vSphere with Tanzu requires multiple networks. This section discusses networking design not covered in the NSX-T Data Center detailed design.

You deploy all vSphere with Tanzu workloads to NSX-T overlay networks. NSX-T Edge appliances in the shared edge and workload cluster are deployed to VLAN-backed networks.

Figure 1. Network Design for vSphere with Tanzu in a Workload Domain
Table 1. Networks Used by vSphere with Tanzu

| Network | Routable / NAT | Usage |
|---|---|---|
| Supervisor Cluster Control Plane Network | Routable | Used by the Supervisor Cluster control plane nodes. |
| Pod Networks | NAT | Used by Kubernetes pods that run in the cluster. Any Tanzu Kubernetes Clusters instantiated in the Supervisor Cluster also use this pool. |
| Service IP Pool Network | NAT | Used by Kubernetes applications that need a service IP address. |
| Ingress IP Pool Network | Routable | Used by NSX-T Data Center to create an IP pool for load balancing. |
| Egress IP Pool Network | Routable | Used by NSX-T Data Center to create an IP pool for NAT endpoint use. |
| Namespace Networks | NAT | When you create a namespace, a /28 NSX-T Data Center overlay segment and a corresponding IP pool are instantiated to serve the pods in that namespace. If that IP space runs out, an additional /28 NSX-T overlay segment and IP pool are instantiated. |
| Tanzu Kubernetes Cluster Networks | NAT | When you create a Tanzu Kubernetes cluster, a Tier-1 Gateway is instantiated in NSX-T Data Center. On that Tier-1 Gateway, a /28 NSX-T overlay segment and IP pool are also instantiated. |

Table 2. Design Decisions on vSphere with Tanzu Networking

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| SDDC-KUBWLD-VI-KUB-011 | Deploy a /28 segment for use by the Supervisor Cluster control plane nodes. | Supports the Supervisor Cluster control plane nodes. | The NSX-T segment must be created manually. |
| SDDC-KUBWLD-VI-KUB-012 | Dedicate a /20 subnet for pod networking. | A single /20 subnet is sufficient for deployments under 2000 pods. | Private IP space behind a NAT that you can reuse in multiple Supervisor Clusters. |
| SDDC-KUBWLD-VI-KUB-013 | Dedicate a /22 subnet for services. | A single /22 subnet is sufficient for deployments under 2000 pods. | Private IP space behind a NAT that you can reuse in multiple Supervisor Clusters. |
| SDDC-KUBWLD-VI-KUB-014 | Dedicate a /24 or larger subnet on your corporate network for ingress endpoints. | A /24 subnet is sufficient for most deployments under 2000 pods, but you must evaluate your ingress needs before deployment. | This subnet must be routable to the rest of the corporate network. |
| SDDC-KUBWLD-VI-KUB-015 | Dedicate a /24 or larger subnet on your corporate network for egress endpoints. | A /24 subnet is sufficient for most deployments under 2000 pods, but you must evaluate your egress needs before deployment. | This subnet must be routable to the rest of the corporate network. |
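The following Python check is an added example and is not part of the VMware design guide. It validates a constructed address plan against the prefix lengths in Table 2 (the specific CIDR values are assumptions), flags overlapping ranges, which would break NAT or black-hole ingress traffic, and computes how many /28 namespace or Tanzu Kubernetes cluster segments the /20 pod network can be carved into.

```python
import ipaddress

# Constructed address plan following the prefix lengths of decisions
# SDDC-KUBWLD-VI-KUB-011 to -015. The CIDR values are assumptions, not
# values from the design guide. The bool marks routable (True) vs NAT (False).
PLAN = {
    "supervisor_control_plane": ("10.10.0.0/28", True),
    "pod": ("10.244.0.0/20", False),
    "service": ("10.96.0.0/22", False),
    "ingress": ("192.168.100.0/24", True),
    "egress": ("192.168.101.0/24", True),
}

# Minimum size (maximum prefix length) required by each design decision.
REQUIRED_MAX_PREFIXLEN = {
    "supervisor_control_plane": 28, "pod": 20, "service": 22,
    "ingress": 24, "egress": 24,
}

# Each namespace or Tanzu Kubernetes cluster receives a /28 overlay segment.
NAMESPACE_SEGMENT_PREFIXLEN = 28


def parse_plan(plan):
    """Parse CIDR strings strictly so a host address in place of a
    network address (e.g. 10.244.0.1/20) is rejected rather than silently
    masked."""
    return {name: (ipaddress.ip_network(cidr, strict=True), routable)
            for name, (cidr, routable) in plan.items()}


def find_overlaps(nets):
    """Return name pairs whose address ranges overlap. Any overlap between
    the NAT pools and the routable ingress/egress pools breaks reachability."""
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a][0].overlaps(nets[b][0])]


def check_prefix_lengths(nets, required=REQUIRED_MAX_PREFIXLEN):
    """True for each network that is at least as large as its decision requires."""
    return {n: nets[n][0].prefixlen <= maxlen for n, maxlen in required.items()}


def namespace_segments(pod_net, prefixlen=NAMESPACE_SEGMENT_PREFIXLEN):
    """Number of /28 segments that can be allocated from the pod network."""
    return 2 ** (prefixlen - pod_net.prefixlen)
```

Run `find_overlaps(parse_plan(PLAN))` before creating the NSX-T segments; an empty list means no pool collides with another.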