Skip to main content
Calico Cloud documentation

Configure BGP peering

Big picture

Configure BGP (Border Gateway Protocol) between Calico nodes or peering with network infrastructure to distribute routing information.

Value

Calico Cloud nodes can exchange routing information over BGP to enable reachability for Calico Cloud networked workloads (Kubernetes pods or OpenStack VMs). In an on-premises deployment this allows you to make your workloads first-class citizens across the rest of your network. In public cloud deployments, it provides an efficient way of distributing routing information within your cluster, and is often used in conjunction with IPIP overlay or cross-subnet modes.

Concepts

BGP

BGP is a standard protocol for exchanging routing information between routers in a network. Each router running BGP has one or more BGP peers - other routers which they are communicating with over BGP. You can think of Calico Cloud networking as providing a virtual router on each of your nodes. You can configure Calico Cloud nodes to peer with each other, with route reflectors, or with top-of-rack (ToR) routers.

Common BGP topologies

There are many ways to configure a BGP network depending on your environment. Here are some common ways it is done with Calico Cloud.

Full-mesh

When BGP is enabled, Calico Cloud’s default behavior is to create a full-mesh of internal BGP (iBGP) connections where each node peers with each other. This allows Calico Cloud to operate over any L2 network, whether public cloud or private cloud, or, if IPIP is configured, to operate as an overlay over any network that does not block IPIP traffic. Calico Cloud does not use BGP for VXLAN overlays.

note

Most public clouds support IPIP. The notable exception is Azure, which blocks IPIP traffic. So if you want to run Calico as an overlay network in Azure, you must configure Calico Cloud to use VXLAN.

Full-mesh works great for small and medium-size deployments of say 100 nodes or less, but at significantly larger scales full-mesh becomes less efficient, and we recommend using route reflectors.

Route reflectors

To build large clusters of internal BGP (iBGP), BGP route reflectors can be used to reduce the number of BGP peerings used on each node. In this model, some nodes act as route reflectors and are configured to establish a full mesh amongst themselves. Other nodes are then configured to peer with a subset of those route reflectors (typically 2 for redundancy), reducing the total number BGP peering connections compared to full-mesh.

Top of Rack (ToR)

In on-premises deployments, you can configure Calico Cloud to peer directly with your physical network infrastructure. Typically, this involves disabling Calico Cloud’s default full-mesh behavior, and instead peer Calico Cloud with your L3 ToR routers. There are many ways to build an on-premises BGP network. How you configure your BGP is up to you - Calico Cloud works well with both iBGP and eBGP configurations, and you can effectively treat Calico Cloud like any other router in your network design.

Depending on your topology, you may also consider using BGP route reflectors within each rack. However, this is typically needed only if the number of nodes in each L2 domain is large (> 100).

For a deeper look at common on-premises deployment models, see Calico over IP Fabrics.

Before you begin...

Required

  • Calico CNI

How to

note

Significantly changing Calico Cloud's BGP topology, such as changing from full-mesh to peering with ToRs, may result in temporary loss of pod network connectivity during the reconfiguration process. It is recommended to only make such changes during a maintenance window.

Configure a global BGP peer

Global BGP peers apply to all nodes in your cluster. This is useful if your network topology includes BGP speakers that will be peered with every Calico Cloud node in your deployment.

The following example creates a global BGP peer that configures every Calico Cloud node to peer with 192.20.30.40 in AS 64567.

apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
name: my-global-peer
spec:
peerIP: 192.20.30.40
asNumber: 64567

Configure a per-node BGP peer

Per-node BGP peers apply to one or more nodes in the cluster. You can choose which nodes by specifying the node’s name exactly, or using a label selector.

The following example creates a BGPPeer that configures every Calico Cloud node with the label, rack: rack-1 to peer with 192.20.30.40 in AS 64567.

apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
name: rack1-tor
spec:
peerIP: 192.20.30.40
asNumber: 64567
nodeSelector: rack == 'rack-1'

Configure a node to act as a route reflector

Calico Cloud nodes can be configured to act as route reflectors. To do this, each node that you want to act as a route reflector must have a cluster ID - typically an unused IPv4 address.

