This page explains how VPC network virtualization connects instances within a VPC and between instances and the internet. It ties together VNI pools, IP pools, BGP configuration, routing profiles, and DPU behavior into a single end-to-end picture.
Refer to this page when diagnosing connectivity failures, planning a new site deployment, or explaining the system to a network team.
Related pages
The following diagram shows how the principal components relate. Each DPU maintains a separate VRF for every VPC hosted on its managed host. Routes flow between VRFs and the fabric via BGP EVPN.
Pool definitions (ranges, prefix sizes) are configured in the API server pools section; see
VNI Resource Pools and
IP Resource Pools.
datacenter_asn and asn are separatedatacenter_asn is the ASN component embedded in route-targets (<datacenter_asn>:<vni>). It
identifies the datacenter to the network fabric and must match the route-target values programmed
on network devices.
asn is a site-wide fallback ASN inherited from the earlier
Ethernet Virtualizer model. Each DPU is now allocated a unique ASN from the fnn-asn pool for
VRF and BGP session use. The asn field is still present and used for DPU-to-host DHCP behavior.
Do not conflate the two.
Both values must agree with the network team’s deployment. A mismatch causes route-targets that NICo programs to differ from those the network devices import, resulting in a black hole.
The DPU agent polls NICo for its network configuration every 30 seconds. The response is assembled from the configured pools, routing profiles, and site settings, and contains everything the DPU needs to configure its VRFs, BGP sessions, and VTEPs.
The handler proceeds as follows:
NotFound
error is returned and the DPU places itself into isolated mode.use_admin_network. The DPU is placed on the admin network when no instance is
allocated, when the instance has no interfaces configured for this DPU, or when the host is in
specific transient lifecycle states.fnn.routing_profiles. If the profile name is not defined there, the DPU
configuration call fails.vpc-dpu-lo pool.fnn-asn pool)lo-ip pooldeny_prefixes and site_fabric_prefixes ACL datadatacenter_asnrouting_profile (imports, exports, leak flags)additional_route_target_importsThe DPU applies the received configuration to HBN via NVUE and reports back to NICo. NICo marks the instance as ready only after the DPU confirms the configuration has been applied. See DPU Configuration for the full lifecycle.
NICo guarantees that a managed host never carries tenant traffic unless an explicit tenant configuration places it into a VPC. A “default VPC” in the cloud-provider sense — a system-created VPC that every tenant inherits — does not exist. Tenants get the VPCs an operator (or the tenant API) creates for them; absent any such VPC, an instance has no place to send tenant traffic.
The guarantee is upheld by an admin overlay that is separate from every tenant VPC, and by a fail-closed default when no configuration is available at all.
During site initialisation NICo creates an admin VPC together with a set of admin network segments. These are not tenant-visible and exist only to give the DPU somewhere safe to attach a host before, between, and after tenant allocations. The admin VPC follows the same VPC / VRF mechanics as any tenant VPC — it has its own VRF on each DPU, its own VNI, and its own routing profile — but it is reserved for NICo’s own use.
use_admin_networkWhen the API server assembles ManagedHostNetworkConfig for a DPU, it sets
use_admin_network = true whenever any of the following hold:
With use_admin_network = true the DPU agent places every host interface into the admin VRF
instead of any tenant VPC’s VRF. From the wire’s perspective, the host is on the admin overlay
and cannot exchange traffic with any tenant instance.
A DPU that cannot retrieve its configuration at all — for example, because the host is unknown to
NICo and GetManagedHostNetworkConfig returns NOT_FOUND — places itself into isolated
mode: every host interface is detached from any overlay until NICo issues an explicit
configuration. This is the fail-closed default. Nothing in the data path silently falls back to a
tenant network.
The instance state machine blocks the termination flow until the DPU confirms that all tenant interfaces have been moved off tenant VPCs and onto the admin overlay (or that the machine has been tagged with a health alert preventing reuse). This is what guarantees that a tenant whose instance has been released cannot remain on the wire as a “ghost instance” pending disk wipe.
For the per-fabric isolation story across Ethernet, InfiniBand, and NVLink, see Network Isolation.
Instances in the same VPC communicate via the VPC VRF on each DPU. No operator configuration beyond VNI pool provisioning and routing profile assignment is required to enable this.
The flow:
<datacenter_asn>:<vpc_vni>.vpc-dpu-lo pool) as the EVPN next-hop.fnn.additional_route_target_imports injects extra route-targets into every VPC VRF across the
entire site, regardless of the VPC’s routing
profile. This is appropriate for routes that all VPCs must be able to reach unconditionally,
such as control-plane service VIPs. The standard import for site-controller VIPs uses route-target
:50100 (see Networking Requirements).
