|
| 1 | +# Proposed API |
| 2 | + |
| 3 | +All connections between VPCs is done via `Peering` object. |
| 4 | + |
| 5 | +2 VPCs can only have a single `Peering` object between them. |
| 6 | + |
| 7 | +External connections are modeled as VPCs where we can separately configure |
| 8 | +how we map incoming traffic to thhe VPC (VNI, VLAN, QinQ, MPLS, etc.) |
| 9 | + |
| 10 | +## Duplicate/Ambiguous routes |
| 11 | + |
| 12 | +Here, there are no duplicate IP restrictions, if there is multipath you just get |
| 13 | +ECMP. We can warn the user. The policy is based on whatever route we pick. However, |
| 14 | +there are route metrics to prefer one path to the other. |
| 15 | + |
| 16 | +This helps with the multiple external cases where one VPC is routing to 2 externals |
| 17 | +and we want to use route metrics advertised via BGP to choose routes. |
| 18 | + |
| 19 | +## Questions |
| 20 | + |
| 21 | +Is this implementable? |
| 22 | + |
| 23 | +frostman and mvachhar believe so, others should check |
| 24 | + |
| 25 | +Do we need explict NAT for use cases that don't involve fabric? |
| 26 | + |
| 27 | +Is all round trip routing stateless, or can we specify directional stateful routing? |
| 28 | + |
| 29 | +frostman and mvachhar think that if the expose is not stateless, return routing can |
| 30 | +be based on flow state. How does this interact with other configuration? |
| 31 | + |
| 32 | +## Use Cases |
| 33 | + |
| 34 | +```yaml |
| 35 | +# Static NAT, VPC 1 -> VPC 2 and vice versa |
| 36 | +# VPC 2 exposes http port 80 on its private subnet 10.2.1.1/32 |
| 37 | +# Any IP from VPC 1 can connect to VPC 2 on 10.2.1.1/32 |
| 38 | +# All static, no dynamic/stateful |
| 39 | +kind: Peering |
| 40 | +metadata: |
| 41 | + name: foo |
| 42 | +spec: |
| 43 | + vpc1: |
| 44 | + ips: |
| 45 | + - cidr: 10.1.1.0/24 |
| 46 | + as: # Means static Src/Dst NAT for vpc1 |
| 47 | + - 192.168.1.0/24 |
| 48 | + ingress: |
| 49 | + - allow: |
| 50 | + stateless: true # it's the only options supported in the first release |
| 51 | + tcp: |
| 52 | + dst_port: 443 |
| 53 | + vpc2: |
| 54 | + ips: |
| 55 | + - cidr: 10.2.1.0/24 |
| 56 | + ingress: |
| 57 | + - allow: |
| 58 | + stateless: true |
| 59 | + tcp: |
| 60 | + src_port: 443 |
| 61 | +``` |
| 62 | +
|
| 63 | +```yaml |
| 64 | +# vpc-e1 is external 1 and vpc-e2 is external 2 |
| 65 | +# Both advertise a dynamic set of routes, up to and including the whole internet |
| 66 | +kind: gateway/Peering |
| 67 | +metadata |
| 68 | + name: e1-e2 |
| 69 | +spec: |
| 70 | + vpc-e1: |
| 71 | + ips: |
| 72 | + - cidr: 0.0.0.0/0 |
| 73 | + - not: 10.0.0.0/8 |
| 74 | + - not: 192.168.0.0/16 |
| 75 | + - not: 1.2.3.0/24 |
| 76 | + vpc-e2: |
| 77 | + ips: |
| 78 | + - cidr: 0.0.0.0/0 |
| 79 | + - not: 10.0.0.0/8 |
| 80 | + - not: 192.168.0.0/16 |
| 81 | + - not: 3.2.1.0/30 |
| 82 | +``` |
| 83 | +
|
| 84 | +```yaml |
| 85 | +# internet access from vpc-1 using external vpc-e1 |
| 86 | +spec: |
| 87 | + vpc-1: |
| 88 | + ips: |
| 89 | + - cidr: 10.1.1.0/24 |
| 90 | + vpc-e1: |
| 91 | + ips: |
| 92 | + - cidr: 0.0.0.0/0 |
| 93 | + - not: 10.0.0.0/8 |
| 94 | + - not: 192.168.0.0/16 |
| 95 | + - not: 3.2.1.0/30 |
| 96 | + as: # Is this dynamic NAT since there are too few addresses here? |
| 97 | + # which direction is the NAT here? |
| 98 | + # or should this be on vpc-1 |
| 99 | + - 192.168.1.0/30 |
| 100 | +``` |
| 101 | +
|
| 102 | +```yaml |
| 103 | +# vpc-1 connects to internet using vpc-e1 or vpc-e2 based on cost |
| 104 | +spec: |
| 105 | + vpc-1: |
| 106 | + ips: |
| 107 | + - cidr: 10.1.1.0/24 |
| 108 | + as: |
| 109 | + - 192.168.1.0/30 |
| 110 | + natType: stateful |
| 111 | + vpc-e1: |
| 112 | + metric: 0 # add 0 to the advertised route metrics |
| 113 | + # At what point do we not advertise these routes to the switch, how do we decide? |
| 114 | + ips: |
| 115 | + - cidr: 0.0.0.0/0 |
| 116 | + - not: 10.0.0.0/8 |
| 117 | + - not: 192.168.0.0/16 |
| 118 | + - not: 1.2.3.0/30 |
| 119 | +--- |
| 120 | +spec: |
| 121 | + vpc-1: |
| 122 | + ips: |
| 123 | + - cidr: 10.1.1.0/24 |
| 124 | + as: |
| 125 | + - 192.168.1.0/30 |
| 126 | + natType: stateful |
| 127 | + vpc-e2: |
| 128 | + metric: 10 # add 10 to the route metric advertised externally |
| 129 | + # At what point do we not advertise these routes to the switch, how do we decide? |
| 130 | + ips: |
| 131 | + - cidr: 0.0.0.0/0 |
| 132 | + - not: 10.0.0.0/8 |
| 133 | + - not: 192.168.0.0/16 |
| 134 | + - not: 3.2.1.0/30 |
| 135 | +``` |
| 136 | +
|
| 137 | +```yaml |
| 138 | +# vpc-1 <> vpc-1 with overlapping subnets |
| 139 | +spec: |
| 140 | + vpc-1: |
| 141 | + ips: |
| 142 | + - cidr: 10.1.1.0/24 |
| 143 | + - not: 10.1.1.42/32 |
| 144 | + as: |
| 145 | + - 192.168.1.0/24 |
| 146 | + vpc-2: |
| 147 | + ips: |
| 148 | + - cidr: 10.1.1.0/24 |
| 149 | + as: |
| 150 | + - 192.168.2.0/24 |
| 151 | + |
| 152 | +# { src: vpc-1,10.1.1.0/24 ; dst: 192.168.2.0/24 } |
| 153 | +# { src: vpc-2,10.1.1.0/24 ; dst: 192.168.1.0/24 } |
| 154 | +``` |
0 commit comments