20230320 Azure Red Hat OpenShift Network Concepts

Transcript

1. Azure Red Hat OpenShift Network Concepts Phil Huang <[email protected]> Sr.

   Cloud Solution Architect 2023/3/20 Ingress and Egress Network Traffic

2. Ingress Traffic ARO Network Concepts

3. • Ingress Traffic 需要討論 2 個部分 1. API Server visibility

   2. Ingress visibility • Public 和 Private 的差異? • Public: 服務有對 Internet • Private: 服務沒有對 Internet • 設定後，不能事後修改 設計初始就需決定 Ingress 的方向 了解 Ingress Traffic (Inbound Data Flow) 流 Ref: API Server Visibility Ingress Visibility Scenario https://api.<FQDN> https://*.apps.<FQDN> Case 1 Public Public 全部對外服務，包含 API Server Case 2 Private Private 常見，全部都不能出外網 Case 3 Private Public 常見，API 在內網，但服務對外 Case 4 Public Private N/A

4. API Server Visibility Ingress Visibility Public Public

5. API Server Visibility Ingress Visibility Private Private

6. API Server Visibility Ingress Visibility Private Public

7. Egress ARO Network Concepts

8. • Egress 需要分 2 個層次討論 • Pod Level • Node

   Level • 有否需要管控 Egress Traffic 的方向，如 Azure Firewall 或 NAT Gateway 搭 UDR Egress 網路連線探討 ARO Network Settings Ref:

9. 連線到外網 了解 Egress Traffic (Outbound Data Flow) 流 From Pod

   to Internet The IP is from Pod CIDR of ARO From Node to Internet The IP is from VNet Subnet

10. API Server Visibility Ingress Visibility Public Public Node: night9aro-vpvq9-worker-eastus1-vgkzx Pod:

    ocp-debug-container

11. API Server Visibility Ingress Visibility Private Private Node: night9aro-vpvq9-worker-eastus1-vgkzx Pod:

    ocp-debug-container

12. Restrict Egress Traffic

13. Demo ARO Network Concepts

14. pichuang/debug-container 該 Container 包含常見的除錯工具 Ref: https://github.com/pichuang/debug-container

15. Invent with purpose.