Azure Red Hat OpenShift Network Concepts Phil Huang Sr. Cloud Solution Architect 2023/3/20 Ingress and Egress Network Traffic

Ingress Traffic ARO Network Concepts

• Ingress Traffic 需要討論 2 個部分 1. API Server visibility 2. Ingress visibility • Public 和 Private 的差異? • Public: 服務有對 Internet • Private: 服務沒有對 Internet • 設定後，不能事後修改 設計初始就需決定 Ingress 的方向 了解 Ingress Traffic (Inbound Data Flow) 流 Ref: API Server Visibility Ingress Visibility Scenario https://api. https://*.apps. Case 1 Public Public 全部對外服務，包含 API Server Case 2 Private Private 常見，全部都不能出外網 Case 3 Private Public 常見，API 在內網，但服務對外 Case 4 Public Private N/A

API Server Visibility Ingress Visibility Public Public

API Server Visibility Ingress Visibility Private Private

API Server Visibility Ingress Visibility Private Public

Egress ARO Network Concepts

• Egress 需要分 2 個層次討論 • Pod Level • Node Level • 有否需要管控 Egress Traffic 的方向，如 Azure Firewall 或 NAT Gateway 搭 UDR Egress 網路連線探討 ARO Network Settings Ref:

連線到外網 了解 Egress Traffic (Outbound Data Flow) 流 From Pod to Internet The IP is from Pod CIDR of ARO From Node to Internet The IP is from VNet Subnet

API Server Visibility Ingress Visibility Public Public Node: night9aro-vpvq9-worker-eastus1-vgkzx Pod: ocp-debug-container

API Server Visibility Ingress Visibility Private Private Node: night9aro-vpvq9-worker-eastus1-vgkzx Pod: ocp-debug-container

Restrict Egress Traffic

Demo ARO Network Concepts

pichuang/debug-container 該 Container 包含常見的除錯工具 Ref: https://github.com/pichuang/debug-container

Invent with purpose.