...
- Central Cloud has public IP as CIP
- Traffic Hub has public IP as HIP1 HIP2, ...
- Edge Location (Device) may have a public IP on one edge node (EIP1, ...) or no public IP at all (behind a gateway, EGIP1, ...)
Connection for control plane (e.g. central cloud to k8s API server):
...
- Edge to Edge: Host to host
- Edge to Hub: Host (edge) to Site (Hub, using edge's subnet as rightsubnet)
- Hub to Hub: Host to Host
Opens:
...
Environment Setup (Pre-condition)
...
- K8s cluster is setup (by Kud)
- Web UI, API Server, SDEWAN controller and DB service are deployed (through EMCO)
- Central SDEWAN Config Agent and CNF are deployed (through EMCO) with initial configuration (e.g. as Responder for Edge locations without public IP: left: CIP, leftsubnet: from IP Address manager?, rightsourceip: from IP Address manager?)
Traffic Hub:
- K8s cluster is setup (by Kud)
- Hub SDEWAN Config Agent and CNF are deployed (through EMCO) with initial configuration (e.g. as Responder for Edge locations without public IP: left: HIP, leftsubnet: from IP Address manager?, rightsourceip: from IP Address manager?; enable DNAT for k8s API service and Istio Ingress service).
Edge Location (Public IP):
- K8s cluster is setup (by Kud)
- Edge SDEWAN Config Agent and CNF are deployed (through EMCO) with initial configuration (e.g. enable DNAT for k8s API service and Istio Ingress service).
Edge Location (Private IP):
- K8s cluster is setup (by Kud)
- Edge SDEWAN Config Agent and CNF are deployed (through EMCO) with initial configuration (e.g. enable DNAT for k8s API service and Istio Ingress service; IPsec as Initiator for the control plane: left: %any, leftsourceip: %config, right: CIP / owning Hub's HIP, rightsubnet: 0.0.0.0/0). Note: at this stage an OIP is assigned to the CNF and the Hub-Edge tunnel is set up (to be confirmed).
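The Responder/Initiator pair described above, written out as a strongSwan ipsec.conf pair. This is an added illustration, not configuration generated by SDEWAN or EMCO; the addresses (203.0.113.10 as HIP), identities, certificate file names and the OIP pool 10.200.0.0/24 are placeholders assumed for the example.

```ini
# Traffic Hub CNF: Responder for an edge location without a public IP.
# (Added example with placeholder values; not SDEWAN's own generated config.)
config setup
    uniqueids = yes             # a re-connecting edge replaces its stale SA instead of holding two OIPs

conn hub-to-private-edge
    keyexchange = ikev2
    auto = add                  # responder only: load the conn and wait for the edge to initiate
    left = 203.0.113.10         # HIP (placeholder)
    leftid = hub.example.org
    leftcert = hubCert.pem      # per-node certificate; avoid one PSK shared by every edge
    leftsubnet = 0.0.0.0/0      # edge routes all overlay/control-plane traffic through the hub
    right = %any                # edge sits behind a gateway, its source address is unknown
    rightid = edge-7.example.org    # pin the peer identity so the OIP lease is bound to this edge
    rightsourceip = 10.200.0.0/24   # OIP pool (assumed to come from the IP address manager)
    # To pin exactly one OIP per edge (the single-address variant), use a /32 here instead:
    # rightsourceip = 10.200.0.5/32
    # do NOT set rightsubnet: it defaults to the assigned virtual IP (OIP/32)

# Edge CNF (private IP): Initiator for the control plane.
conn edge-to-hub
    keyexchange = ikev2
    auto = start                # initiator: bring the tunnel up as soon as the CNF starts
    left = %any                 # local address is whatever the gateway gives us
    leftid = edge-7.example.org
    leftcert = edge7Cert.pem
    leftsourceip = %config      # request an OIP from the hub's pool
    right = 203.0.113.10        # HIP (placeholder)
    rightid = hub.example.org
    rightsubnet = 0.0.0.0/0
    keyingtries = %forever      # keep retrying if the hub responder is not up yet
    dpdaction = restart         # re-establish (and re-request the OIP) if the hub goes away
```

With `auto=add` on the hub and `auto=start` plus `keyingtries=%forever` on the edge, start order does not matter for the tunnel itself: the initiator keeps retrying until the responder is reachable. The pool, however, is read when the responder's conn is loaded, so a changed `rightsourceip` still requires reloading the hub configuration.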
Opens:
- In the current tests the IPsec tunnel from Initiator to Responder requires the Responder to be running before the Initiator. That means the SDEWAN CNF in the Hub must be running as Responder before an edge location (with private IP) is set up, and the OIP address range must be configured first (read from the IP address manager?) and cannot be updated at run time. Is this the expected behavior?
- Need to check how to obtain the assigned OIP after the tunnel between Hub and Edge Location (with private IP) is set up (via a strongSwan command?). This is required for the IP address manager and the cluster registration process.
- Solution: the Central Hub controller's IP address manager assigns one OIP, then the Hub responder's IPsec configuration is set with an IP range that includes only that single IP (the OIP). Does this make sense?
- Should the registration of edge location information be done manually by an Admin, or triggered automatically by EMCO's edge location registration process (assuming similar information is shared)?
- Assume the edge location's OIP is assigned once after setup and all following operations (e.g. overlay configuration) reuse this OIP, right?
- If the answer is "No", then multiple OIPs may be assigned to an edge location for different Hubs during overlay configuration, right?
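One way to answer the open item "how to get the assigned OIP after the tunnel is set up": read the Hub responder's `swanctl --list-sas` output and take the virtual IP strongSwan prints for the remote peer. The parser below is an added example, not SDEWAN code; the SA listing it parses is constructed inline in the layout swanctl prints (the bracketed remote virtual IP and the child SA's `remote` traffic selector), and the peer names, addresses and OIPs are placeholders. It also covers the single-OIP variant above by checking the leased OIP against what the IP address manager expected.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of `swanctl --list-sas` output on the Hub responder (placeholder values).
# edge-7 is ESTABLISHED and was handed the OIP 10.200.0.5; edge-9 is still negotiating.
SAMPLE_LIST_SAS = """\
hub-to-private-edge: #3, ESTABLISHED, IKEv2, 1b2c3d4e5f607182_i a1b2c3d4e5f60718_r*
  local  'hub.example.org' @ 203.0.113.10[4500]
  remote 'edge-7.example.org' @ 198.51.100.77[4500] [10.200.0.5]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 42s ago, rekeying in 13902s
  hub-to-private-edge: #3, reqid 3, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 42s ago, rekeying in 3301s, expires in 3918s
    in  c4a1b2c3,      0 bytes,     0 packets
    out c9d8e7f6,      0 bytes,     0 packets
    local  0.0.0.0/0
    remote 10.200.0.5/32
hub-to-private-edge: #4, CONNECTING, IKEv2, 00aa11bb22cc33dd_i 0000000000000000_r
  local  'hub.example.org' @ 203.0.113.10[500]
  remote 'edge-9.example.org' @ 198.51.100.99[500]
"""

IKE_RE = re.compile(r"^(?P<conn>[\w.-]+): #\d+, (?P<state>[A-Z_]+), IKEv\d")
REMOTE_RE = re.compile(r"^  remote '(?P<id>[^']*)' @ (?P<addr>[^\[\s]+)\[\d+\](?: \[(?P<vips>[^\]]+)\])?")
CHILD_TS_RE = re.compile(r"^    remote (?P<ts>\S+)")  # child SA remote traffic selector (4-space indent)


@dataclass
class PeerLease:
    conn: str
    state: str
    remote_id: str = ""
    remote_addr: str = ""
    vips: List[str] = field(default_factory=list)          # virtual IPs the hub assigned to this peer
    child_remote_ts: List[str] = field(default_factory=list)


def parse_list_sas(text: str) -> List[PeerLease]:
    """Split swanctl --list-sas text into one PeerLease per IKE_SA."""
    leases: List[PeerLease] = []
    cur: Optional[PeerLease] = None
    for line in text.splitlines():
        m = IKE_RE.match(line)          # IKE_SA header lines are not indented
        if m:
            cur = PeerLease(conn=m["conn"], state=m["state"])
            leases.append(cur)
            continue
        if cur is None:
            continue
        m = REMOTE_RE.match(line)       # "  remote 'id' @ addr[port] [vip ...]"
        if m:
            cur.remote_id = m["id"]
            cur.remote_addr = m["addr"]
            if m["vips"]:
                cur.vips = m["vips"].split()
            continue
        m = CHILD_TS_RE.match(line)     # "    remote 10.200.0.5/32" under a CHILD_SA
        if m:
            cur.child_remote_ts.append(m["ts"])
    return leases


def assigned_oip(lease: PeerLease) -> Optional[str]:
    """OIP for an established peer: the remote virtual IP, else a /32 child TS. None if not up yet."""
    if lease.state != "ESTABLISHED":
        return None
    if lease.vips:
        return lease.vips[0]
    for ts in lease.child_remote_ts:
        if ts.endswith("/32"):
            return ts[:-3]
    return None


def oip_by_peer(text: str) -> Dict[str, Optional[str]]:
    """Map remote identity -> assigned OIP (None while the tunnel is still CONNECTING)."""
    return {lease.remote_id: assigned_oip(lease) for lease in parse_list_sas(text)}


def check_expected_oips(text: str, expected: Dict[str, str]) -> List[str]:
    """Single-OIP variant: report peers whose leased OIP differs from what the IP address manager assigned."""
    actual = oip_by_peer(text)
    problems = []
    for peer, want in expected.items():
        got = actual.get(peer)
        if got is None:
            problems.append(f"{peer}: tunnel not established, no OIP yet")
        elif got != want:
            problems.append(f"{peer}: leased {got} but IP address manager assigned {want}")
    return problems


if __name__ == "__main__":
    print(oip_by_peer(SAMPLE_LIST_SAS))
    print(check_expected_oips(SAMPLE_LIST_SAS, {"edge-7.example.org": "10.200.0.5",
                                                "edge-9.example.org": "10.200.0.9"}))
```

In the CNF this would be fed from `subprocess.run(["swanctl", "--list-sas"], capture_output=True, text=True).stdout` (or the vici socket), and the registration step should only proceed for peers whose lease is not `None`; a peer that shows up CONNECTING has no OIP to register yet.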
...