To configure a node to be a route reflector with cluster ID 244.0.0.1, run the following command.

kubectl annotate node my-node projectcalico.org/RouteReflectorClusterID=244.0.0.1

Typically, you will want to label this node to indicate that it is a route reflector, allowing it to be easily selected by a BGPPeer resource. You can do this with kubectl. For example:

kubectl label node my-node route-reflector=true

Now it is easy to configure route reflector nodes to peer with each other and other non-route-reflector nodes using label selectors. For example:

kind: BGPPeer
apiVersion: projectcalico.org/v3
metadata:
name: peer-with-route-reflectors
spec:
nodeSelector: all()
peerSelector: route-reflector == 'true'
note

Adding routeReflectorClusterID to a node spec will remove it from the node-to-node mesh immediately, tearing down the existing BGP sessions. Adding the BGP peering will bring up new BGP sessions. This will cause a short (about 2 seconds) disruption to dataplane traffic of workloads running in the nodes where this happens. To avoid this, make sure no workloads are running on the nodes, by provisioning new nodes or by running kubectl drain on the node (which may itself cause a disruption as workloads are drained).

Disable the default BGP node-to-node mesh

The default node-to-node BGP mesh may be turned off to enable other BGP topologies. To do this, modify the default BGP configuration resource.

Run the following command to disable the BGP full-mesh:

calicoctl patch bgpconfiguration default -p '{"spec": {"nodeToNodeMeshEnabled": false}}'
note

If the default BGP configuration resource does not exist, you need to create it first. See BGP configuration for more information.

note

Disabling the node-to-node mesh will break pod networking until/unless you configure replacement BGP peerings using BGPPeer resources. You may configure the BGPPeer resources before disabling the node-to-node mesh to avoid pod networking breakage.

Change from node-to-node mesh to route reflectors without any traffic disruption

Switching from node-to-node BGP mesh to BGP route reflectors involves tearing down BGP sessions and bringing up new ones. This causes a short dataplane network disruption (of about 2 seconds) for workloads running on the nodes in the cluster. To avoid this, you may provision route reflector nodes and bring their BGP sessions up before tearing down the node-to-node mesh sessions.

Follow these steps to do so:

  1. Provision new nodes to be route reflectors. The nodes should not be schedulable and they should have routeReflectorClusterID in their spec. These won't be part of the existing node-to-node BGP mesh, and will be the route reflectors when the mesh is disabled. These nodes should also have a label like route-reflector to select them for the BGP peerings. Alternatively, you can drain workloads from existing nodes in your cluster by running kubectl drain <NODE> to configure them to be route reflectors, but this will cause a disruption on the workloads on those nodes as they are drained.

  2. Also set up a BGPPeer spec to configure route reflector nodes to peer with each other and other non-route-reflector nodes using label selectors.

  3. Wait for these peerings to be established. This can be verified by running sudo calicoctl node status on the nodes. Alternatively, you can create a CalicoNodeStatus resource to get BGP session status for the node.

  4. Disable the BGP node-to-node mesh for the cluster.

  5. If you did drain workloads from the nodes or created them as unschedulable, mark the nodes as schedulable again (e.g. by running kubectl uncordon <NODE>).

View BGP peering status for a node

Create a CalicoNodeStatus resource to monitor BGP session status for the node.

Alternatively, you can run the calicoctl node status command on a given node to learn more about its BGP status.

note

This command communicates with the local Calico Cloud agent, so you must execute it on the node whose status you are attempting to view.

View BGP info on all peers for a node

You can use calicoctl to view the BGP information for all peers of a particular node, including connection status, routing statistics, and BGP state. This is useful for confirming that your configuration is behaving as desired, and for more detailed troubleshooting.

