Layer 2 VPC (L2VPC)
Learn about CoreWeave's Layer 2 VPC (L2VPC).
CoreWeave's Layer 2 VPC (L2VPC) is vastly different from the CoreWeave Cloud Native Networking (CCNN) fabric. Most notably, many of the extended networking features built in to CCNN - such as network policies and Kubernetes loadbalancing - are not present in an L2VPC, in order to provide more control to the user.
The L2VPC is enabled on a workload by workload basis. A workload (a Pod or Virtual Server) can have multiple interfaces - it can maintain a CCNN interface as well as one or multiple VPC interfaces, or it can attach to L2VPC exclusively.
Multiple VPCs can also be allocated to simulate the multiple VLANs (network segments) found in a traditional on-premise network.
Layer 2 VPC is not available for these GPU types:
- NVIDIA A40
- NVIDIA RTX A5000
- NVIDIA RTX A6000
Use cases
CoreWeave Cloud Native Networking (CCNN) is designed to be the preferred choice for most use-cases. L2VPC should only be considered if one or multiple of the following criteria is fulfilled:
- A Site to Site connection is needed to an on-premise environment, and that on-premise environment is a private network with custom private IP addressing.
- There are specific firewall or routing requirements that can not be achieved any other way, such as via a Web-filtering proxy or Network Policies.
- There are specific high-performance storage or communication requirements inside the Virtual Servers where a high MTU hardware NIC will provide concrete benefits.
L2VPC Features
🌐 Locations
CoreWeave currently offers L2VPC at our LGA1 data center. A single workload can attach up to ten (10) L2VPCs at the same time, in addition to the regular CCNN network.
📍 IP Addressing
In L2VPC, IP addressing happens either by using traditional Static IPs, or by using DHCP.
CoreWeave provides an out-of-the-box DHCP server managed via CoreWeave Apps (dhcp-server) that allows for dynamic and static IP allocation via Workflow labels. Alternatively, IP addressing can be controlled without any CoreWeave tools and provided by a customer managed virtual firewall.
Review our documentation on DHCP in VPCs for more information.
🗺 Routing
Each L2VPC is a flat, non-blocking Layer 2 network. There is no built-in routing capability. If the user desires to have routing between Layer 2 VPCs, or routing between Layer 2 VPCs and the Internet or CCNN, a virtual router (firewall) will need to be deployed by the user.
A virtual router (firewall) will act as a choke point by adding an extra hop to the networking path. When possible, it is recommended to keep a CCNN interface on the workload to use for Internet access instead of routing via a virtual router. This ensures the lowest possible latency and highest Internet throughput.
🔥 Network Policies (Firewalls)
In L2VPC, the fabric-based firewall that exists around every workload in CCNN is bypassed.
Users are encouraged to setup firewall rules inside Virtual Servers so as to adhere to a zero-trust security policy. Virtual routers (firewalls) can be leveraged to provide firewalls between L2VPCs, and between L2VPCs and the Internet if the L2VPC is used as the only egress.
💪 Performance
L2VPC is implemented using SR-IOV inside Virtual Machines and Kubernetes Pods. This provides full bare-metal performance with no additional software layers in the path. The L2VPC supports a MTU up to 9000, which can be beneficial for storage intensive applications.
🔌 Site-to-Site Connectivity
A common use case involves connecting between a private on-premise network and CoreWeave Cloud. CoreWeave offers two primary methods to achieve this goal.
For production applications, especially where latency and bandwidth is a concern, we always recommend a physical Direct Connect. CoreWeave's data centers and Cloud on-ramps are centrally located and well connected, making it easy to establish direct connections to on-premise environments.
Site-to-Site VPN
Site-to-Site VPNs are provided by instantiating a Virtual VPN in an L2VPC.
Learn more about Site-to-Site VPNs in our Site-to-Site VPN guide.
Direct Connect
Direct Connect is available by working with your connectivity provider to bring a physical connection to one of our data centers or Cloud on-ramps.
A direct connection can also be established instantly via Megaport. We support Direct Connects with bandwidth between 1Gbps and 100Gbps.
The default configuration for a Direct Connect is a Layer 3 connection into a Layer 2 VPC, however the Layer 2 VPC can be extended over the Direct Connect to create a flat Layer 2 connection all the way to the customer premises.
Please contact support for more information and to enable L2VPC in your namespace.