VMware Container Networking with Antrea | 17 Sept 2020 | Build 16862191

Check for additions and updates to these release notes.

What's New

VMware Container Networking with Antrea provides many new features to support container network connectivity and network policy enforcement in Kubernetes in both on-premises and public cloud deployment scenarios.

Built into Tanzu

VMware Container Networking with Antrea is built into Tanzu and can be used as the default Kubernetes CNI network plugin in both vSphere 7.0 U1 Tanzu Kubernetes Guest Clusters and Tanzu Kubernetes Grid 1.2 and later deployments.

Container Networking Overlay

VMware Container Networking with Antrea will work in both on-premises and public cloud topologies including vSphere with Tanzu, Tanzu Kubernetes Grid, managed Kubernetes-as-a-Service such as AWS EKS, Azure AKS, and Google GKE, and other DIY upstream Kubernetes deployments. The following container networking overlay modes are currently supported:

  • Geneve encapsulation (TKGS and Tanzu Kubernetes Grid)
  • Policy-only (AWS EKS and Azure AKS)
  • No-encap (Google GKE)

Network Policy

VMware Container Networking with Antrea is a fully compliant Kubernetes Network Policy enforcement engine. The following network policy features are supported:

  • Kubernetes Network Policy v1 enforcement
  • Native Antrea policy features enabled with feature gates (feature preview):
    • Cluster Network Policy – provides cluster scoped network policies across multiple Kubernetes namespaces (not available in TKGS)
    • Tiering – provides policy grouping and precedence mapping (not available in TKGS)

Diagnostics and Observability

VMware Container Networking with Antrea

  • antctl command line interface for querying information from the different Antrea components and generating support bundles that convey all of the Antrea configuration and present state to assist our support team in reproducing and diagnosing issues.
  • Traceflow support which enables a user to inject user-defined network traffic between two Kubernetes pods and trace the resultant data path including network policy effects.
  • Prometheus surfaces load and data flow metrics to assist operators (feature preview).
  • Monitoring CRDs provide operators with current control plane status and health.
  • Log Rotation Options


  • Octant Plugin provides UI for traceflows, cluster inventory, and monitoring control plane health.


  • IP source guard (spoof guard) to prevent pod IP address spoofing.
  • Controller API TLS certificate management and rotation.

Service Load Balancing

  • Antrea Proxy Antrea Proxy provides a native OvS service load balancer implementation, which translates service VIPs inline using match-action flows.

IP Address Management

  • Support for Kubernetes static NodeIPAM, which assigns static CIDR block to each node.

Compatibility Requirements

K8S Distribution K8S Versions OS Cloud NSXT Default Overlay
vSphere with Tanzu Guest Clusters
(Tanzu Kubernetes Grid Service)
1.16, 1.17, 1.18 PhotonOS 3 vSphere 7.0 U1 3.0 Geneve Encapsulation
Tanzu Kubernetes Grid 1.2 1.16, 1.17, 1.18 PhotonOS 3
Ubuntu 18.04
Amazon Linux 2
vSphere 6.7, 7.0
3.0.2 Geneve Encapsulation
AWS EKS v1.15.11 Amazon Linux 2 AWS N/A Policy-Only (chained CNI)


check-circle-line exclamation-circle-line close-line
Scroll to top icon