Run the following command from anywhere you have access to kubectl:

calicoctl bgp peers <NODE_NAME>

Where <NODE_NAME> is the resource name for one of the Calico node pods within your cluster.

note

The above command can be run from anywhere you have access to kubectl. We recommend running it as a kubectl plugin.

If you install the binary as a kubectl plugin using the above instructions, you can then run the command as follows:

kubectl calico bgp peers <NODE_NAME>

Change the default global AS number

By default, all Calico nodes use the 64512 autonomous system, unless a per-node AS has been specified for the node. You can change the global default for all nodes by modifying the default BGPConfiguration resource. The following example command sets the global default AS number to 64513.

kubectl patch bgpconfiguration default -p '{"spec": {"asNumber": "64513"}}'
note

If the default BGP configuration resource does not exist, you need to create it first. See BGP configuration for more information.

Change AS number for a particular node

You can configure an AS for a particular node by modifying the node object using calicoctl. For example, the following command changes the node named node-1 to belong to AS 64514.

calicoctl patch node node-1 -p '{"spec": {"bgp": {"asNumber": "64514"}}}'

Configure a BGP filter

BGP filters control which routes are imported and exported between BGP peers.

The BGP filter rules (importVX, exportVX) are applied sequentially, taking the action of the first matching rule. When no rules are matched, the default action is Accept.

In order for a BGPFilter to be used in a BGP peering, its name must be added to filters of the corresponding BGPPeer resource.

The following example creates a BGPFilter

kind: BGPFilter
apiVersion: projectcalico.org/v3
metadata:
name: my-first-bgp-filter
spec:
exportV4:
- action: Accept
matchOperator: In
cidr: 77.0.0.0/16
- action: Reject
matchOperator: NotIn
cidr: 88.0.0.0/16
importV4:
- action: Reject
matchOperator: NotIn
cidr: 44.0.0.0/16
exportV6:
- action: Reject
matchOperator: NotEqual
cidr: 9000::0/64
importV6:
- action: Accept
matchOperator: Equal
cidr: 5000::0/64
- action: Reject
matchOperator: NotIn
cidr: 5000::0/64

Configure a BGP peer with a BGP filter

BGP peers can use BGP filters to control which routes are imported or exported between them.

The following example creates a BGPFilter and associates it with a BGPPeer

note

BGPFilters are applied in the order listed on a BGPPeer

kind: BGPFilter
apiVersion: projectcalico.org/v3
metadata:
name: first-bgp-filter
spec:
exportV4:
- action: Accept
matchOperator: In
cidr: 77.0.0.0/16
- action: Reject
matchOperator: NotIn
cidr: 88.0.0.0/16
importV4:
- action: Reject
matchOperator: NotIn
cidr: 44.0.0.0/16
exportV6:
- action: Reject
matchOperator: NotEqual
cidr: 9000::0/64
importV6:
- action: Accept
matchOperator: Equal
cidr: 5000::0/64
- action: Reject
matchOperator: NotIn
cidr: 5000::0/64
---
kind: BGPFilter
apiVersion: projectcalico.org/v3
metadata:
name: second-bgp-filter
spec:
exportV4:
- action: Reject
matchOperator: In
cidr: 99.0.0.0/16
- action: Reject
matchOperator: In
cidr: .0.0.0/16
importV4:
- action: Accept
matchOperator: NotIn
cidr: 55.0.0.0/16
- action: Reject
matchOperator: In
cidr: 66.0.0.0/16
exportV6:
- action: Accept
matchOperator: Equal
cidr: 7000::0/64
- action: Accept
matchOperator: Equal
cidr: 8000::0/64
- action: Reject
matchOperator: NotIn
cidr: 7000::0/64
importV6:
- action: Reject
matchOperator: NotEqual
cidr: 4000::0/64
---
kind: BGPPeer
apiVersion: projectcalico.org/v3
metadata:
name: peer-with-filter
spec:
peerSelector: has(filter-bgp)
filters:
- first-bgp-filter
- second-bgp-filter

Additional resources