
Re: OpenShift SDN



Thanks Dan for the info. Are you saying we need to block the VXLAN port using a traditional subnet firewall between Internal <-> External nodes?


Is it blocking port 4789 between subnets? Any impact from blocking port 4789 apart from blocking Internal <-> External communication?


-- 
Srinivas Kotaru






On 1/14/16, 9:03 AM, "Dan Winship" <danw redhat com> wrote:

>On 01/13/2016 05:02 PM, Srinivas Naga Kotaru (skotaru) wrote:
>> Dan
>> 
>> Thanks for responding. Are you saying we need to install separate
>> cluster installations for internal & External or use single
>> cluster but achieve isolation using VXID approach?
>
>No, neither of those. I'm saying you can just deploy a single cluster,
>without adding any new firewall rules, and it will work the way you
>want. (Internal pods will be able to talk to other internal pods, and
>external pods will be able to talk to other external pods, but internal
>and external won't be able to talk to each other.)
>
>OpenShift itself will still consider it to be a single VXLAN network,
>but if a pod on an internal node tries to talk to a pod on an external
>node, that would require that the internal node send a VXLAN packet to
>the external node, and your existing firewall will block that, so the
>attempt will fail. Likewise for external-to-internal. So although
>OpenShift is unaware of it, your VXLAN is effectively partitioned.
>
>-- Dan
>

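The partitioning Dan describes, and the narrower port-4789 rule Srinivas asks about, modelled in an added Python example that is not code from the thread or from OpenShift. The node subnets, pod addresses and VNI are constructed sample values, and the firewall is modelled as matching only the outer IP/UDP headers of the VXLAN packet:

```python
import ipaddress
import struct

VXLAN_PORT = 4789  # IANA-assigned UDP port for VXLAN

# Constructed topology: internal node subnet behind a subnet firewall;
# any node address outside it is treated as an external node.
INTERNAL_NODES = ipaddress.ip_network("10.10.0.0/24")
PODS = {  # pod IP -> IP of the node hosting it (sample values)
    "10.128.0.5": "10.10.0.11",  # pod on an internal node
    "10.128.1.7": "10.10.0.12",  # pod on another internal node
    "10.129.0.9": "10.20.0.21",  # pod on an external node
}

def vxlan_encap(src_pod, dst_pod, vni=1):
    """Wrap a pod-to-pod frame the way the sending node does: the outer
    IP/UDP headers carry node addresses; the pod addresses and the VNI
    sit inside the UDP payload, invisible to a subnet firewall."""
    # 8-byte VXLAN header: flags (I bit set), 3 reserved, 24-bit VNI, reserved
    header = struct.pack("!BBBBI", 0x08, 0, 0, 0, vni << 8)
    return {"outer_src": PODS[src_pod], "outer_dst": PODS[dst_pod],
            "proto": "udp", "dport": VXLAN_PORT,
            "payload": header + f"{src_pod}->{dst_pod}".encode()}

def vni_of(pkt):
    """What OpenShift sees: every packet belongs to the same VXLAN network."""
    flags, _, _, _, vni_field = struct.unpack("!BBBBI", pkt["payload"][:8])
    assert flags & 0x08, "not a VXLAN frame"
    return vni_field >> 8

def crosses_boundary(pkt):
    src = ipaddress.ip_address(pkt["outer_src"])
    dst = ipaddress.ip_address(pkt["outer_dst"])
    return (src in INTERNAL_NODES) != (dst in INTERNAL_NODES)

def existing_firewall(pkt):
    """Dan's scenario: the existing firewall already drops everything
    between the internal and external node subnets."""
    return not crosses_boundary(pkt)

def vxlan_only_firewall(pkt):
    """The narrower rule Srinivas asks about: drop only UDP/4789 across
    the boundary, leaving other node-to-node traffic alone."""
    is_vxlan = pkt["proto"] == "udp" and pkt["dport"] == VXLAN_PORT
    return not (crosses_boundary(pkt) and is_vxlan)

def pod_reachable(src_pod, dst_pod, policy):
    """True if the encapsulated pod-to-pod packet gets through the firewall."""
    return policy(vxlan_encap(src_pod, dst_pod))
```

Both policies give the same answer for pod traffic, since every pod-to-pod packet is VXLAN on the wire; they differ only for non-VXLAN node-to-node traffic, which the blanket policy also drops.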
