Configure BGP peering
Big picture
Configure BGP (Border Gateway Protocol) peering between Calico nodes, or with your network infrastructure, to distribute routing information.
Value
Calico Cloud nodes can exchange routing information over BGP to enable reachability for Calico Cloud networked workloads (Kubernetes pods or OpenStack VMs). In an on-premises deployment this allows you to make your workloads first-class citizens across the rest of your network. In public cloud deployments, it provides an efficient way of distributing routing information within your cluster, and is often used in conjunction with IPIP overlay or cross-subnet modes.
Concepts
BGP
BGP is a standard protocol for exchanging routing information between routers in a network. Each router running BGP has one or more BGP peers - other routers with which it communicates over BGP. You can think of Calico Cloud networking as providing a virtual router on each of your nodes. You can configure Calico Cloud nodes to peer with each other, with route reflectors, or with top-of-rack (ToR) routers.
Common BGP topologies
There are many ways to configure a BGP network depending on your environment. Here are some common ways it is done with Calico Cloud.
Full-mesh
When BGP is enabled, Calico Cloud’s default behavior is to create a full-mesh of internal BGP (iBGP) connections in which every node peers with every other node. This allows Calico Cloud to operate over any L2 network, whether public cloud or private cloud, or, if IPIP is configured, to operate as an overlay over any network that does not block IPIP traffic. Calico Cloud does not use BGP for VXLAN overlays.
Most public clouds support IPIP. The notable exception is Azure, which blocks IPIP traffic. So if you want to run Calico as an overlay network in Azure, you must configure Calico Cloud to use VXLAN.
Full-mesh works well for small and medium-size deployments of, say, 100 nodes or fewer, but at significantly larger scales it becomes less efficient, and we recommend using route reflectors.
Route reflectors
To build large clusters of internal BGP (iBGP), BGP route reflectors can be used to reduce the number of BGP peerings used on each node. In this model, some nodes act as route reflectors and are configured to establish a full mesh amongst themselves. Other nodes are then configured to peer with a subset of those route reflectors (typically 2 for redundancy), reducing the total number of BGP peering connections compared to full-mesh.
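As a rough illustration of the saving, the session counts can be compared directly. The symbols N (total nodes), R (route reflectors), and k (reflectors each remaining node peers with) are introduced here for the arithmetic only; they are not Calico Cloud settings.

```latex
\begin{align*}
S_{\text{mesh}} &= \frac{N(N-1)}{2} \\
S_{\text{rr}}   &= \frac{R(R-1)}{2} + k\,(N-R) \\
N = 100,\ R = 3,\ k = 2:\quad
S_{\text{mesh}} &= \frac{100 \cdot 99}{2} = 4950, \qquad
S_{\text{rr}} = 3 + 2 \cdot 97 = 197
\end{align*}
```

In this example each non-reflector node maintains k = 2 sessions instead of N - 1 = 99.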
Top of Rack (ToR)
In on-premises deployments, you can configure Calico Cloud to peer directly with your physical network infrastructure. Typically, this involves disabling Calico Cloud’s default full-mesh behavior, and instead peering Calico Cloud with your L3 ToR routers. There are many ways to build an on-premises BGP network. How you configure your BGP is up to you - Calico Cloud works well with both iBGP and eBGP configurations, and you can effectively treat Calico Cloud like any other router in your network design.
Depending on your topology, you may also consider using BGP route reflectors within each rack. However, this is typically needed only if the number of nodes in each L2 domain is large (> 100).
For a deeper look at common on-premises deployment models, see Calico over IP Fabrics.
Before you begin...
Required
- Calico CNI
How to
Significantly changing Calico Cloud's BGP topology, such as changing from full-mesh to peering with ToRs, may result in temporary loss of pod network connectivity during the reconfiguration process. It is recommended to only make such changes during a maintenance window.
- Configure a global BGP peer
- Configure a per-node BGP peer
- Configure a node to act as a route reflector
- Disable the default BGP node-to-node mesh
- Change from node-to-node mesh to route reflectors without any traffic disruption
- View BGP peering status for a node
- View BGP info on all peers for a node
- Change the default global AS number
- Change AS number for a particular node
- Configure a BGP filter
- Configure a BGP peer with a BGP filter
Configure a global BGP peer
Global BGP peers apply to all nodes in your cluster. This is useful if your network topology includes BGP speakers that will be peered with every Calico Cloud node in your deployment.
The following example creates a global BGP peer that configures every Calico Cloud node to peer with 192.20.30.40 in AS 64567.
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: my-global-peer
spec:
  peerIP: 192.20.30.40
  asNumber: 64567
Configure a per-node BGP peer
Per-node BGP peers apply to one or more nodes in the cluster. You can choose which nodes by specifying the node’s name exactly, or using a label selector.
The following example creates a BGPPeer that configures every Calico Cloud node with the label rack: rack-1 to peer with 192.20.30.40 in AS 64567.
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: rack1-tor
spec:
  peerIP: 192.20.30.40
  asNumber: 64567
  nodeSelector: rack == 'rack-1'
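The example above selects nodes by label. To target a single node by its exact name instead, the BGPPeer spec takes a node field in place of nodeSelector. A minimal sketch, assuming a node named rack1-host1 (both that name and the resource name are hypothetical):

```yaml
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: rack1-host1-tor   # hypothetical resource name
spec:
  node: rack1-host1       # hypothetical; must match the Calico node name exactly
  peerIP: 192.20.30.40
  asNumber: 64567
```

A label selector is usually easier to maintain when several nodes share the same peer; the node field suits one-off peerings.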
Configure a node to act as a route reflector
Calico Cloud nodes can be configured to act as route reflectors. To do this, each node that you want to act as a route reflector must have a cluster ID - typically an unused IPv4 address.
To configure a node to be a route reflector with cluster ID 244.0.0.1, run the following command.
kubectl annotate node my-node projectcalico.org/RouteReflectorClusterID=244.0.0.1
Typically, you will want to label this node to indicate that it is a route reflector, allowing it to be easily selected by a BGPPeer resource. You can do this with kubectl. For example:
kubectl label node my-node route-reflector=true
Now it is easy to configure route reflector nodes to peer with each other and other non-route-reflector nodes using label selectors. For example:
kind: BGPPeer
apiVersion: projectcalico.org/v3
metadata:
  name: peer-with-route-reflectors
spec:
  nodeSelector: all()
  peerSelector: route-reflector == 'true'
Adding routeReflectorClusterID to a node spec will remove it from the node-to-node mesh immediately, tearing down the existing BGP sessions. Adding the BGP peering will bring up new BGP sessions. This will cause a short (about 2 seconds) disruption to dataplane traffic of workloads running on the nodes where this happens. To avoid this, make sure no workloads are running on the nodes, by provisioning new nodes or by running kubectl drain on the node (which may itself cause a disruption as workloads are drained).
Disable the default BGP node-to-node mesh
The default node-to-node BGP mesh may be turned off to enable other BGP topologies. To do this, modify the default BGP configuration resource.
Run the following command to disable the BGP full-mesh:
calicoctl patch bgpconfiguration default -p '{"spec": {"nodeToNodeMeshEnabled": false}}'
If the default BGP configuration resource does not exist, you need to create it first. See BGP configuration for more information.
Disabling the node-to-node mesh will break pod networking until/unless you configure replacement BGP peerings using BGPPeer resources. You may configure the BGPPeer resources before disabling the node-to-node mesh to avoid pod networking breakage.
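If the default resource is missing, a minimal sketch of creating it with the mesh already disabled could look like the following. The asNumber and logSeverityScreen values are assumptions chosen to match the usual defaults; adjust them for your environment, and have your replacement BGPPeer resources in place first.

```yaml
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default                  # the cluster-wide resource is named "default"
spec:
  logSeverityScreen: Info        # assumed logging level
  nodeToNodeMeshEnabled: false   # turns off the full mesh
  asNumber: 64512                # assumed: the default global AS number
```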
Change from node-to-node mesh to route reflectors without any traffic disruption
Switching from node-to-node BGP mesh to BGP route reflectors involves tearing down BGP sessions and bringing up new ones. This causes a short dataplane network disruption (of about 2 seconds) for workloads running on the nodes in the cluster. To avoid this, you may provision route reflector nodes and bring their BGP sessions up before tearing down the node-to-node mesh sessions.
Follow these steps to do so:
- Provision new nodes to be route reflectors. The nodes should not be schedulable and they should have routeReflectorClusterID in their spec. These won't be part of the existing node-to-node BGP mesh, and will be the route reflectors when the mesh is disabled. These nodes should also have a label like route-reflector to select them for the BGP peerings. Alternatively, you can drain workloads from existing nodes in your cluster by running kubectl drain <NODE> to configure them to be route reflectors, but this will cause a disruption on the workloads on those nodes as they are drained.
- Also set up a BGPPeer spec to configure route reflector nodes to peer with each other and other non-route-reflector nodes using label selectors.
- Wait for these peerings to be established. This can be verified by running sudo calicoctl node status on the nodes. Alternatively, you can create a CalicoNodeStatus resource to get BGP session status for the node.
- Disable the BGP node-to-node mesh for the cluster, as described in Disable the default BGP node-to-node mesh.
- If you did drain workloads from the nodes or created them as unschedulable, mark the nodes as schedulable again (e.g. by running kubectl uncordon <NODE>).
View BGP peering status for a node
Create a CalicoNodeStatus resource to monitor BGP session status for the node.
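A minimal sketch of such a resource, assuming a node named my-node and a 10-second refresh interval (the resource name is hypothetical):

```yaml
apiVersion: projectcalico.org/v3
kind: CalicoNodeStatus
metadata:
  name: my-node-status      # hypothetical resource name
spec:
  node: my-node             # the node to report on
  classes:                  # which kinds of status to collect
    - Agent
    - BGP
    - Routes
  updatePeriodSeconds: 10   # assumed refresh interval
```

Once applied, the reported status can be read back with kubectl get caliconodestatus my-node-status -o yaml.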
Alternatively, you can run the calicoctl node status command on a given node to learn more about its BGP status.
This command communicates with the local Calico Cloud agent, so you must execute it on the node whose status you are attempting to view.
View BGP info on all peers for a node
You can use calicoctl to view the BGP information for all peers of a particular node, including connection status, routing statistics, and BGP state. This is useful for confirming that your configuration is behaving as desired, and for more detailed troubleshooting.
Run the following command from anywhere you have access to kubectl:
calicoctl bgp peers <NODE_NAME>
Where <NODE_NAME> is the resource name for one of the Calico node pods within your cluster.
We recommend running calicoctl as a kubectl plugin. If you install the binary as a kubectl plugin, you can then run the command as follows:
kubectl calico bgp peers <NODE_NAME>
Change the default global AS number
By default, all Calico nodes use the 64512 autonomous system, unless a per-node AS has been specified for the node. You can change the global default for all nodes by modifying the default BGPConfiguration resource. The following example command sets the global default AS number to 64513.
kubectl patch bgpconfiguration default -p '{"spec": {"asNumber": "64513"}}'
If the default BGP configuration resource does not exist, you need to create it first. See BGP configuration for more information.
Change AS number for a particular node
You can configure an AS for a particular node by modifying the node object using calicoctl. For example, the following command changes the node named node-1 to belong to AS 64514.
calicoctl patch node node-1 -p '{"spec": {"bgp": {"asNumber": "64514"}}}'
Configure a BGP filter
BGP filters control which routes are imported and exported between BGP peers.
The BGP filter rules (importVX, exportVX) are applied sequentially, taking the action of the first matching rule. When no rules are matched, the default action is Accept.
In order for a BGPFilter to be used in a BGP peering, its name must be added to filters of the corresponding BGPPeer resource.
The following example creates a BGPFilter:
kind: BGPFilter
apiVersion: projectcalico.org/v3
metadata:
  name: my-first-bgp-filter
spec:
  exportV4:
    - action: Accept
      matchOperator: In
      cidr: 77.0.0.0/16
    - action: Reject
      matchOperator: NotIn
      cidr: 88.0.0.0/16
  importV4:
    - action: Reject
      matchOperator: NotIn
      cidr: 44.0.0.0/16
  exportV6:
    - action: Reject
      matchOperator: NotEqual
      cidr: 9000::0/64
  importV6:
    - action: Accept
      matchOperator: Equal
      cidr: 5000::0/64
    - action: Reject
      matchOperator: NotIn
      cidr: 5000::0/64
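To make the first-match behavior concrete, here is a smaller sketch. The filter name and the 10.0.0.0/8 range are illustrative assumptions, and the comments trace how two hypothetical routes would be evaluated against importV4.

```yaml
kind: BGPFilter
apiVersion: projectcalico.org/v3
metadata:
  name: import-only-private-range   # hypothetical name
spec:
  importV4:
    # Rule 1: a route such as 10.1.2.0/24 lies inside 10.0.0.0/8,
    # so it matches here and is accepted; rule 2 is never evaluated.
    - action: Accept
      matchOperator: In
      cidr: 10.0.0.0/8
    # Rule 2: a route such as 192.168.5.0/24 did not match rule 1;
    # it lies outside 10.0.0.0/8, so NotIn matches and it is rejected.
    - action: Reject
      matchOperator: NotIn
      cidr: 10.0.0.0/8
```

Because the default action is Accept, rule 1 is not strictly required here; it is kept to make the intent explicit and to show that evaluation stops at the first match.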
Configure a BGP peer with a BGP filter
BGP peers can use BGP filters to control which routes are imported or exported between them.
The following example creates two BGPFilters and associates them with a BGPPeer. BGPFilters are applied in the order listed on the BGPPeer.
kind: BGPFilter
apiVersion: projectcalico.org/v3
metadata:
  name: first-bgp-filter
spec:
  exportV4:
    - action: Accept
      matchOperator: In
      cidr: 77.0.0.0/16
    - action: Reject
      matchOperator: NotIn
      cidr: 88.0.0.0/16
  importV4:
    - action: Reject
      matchOperator: NotIn
      cidr: 44.0.0.0/16
  exportV6:
    - action: Reject
      matchOperator: NotEqual
      cidr: 9000::0/64
  importV6:
    - action: Accept
      matchOperator: Equal
      cidr: 5000::0/64
    - action: Reject
      matchOperator: NotIn
      cidr: 5000::0/64
---
kind: BGPFilter
apiVersion: projectcalico.org/v3
metadata:
  name: second-bgp-filter
spec:
  exportV4:
    - action: Reject
      matchOperator: In
      cidr: 99.0.0.0/16
    - action: Reject
      matchOperator: In
      cidr: .0.0.0/16
  importV4:
    - action: Accept
      matchOperator: NotIn
      cidr: 55.0.0.0/16
    - action: Reject
      matchOperator: In
      cidr: 66.0.0.0/16
  exportV6:
    - action: Accept
      matchOperator: Equal
      cidr: 7000::0/64
    - action: Accept
      matchOperator: Equal
      cidr: 8000::0/64
    - action: Reject
      matchOperator: NotIn
      cidr: 7000::0/64
  importV6:
    - action: Reject
      matchOperator: NotEqual
      cidr: 4000::0/64
---
kind: BGPPeer
apiVersion: projectcalico.org/v3
metadata:
  name: peer-with-filter
spec:
  peerSelector: has(filter-bgp)
  filters:
    - first-bgp-filter
    - second-bgp-filter
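Filters are not limited to peerings chosen with peerSelector. As a sketch, assuming the first-bgp-filter resource above exists, the same filters field can be set on a peer identified by IP address, such as the ToR peer used earlier on this page (the resource name here is hypothetical):

```yaml
kind: BGPPeer
apiVersion: projectcalico.org/v3
metadata:
  name: rack1-tor-filtered   # hypothetical resource name
spec:
  peerIP: 192.20.30.40
  asNumber: 64567
  nodeSelector: rack == 'rack-1'
  filters:
    - first-bgp-filter       # must name an existing BGPFilter
```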