Feature - Egress network IP allocation per Org (and maybe Space) #106

laidbackware opened this issue Jan 9, 2024 · 1 comment
Context

People who run CF are generally large regulated enterprises. They generally have large, complex network topologies with firewalls in multiple places. Whilst you can control traffic out of CF with a security group, this traffic could need to pass through more external firewalls, and it is normal for security departments to want to be able to identify traffic based on IP address. This is possible with per-Org SNAT translation on Tanzu Application Service with the NSX-T container plugin and on Kubernetes CNIs such as Antrea.

Using Antrea as the example, this feature is implemented via iptables.

Feature

I would like the ability to have Silk automatically assign a SNAT IP address per Org and maybe space, so that all traffic egresses through these IP addresses. This would give Silk feature parity with the NSX container plugin.

The simplest implementation could be via dedicated egress nodes that have an interface inside the network to be used for egress. A more advanced implementation could involve dedicated egress nodes having a BGP relationship with an upstream router, to allow for dynamic networking and growth over time.

Contributor

MarcPaquette commented Sep 30, 2024

Hi @laidbackware,

We're bringing this feature up with product management (@ssisil) for discussion.

Thanks for your patience so far!
