Flannel networking backends

Flannel is a network backend designed for container orchestrators like Kubernetes. It handles the networking layer between nodes, allowing containers (Pods) to communicate across different hosts.^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md] To achieve this, Flannel supports several backend implementations, each encapsulating and routing packets differently.

Flannel primarily supports three backend types^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md]:

  1. VXLAN (Virtual Extensible LAN)
  2. host-gw (Host Gateway)
  3. UDP (Noted for poor performance)

VXLAN

VXLAN is the standard backend for Flannel and is natively supported by the Linux kernel.^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md] It operates entirely in kernel space, handling packet encapsulation and decapsulation without relying on user-space applications.^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md]

The technology uses an L2-over-L4 (MAC-in-UDP) encapsulation model^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md]. This means it wraps original Layer 2 Ethernet frames inside Layer 4 UDP packets. By doing so, VXLAN allows a Layer 2 network to be stretched across a Layer 3 infrastructure^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md].

Key Concepts

  • VTEP (VXLAN Tunnel Endpoint): The edge device (in this case, the host) where the tunnel starts and ends.^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md]
  • VNI (VXLAN Network Identifier): A 24-bit identifier used to distinguish segments, supporting up to ~16 million unique IDs.^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md]
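The MAC-in-UDP encapsulation and the two concepts above can be seen in a few lines of code. The following is an added, self-contained Python example (not flannel's own code and not taken from the source above): it builds the 8-byte VXLAN header, wraps a constructed inner Ethernet frame in it and in a UDP header the way a sending VTEP would, and reverses the process on the receiving side. The outer IP header is left to the host stack, which is exactly the part transit routers look at. The sample frame, MACs and source port are constructed values; the IANA port 4789 and the 24-bit VNI limit are from the protocol itself.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

# 4789 is the IANA-assigned VXLAN port; flannel's own default is the legacy kernel port 8472.
VXLAN_UDP_PORT = 4789
VXLAN_FLAG_VNI_VALID = 0x08   # the "I" bit: the VNI field is valid
VNI_MAX = (1 << 24) - 1       # 24-bit VNI -> 16,777,215 distinct segments


@dataclass
class EthernetFrame:
    """Minimal inner (Layer 2) frame: dst MAC, src MAC, ethertype, payload."""
    dst_mac: bytes
    src_mac: bytes
    ethertype: int
    payload: bytes

    def to_bytes(self) -> bytes:
        return self.dst_mac + self.src_mac + struct.pack("!H", self.ethertype) + self.payload

    @classmethod
    def from_bytes(cls, data: bytes) -> "EthernetFrame":
        if len(data) < 14:
            raise ValueError("truncated Ethernet frame")
        (ethertype,) = struct.unpack("!H", data[12:14])
        return cls(data[:6], data[6:12], ethertype, data[14:])


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) | reserved(3) | VNI(3) | reserved(1)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\x00\x00\x00", vni << 8)


def parse_vxlan_header(data: bytes) -> int:
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_field = struct.unpack("!B3sI", data[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header without the VNI-valid flag")
    return vni_field >> 8


def encapsulate(inner: EthernetFrame, vni: int, src_port: int) -> bytes:
    """Sending VTEP: wrap the L2 frame in VXLAN, then in UDP. The outer IP header
    (VTEP to VTEP) is added by the host stack and is all that transit routers inspect."""
    vxlan_payload = build_vxlan_header(vni) + inner.to_bytes()
    udp_length = 8 + len(vxlan_payload)
    udp_header = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_length, 0)  # checksum 0 = none
    return udp_header + vxlan_payload


def decapsulate(udp_datagram: bytes) -> Tuple[int, EthernetFrame]:
    """Receiving VTEP: validate the UDP wrapper, recover the VNI and the inner frame."""
    if len(udp_datagram) < 16:
        raise ValueError("datagram too short for UDP + VXLAN headers")
    _src, dst_port, udp_length, _csum = struct.unpack("!HHHH", udp_datagram[:8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"not a VXLAN datagram (UDP dst port {dst_port})")
    if udp_length != len(udp_datagram):
        raise ValueError("UDP length field disagrees with datagram size")
    vni = parse_vxlan_header(udp_datagram[8:16])
    return vni, EthernetFrame.from_bytes(udp_datagram[16:])


if __name__ == "__main__":
    # Constructed sample: a pod-to-pod frame with a placeholder IPv4 payload.
    frame = EthernetFrame(b"\x02\x42\x0a\xf4\x01\x02", b"\x02\x42\x0a\xf4\x00\x03", 0x0800, b"<ipv4 packet>")
    wire = encapsulate(frame, vni=1, src_port=40000)
    print("outer UDP payload bytes:", len(wire))
    print("decapsulated:", decapsulate(wire))
```

The length check in decapsulate and the 24-bit range check in build_vxlan_header are the two places a real VTEP has to be strict: a truncated or oversized VNI is either a malformed datagram or a segment that cannot exist, and dropping it is the correct behaviour.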

Benefits

  • Scalability: The VTEP handles encapsulation, meaning intermediate physical routers only see the outer IP/UDP headers and do not need to learn the MAC addresses of every individual container (VM).^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md] This prevents the exhaustion of MAC address table limits on physical switches.
  • Isolation: VNIs provide significantly greater isolation capacity (up to 16M) compared to standard VLANs (roughly 4,000).^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md]
  • Migration: By building a virtual Layer 2 network on top of the existing Layer 3 infrastructure, VXLAN allows containers to maintain their IP addresses during migration, provided the underlying IP network is routable.^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md]

host-gw

host-gw (Host Gateway) is a backend that improves performance by avoiding the overhead of packet encapsulation (tunneling).^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md]

Mechanism

In host-gw mode, flanneld manipulates the host's routing table^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md]. It sets the "next hop" for a specific container subnet (e.g., 10.244.1.0/24) to be the internal IP address of the node where that subnet resides^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md].

For example, if Node 1 needs to send a packet to a Pod on Node 2:

  1. The packet matches a route rule on Node 1 specifying the destination subnet.
  2. The rule sets the next hop to Node 2's IP address.
  3. The packet is sent directly to Node 2 via the physical network (Layer 2).
  4. Node 2 receives the packet and routes it to the specific Pod via its bridge (e.g., cni0).^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md]

Requirements and Performance

  • Layer 2 Connectivity: This mode requires all nodes in the cluster to be in the same Layer 2 network (i.e., directly reachable via ARP without routing).^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md]
  • Performance: Because it avoids the encapsulation and decapsulation steps required by tunneling protocols like VXLAN, host-gw offers superior performance.^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md] It typically incurs only a ~10% performance loss compared to raw network throughput, whereas tunnel-based solutions often incur 20–30%.^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md]
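The route manipulation and the Layer 2 requirement described above can be modelled without touching a real routing table. The following is an added Python example (not flanneld's code, and not from the source above): it derives the routes flanneld would install on one node for a constructed three-node cluster, renders them in `ip route` style so they can be compared with a real node, performs a longest-prefix lookup for a destination Pod IP, and refuses a peer whose node IP is not on the nodes' shared L2 network, since such a next hop could never be resolved by ARP. Node names, node IPs, the 192.168.1.0/24 node network and the 10.244.x.0/24 Pod subnets are constructed sample values; the bridge and interface names cni0 and eth0 are assumed defaults.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass(frozen=True)
class Node:
    name: str
    node_ip: ipaddress.IPv4Address       # the host's internal IP on the physical network
    pod_subnet: ipaddress.IPv4Network    # the subnet leased to this node's Pods


def make_node(name: str, node_ip: str, pod_subnet: str) -> Node:
    return Node(name, ipaddress.ip_address(node_ip), ipaddress.ip_network(pod_subnet))


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]  # None means directly attached (local bridge)
    dev: str

    def render(self) -> str:
        """Format like `ip route` output so the result can be checked against a real node."""
        if self.via is None:
            return f"{self.dst} dev {self.dev}"
        return f"{self.dst} via {self.via} dev {self.dev}"


def build_host_gw_routes(local: Node, peers: List[Node],
                         node_network: Union[str, ipaddress.IPv4Network],
                         bridge: str = "cni0", iface: str = "eth0") -> List[Route]:
    """Routes flanneld would install on `local` in host-gw mode: one per peer Pod subnet
    with the peer's node IP as next hop. A peer outside the nodes' shared L2 network is
    rejected, because a next hop that is not directly reachable cannot be resolved by ARP."""
    l2_net = ipaddress.ip_network(node_network)
    routes = [Route(local.pod_subnet, None, bridge)]
    for peer in peers:
        if peer.node_ip not in l2_net:
            raise ValueError(f"host-gw requires L2 adjacency: {peer.name} ({peer.node_ip}) "
                             f"is not on {l2_net}")
        routes.append(Route(peer.pod_subnet, peer.node_ip, iface))
    return routes


def lookup(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match, the way the kernel FIB selects a route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for route in routes:
        if dst in route.dst and (best is None or route.dst.prefixlen > best.dst.prefixlen):
            best = route
    return best


def next_hop(routes: List[Route], dst_ip: str) -> str:
    """Describe where a packet to dst_ip goes from this node."""
    route = lookup(routes, dst_ip)
    if route is None:
        return "unroutable"
    if route.via is None:
        return f"local via {route.dev}"
    return f"forward to {route.via} on {route.dev}"


if __name__ == "__main__":
    # Constructed sample cluster: three nodes on one L2 segment, 192.168.1.0/24.
    node1 = make_node("node1", "192.168.1.11", "10.244.0.0/24")
    node2 = make_node("node2", "192.168.1.12", "10.244.1.0/24")
    node3 = make_node("node3", "192.168.1.13", "10.244.2.0/24")
    routes = build_host_gw_routes(node1, [node2, node3], "192.168.1.0/24")
    for r in routes:
        print(r.render())
    print("10.244.1.7 ->", next_hop(routes, "10.244.1.7"))
```

Running the sample on node1 prints a local `10.244.0.0/24 dev cni0` entry plus one `via` route per peer, which is the pattern to look for in `ip route` on a real host-gw node; a peer on a different L2 segment is the misconfiguration the ValueError is there to surface early.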

UDP

The UDP backend was one of the earliest implementations.^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md] It encapsulates packets in UDP but primarily operates in user space.^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md] Due to the context switching between kernel and user space, this mode suffers from significant performance bottlenecks and is generally considered inferior to VXLAN or host-gw.^[400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md]

Sources

  • 400-devops-06-kubernetes-k8s-paas-kubernetes-yaml.md