DigitalOcean Kubernetes (DOKS) Networking, Reimagined

In the world of cloud-native applications, networking is the backbone that connects everything. Today, we’re excited to announce foundational additions (VPC-native cluster, VPC peering, Global load balancer, Internal load balancer) to DigitalOcean Kubernetes (DOKS) networking that will enable you to build and scale your applications globally.

DOKS networking - Current challenges for scalers

Traditional DOKS networking has served and will continue to meet the needs of many customers well. However, as some customers look to scale, they run into the following challenges.

• Isolated Kubernetes Network: Clusters existed in isolated virtualized network spaces, unable to communicate directly with each other or with VPC resources. This required routing via public IP addresses, even for internal communications. Note that this works just fine for many production applications.
• Limited geographical flexibility: Load balancing and cross-connecting services across multiple clusters in different regions was not possible. This confined applications to single data centers, limiting use cases for geo-distributed applications and cross-cluster failover.
• Lack of private load balancing: Private load balancing to cluster services was not directly possible, necessitating the use of public load balancers for internal services.

These constraints not only impacted seamless application scalability beyond a single region but also posed security and performance challenges for growing businesses.

New capabilities to improve DOKS networking

At DigitalOcean, we’re committed to keeping the user experience simple while empowering developers to build robust, scalable applications. Our vision for DOKS networking is to:

• Maintain the simplicity you love about DO
• Leverage the power of Cilium CNI while enabling native routing between DOKS cluster and VPC resources
• Enable transparent global peering and load balancing among clusters
• Eliminate the need for public network traversal for internal communications, enhancing both security and performance

With these improvements, we aim to provide you with a more flexible, scalable, and secure networking foundation for your cloud-native applications. To realize this vision, we’re introducing several key features that will transform your DOKS networking experience.

We are thrilled to announce the following new capabilities to DOKS.

• VPC-native DOKS Cluster (Early Availability): This feature enables native routing between cluster and VPC resources, seamlessly integrating DOKS clusters with your existing network architecture. During the early availability phase, node, cluster and service CIDR configuration is required during cluster creation. It’s important to note that Kubernetes does not allow CIDR changes post-creation, so this capability is only available for new clusters.
• VPC Peering (Early Availability): Enable seamless communication between cluster resources across regions and VPCs. Once VPC peering is established, DOKS peering works automatically and transparently, provided that native routing has been enabled.
• Global Load Balancer (GLB) (GA): Distribute your north-south traffic among services in different clusters with ease. This not only enhances your application’s scalability but also improves resilience and reduces latency for global users. For DOKS, GLB is configured in conjunction with regional load balancers, offering you granular control over traffic distribution.
• Internal Load Balancer (ILB) (EA): Achieve internal load balancing to DOKS services from VPC resources or another DOKS cluster. This is region agnostic, if VPC peering is configured. This keeps communication between Droplets and DOKS services within your private network, enhancing security and performance.

These features work together to create a seamless experience, enabling you to build truly distributed, resilient applications. You can run a global application with clusters in multiple regions, cluster resources communicating privately via VPC peering. Likewise all your cluster resources can talk to VPC resources and vice versa natively without going over public networks.

The Big Picture: A New Paradigm for Cloud-Native Applications

With our reimagined DOKS networking, we’re introducing a new paradigm for building and scaling cloud-native applications. Let’s explore how these new features come together to create a powerful, flexible networking ecosystem:

• Global Network Planning: Start by planning your VPC CIDRs across your entire team account globally. Allocate non-overlapping RFC1918 address ranges for your DOKS node, pod, and service networks. This foundational step provides native routing between your cluster and VPC resources, setting the stage for seamless communication.
• Inter-Cluster Communication: As your node, pod, and service addresses for DOKS resources are now unique across your team, inter-cluster native routing is automatically enabled once you configure VPC peering. This eliminates the need for complex networking workarounds and enhances security by keeping traffic off public networks.
• Service Connectivity: Remember, a Kubernetes service (of type LoadBalancer) is a logical entity for load balancing. To connect to a service from a private network, you’ll use our new Internal Load Balancer (ILB). This keeps your internal traffic internal, improving both security and performance.
• Global Traffic Management: For applications spanning multiple regions, you can now leverage our Global Load Balancer (GLB) to route traffic for the same application (e.g., helloworld.xyz) across multiple clusters in different regions. Note that GLB works with the DOKS regional load balancers to route the user traffic to the nearest datacenter. This not only improves application performance and user experience but also helps to serve as an effective disaster recovery mechanism in case of regional outages.

This new paradigm helps enable you to build truly global, resilient applications while maintaining the simplicity and ease of use you expect from DigitalOcean. Whether you’re scaling a startup or managing enterprise-grade applications, these networking enhancements provide the flexibility and power you need to succeed in the cloud-native world.

How to get started?

To get started, start by creating your new DOKS clusters with custom CIDR for node and service networks. This will ensure your cluster is ready for native routing. Routing between pods and VPC resources should work natively by default.

Use the following based on your specific use case:

• Use ILB for internal service routing between VPC resources to DOKS.
• If you need private connectivity between multiple clusters in different VPC/regions, use VPC peering.
• For North-South load balancing to the same application running in different clusters, use GLB.

Join us for a Live Office Hours Q&A:

Join us for an office hour on 11/21/2024 at 10am EST with our engineers where we’ll walk through these features in detail and answer your questions.