
Networking Configuration

Assign IPv4 address blocks available for overlay addressing

Each site needs IPv4 address blocks that can be allocated to the overlay networks within the site, such as the site's encrypted overlay network and the individual application networks. Configure the available blocks in supd.conf. The value of ipv4-address-blocks must be identical in supd.conf on every host within the site. Blocks configured on the Control Tower are propagated to, and reused on, edge sites. Choose blocks that are properly aligned CIDR prefixes (no host bits set) and that do not overlap each other or the networks the hosts are attached to, since the overlay addresses are used on every host in the site.

supd.conf
host-id: 4b8bb093-33b9-404d-9aec-29d97664c571
initial-site-config:
  network:
    ipv4-address-blocks:
      - 10.0.20.0/15
      - 10.0.32.0/12

The configuration may be overridden on an edge site by providing a different value for ipv4-address-blocks in supd.conf on all hosts within that site.
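Because the value must be identical on every host and the blocks are reused across sites, it is worth validating the list before it is rolled out. The following is an added example, not part of the Avassa documentation or software: it checks that each entry is a strictly aligned IPv4 CIDR prefix (an entry such as 10.1.0.0/15, whose host bits are set, is rejected), that the blocks do not overlap each other or a list of underlay networks, and that the per-host values agree. The host names, the underlay networks and the per-host values are constructed sample data; how each host's supd.conf is collected is left to the operator.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: the ipv4-address-blocks value as read from supd.conf on
# three hypothetical hosts of one site. host-c has drifted from the others.
SUPD_BLOCKS_BY_HOST: Dict[str, List[str]] = {
    "host-a": ["10.0.0.0/15", "10.16.0.0/12"],
    "host-b": ["10.0.0.0/15", "10.16.0.0/12"],
    "host-c": ["10.0.0.0/15", "10.17.0.0/16"],
}

# Constructed sample: underlay networks the hosts are attached to. Overlay
# blocks must not collide with these.
HOST_UNDERLAY_NETWORKS: List[str] = ["192.0.2.0/24", "198.51.100.0/24"]


def check_blocks(blocks: List[str], underlay: List[str]) -> List[str]:
    """Return the problems found in one ipv4-address-blocks value.

    Checks: every entry parses as an IPv4 prefix with no host bits set
    (strict CIDR), entries do not overlap each other, and none overlaps an
    underlay network.
    """
    problems: List[str] = []
    parsed: List[ipaddress.IPv4Network] = []
    for block in blocks:
        try:
            net = ipaddress.ip_network(block, strict=True)
        except ValueError:
            problems.append(f"{block}: not a valid aligned CIDR prefix")
            continue
        if net.version != 4:
            problems.append(f"{block}: not an IPv4 prefix")
            continue
        parsed.append(net)
    for i, a in enumerate(parsed):
        for b in parsed[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    for net in parsed:
        for u in underlay:
            if net.overlaps(ipaddress.ip_network(u, strict=False)):
                problems.append(f"{net} overlaps underlay network {u}")
    return problems


def check_site_consistency(by_host: Dict[str, List[str]]) -> List[str]:
    """ipv4-address-blocks must be identical on every host within the site.

    Returns one message per host whose value differs from the most common one.
    """
    values = {host: tuple(sorted(blocks)) for host, blocks in by_host.items()}
    distinct = set(values.values())
    if len(distinct) <= 1:
        return []
    all_values = list(values.values())
    reference = max(distinct, key=all_values.count)
    return [
        f"{host}: {list(v)} differs from majority value {list(reference)}"
        for host, v in values.items()
        if v != reference
    ]


if __name__ == "__main__":
    for host, blocks in SUPD_BLOCKS_BY_HOST.items():
        for problem in check_blocks(blocks, HOST_UNDERLAY_NETWORKS):
            print(f"{host}: {problem}")
    for problem in check_site_consistency(SUPD_BLOCKS_BY_HOST):
        print(problem)
```

Run it against the values collected from each host before changing the site; an aligned, non-overlapping list that is the same everywhere produces no output.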

Configure pool of ingress IP addresses

When all hosts within a site are on the same subnetwork, i.e. the same layer-3 network segment, it is usually appropriate to configure a single pool of ingress IP addresses shared by all hosts within the site.

Site configuration
name: stockholm-sergel
type: edge
ingress-allocation-method: pool
ingress-ipv4-address-ranges:
  - range: 192.0.2.20-192.0.2.254
    network-prefix-length: 24
hosts:
  - host-id: 94d4f410-1ef7-4f01-a296-c4ce4f23bf0e
  - host-id: af909c45-47ce-4198-a38e-6ced4ec121f6
  - host-id: 3cac9e07-8560-48ad-876f-db62d2258d6c

In other cases, for example when hosts belong to different subnetworks, a pool of available ingress IP addresses can be configured per network interface per host.

Site configuration
name: stockholm-sergel
type: edge
ingress-allocation-method: pool
hosts:
  - host-id: 94d4f410-1ef7-4f01-a296-c4ce4f23bf0e
    network-interfaces:
      - name: default
        host-interface-by-default-route: true
        ingress-ipv4-address-ranges:
          - range: 192.0.2.20-192.0.2.254
            network-prefix-length: 24
  - host-id: af909c45-47ce-4198-a38e-6ced4ec121f6
    network-interfaces:
      - name: default
        host-interface-by-default-route: true
        ingress-ipv4-address-ranges:
          - range: 198.51.100.20-198.51.100.254
            network-prefix-length: 24
  - host-id: 3cac9e07-8560-48ad-876f-db62d2258d6c
    network-interfaces:
      - name: default
        host-interface-by-default-route: true
        ingress-ipv4-address-ranges:
          - range: 203.0.113.20-203.0.113.254
            network-prefix-length: 24

Predictable ingress IP addresses

The examples above show the simplest configuration: an ingress address is allocated from the corresponding pool in no particular order, and all subtenants have access to all ingress addresses by default. In some cases it is desirable to control which addresses are available to which tenants, or to pick a specific IP address for a specific service. This is achieved by assigning labels to different ranges within both site-wide and per-interface pools, as follows:

Site configuration
name: stockholm-sergel
type: edge
ingress-allocation-method: pool
ingress-ipv4-address-ranges:
  - range: 192.0.2.200-192.0.2.254
    network-prefix-length: 24
    labels:
      tenant:
        - acme
        - edge
      scope: local
  - range: 198.51.100.250-198.51.100.253
    network-prefix-length: 24
    labels:
      tenant: acme
      scope: global
  - range: 198.51.100.254
    network-prefix-length: 24
    labels:
      tenant: edge
      dedicated: yes
hosts:
  - host-id: 94d4f410-1ef7-4f01-a296-c4ce4f23bf0e
  - host-id: af909c45-47ce-4198-a38e-6ced4ec121f6
  - host-id: 3cac9e07-8560-48ad-876f-db62d2258d6c

The labels may be used directly in the application specification. The site provider has access to all configured ranges, whatever their labels.

By default, subtenants only have access to ranges with an empty label set. A site provider may grant access to a different set of ranges with a tenant-specific resource profile. For example, the following resource profile grants the subtenant access both to ingress IP ranges carrying the label tenant with value acme and to ranges with no labels assigned.

Resource profile
name: t-acme
ingress-ipv4-ranges:
  allowed: "tenant = acme or {}"

With this resource profile in place, the subtenant can include in the application specification an expression that selects the set of ingress address ranges from which an ingress address is allocated.

If an application specification does not name a set of ranges to allocate an ingress address from, the address is allocated from the ranges with no labels assigned. To change this behaviour, a site provider may configure an expression selecting the default set of ranges, as in the following example.

Resource profile
name: t-acme
ingress-ipv4-ranges:
  allowed: tenant = acme
  default: tenant = acme

In both cases the resource profile t-acme must be assigned to the relevant subtenant for the configuration to take effect.

Configure DHCP-based ingress

An alternative way of allocating ingress addresses is to request them from a DHCP server operated by the site provider. This is enabled in the site configuration:

Site configuration
name: stockholm-sergel
type: edge
ingress-allocation-method: dhcp

The DHCP server must support the DHCP Client Identifier option (option 61). Requests for different ingress addresses on a host are sent from the same network interface with the same Layer-2 (MAC) address but with different DHCP Client Identifiers, so the server must key its leases on the client identifier rather than on the MAC address; a server that ignores the client identifier would hand every request on that host the same lease.

Configure port forwarding ingress method

The supply of routable IP addresses on a site may be limited. In that case it may be preferable to share the host's own IP address with the services running on the host, forwarding a set of ports to one or several services. To enable this ingress mode, use the following site configuration:

Site configuration
name: stockholm-sergel
type: edge
ingress-allocation-method: port-forward

In port-forward ingress mode the primary IP address of the selected interface is used as the ingress address. It can be shared by multiple services running on the same host as long as they request disjoint sets of ports to be forwarded. A subset of the ports used by the Avassa software itself is reserved and cannot be forwarded (see the reference documentation for the specific list of ports).

Port forwarding additionally requires a Linux kernel of version 5.6 or later. On a host running an older kernel, starting a service that requires an ingress fails with a runtime error when ingress-allocation-method is set to port-forward, so check the kernel version on every host in the site before switching to this mode.
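Both constraints of this mode, the kernel version and the disjoint port sets, can be checked before a service is deployed rather than discovered as a runtime error. The following added example (written for this page, not part of the Avassa software) parses a uname -r release string and compares it with 5.6, and checks a set of per-service port requests for one host against each other and against a list of reserved ports. The reserved port list here is a constructed placeholder; the real list is in the reference documentation. Service names and port numbers are likewise constructed sample data.

```python
import platform
import re
from typing import Dict, Iterable, List, Tuple

# port-forward ingress requires Linux 5.6 or later
MIN_KERNEL: Tuple[int, int] = (5, 6)

# Constructed placeholder; substitute the reserved ports from the reference
# documentation. Do not treat these numbers as the real list.
RESERVED_PORTS_PLACEHOLDER: List[int] = [9100, 9101]

# Constructed sample: ports requested by services sharing one host address.
SERVICE_PORT_REQUESTS: Dict[str, List[int]] = {
    "web": [80, 443],
    "api": [443, 8443],       # 443 collides with "web"
    "metrics": [9100],        # reserved by the platform in this sample
}


def kernel_version(release: str) -> Tuple[int, int]:
    """Extract (major, minor) from a release string such as '5.4.0-150-generic'."""
    match = re.match(r"(\d+)\.(\d+)", release)
    if not match:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(match.group(1)), int(match.group(2))


def kernel_supports_port_forward(release: str) -> bool:
    return kernel_version(release) >= MIN_KERNEL


def port_conflicts(requests: Dict[str, Iterable[int]], reserved: Iterable[int]) -> List[str]:
    """Services sharing one host address must request disjoint port sets, and
    none may request a port reserved by the platform.

    Returns one message per offending port, in request order.
    """
    reserved_set = set(reserved)
    claimed: Dict[int, str] = {}
    problems: List[str] = []
    for service, ports in requests.items():
        for port in ports:
            if not 1 <= port <= 65535:
                problems.append(f"{service}: port {port} is out of range")
            elif port in reserved_set:
                problems.append(f"{service}: port {port} is reserved by the platform")
            elif port in claimed:
                problems.append(f"{service}: port {port} already requested by {claimed[port]}")
            else:
                claimed[port] = service
    return problems


def preflight(release: str, requests: Dict[str, Iterable[int]], reserved: Iterable[int]) -> List[str]:
    """All reasons port-forward ingress would fail on this host, or [] if none."""
    problems: List[str] = []
    if not kernel_supports_port_forward(release):
        problems.append(f"kernel {release} is older than {MIN_KERNEL[0]}.{MIN_KERNEL[1]}")
    problems.extend(port_conflicts(requests, reserved))
    return problems


if __name__ == "__main__":
    # On a real host, platform.release() gives the running kernel's version.
    for problem in preflight(platform.release(), SERVICE_PORT_REQUESTS, RESERVED_PORTS_PLACEHOLDER):
        print(problem)
```

Run the check on every host that may receive the service; in a site with mixed hardware it is common for one host to lag behind on kernel version.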

Multiple host interfaces

The site provider may expose multiple host interfaces so that applications can request ingress addresses bound to different interfaces. The application owner only sees the interface name assigned by the site provider (default and internal in the example below), not the operating system's name for the interface. Labels are configured by the site provider and used in match expressions by applications to select the required interface. The order of network interfaces in the site configuration matters: if the application does not specify a match-interface-labels expression for an ingress address, or if several interfaces match the expression, the matching interface listed first is selected.

Site configuration
name: stockholm-sergel
type: edge
hosts:
  - host-id: 94d4f410-1ef7-4f01-a296-c4ce4f23bf0e
    network-interfaces:
      - name: default
        host-interface-by-default-route: true
        labels:
          - type: wan
      - name: internal
        host-interface-by-destination: 203.0.113.12
        labels:
          - type: internal
  - host-id: af909c45-47ce-4198-a38e-6ced4ec121f6
  - host-id: 3cac9e07-8560-48ad-876f-db62d2258d6c
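Both the labelled ingress ranges in the "Predictable ingress IP addresses" section and the labelled interfaces above are selected by matching a label expression against a set of labels, with a positional tie-break for interfaces. The following added example (written for this page, not Avassa code, and not the platform's actual expression parser) models that selection so a site provider can predict what a resource profile or an application expression will resolve to. It assumes a minimal grammar taken from the two expressions shown on this page: terms of the form key = value and the term {} for the empty label set, joined by or; a list-valued label matches when the value is one of its members. Anything beyond that, including and and negation, is outside what the page shows and is not supported here. The ranges are the ones from the site configuration above plus one constructed unlabelled range; the dedicated: yes label is kept as the string "yes" because the sample is a plain dictionary rather than parsed YAML.

```python
from typing import Any, Dict, List, Optional

# Ranges from the page's labelled pool plus one constructed unlabelled range.
RANGES: List[Dict[str, Any]] = [
    {"range": "192.0.2.200-192.0.2.254",
     "labels": {"tenant": ["acme", "edge"], "scope": "local"}},
    {"range": "198.51.100.250-198.51.100.253",
     "labels": {"tenant": "acme", "scope": "global"}},
    {"range": "198.51.100.254",
     "labels": {"tenant": "edge", "dedicated": "yes"}},
    {"range": "203.0.113.10-203.0.113.20"},   # constructed, no labels
]

# Interfaces of the first host above; labels are a list of single-key maps.
INTERFACES: List[Dict[str, Any]] = [
    {"name": "default", "labels": [{"type": "wan"}]},
    {"name": "internal", "labels": [{"type": "internal"}]},
]


def normalize_labels(labels: Any) -> Dict[str, Any]:
    """Reduce either label shape (a mapping, or a list of single-key
    mappings as used for interfaces) to one dictionary."""
    if labels is None:
        return {}
    if isinstance(labels, dict):
        return dict(labels)
    merged: Dict[str, Any] = {}
    for item in labels:
        merged.update(item)
    return merged


def matches(expr: Optional[str], labels: Any) -> bool:
    """Evaluate the assumed grammar: `key = value` and `{}` joined by `or`.
    No expression matches only unlabelled objects, the page's default."""
    lbl = normalize_labels(labels)
    if expr is None:
        return not lbl
    for term in expr.split(" or "):
        term = term.strip()
        if term == "{}":
            if not lbl:
                return True
            continue
        key, sep, value = term.partition("=")
        if not sep:
            raise ValueError(f"unsupported term: {term!r}")
        actual = lbl.get(key.strip())
        value = value.strip()
        if isinstance(actual, list):
            if value in actual:
                return True
        elif actual is not None and str(actual) == value:
            return True
    return False


def allowed_ranges(ranges: List[Dict[str, Any]], profile: Optional[Dict[str, str]]) -> List[str]:
    """Ranges a subtenant may allocate from under a resource profile
    (None: no profile assigned, so unlabelled ranges only)."""
    expr = (profile or {}).get("allowed")
    return [r["range"] for r in ranges if matches(expr, r.get("labels"))]


def default_ranges(ranges: List[Dict[str, Any]], profile: Optional[Dict[str, str]]) -> List[str]:
    """Ranges used when the application names none: the profile's `default`
    expression if set, otherwise unlabelled ranges, within the allowed set."""
    allowed = set(allowed_ranges(ranges, profile))
    expr = (profile or {}).get("default")
    return [r["range"] for r in ranges
            if r["range"] in allowed and matches(expr, r.get("labels"))]


def select_interface(interfaces: List[Dict[str, Any]], expr: Optional[str]) -> Optional[str]:
    """First interface in configuration order that matches expr; with no
    expression every interface matches, so the first one wins."""
    for iface in interfaces:
        if expr is None or matches(expr, iface.get("labels")):
            return iface["name"]
    return None
```

Running allowed_ranges with the t-acme profile from the page shows that the range labelled tenant: edge with dedicated: yes is never reachable by that tenant, which is the intent of a dedicated range; running select_interface with an expression that matches both interfaces shows that default wins only because it is listed first.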