How EKS Networking Works

Amazon EKS networking is powerful — but also one of the most misunderstood parts of running Kubernetes on AWS.

Many production outages happen because teams:

  • Underestimate subnet requirements
  • Don’t understand ENI limits
  • Ignore prefix delegation behavior
  • Misjudge pod density scaling
  • Hit scaling ceilings unexpectedly

This guide explains exactly how EKS networking works in 2026, so you can design clusters correctly.

1️⃣ The Core Difference: EKS Uses Real VPC IPs

In default Amazon EKS deployments:

✔ Nodes get IPs from your VPC subnets
✔ Pods also get IPs from your VPC subnets

This happens through the AWS VPC CNI plugin.

Unlike overlay-based networking models:

  • Pods are first-class citizens in your VPC
  • They receive real, routable IP addresses
  • No encapsulation overlay is required

This gives excellent performance and native AWS routing.

But it also means:

Kubernetes scalability is directly tied to your VPC subnet and ENI limits.

2️⃣ What Is the AWS VPC CNI?

The AWS VPC CNI (Container Network Interface) is the networking plugin used by default in EKS.

Its responsibilities:

  • Allocate IP addresses to pods
  • Attach ENIs (Elastic Network Interfaces) to worker nodes
  • Assign secondary IPs or prefixes
  • Manage warm IP pools

When a pod is scheduled:

  1. The worker node requests an available IP.
  2. The IP comes from the node’s attached ENIs.
  3. That IP belongs directly to the VPC subnet.

There is no NAT layer between pods and VPC.

3️⃣ What Is an ENI?

An Elastic Network Interface (ENI) is a virtual network card attached to an EC2 instance.

Each EC2 instance has limits:

  • Maximum number of ENIs
  • Maximum number of IP addresses (or prefixes) per ENI

These limits directly influence maximum pod density.

4️⃣ Classic Scaling Formula (Secondary IP Mode)

In traditional secondary-IP mode:

(max ENIs per instance × IPs per ENI) - 1

Why minus 1?

One IP is used by the node itself.

Example:

If an instance supports:

  • 3 ENIs
  • 10 IPs per ENI

Then:

3 × 10 = 30
Minus 1 for node
→ 29 pods maximum

Even if your subnet is large, the instance cannot exceed this ceiling.

5️⃣ Prefix Delegation (Modern Scaling Model)

Since 2023–2026, prefix delegation mode is widely supported and recommended for higher density clusters.

Instead of assigning individual IPs:

  • ENIs receive /28 prefixes
  • Each prefix contains 16 IP addresses
  • Multiple prefixes can attach to a single ENI

This significantly increases effective pod capacity per node.

Key impact:

  • Pod density is no longer limited strictly by secondary IP count
  • Each ENI can support multiple prefix blocks
  • Scaling improves dramatically for larger instance types

However:

  • Subnet capacity is still consumed
  • ENI limits still exist
  • Subnet sizing remains critical

Prefix delegation improves efficiency — it does not remove IP planning requirements.

6️⃣ Enhanced Subnet Discovery (Newer Behavior)

Modern AWS VPC CNI supports automatic subnet discovery.

If properly tagged:

  • The CNI can allocate pod IPs from multiple subnets in a VPC
  • Not only from the node’s original subnet

This reduces scaling friction across Availability Zones and CIDR blocks.

However:

  • All subnets must still have available IP space
  • Poor CIDR planning can still cause exhaustion

7️⃣ Why EKS Subnets Run Out of IPs

This remains the most common production issue.

Because:

  • Every node consumes 1 IP
  • Every pod consumes 1 IP (or part of a prefix allocation)
  • AWS reserves 5 IPs per subnet

If you run:

  • 20 nodes
  • 50 pods per node

You need:

20 + (20 × 50) = 1,020 IPs
Plus growth buffer
Plus 5 AWS reserved

A /24 subnet has only 251 usable IPs.

It will fail immediately.

Prefix mode does not eliminate this math — it only changes allocation efficiency.

8️⃣ IPv6 Considerations

EKS supports IPv6 clusters.

In IPv6 mode:

  • Nodes receive IPv6 addresses
  • Pods receive IPv6 prefixes
  • Address space is effectively enormous

This removes many IPv4 exhaustion constraints.

However:

  • IPv6 clusters require IPv6-enabled VPCs
  • IPv4 service access may still exist
  • Operational complexity increases

Most clusters in 2026 still operate primarily on IPv4.

9️⃣ EKS vs Other Kubernetes Providers

ProviderPod IP ModelSubnet Pressure
EKSPods use VPC IPsHigh
AKSOverlay or VNet IPsDepends on mode
GKEAlias IP rangesMore predictable

EKS offers clean AWS-native routing, but requires careful IP planning.

🔟 Best Practices for Production EKS Clusters (2026)

  1. Start worker subnets at /21 or larger.
  2. Understand instance ENI and prefix limits before selecting node types.
  3. Use prefix delegation for higher pod density.
  4. Add at least 25–30% IP buffer.
  5. Monitor IP consumption in CloudWatch.
  6. Avoid deploying production EKS into /24 worker subnets.
  7. Plan for multi-subnet scaling across AZs.

Use the EKS Subnet Calculator

To safely plan your cluster:

EKS Subnet Calculator

It calculates:

  • Required IP addresses
  • Subnet prefix recommendations
  • AWS reserved IP adjustments
  • Growth buffer impact

Final Thoughts

EKS networking is simple in concept:

Pods receive real VPC IPs.

But scaling depends on:

  • ENI limits
  • Prefix delegation mode
  • Subnet CIDR sizing
  • Growth planning
  • Multi-subnet allocation

If you understand ENIs and prefix delegation, you understand EKS scaling.

And that understanding prevents the most common Kubernetes networking outage in AWS environments.

Want to understand how this compares to other Kubernetes providers?

Kubernetes Networking Comparison Guide