Manage networks
A network is a VPC that LakeSail provisions inside one of your cloud accounts. It is the stable boundary that clusters run inside: clusters in the same network can talk to each other and to anything you peer the VPC with. This page covers creating a network, what's fixed once it exists, and tearing one down.
For a first-time walkthrough (cloud account → network → cluster), start with the Quickstart. This page is the standalone reference.
Prerequisites
- A connected cloud account in active status. See Security & IAM for the trust model, or the Quickstart for the connection steps.
Why networks are their own layer
A network sits between the cloud account and the cluster on purpose. Putting the VPC in its own layer (rather than tying it directly to a cluster) means you can:
- Run multiple clusters in one network (for example dev and prod, or different sizes for different teams) without re-creating networking.
- Delete a cluster without tearing down the VPC, so the next cluster comes up faster.
- Keep a network as a stable peering target for your own VPCs.
One cloud account can host many networks. A network belongs to exactly one cloud account and one region.
Create a network
- Open Settings → Cloud Networks and click Create network.
- Fill in:
  - Name — e.g. production-network.
  - Cloud Account — the account the VPC is provisioned in.
  - Region — where the VPC lives. Fixed for the life of the network; clusters inherit it.
  - IPv4 CIDR Range — e.g. 10.0.0.0/16. Must not overlap the LakeSail platform VPC CIDR or any VPC you intend to peer with.
- Click Create Network.
The network moves through pending → provisioning → active as LakeSail deploys the VPC, subnets across availability zones, and security groups. Provisioning typically takes a few minutes.
Pick a CIDR that won't collide
10.0.0.0/16, 10.100.0.0/16, or 172.20.0.0/16 are usually safe. Avoid 172.16.0.0/16 and 192.168.0.0/16 if you expect to peer with office networks that already use them. If provisioning rejects the CIDR, see Troubleshooting: CIDR overlap.
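A pre-flight check for the overlap rule above, as an added example that is not LakeSail code: it tests a candidate range against every range it must stay clear of and picks the first candidate that is free. The inventory values, including the platform VPC CIDR, are constructed placeholders; substitute your own.

```python
import ipaddress


def parse_cidr(text):
    """Parse an IPv4 CIDR strictly: host bits set (e.g. 10.0.1.0/16) raise ValueError."""
    return ipaddress.IPv4Network(text, strict=True)


def find_overlaps(candidate, reserved):
    """Return the labels of reserved ranges that share any address with candidate.

    Catches partial overlap and containment in either direction, not just
    identical ranges.
    """
    net = parse_cidr(candidate)
    return [label for label, cidr in reserved.items()
            if net.overlaps(parse_cidr(cidr))]


def first_free(candidates, reserved):
    """Return the first candidate with no overlap, or None if all collide."""
    for cidr in candidates:
        if not find_overlaps(cidr, reserved):
            return cidr
    return None


# Constructed inventory (assumption): ranges the new network must not overlap.
RESERVED = {
    "lakesail-platform-vpc": "10.200.0.0/16",  # placeholder, not the real value
    "office-network": "192.168.0.0/16",
    "existing-peered-vpc": "10.0.0.0/14",      # covers 10.0.0.0 - 10.3.255.255
}

if __name__ == "__main__":
    for cidr in ("10.0.0.0/16", "10.100.0.0/16", "172.20.0.0/16"):
        hits = find_overlaps(cidr, RESERVED)
        print(f"{cidr}: {'overlaps ' + ', '.join(hits) if hits else 'free'}")
```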
What you can and can't change
A network is deliberately stable. Most of what defines it is fixed once it's provisioned:
- The region is set at creation and can't change.
- The CIDR range is set at creation and can't change.
- The cloud account a network belongs to can't change.
If you need a different region or CIDR, create a new network and move clusters over.
Lifecycle reference
| Status | Meaning |
|---|---|
| pending | Creation accepted, queued |
| provisioning | The VPC, subnets, and security groups are being created |
| active | Ready; clusters can be created inside it |
| destroying | Teardown in progress |
| destroyed | All resources released; record retained for audit |
Destroy a network
A network can only be destroyed once it has no clusters. Destroy or move the clusters inside it first, then:
- Open the network's detail page.
- Click Destroy.
- Confirm. The network moves destroying → destroyed, releasing the VPC and its subnets.
Don't edit the VPC directly in AWS
The VPC, its subnets, route tables, and security groups are managed by LakeSail. Changing them directly in the AWS console can break cluster connectivity and surface as run failures. See Troubleshooting: "failed to create kubernetes client".
Troubleshooting
- "Failed to load regions." The cloud account's assume-role call failed — usually the trust policy changed or the role was deleted. See Troubleshooting.
- CIDR overlap on create. Pick a non-overlapping range. See Troubleshooting.
- Provisioning fails with a quota error. Your AWS account is out of VPCs (five per region by default) or related resources. See Limits & quotas.
API reference
- Networks: create, describe, and destroy networks, and list available regions.
- Cloud accounts: the required prerequisite.
- Clusters: what runs inside a network.