Networking Configuration
Assign IPv4 address blocks available for overlay addressing
Each site needs IPv4 address blocks available for allocation on various overlay networks within the site, such as the site encrypted overlay network and multiple application networks. Configure available address blocks in supd.conf. The value for ipv4-address-blocks must be the same in supd.conf on all hosts within the site. Blocks configured on the Control Tower are propagated and reused on edge sites.
host-id: 4b8bb093-33b9-404d-9aec-29d97664c571
initial-site-config:
  network:
    ipv4-address-blocks:
      - 10.0.20.0/15
      - 10.0.32.0/12
Configuration may be overridden on an edge site by providing a different value for ipv4-address-blocks in supd.conf on all hosts within this site.
Configure pool of ingress IP addresses
When all hosts within a site are part of the same subnetwork, i.e. same layer-3 network segment, it may be appropriate to configure a single pool of available IP addresses to be used by all hosts within the site.
name: stockholm-sergel
type: edge
ingress-allocation-method: pool
ingress-ipv4-address-ranges:
  - range: 192.0.2.20-192.0.2.254
    network-prefix-length: 24
hosts:
  - host-id: 94d4f410-1ef7-4f01-a296-c4ce4f23bf0e
  - host-id: af909c45-47ce-4198-a38e-6ced4ec121f6
  - host-id: 3cac9e07-8560-48ad-876f-db62d2258d6c
In other cases, for example when different hosts belong to different subnetworks, it is possible to configure a pool of available ingress IP addresses per network interface per host.
name: stockholm-sergel
type: edge
ingress-allocation-method: pool
hosts:
  - host-id: 94d4f410-1ef7-4f01-a296-c4ce4f23bf0e
    network-interfaces:
      - name: default
        host-interface-by-default-route: true
        ingress-ipv4-address-ranges:
          - range: 192.0.2.20-192.0.2.254
            network-prefix-length: 24
  - host-id: af909c45-47ce-4198-a38e-6ced4ec121f6
    network-interfaces:
      - name: default
        host-interface-by-default-route: true
        ingress-ipv4-address-ranges:
          - range: 198.51.100.20-198.51.100.254
            network-prefix-length: 24
  - host-id: 3cac9e07-8560-48ad-876f-db62d2258d6c
    network-interfaces:
      - name: default
        host-interface-by-default-route: true
        ingress-ipv4-address-ranges:
          - range: 203.0.113.20-203.0.113.254
            network-prefix-length: 24
Predictable ingress IP addresses
The above example demonstrates a simple configuration where an ingress address is allocated from the corresponding pool in a random fashion and all subtenants have access to all ingress addresses by default. In some cases it may be desirable to have more control over which addresses should be available to which tenants or to be able to choose a specific IP address for a specific service. This is possible to achieve by assigning labels to different ranges within both site-wide and per-interface pools, as follows:
name: stockholm-sergel
type: edge
ingress-allocation-method: pool
ingress-ipv4-address-ranges:
  - range: 192.0.2.200-192.0.2.254
    network-prefix-length: 24
    labels:
      tenant:
        - acme
        - edge
      scope: local
  - range: 198.51.100.250-198.51.100.253
    network-prefix-length: 24
    labels:
      tenant: acme
      scope: global
  - range: 198.51.100.254
    network-prefix-length: 24
    labels:
      tenant: edge
      dedicated: yes
hosts:
  - host-id: 94d4f410-1ef7-4f01-a296-c4ce4f23bf0e
  - host-id: af909c45-47ce-4198-a38e-6ced4ec121f6
  - host-id: 3cac9e07-8560-48ad-876f-db62d2258d6c
The labels may be used directly in the application specification. The site provider has access to all configured ranges with any labels. By default the subtenants only have access to ranges with an empty label set. Access to a different set of ranges may be granted by a site provider using a tenant-specific resource profile. For example, the following resource profile grants the subtenant access both to ingress IP ranges with label tenant with value acme and to ranges with no labels assigned.
name: t-acme
ingress-ipv4-ranges:
  allowed: "tenant = acme or {}"
With the above resource profile in place, the subtenant can specify in the application specification an expression selecting the set of ingress address ranges from which an ingress address is allocated.
If an application specification does not indicate a specific set of ranges to allocate an ingress address from, then an address is allocated from the set of ranges with no labels assigned. In order to change this behaviour, a site provider may configure an expression selecting the default set of ranges to allocate an ingress address from, as in the following example.
name: t-acme
ingress-ipv4-ranges:
  allowed: tenant = acme
  default: tenant = acme
Note that in both cases the resource profile t-acme must be assigned to the relevant subtenant in order for the configuration to take effect.
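As an added example that is not part of the Avassa documentation, the following Python script models how the labelled ranges above and a resource profile's allowed or default expression decide which ingress addresses a subtenant can be allocated from, and adds a sanity check that each range fits inside its configured prefix. The expression grammar it implements (terms of the form key = value joined by or, with {} meaning the empty label set) and the fourth, unlabelled range are assumptions for illustration only.

```python
import ipaddress
# Constructed sample: the three labelled ranges from the site configuration
# above plus one unlabelled range (assumed) that every subtenant may use.
SITE_RANGES = [
    {"range": "192.0.2.200-192.0.2.254", "network-prefix-length": 24,
     "labels": {"tenant": ["acme", "edge"], "scope": "local"}},
    {"range": "198.51.100.250-198.51.100.253", "network-prefix-length": 24,
     "labels": {"tenant": "acme", "scope": "global"}},
    {"range": "198.51.100.254", "network-prefix-length": 24,
     "labels": {"tenant": "edge", "dedicated": "yes"}},
    {"range": "192.0.2.20-192.0.2.199", "network-prefix-length": 24},
]

def range_bounds(entry):
    """Parse 'a-b' or a single address 'a' into (first, last) IPv4Address."""
    first, _, last = entry["range"].partition("-")
    return ipaddress.IPv4Address(first), ipaddress.IPv4Address(last or first)

def range_within_prefix(entry):
    """True if both ends of the range lie in one network of the configured prefix length."""
    lo, hi = range_bounds(entry)
    net = ipaddress.ip_network(f"{lo}/{entry['network-prefix-length']}", strict=False)
    return hi in net

def term_matches(term, labels):
    """Assumed grammar: '{}' selects ranges with no labels; 'key = value'
    selects ranges whose label key equals (or, for a list, contains) value."""
    term = term.strip()
    if term == "{}":
        return not labels
    key, _, value = (part.strip() for part in term.partition("="))
    have = labels.get(key)
    return value in have if isinstance(have, list) else have == value

def selectable_ranges(ranges, expression=None):
    """Ranges a subtenant may draw from; without an expression only unlabelled
    ranges qualify (the documented default). Terms are joined with 'or' (assumed)."""
    terms = (expression or "{}").split(" or ")
    return [r for r in ranges
            if any(term_matches(t, r.get("labels", {})) for t in terms)]

def free_addresses(ranges, expression=None, in_use=()):
    """Every address an allocation could return, minus ones already in use."""
    used = {ipaddress.IPv4Address(a) for a in in_use}
    out = []
    for entry in selectable_ranges(ranges, expression):
        lo, hi = range_bounds(entry)
        out += [ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)]
    return sorted(a for a in out if a not in used)
```

With no profile assigned, free_addresses(SITE_RANGES) yields only the unlabelled range; with "tenant = acme or {}" it also yields the two acme-labelled ranges.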
Configure DHCP-based ingress
An alternative way of allocating ingress addresses is to query a site provider-operated DHCP server. This functionality is enabled in the site configuration.
name: stockholm-sergel
type: edge
ingress-allocation-method: dhcp
The DHCP server must support DHCP Client Identifier functionality. Requests for different ingress addresses on a corresponding host will be initiated from the same network interface with the same Layer-2 (MAC) address, but different DHCP Client Identifiers.
Configure port forwarding ingress method
The supply of routable IP addresses on a site may be limited. In such a case it may be desirable to share the host's IP address with the services running on this host, forwarding a set of ports into one or several services. In order to enable this ingress mode use the following site configuration:
name: stockholm-sergel
type: edge
ingress-allocation-method: port-forward
In port-forward ingress mode the primary IP address for the selected interface is used as ingress. This address may be shared by multiple services running on the same host as long as they request disjoint sets of ports to be forwarded. A subset of ports used by the Avassa software may not be forwarded (see the reference documentation for the specific list of ports).
An additional requirement for using this functionality is a Linux kernel version of at least 5.6. A host running an older Linux kernel will give a runtime error when trying to start a service requiring an ingress when the ingress-allocation-method is configured to port-forward.
Multiple host interfaces
Multiple host interfaces may be exposed by the site provider in order for applications to be able to request an ingress address bound to different interfaces. The application owner will only see the site provider-assigned interface name (default and internal in the example below), not the operating system-specific name. Labels are configured by the site provider and used in match-expressions by applications to select the required interface. The order of network interfaces in the site configuration matters: if the application does not specify a match-interface-labels expression for an ingress address, or multiple interfaces match the specified expression, then the matching interface that has the higher position in this list is selected.
name: stockholm-sergel
type: edge
hosts:
  - host-id: 94d4f410-1ef7-4f01-a296-c4ce4f23bf0e
    network-interfaces:
      - name: default
        host-interface-by-default-route: true
        labels:
          - type: wan
      - name: internal
        host-interface-by-destination: 203.0.113.12
        labels:
          - type: internal
  - host-id: af909c45-47ce-4198-a38e-6ced4ec121f6
  - host-id: 3cac9e07-8560-48ad-876f-db62d2258d6c