Network architecture for CAPA/CAPV hybrid MC

[anvddriesch]

some resources:
https://rutgerblom.com/2020/01/07/site-to-site-vpn-between-nsx-t-tier-1-and-aws-vpc/
https://intranet.giantswarm.io/docs/product/providers/capz/multi-provider/

Our MC is on CAPA. It is capable of provisioning CAPV and CAPA workload clusters.|
CAPA MC is private with proxy
CAPA MC is able to access the vSphere API.
CAPA MC is able to access all CAPV WCs.
CAPV WCs are able to access endpoints (k8s API and ingresses) of the MC.

Tasks

Beta Give feedback

1. IONOS - GS VPN
2. IONOS - AWS
3. AWS - GS VPN
4. AWS - IONOS
5. extend noproxy

[anvddriesch]

We set up the VPNs on IONOS and AWS sides modeled based on our Azure environment.
Thanks to Simon and Xavier we finally got it working and Vsphere nodes are now reachable from goat mc nodes.

[anvddriesch]

CAPA MC is private with proxy ✅
CAPA MC is able to access all CAPV WCs. ✅
CAPV WCs are able to access endpoints (k8s API and ingresses) of the MC. ✅
CAPA MC is able to access the vSphere API. ⛔

For some odd reason we can not make the connection from AWS through GS VPN to the vcenter work. We tried on a different installation and had the same problem so it does not seem to be specific to the private environment but related to aws.

[glitchcrab]

i don't want to lose this - we need to add vcenter-rhr3c72bx1.ionoscloud.tools to goat's NO_PROXY vars