-central-1a, eu-central-1b] }, provided subnets: { subnet-06a43f*, subnet-05350*}"
On the other hand, if I set up dual-stack IPv6 subnets for EKS, the NAT gateway requires IPv4. And when I try to deploy EKS without an IPv4 NAT gateway, I get this error:
"Error: waiting for EKS Node Group (-eks-cluster:-eks-workers) to be created: unexpected state 'CREATE_FAILED', wanted target 'ACTIVE'. Last error: i-0bb3*: NodeCreationFailure: Instances failed to join the Kubernetes cluster."
The only way to get it working seems to be enabling a NAT gateway that uses IPv4, which unfortunately defeats my goal of reducing costs by switching to IPv6.
Has anyone else run into this? Any advice on how to transition to IPv6 effectively without hitting these problems?
module "vpc_and_subnets" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.13.0"

  name = local.name
  cidr = local.vpc_cidr # an IPv4 CIDR is still set here, so the VPC is dual-stack, not IPv6-only
  azs  = local.azs

  # one IPv4 block per AZ for each subnet tier (cidrsubnet newbits = 3 gives 8 blocks)
  private_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 3, k)]
  public_subnets   = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 3, k + length(local.azs))]
  database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 3, k + 2 * length(local.azs))]

  # IPv6: Amazon-provided block on the VPC, one /64 prefix index per subnet
  enable_ipv6 = true
  #public_subnet_ipv6_native  = true # IPv6-only subnets (commented out)
  #private_subnet_ipv6_native = true
  create_egress_only_igw = true # IPv6 outbound from private subnets without a NAT gateway
  public_subnet_ipv6_prefixes   = [for k, v in local.azs : k]
  private_subnet_ipv6_prefixes  = [for k, v in local.azs : k + length(local.azs)]
  database_subnet_ipv6_prefixes = [for k, v in local.azs : k + 2 * length(local.azs)]
  private_subnet_assign_ipv6_address_on_creation = true
  public_subnet_assign_ipv6_address_on_creation  = true

  # create nat gateways (IPv4 egress for the private subnets)
  enable_nat_gateway = var.enable_nat_gateway
  #single_nat_gateway     = var.single_nat_gateway
  #one_nat_gateway_per_az = var.one_nat_gateway_per_az

  # enable dns hostnames and support
  enable_dns_hostnames = var.enable_dns_hostnames
  enable_dns_support   = var.enable_dns_support

  # tags for public, private subnets and vpc
  tags                = var.tags
  public_subnet_tags  = var.additional_public_subnet_tags
  private_subnet_tags = var.additional_private_subnet_tags

  # create internet gateway
  #create_igw = var.create_igw
  instance_tenancy = var.instance_tenancy

  # database tier: subnet group, dedicated route table and IGW route for RDS Aurora
  create_database_subnet_group           = true
  create_database_subnet_route_table     = true
  create_database_internet_gateway_route = true
  database_subnet_group_name             = "${var.name}-${var.database_subnet_group_name}"
}
module "eks" {
  # invoke public eks module
  source  = "terraform-aws-modules/eks/aws"
  version = "20.8.3"

  # eks cluster name and version
  cluster_name    = var.eks_cluster_name
  cluster_version = var.k8s_version

  # vpc id where the eks cluster security group needs to be created
  vpc_id                     = var.vpc_id
  cluster_ip_family          = var.cluster_ip_family # "ipv6" makes pods/services IPv6; nodes stay dual-stack
  create_cni_ipv6_iam_policy = true                  # IAM policy the VPC CNI needs to assign IPv6 addresses

  # subnets where the eks cluster needs to be created
  control_plane_subnet_ids                 = var.control_plane_subnet_ids
  enable_cluster_creator_admin_permissions = true

  # to enable public and private access for eks cluster endpoint
  cluster_endpoint_private_access      = true
  cluster_endpoint_public_access       = true
  cluster_endpoint_public_access_cidrs = var.public_access_cidrs

  # create an OpenID Connect Provider for EKS to enable IRSA
  enable_irsa = true

  # install eks managed addons
  # more details are here - https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html
  cluster_addons = {
    # extensible DNS server that can serve as the Kubernetes cluster DNS
    coredns = {
      preserve    = true
      most_recent = true
    }
    # maintains network rules on each Amazon EC2 node. It enables network communication to your Pods
    kube-proxy = {
      most_recent = true
    }
    # a Kubernetes container network interface (CNI) plugin that provides native VPC networking for your cluster
    vpc-cni = {
      most_recent = true
    }
    aws-ebs-csi-driver = {
      most_recent = true
    }
    aws-efs-csi-driver = {
      most_recent = true
    }
  }

  # Extend cluster security group rules
  cluster_security_group_additional_rules = {
    egress_nodes_ephemeral_ports_tcp = {
      description                = "To node 1025-65535"
      protocol                   = "tcp"
      from_port                  = 1025
      to_port                    = 65535
      type                       = "egress"
      source_node_security_group = true
    }
  }

  # Extend node-to-node security group rules
  node_security_group_additional_rules = {
    ingress_self_all = {
      description = "Node to node all ports/protocols"
      protocol    = "-1"
      from_port   = 0
      to_port     = 0
      type        = "ingress"
      self        = true
    }
  }

  # subnets where the eks node groups needs to be created
  subnet_ids = var.eks_node_groups_subnet_ids

  # eks managed node group named worker
  eks_managed_node_groups         = var.eks_managed_node_groups
  eks_managed_node_group_defaults = var.eks_managed_node_group_defaults
}
# allow worker nodes to reach the control plane (primary cluster security group) on 443
resource "aws_security_group_rule" "allow_worker_nodes" {
  description              = "Worker nodes to cluster API on 443"
  security_group_id        = module.eks.cluster_primary_security_group_id
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = module.eks.node_security_group_id
}
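A pre-flight check for the first error in the post, written here as an added example and not code from the post or from the terraform-aws-modules projects. It assumes, as the error text suggests, that EKS counts free IPv4 addresses per AZ for the ENIs it places in the cluster subnets, so an IPv6-only subnet (no IPv4 CidrBlock) contributes none. The subnet records are constructed to mimic the field names of `aws ec2 describe-subnets` output, and the file name check_eks_subnets.py is hypothetical.

```python
"""Pre-flight check for the EKS requirement quoted in the post:
"At least one subnet in each AZ should have 2 free IPs".

Assumption (not stated by AWS in the post): EKS counts free IPv4 addresses,
so an Ipv6Native subnet, which has no IPv4 CidrBlock, contributes zero.
Subnet records below follow the field names of `aws ec2 describe-subnets`
output but are constructed for this example.
"""
import json
from collections import defaultdict

MIN_FREE_IPV4 = 2  # number taken from the EKS error message


def usable_ipv4(subnet: dict) -> int:
    """Free IPv4 addresses EKS could allocate in this subnet; 0 for IPv6-only subnets."""
    if subnet.get("Ipv6Native") or not subnet.get("CidrBlock"):
        return 0
    return int(subnet.get("AvailableIpAddressCount", 0))


def check_eks_subnets(subnets: list, min_free: int = MIN_FREE_IPV4) -> dict:
    """Group subnets by AZ and return {az: [subnet summaries]} for every AZ
    that has no subnet with at least `min_free` free IPv4 addresses.
    An empty dict means the subnet set satisfies the quoted requirement."""
    by_az = defaultdict(list)
    for s in subnets:
        by_az[s["AvailabilityZone"]].append(s)

    failing = {}
    for az, subs in sorted(by_az.items()):
        if not any(usable_ipv4(s) >= min_free for s in subs):
            failing[az] = [
                f"{s['SubnetId']}: ipv6_native={bool(s.get('Ipv6Native'))}, "
                f"free_ipv4={usable_ipv4(s)}"
                for s in subs
            ]
    return failing


def check_describe_subnets_json(text: str) -> dict:
    """Same check over the raw JSON printed by `aws ec2 describe-subnets`."""
    return check_eks_subnets(json.loads(text)["Subnets"])


# Constructed sample data (not real AWS output).
# Case 1: the post's IPv6-only VPC: one ipv6-native subnet per AZ, no IPv4 at all.
IPV6_ONLY_SUBNETS = [
    {"SubnetId": "subnet-0example1a", "AvailabilityZone": "eu-central-1a",
     "Ipv6Native": True, "AvailableIpAddressCount": 0},
    {"SubnetId": "subnet-0example1b", "AvailabilityZone": "eu-central-1b",
     "Ipv6Native": True, "AvailableIpAddressCount": 0},
]
# Case 2: dual-stack subnets (IPv4 CIDR plus IPv6 prefix) with plenty of free IPv4.
DUAL_STACK_SUBNETS = [
    {"SubnetId": "subnet-0example2a", "AvailabilityZone": "eu-central-1a",
     "CidrBlock": "10.0.0.0/19", "Ipv6Native": False, "AvailableIpAddressCount": 8187},
    {"SubnetId": "subnet-0example2b", "AvailabilityZone": "eu-central-1b",
     "CidrBlock": "10.0.32.0/19", "Ipv6Native": False, "AvailableIpAddressCount": 8187},
]
# Case 3: dual-stack, but the only subnet in one AZ is nearly exhausted (1 free IPv4).
EXHAUSTED_AZ_SUBNETS = DUAL_STACK_SUBNETS[:1] + [
    {"SubnetId": "subnet-0example3b", "AvailabilityZone": "eu-central-1b",
     "CidrBlock": "10.0.32.0/28", "Ipv6Native": False, "AvailableIpAddressCount": 1},
]

if __name__ == "__main__":
    # Usage: aws ec2 describe-subnets --subnet-ids <ids> | python check_eks_subnets.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    result = check_describe_subnets_json(data) if data else check_eks_subnets(IPV6_ONLY_SUBNETS)
    for az, subs in result.items():
        print(f"FAIL {az}: no subnet with >= {MIN_FREE_IPV4} free IPv4 addresses")
        for line in subs:
            print("   ", line)
    sys.exit(1 if result else 0)
```

Run it on the subnet IDs you intend to pass as control_plane_subnet_ids before `terraform apply`; it exits non-zero and lists the offending subnets for any AZ that would trip the "2 free IPs" error, which with IPv6-only subnets is every AZ.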
Setting up IPv6-only in AWS can be challenging because some AWS services currently depend on IPv4, especially where NAT gateways and certain AWS managed services such as EKS are involved.
Understanding the problem:
IPv6-only VPC with EKS:
Dual-stack setup without an IPv4 NAT gateway:
Possible solutions:
Hybrid approach:
Use IPv4 for the control plane and IPv6 for the nodes:
Reduce NAT gateway costs:
Monitor AWS updates:
Terraform adjustments: