Slide 1

Azure Red Hat OpenShift Network Concepts
Ingress and Egress Network Traffic
Phil Huang, Sr. Cloud Solution Architect
2023/3/20

Slide 2

ARO Network Concepts: Ingress Traffic

Slide 3

Understanding Ingress Traffic (Inbound Data Flow)

• Ingress traffic has two parts that must be decided separately:
  1. API Server visibility
  2. Ingress visibility
• What is the difference between Public and Private?
  • Public: the endpoint is reachable from the Internet
  • Private: the endpoint is not reachable from the Internet
• Visibility cannot be changed after the cluster is created, so the ingress direction has to be decided at design time.

Ref:

Scenario   API Server Visibility   Ingress Visibility   Notes
           (https://api.)          (https://*.apps.)
Case 1     Public                  Public               Everything is exposed externally, including the API server
Case 2     Private                 Private              Common; nothing is reachable from the Internet
Case 3     Private                 Public               Common; the API server stays on the internal network, but application services are exposed externally
Case 4     Public                  Private              N/A
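The following shell script is an added example (it is not from the deck, nor part of ARO's own tooling) showing how the table above turns into an `az aro create` call, why Case 4 is rejected up front, and how to read the visibility back from `az aro show` after creation, since it cannot be changed later. The resource group, cluster, VNet and subnet names are placeholder assumptions; the `--apiserver-visibility` and `--ingress-visibility` flags and the `apiserverProfile`/`ingressProfiles` fields are the Azure CLI's own.

```shell
#!/bin/sh
# Added example, not from the slide deck: choose and verify ARO visibility.
# RG, CLUSTER, VNET and the subnet names are placeholders (assumed values).

RG=${RG:-aro-rg}
CLUSTER=${CLUSTER:-aro-cluster}
VNET=${VNET:-aro-vnet}
MASTER_SUBNET=${MASTER_SUBNET:-master-subnet}
WORKER_SUBNET=${WORKER_SUBNET:-worker-subnet}

# The table in the slide: a Public API server with Private ingress (Case 4) is N/A.
aro_visibility_allowed() {
  case "$1/$2" in
    Public/Public|Private/Private|Private/Public) return 0 ;;
    *) return 1 ;;
  esac
}

# Visibility is fixed at creation time, so it must be passed to az aro create.
aro_create_cmd() {
  api=$1; ingress=$2
  if ! aro_visibility_allowed "$api" "$ingress"; then
    echo "unsupported combination: API=$api Ingress=$ingress" >&2
    return 1
  fi
  printf 'az aro create --resource-group %s --name %s --vnet %s --master-subnet %s --worker-subnet %s --apiserver-visibility %s --ingress-visibility %s\n' \
    "$RG" "$CLUSTER" "$VNET" "$MASTER_SUBNET" "$WORKER_SUBNET" "$api" "$ingress"
}

# Read back what the cluster actually got; a dict query with -o tsv prints one
# tab-separated row: "<api visibility><TAB><ingress visibility>".
aro_show_visibility_cmd() {
  printf "az aro show --resource-group %s --name %s --query '{api:apiserverProfile.visibility,ingress:ingressProfiles[0].visibility}' -o tsv\n" \
    "$RG" "$CLUSTER"
}

# Compare that tsv row ($3) with the design decision ($1 = API, $2 = ingress).
aro_verify_visibility() {
  want_api=$1; want_ingress=$2
  set -- $3   # split the row on the tab
  [ "$1" = "$want_api" ] && [ "$2" = "$want_ingress" ]
}

# Usage: print the commands for Case 3, then show Case 4 being refused.
aro_create_cmd Private Public
aro_show_visibility_cmd
aro_create_cmd Public Private || echo "(Case 4 rejected before calling az)"
```

Running the script only prints the commands; pipe the `az aro show` line into `aro_verify_visibility` once the cluster exists to confirm the result matches the scenario that was chosen.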

Slide 4

Diagram: API Server Visibility = Public, Ingress Visibility = Public (Case 1)

Slide 5

Diagram: API Server Visibility = Private, Ingress Visibility = Private (Case 2)

Slide 6

Diagram: API Server Visibility = Private, Ingress Visibility = Public (Case 3)

Slide 7

ARO Network Concepts: Egress Traffic

Slide 8

Egress network connectivity

• Egress has to be discussed at two levels:
  • Pod level
  • Node level
• Decide whether the direction of egress traffic must be controlled, for example with Azure Firewall or a NAT Gateway combined with a UDR (user-defined route)

ARO Network Settings Ref:

Slide 9

Understanding Egress Traffic (Outbound Data Flow): connecting to the Internet

From Pod to Internet: the source IP is an address from the ARO Pod CIDR
From Node to Internet: the source IP is an address from the VNet subnet

These are the source addresses seen at each hop inside the cluster. When a pod's packet leaves its node it is SNATed to the node's VNet subnet address, and Azure in turn SNATs the node address to the cluster's outbound public IP (the default public load balancer, or the NAT Gateway / Azure Firewall when a UDR is in place), which is the address an Internet-side service actually sees.
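To make the hop-by-hop view concrete, the following shell script is an added example (not from the deck) that classifies a captured source address as pod, node or public using a pure-sh IPv4-in-CIDR check, and builds the `oc` commands used to observe egress from a pod versus from a node. The Pod CIDR is the ARO default; the worker subnet prefix, the sample addresses and the image registry for `pichuang/debug-container` are assumptions.

```shell
#!/bin/sh
# Added example, not from the slide deck: where in the egress path did a
# source address come from?  POD_CIDR is the ARO default; the worker subnet
# prefix and the sample addresses below are constructed for illustration.

POD_CIDR=${POD_CIDR:-10.128.0.0/14}
WORKER_SUBNET_CIDR=${WORKER_SUBNET_CIDR:-10.0.2.0/23}
IMAGE=${IMAGE:-pichuang/debug-container}   # registry/tag assumed

# Dotted-quad IPv4 -> 32-bit integer (positional params are local to the function).
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when address $1 lies inside prefix $2 ("a.b.c.d/len").
ip_in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# pod: still carries the Pod CIDR address (before SNAT on the node)
# node: carries the node's VNet subnet address (after node SNAT, before Azure SNAT)
# public: the cluster's outbound IP, which is what the Internet-side server logs
classify_egress_src() {
  if ip_in_cidr "$1" "$POD_CIDR"; then echo pod
  elif ip_in_cidr "$1" "$WORKER_SUBNET_CIDR"; then echo node
  else echo public
  fi
}

# Commands for the demo: ifconfig.me echoes the caller's public address, so the
# pod and the node both report the post-SNAT outbound IP; the node's own subnet
# address is visible with "ip -4 addr" inside the chroot.
egress_from_pod_cmd() {   # $1 = image
  printf 'oc run egress-test --rm -i --restart=Never --image=%s -- curl -s https://ifconfig.me\n' "$1"
}
egress_from_node_cmd() {  # $1 = node name
  printf 'oc debug node/%s -- chroot /host curl -s https://ifconfig.me\n' "$1"
}

# Constructed sample: one address captured at each vantage point.
SAMPLE="10.128.2.17
10.0.2.5
20.42.1.9"

demo() {
  for src in $SAMPLE; do
    printf '%-14s %s\n' "$src" "$(classify_egress_src "$src")"
  done
  egress_from_pod_cmd "$IMAGE"
  egress_from_node_cmd night9aro-vpvq9-worker-eastus1-vgkzx
}

demo
```

The classifier is what you would run over the source column of a firewall or NetFlow export to tell whether a flow was captured before or after each SNAT; a "pod" address showing up at the VNet edge would mean the node-level SNAT was bypassed, which is worth investigating.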

Slide 10

Demo screenshot: API Server Visibility = Public, Ingress Visibility = Public
Node: night9aro-vpvq9-worker-eastus1-vgkzx
Pod: ocp-debug-container

Slide 11

Demo screenshot: API Server Visibility = Private, Ingress Visibility = Private
Node: night9aro-vpvq9-worker-eastus1-vgkzx
Pod: ocp-debug-container

Slide 12

Restrict Egress Traffic
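As an added example of the Azure Firewall plus UDR option mentioned earlier (this is not the deck's own code), the following shell script puts the default, unrestricted creation next to the restricted one: a route table sends 0.0.0.0/0 from both ARO subnets to the firewall's private IP, the firewall allow-lists outbound FQDNs, and the cluster is created with `--outbound-type UserDefinedRouting` so ARO does not rely on the public load balancer for egress. Resource names and the firewall IP are placeholders, and the FQDN allow-list is an illustrative subset, not the complete list ARO requires.

```shell
#!/bin/sh
# Added example, not from the slide deck: restrict ARO egress with a UDR to
# Azure Firewall.  All names and the firewall private IP are placeholders.
# The az network firewall commands need: az extension add -n azure-firewall

RG=${RG:-aro-rg}
VNET=${VNET:-aro-vnet}
MASTER_SUBNET=${MASTER_SUBNET:-master-subnet}
WORKER_SUBNET=${WORKER_SUBNET:-worker-subnet}
FW_NAME=${FW_NAME:-aro-fw}
FW_PRIVATE_IP=${FW_PRIVATE_IP:-10.0.100.4}
ROUTE_TABLE=${ROUTE_TABLE:-aro-udr}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the az commands, 0 = execute them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Weak (default) setting: no UDR, outbound via the public load balancer, so any
# pod or node can reach any Internet host and nothing can be allow-listed.
aro_create_default_egress() {   # $1 = cluster name
  run az aro create --resource-group "$RG" --name "$1" --vnet "$VNET" \
      --master-subnet "$MASTER_SUBNET" --worker-subnet "$WORKER_SUBNET"
}

# Hardened setting: default route to the firewall on both subnets, an explicit
# FQDN allow-list, and a private cluster created with UDR egress.
restrict_egress() {   # $1 = cluster name
  cluster=$1
  run az network route-table create --resource-group "$RG" --name "$ROUTE_TABLE"
  run az network route-table route create --resource-group "$RG" \
      --route-table-name "$ROUTE_TABLE" --name default-to-firewall \
      --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance \
      --next-hop-ip-address "$FW_PRIVATE_IP"
  for subnet in "$MASTER_SUBNET" "$WORKER_SUBNET"; do
    run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
        --name "$subnet" --route-table "$ROUTE_TABLE"
  done
  # Illustrative subset only; take the full required-FQDN list from the ARO docs.
  run az network firewall application-rule create --resource-group "$RG" \
      --firewall-name "$FW_NAME" --collection-name aro-egress --name aro-required \
      --priority 100 --action Allow --source-addresses '*' --protocols Https=443 \
      --target-fqdns registry.redhat.io quay.io management.azure.com
  run az aro create --resource-group "$RG" --name "$cluster" --vnet "$VNET" \
      --master-subnet "$MASTER_SUBNET" --worker-subnet "$WORKER_SUBNET" \
      --apiserver-visibility Private --ingress-visibility Private \
      --outbound-type UserDefinedRouting
}

# Usage: print both variants side by side.
echo "# default egress"; aro_create_default_egress aro-public
echo "# restricted egress"; restrict_egress aro-private
```

Order matters: the route table must be attached before `az aro create`, because with UserDefinedRouting the installer expects the subnets to already reach the required endpoints through the firewall; attaching the UDR afterwards to a cluster built with load-balancer egress silently breaks image pulls and Azure API calls.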

Slide 13

ARO Network Concepts: Demo

Slide 14

pichuang/debug-container: a container image that bundles common debugging tools
Ref: https://github.com/pichuang/debug-container

Slide 15

Invent with purpose.