This section describes how to configure custom Windows clusters that are using Host Gateway (L2bridge) mode.

Disabling Private IP Address Checks

If you are using Host Gateway (L2bridge) mode and hosting your nodes on any of the cloud services listed below, you must disable the private IP address checks for both your Linux or Windows hosts on startup. To disable this check for each node, follow the directions provided by each service below.

Service Directions to disable private IP address checks
Amazon EC2 Disabling Source/Destination Checks
Google GCE Enabling IP Forwarding for Instances (By default, a VM cannot forward a packet originated by another VM)
Azure VM Enable or Disable IP Forwarding

Cloud-hosted VM Routes Configuration

If you are using the Host Gateway (L2bridge) backend of Flannel, all containers on the same node belong to a private subnet, and traffic routes from a subnet on one node to a subnet on another node through the host network.

  • When worker nodes are provisioned on AWS, virtualization clusters, or bare metal servers, make sure they belong to the same layer 2 subnet. If the nodes don’t belong to the same layer 2 subnet, host-gw networking will not work.

  • When worker nodes are provisioned on GCE or Azure, they are not on the same layer 2 subnet. Nodes on GCE and Azure belong to a routable layer 3 network. Follow the instructions below to configure GCE and Azure so that the cloud network knows how to route the host subnets on each node.

To configure host subnet routing on GCE or Azure, first run the following command to find out the host subnets on each worker node:

kubectl get nodes -o custom-columns=nodeName:.metadata.name,nodeIP:status.addresses[0].address,routeDestination:.spec.podCIDR

Then follow the instructions for each cloud provider to configure routing rules for each node:

Service Instructions
Google GCE For GCE, add a static route for each node: Adding a Static Route.
Azure VM For Azure, create a routing table: Custom Routes: User-defined.