20230320 Azure Red Hat OpenShift Network Concepts

Azure Red Hat OpenShift
Network Concepts
Phil Huang
Sr. Cloud Solution Architect
2023/3/20
Ingress and Egress Network Traffic

View Slide

Ingress Traffic
ARO Network Concepts

View Slide

• Ingress Traffic 需要討論 2 個部分
1. API Server visibility
2. Ingress visibility
• Public 和 Private 的差異?
• Public: 服務有對 Internet
• Private: 服務沒有對 Internet
• 設定後，不能事後修改
設計初始就需決定 Ingress 的方向
了解 Ingress Traffic (Inbound Data Flow) 流
Ref:
API Server Visibility Ingress Visibility
Scenario
https://api. https://*.apps.
Case 1 Public Public 全部對外服務，包含 API Server
Case 2 Private Private 常見，全部都不能出外網
Case 3 Private Public 常見，API 在內網，但服務對外
Case 4 Public Private N/A

View Slide

API Server
Visibility
Ingress Visibility
Public Public

View Slide

API Server
Visibility
Ingress Visibility
Private Private

View Slide

API Server
Visibility
Ingress Visibility
Private Public

View Slide

Egress

View Slide

• Egress 需要分 2 個層次討論
• Pod Level
• Node Level
• 有否需要管控 Egress Traffic 的方向，如 Azure Firewall 或 NAT Gateway 搭 UDR
Egress 網路連線探討
ARO Network Settings
Ref:

View Slide

連線到外網
了解 Egress Traffic (Outbound Data Flow) 流
From Pod to Internet
The IP is from Pod CIDR of ARO
From Node to Internet
The IP is from VNet Subnet

View Slide

API Server
Visibility
Ingress Visibility
Public Public
Node: night9aro-vpvq9-worker-eastus1-vgkzx
Pod: ocp-debug-container

View Slide

API Server
Visibility
Ingress Visibility
Private Private
Node: night9aro-vpvq9-worker-eastus1-vgkzx
Pod: ocp-debug-container

View Slide

Restrict Egress Traffic

View Slide

Demo

View Slide

pichuang/debug-container
該 Container 包含常見的除錯工具
Ref: https://github.com/pichuang/debug-container

View Slide

Invent with purpose.

View Slide

20230320 Azure Red Hat OpenShift Network Concepts

20230320 Azure Red Hat OpenShift Network Concepts

Phil Huang

More Decks by Phil Huang

Other Decks in Technology

Featured

Transcript