aws/amazon-vpc-cni-k8s

Security Group for pods - ENI without IPv4 address in dual stack subnets

happosade opened this issue · 4 comments

What would you like to be added:

We'd like to use security groups for pods without assigning an IPv4 address to the ENI that's being created. Currently it seems like ENIs created in the subnet have both IPv4 and IPv6 addresses. The subnet is dual stack.

Why is this needed:

We have migrated to dual stack subnets in order to avoid IPv4 exhaustion in VPCs, since our address space is somewhat limited. This feature request would allow nodes to be in dual stack, but keep the pods themselves in IPv6 only. This helps with IPv4 addressing, since there are way fewer addresses available compared to IPv6 addresses.

@happosade Are you referring to IP addresses assigned to Branch ENIs that are associated with individual SGPP pods? Or the IPv4 address associated with the Primary ENI of the node itself?

@achevuru I tried to make some sense out of the console for debugging reasons, but I'm not completely sure anymore. The problem that I believed there to be is that when some pods need their own SG, it'll create new ENIs. After a while we've accumulated some unused ENIs that keep eating up the IPv4 addresses.

The core problem that we currently have is that our IPv4 usage rate is way higher than what we assumed earlier on; this seemed to be the only logical explanation for it, but it could be something else too.
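The thread above leaves open whether the IPv4 consumption comes from branch ENIs, from leftover unattached ENIs, or from something else. A quick way to settle that for a given subnet is to pull the subnet's ENIs and count, per interface, how many IPv4 addresses it holds and whether it is still attached. The following audit script is an added example and is not code from the amazon-vpc-cni-k8s project or from the issue's participants. It works over a constructed list of records shaped like the EC2 `DescribeNetworkInterfaces` response (the interface IDs, addresses and descriptions are made up); the optional `fetch_enis` helper shows where real data would come from via boto3, which is only imported if that helper is called.

```python
"""Audit IPv4 consumption by ENIs in a dual-stack subnet.

Added example, not project code. Record shape mirrors the EC2
DescribeNetworkInterfaces response: NetworkInterfaceId, Status,
Description, PrivateIpAddresses, Ipv6Addresses. All values below
are constructed.
"""

# Constructed sample: four ENIs in one dual-stack subnet.
#  - eni-...01: the node's primary ENI, attached, dual stack
#  - eni-...02: a branch ENI in use by a pod, dual stack
#  - eni-...03: a branch ENI that is no longer attached but still
#               holds an IPv4 address (the leak the issue suspects)
#  - eni-...04: an unattached ENI that is IPv6-only (the desired state)
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0000000000000001", "Status": "in-use",
     "Description": "constructed: primary node ENI",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.10", "Primary": True}],
     "Ipv6Addresses": [{"Ipv6Address": "2001:db8:0:1::10"}]},
    {"NetworkInterfaceId": "eni-0000000000000002", "Status": "in-use",
     "Description": "constructed: branch ENI, pod still running",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.21", "Primary": True}],
     "Ipv6Addresses": [{"Ipv6Address": "2001:db8:0:1::21"}]},
    {"NetworkInterfaceId": "eni-0000000000000003", "Status": "available",
     "Description": "constructed: branch ENI, pod gone",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.22", "Primary": True}],
     "Ipv6Addresses": [{"Ipv6Address": "2001:db8:0:1::22"}]},
    {"NetworkInterfaceId": "eni-0000000000000004", "Status": "available",
     "Description": "constructed: IPv6-only ENI",
     "PrivateIpAddresses": [],
     "Ipv6Addresses": [{"Ipv6Address": "2001:db8:0:1::30"}]},
]


def ipv4_addresses(eni):
    """All IPv4 addresses on an ENI, primary and secondary."""
    return [p["PrivateIpAddress"] for p in eni.get("PrivateIpAddresses", [])]


def ipv6_addresses(eni):
    """All IPv6 addresses on an ENI."""
    return [a["Ipv6Address"] for a in eni.get("Ipv6Addresses", [])]


def audit(enis):
    """Summarise where a subnet's IPv4 addresses are going.

    Returns totals plus the interfaces worth a closer look: unattached
    ENIs that still hold IPv4 (cleanup candidates) and ENIs that are
    already IPv6-only.
    """
    report = {
        "ipv4_addresses_total": 0,
        "ipv4_on_available_enis": 0,
        "available_enis_with_ipv4": [],
        "ipv6_only_enis": [],
    }
    for eni in enis:
        v4 = ipv4_addresses(eni)
        v6 = ipv6_addresses(eni)
        report["ipv4_addresses_total"] += len(v4)
        # "available" is the EC2 status for an ENI with no attachment.
        if v4 and eni.get("Status") == "available":
            report["ipv4_on_available_enis"] += len(v4)
            report["available_enis_with_ipv4"].append(eni["NetworkInterfaceId"])
        if v6 and not v4:
            report["ipv6_only_enis"].append(eni["NetworkInterfaceId"])
    return report


def fetch_enis(subnet_id):
    """Pull the real ENI list for one subnet (requires boto3 and credentials).

    Not exercised here; shown so the audit can be pointed at live data.
    """
    import boto3  # imported lazily so the sample audit runs offline
    ec2 = boto3.client("ec2")
    pages = ec2.get_paginator("describe_network_interfaces").paginate(
        Filters=[{"Name": "subnet-id", "Values": [subnet_id]}])
    return [eni for page in pages for eni in page["NetworkInterfaces"]]


if __name__ == "__main__":
    result = audit(SAMPLE_ENIS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it on the constructed sample reports three IPv4 addresses in total, one of them sitting on an unattached ENI (`eni-0000000000000003`), and one ENI that is already IPv6-only. Against a live subnet, a non-empty `available_enis_with_ipv4` list is the signal that leftover interfaces, rather than running pods, are consuming the IPv4 space; a large `ipv4_addresses_total` with an empty list points back at attached branch or primary ENIs instead.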