A default route must be present in the VPC VRF for instances to reach destinations outside the overlay. There are three mechanisms by which this can happen. The correct choice depends on the site’s network deployment model and must be agreed between the NICo operator and the network team.
The routing profile specifies route_target_imports. The network advertises a default route
tagged with one of those route-targets. The DPU imports it into the VPC VRF.
Configure this in fnn.routing_profiles.<name>.route_target_imports:
This is the most explicit mechanism and is preferred when the network team operates a dedicated gateway VRF that exports a default route with a known route-target.
The network advertises a default route tagged with <datacenter_asn>:<vpc_vni>. Because the VPC
automatically imports its own native route-target, the default route lands in the VRF without any
route_target_imports entry in the profile.
This mechanism relies on datacenter_asn and the VPC VNI matching what the network device
programs. It is operationally simpler for the NICo side but requires the network team to track
per-VPC VNIs.
leak_default_route_from_underlayleak_default_route_from_underlay instructs the DPU to leak the default route from the underlay
(default VRF) directly into the tenant VRF, bypassing BGP route-target mechanics entirely.
When to use this:
When not to use this:
The following fields in the routing profile configuration provide fine-grained control over what crosses the boundary between the tenant VRF and the underlay.
leak_tenant_host_routes_to_underlayWhen true, the DPU leaks per-host routes from the tenant VRF into the underlay (default VRF).
This is required when the network must route return traffic directly to instances rather than
relying on an aggregate. Enable this when the network team cannot install a covering aggregate
for instance IPs.
tenant_leak_communities_acceptedWhen true, the DPU honors BGP community tags set by the host OS on routes it advertises to the
DPU. Routes carrying the accepted communities are leaked from the tenant VRF into the underlay.
This allows a sophisticated tenant application to selectively announce specific prefixes to the
fabric (for example, when running a gateway workload or BYOIP scenarios).
accepted_leaks_from_underlayAn explicit prefix list that controls which prefixes may be leaked from the underlay (default VRF)
into the tenant VRF. This is more granular than leak_default_route_from_underlay: the operator
lists specific prefixes (for example, management subnets or service VIPs) that the tenant VRF
needs, without opening the full underlay default route.
When the DPU advertises routes from a VPC into the fabric, it tags them with:
<datacenter_asn>:<vpc_vni>route_targets_on_exports for the VPC’s routing profileThe network device VRFs must import the route-targets present on VPC routes to see those routes and return traffic to instances. If they do not, the overlay routing table appears correct from the VPC side but external hosts cannot reach instances — the same symptom as no internet access.
This is the most common cause of one-way connectivity: the instance can send packets out, but responses are dropped because the network cannot route back.
Diagnostic question to ask the network team: Is the network VRF configured to import the
route-targets listed in route_targets_on_exports for this VPC’s routing profile?
See VPC Routing Profiles — Troubleshooting: No Internet Access for the full troubleshooting procedure.
When a VPC is created, the VNI pool is selected automatically based on the routing profile’s
internal flag:
internal = true → allocates from the vpc-vni poolinternal = false → allocates from the external-vpc-vni poolThe separation of pools allows operators to reserve distinct VNI ranges for internal and external VPCs, which can simplify route-target policy on network devices (for example, applying a blanket import for all external-VPC route-targets from a known VNI range).
See VNI Resource Pools for pool sizing and configuration.
Use this checklist when configuring VPC network virtualization for a new site. Complete each step in order and confirm with the network team before proceeding to the next.
datacenter_asn — the ASN used in route-target construction.vpc-vni pool) and external VPCs
(external-vpc-vni pool).lo-ip pool for DPU loopback IPs. One IP per DPU.vpc-dpu-lo pool for per-VPC DPU loopback IPs. One IP per DPU per VPC.fnn-asn pool for per-DPU BGP ASNs. One ASN per DPU.See IP Resource Pools for sizing guidance.
vpc-vni pool for internal VPCs.external-vpc-vni pool for external VPCs (if the site serves external tenants).See VNI Resource Pools for pool sizing guidance.
In the API server configuration file:
Replace placeholder values with site-specific values agreed with the network team. The route-target
numbers :50100, :50200, and :50500 are conventional; see
Networking Requirements for the full standard route-target table.
Have the network team confirm:
route_targets_on_exports).route_target_imports for each VPC profile that needs internet
access, or<datacenter_asn>:<vpc_vni> for each external VPC (native route-target injection), orleak_default_route_from_underlay).:50100 or equivalent).lo-ip pool are reachable from all other DPUs (full mesh or
aggregate).After site bring-up:
EXTERNAL routing profile.curl to an external address).For routing-profile-specific troubleshooting, see VPC Routing Profiles, which covers:
RoutingProfile not found errors during VPC creationCommon configuration mismatches to check first: