Thanks, Dan, for the info. Are you saying we need to block the VXLAN port using a traditional subnet firewall between Internal <-> External nodes?
Is it blocking port 4789 between subnets? Any impact of blocking port 4789 apart from blocking Internal <-> External communication?

--
Srinivas Kotaru

On 1/14/16, 9:03 AM, "Dan Winship" <[email protected]> wrote:

>On 01/13/2016 05:02 PM, Srinivas Naga Kotaru (skotaru) wrote:
>> Dan
>>
>> Thanks for responding. Are you saying we need to install separate
>> cluster installations for internal & external, or use a single
>> cluster but achieve isolation using the VXID approach?
>
>No, neither of those. I'm saying you can just deploy a single cluster,
>without adding any new firewall rules, and it will work the way you
>want. (Internal pods will be able to talk to other internal pods, and
>external pods will be able to talk to other external pods, but internal
>and external won't be able to talk to each other.)
>
>OpenShift itself will still consider it to be a single VXLAN network,
>but if a pod on an internal node tries to talk to a pod on an external
>node, that would require that the internal node send a VXLAN packet to
>the external node, and your existing firewall will block that, so the
>attempt will fail. Likewise for external-to-internal. So although
>OpenShift is unaware of it, your VXLAN is effectively partitioned.
>
>-- Dan
>

_______________________________________________
dev mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
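The partitioning Dan describes can be checked before deployment by modelling the existing subnet firewall and asking, for each node pair, whether the encapsulating UDP/4789 datagram would get through in both directions. The script below is an added illustration, not code from the thread or from OpenShift; the subnets, node addresses and the existing allow rule are constructed examples, and the firewall is simplified to "same subnet is switched locally, cross-subnet is default-deny with an explicit allow list".

```python
import ipaddress

# Constructed example subnets for the two node groups; the real ones are not in the thread.
INTERNAL = ipaddress.ip_network("10.10.0.0/24")
EXTERNAL = ipaddress.ip_network("10.20.0.0/24")
SUBNETS = [INTERNAL, EXTERNAL]
VXLAN_PORT = 4789  # UDP port used for the VXLAN encapsulation between nodes

# Simplified model of the existing "traditional subnet firewall" between the subnets:
# (src_net, dst_net, proto, dst_port) entries that are explicitly allowed across the
# boundary; anything not listed is dropped. Note there is deliberately no UDP/4789
# entry, which is the "without adding any new firewall rules" situation from the thread.
CROSS_SUBNET_ALLOW = [
    (INTERNAL, EXTERNAL, "tcp", 443),  # constructed example of a pre-existing rule
]

def _subnet_of(ip):
    return next((net for net in SUBNETS if ip in net), None)

def firewall_allows(src_ip, dst_ip, proto, dst_port):
    """True if a datagram src->dst would be delivered in this model."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_net, dst_net = _subnet_of(src), _subnet_of(dst)
    if src_net is None or dst_net is None:
        return False  # unknown address: not a node we model
    if src_net == dst_net:
        return True  # switched within the subnet, never reaches the firewall
    return any(src in s and dst in d and proto == p and dst_port == port
               for s, d, p, port in CROSS_SUBNET_ALLOW)

def pods_can_talk(src_node_ip, dst_node_ip):
    """Pod-to-pod traffic between two nodes rides inside a VXLAN packet from the
    source node to the destination node, so it works only if UDP/4789 is allowed
    in both directions between those node addresses."""
    return (firewall_allows(src_node_ip, dst_node_ip, "udp", VXLAN_PORT)
            and firewall_allows(dst_node_ip, src_node_ip, "udp", VXLAN_PORT))

def partition_report(node_ips):
    """Map every ordered node pair to whether their pods can reach each other,
    i.e. the effective overlay partition that OpenShift itself does not see."""
    return {(a, b): pods_can_talk(a, b) for a in node_ips for b in node_ips if a != b}

if __name__ == "__main__":
    for (a, b), ok in sorted(partition_report(["10.10.0.5", "10.10.0.6", "10.20.0.5"]).items()):
        print(f"{a} -> {b}: {'reachable' if ok else 'partitioned'}")
```

Running it prints that the two internal nodes reach each other while every internal/external pair is partitioned, which is the behaviour Dan describes; if an administrator later adds a cross-subnet UDP/4789 allow rule, the report shows the partition disappearing.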
