Networking Configuration

Configure IPv4 address space for internal addressing

Each site needs IPv4 address blocks available for allocation on the various overlay and internal networks within the site, such as the site's encrypted overlay network and the multiple gateway and application networks. The default address space the Edge Enforcer uses for this purpose is the 172.16.0.0/12 block. If this address space is already allocated for other purposes, the address space may be overridden per site.

The address space must be configured before site initialization and cannot be changed without recreating the site from scratch. To configure the available address blocks, add the ipv4-address-blocks configuration to supd.conf before the site is initialized. The value of ipv4-address-blocks must be the same in supd.conf on all hosts within the site. For example:

supd.conf
host-id: 4b8bb093-33b9-404d-9aec-29d97664c571
initial-site-config:
  network:
    ipv4-address-blocks:
      - 10.0.20.0/15
      - 10.0.32.0/12
Note: A /12 block is the recommended size for the Edge Enforcer's needs. This address space does not need to be routable or unique, as it is only used for internal addressing and never appears outside the hosts constituting the site. Keep in mind, however, that if these addresses are also used elsewhere in the network, those external destinations will be unreachable from the applications running on the site.

The configured address blocks are used for the following needs:

  • a single /16 prefix for an overlay network
  • a single /16 prefix for the application network address space (reused by each application network)
  • a /24 prefix is allocated per application
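Because the blocks cannot be changed after site initialization, it is worth checking them before the first host is started. The following is an added example (not part of the Avassa documentation or software) of such a pre-flight check: it parses the ipv4-address-blocks list, normalises entries with host bits set, rejects blocks too small to hold a /16, flags overlapping blocks, counts the /16 prefixes available for the overlay and application networks, and reports any block that collides with a prefix the host already routes to, since those destinations become unreachable from site applications. The SUPD_CONF dict and HOST_ROUTES list are constructed stand-ins for the parsed supd.conf and for `ip route` output.

```python
import ipaddress

# Constructed stand-in for the parsed `initial-site-config` section of
# supd.conf; the dict layout mirrors the YAML keys on the page, and the
# values are chosen for illustration rather than taken from the page.
SUPD_CONF = {
    "initial-site-config": {
        "network": {"ipv4-address-blocks": ["10.16.0.0/12", "10.40.0.0/16"]},
    }
}

# Constructed: prefixes this host already routes to (what `ip route` would list).
HOST_ROUTES = ["10.40.0.0/24", "192.0.2.0/24"]


def configured_blocks(conf):
    """Return the configured blocks as IPv4Network objects, plus findings for
    entries that do not parse or that have host bits set (those are normalised)."""
    blocks, findings = [], []
    for entry in conf["initial-site-config"]["network"]["ipv4-address-blocks"]:
        try:
            net = ipaddress.ip_network(entry)
        except ValueError:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"{entry}: not a valid IPv4 prefix")
                continue
            findings.append(f"{entry}: host bits set, would be read as {net}")
        if net.version != 4:
            findings.append(f"{entry}: not IPv4")
            continue
        blocks.append(net)
    return blocks, findings


def slash16_capacity(blocks):
    """Number of /16 prefixes the blocks can carve out; the overlay network and
    the application network address space each consume one."""
    return sum(2 ** (16 - n.prefixlen) for n in blocks if n.prefixlen <= 16)


def check_address_blocks(conf, host_routes):
    """Pre-initialisation checks on ipv4-address-blocks. Returns a list of
    findings; an empty list means the configuration passed every check."""
    blocks, findings = configured_blocks(conf)
    for net in blocks:
        if net.prefixlen > 16:
            findings.append(f"{net}: smaller than /16, cannot hold an overlay or application network")
    for i, a in enumerate(blocks):
        for b in blocks[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{a} overlaps {b}")
    if slash16_capacity(blocks) < 2:
        findings.append("fewer than two /16 prefixes available (overlay + application network)")
    # Addresses reused elsewhere in the network become unreachable from site
    # applications, so overlap with the host's own routes is worth flagging.
    for net in blocks:
        for route in map(ipaddress.ip_network, host_routes):
            if net.overlaps(route):
                findings.append(f"{net} overlaps host route {route}: those addresses will be unreachable from applications on the site")
    return findings


if __name__ == "__main__":
    for finding in check_address_blocks(SUPD_CONF, HOST_ROUTES) or ["ok"]:
        print(finding)
```

Run it on every host of the site with that host's actual routes; the blocks must be identical on all hosts, but the routes that collide with them may differ per host.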

Configure pool of ingress IP addresses

When all hosts within a site are part of the same subnetwork, i.e. same layer-3 network segment, it may be appropriate to configure a single pool of available IP addresses to be used by all hosts within the site.

Site configuration
name: stockholm-sergel
type: edge
ingress-allocation-method: pool
ingress-ipv4-address-ranges:
  - range: 192.0.2.20-192.0.2.254
    network-prefix-length: 24
hosts:
  - host-id: 94d4f410-1ef7-4f01-a296-c4ce4f23bf0e
  - host-id: af909c45-47ce-4198-a38e-6ced4ec121f6
  - host-id: 3cac9e07-8560-48ad-876f-db62d2258d6c

In other cases, for example when different hosts belong to different subnetworks, it is possible to configure a pool of available ingress IP addresses per network interface per host.

Site configuration
name: stockholm-sergel
type: edge
ingress-allocation-method: pool
hosts:
  - host-id: 94d4f410-1ef7-4f01-a296-c4ce4f23bf0e
    network-interfaces:
      - name: default
        host-interface-by-default-route: true
        ingress-ipv4-address-ranges:
          - range: 192.0.2.20-192.0.2.254
            network-prefix-length: 24
  - host-id: af909c45-47ce-4198-a38e-6ced4ec121f6
    network-interfaces:
      - name: default
        host-interface-by-default-route: true
        ingress-ipv4-address-ranges:
          - range: 198.51.100.20-198.51.100.254
            network-prefix-length: 24
  - host-id: 3cac9e07-8560-48ad-876f-db62d2258d6c
    network-interfaces:
      - name: default
        host-interface-by-default-route: true
        ingress-ipv4-address-ranges:
          - range: 203.0.113.20-203.0.113.254
            network-prefix-length: 24

Predictable ingress IP addresses

The above example demonstrates a simple configuration where an ingress address is allocated from the corresponding pool in a random fashion and all subtenants have access to all ingress addresses by default. In some cases it may be desirable to have more control over which addresses should be available to which tenants or to be able to choose a specific IP address for a specific service. This is possible to achieve by assigning labels to different ranges within both site-wide and per-interface pools, as follows:

Site configuration
name: stockholm-sergel
type: edge
ingress-allocation-method: pool
ingress-ipv4-address-ranges:
  - range: 192.0.2.200-192.0.2.254
    network-prefix-length: 24
    labels:
      tenant:
        - acme
        - edge
      scope: local
  - range: 198.51.100.250-198.51.100.253
    network-prefix-length: 24
    labels:
      tenant: acme
      scope: global
  - range: 198.51.100.254
    network-prefix-length: 24
    labels:
      tenant: edge
      dedicated: yes
hosts:
  - host-id: 94d4f410-1ef7-4f01-a296-c4ce4f23bf0e
  - host-id: af909c45-47ce-4198-a38e-6ced4ec121f6
  - host-id: 3cac9e07-8560-48ad-876f-db62d2258d6c

The labels may be used directly in the application specification. The site provider has access to all configured ranges, whatever their labels.

By default, subtenants only have access to ranges with an empty label set. Access to a different set of ranges may be granted by the site provider using a tenant-specific resource profile. For example, the following resource profile grants the subtenant access both to ingress IP ranges with the label tenant set to acme and to ranges with no labels assigned.

Resource profile
name: t-acme
ingress-ipv4-ranges:
  allowed: "tenant = acme or {}"

With the above resource profile in place, the subtenant can specify, in the application specification, an expression selecting the set of ingress address ranges to allocate an ingress address from.

If an application specification does not indicate a specific set of ranges to allocate an ingress address from, then an address is allocated from the set of ranges with no labels assigned. In order to change this behaviour, a site provider may configure an expression selecting the default set of ranges to allocate an ingress address from, as in the following example.

Resource profile
name: t-acme
ingress-ipv4-ranges:
  allowed: tenant = acme
  default: tenant = acme

Note that in both cases the resource profile t-acme must be assigned to the relevant subtenant in order for the configuration to take effect.

Configure DHCP-based ingress

An alternative way of allocating ingress addresses is to query a site provider-operated DHCP server. This functionality is enabled in the site configuration.

Site configuration
name: stockholm-sergel
type: edge
ingress-allocation-method: dhcp

The DHCP server must support DHCP Client Identifier functionality. Requests for different ingress addresses on a corresponding host will be initiated from the same network interface with the same Layer-2 (MAC) address, but different DHCP Client Identifiers.

Configure port forwarding ingress method

The supply of routable IP addresses on a site may be limited. In such a case it may be desirable to share the host's IP address with the services running on that host, forwarding a set of ports into one or several services. To enable this ingress mode, use the following site configuration:

Site configuration
name: stockholm-sergel
type: edge
ingress-allocation-method: port-forward

In port-forward ingress mode the primary IP address for the selected interface is used as ingress. This address may be shared by multiple services running on the same host as long as they request disjoint sets of ports to be forwarded. A subset of ports used by the Avassa software may not be forwarded (see reference documentation for the specific list of ports).

An additional requirement for using this functionality is a Linux kernel version of at least 5.6. A host running an older Linux kernel will give a runtime error when trying to start a service that requires an ingress while the ingress-allocation-method is configured to port-forward.
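The two preconditions above, a kernel of at least 5.6 and disjoint port sets per host, are both easy to get wrong by hand (comparing kernel versions as strings puts "5.15" before "5.6"). The following is an added example, not part of the Avassa software, of a pre-flight check a site provider could run before switching a site to port-forward. PLATFORM_RESERVED_PORTS is a constructed placeholder: the page says a list of ports used by the Avassa software may not be forwarded but refers to the reference documentation for it, so the values here are not the real list. The REQUESTS dict is a constructed set of port requests for one host.

```python
import re

# Constructed placeholder for the ports the Avassa software itself uses; the
# real list is in the reference documentation and is not reproduced here.
PLATFORM_RESERVED_PORTS = {22, 443}

MIN_KERNEL = (5, 6)  # minimum kernel version the page states for port-forward ingress


def kernel_supports_port_forward(uname_r):
    """True when a `uname -r` string (e.g. '5.15.0-91-generic') names a kernel
    of at least 5.6. The comparison is numeric on (major, minor); a string
    comparison would rank '5.15' below '5.6'."""
    m = re.match(r"(\d+)\.(\d+)", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel version string: {uname_r!r}")
    return (int(m.group(1)), int(m.group(2))) >= MIN_KERNEL


def expand_ports(spec):
    """Turn a port spec (an int, or a 'low-high' string) into a set of ports."""
    if isinstance(spec, int):
        return {spec}
    low, _, high = spec.partition("-")
    low, high = int(low), (int(high) if high else int(low))
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return set(range(low, high + 1))


def port_conflicts(requests, reserved=PLATFORM_RESERVED_PORTS):
    """requests maps service name -> list of port specs for one host.
    Returns findings for ports that are reserved by the platform or claimed
    by more than one service; an empty list means the sets are disjoint."""
    findings, owner = [], {}
    for service, specs in requests.items():
        for port in sorted(set().union(*map(expand_ports, specs))):
            if port in reserved:
                findings.append(f"{service}: port {port} is reserved by the platform")
            if port in owner:
                findings.append(f"{service}: port {port} already forwarded to {owner[port]}")
            else:
                owner[port] = service
    return findings


# Constructed port requests for the services planned on one host.
REQUESTS = {
    "web": [80, "8000-8010"],
    "api": [8010, 9000],
    "ssh-bastion": [22],
}

if __name__ == "__main__":
    import subprocess
    release = subprocess.run(["uname", "-r"], capture_output=True, text=True).stdout.strip()
    print("kernel", release, "ok" if kernel_supports_port_forward(release) else "too old")
    for finding in port_conflicts(REQUESTS) or ["ports ok"]:
        print(finding)
```

The port check is per host: two services on different hosts may forward the same port, since each host contributes its own primary address as the ingress.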

Multiple host interfaces

Multiple host interfaces may be exposed by the site provider so that applications can request ingress addresses bound to different interfaces. The application owner only sees the site provider-assigned interface name (default and internal in the example below), not the operating system-specific name. Labels are configured by the site provider and used in match expressions by applications to select the required interface. The order of network interfaces in the site configuration matters: if the application does not specify a match-interface-labels expression for an ingress address, or if multiple interfaces match the specified expression, then the matching interface with the highest position in this list is selected.

Site configuration
name: stockholm-sergel
type: edge
hosts:
  - host-id: 94d4f410-1ef7-4f01-a296-c4ce4f23bf0e
    network-interfaces:
      - name: default
        host-interface-by-default-route: true
        labels:
          - type: wan
      - name: internal
        host-interface-by-destination: 203.0.113.12
        labels:
          - type: internal
  - host-id: af909c45-47ce-4198-a38e-6ced4ec121f6
  - host-id: 3cac9e07-8560-48ad-876f-db62d2258d6c
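Both the labelled ingress ranges with resource profiles (the "Predictable ingress IP addresses" section) and the labelled interfaces above select resources with the same kind of label expression, so one added example serves both. It is not part of the Avassa software; it is a model written here to make the access rules concrete: subtenants see only unlabelled ranges unless a profile's allowed expression widens that, an application's own expression (or the profile's default, or "{}") is then applied within the allowed set, and interfaces are chosen by expression with list order as the tiebreak. The expression grammar implemented (key = value, {}, and/or) covers only the forms shown on the page and is an assumption, as is the rule that an application's expression is applied within, never beyond, the allowed set. The RANGES and INTERFACES data are constructed from the page's examples, with one extra unlabelled range added.

```python
import ipaddress
import re

# Constructed site configuration: the three labelled ranges from the page's
# example plus one unlabelled range, and the two interfaces from the
# multiple-interfaces example. Dict shapes mirror the YAML keys.
RANGES = [
    {"range": "192.0.2.200-192.0.2.254", "network-prefix-length": 24,
     "labels": {"tenant": ["acme", "edge"], "scope": "local"}},
    {"range": "198.51.100.250-198.51.100.253", "network-prefix-length": 24,
     "labels": {"tenant": "acme", "scope": "global"}},
    {"range": "198.51.100.254", "network-prefix-length": 24,
     "labels": {"tenant": "edge", "dedicated": "yes"}},
    {"range": "203.0.113.10-203.0.113.19", "network-prefix-length": 24},
]
INTERFACES = [
    {"name": "default", "labels": [{"type": "wan"}]},
    {"name": "internal", "labels": [{"type": "internal"}]},
]


def normalise_labels(labels):
    """Flatten either label form used on the page (a map, or a list of
    one-key maps) into {key: set of string values}."""
    items = labels or {}
    if isinstance(items, list):
        merged = {}
        for entry in items:
            merged.update(entry)
        items = merged
    return {k: {str(x) for x in (v if isinstance(v, list) else [v])}
            for k, v in items.items()}


def matches(expr, labels):
    """Evaluate a label expression. Assumed grammar, covering only the forms
    shown on the page: 'key = value', '{}' (empty label set), and 'or'/'and'
    combinations, with 'and' binding tighter than 'or'."""
    labels = normalise_labels(labels)

    def term(t):
        t = t.strip()
        if t == "{}":
            return not labels
        m = re.fullmatch(r"([\w-]+)\s*=\s*([\w-]+)", t)
        if not m:
            raise ValueError(f"unsupported expression term: {t!r}")
        return m.group(2) in labels.get(m.group(1), set())

    return any(all(term(t) for t in conj.split(" and "))
               for conj in expr.split(" or "))


def select_ranges(ranges, profile=None, requested=None):
    """Ranges a subtenant may draw an ingress address from. Without a profile
    only unlabelled ranges are visible; the profile's 'allowed' widens that,
    and its 'default' replaces '{}' as the selection when the application
    names no expression. Assumption: an application's own expression is
    applied within the allowed set, never beyond it."""
    profile = profile or {}
    allowed = profile.get("allowed", "{}")
    expr = requested or profile.get("default", "{}")
    return [r["range"] for r in ranges
            if matches(allowed, r.get("labels")) and matches(expr, r.get("labels"))]


def range_addresses(entry):
    """Expand 'first-last' or a single address into the addresses it covers,
    rejecting ranges that leave the prefix given by network-prefix-length."""
    first, _, last = entry["range"].partition("-")
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last) if last else start
    net = ipaddress.ip_network(f"{start}/{entry['network-prefix-length']}", strict=False)
    if end < start or end not in net:
        raise ValueError(f"range {entry['range']} does not fit in {net}")
    return [ipaddress.IPv4Address(i) for i in range(int(start), int(end) + 1)]


def select_interface(interfaces, expr=None):
    """First interface, in site-configuration order, whose labels match expr;
    with no expression the first interface in the list wins."""
    for itf in interfaces:
        if expr is None or matches(expr, itf.get("labels")):
            return itf["name"]
    return None


if __name__ == "__main__":
    print(select_ranges(RANGES))                                   # no profile: unlabelled only
    print(select_ranges(RANGES, {"allowed": "tenant = acme or {}"}, "tenant = acme"))
    print(select_interface(INTERFACES, "type = internal"))
```

Note that the first range carries both acme and edge as tenant values, so an application of tenant acme asking for "tenant = edge" still receives it, while the dedicated edge-only range stays out of reach unless the profile's allowed expression names edge.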