Comments (9)
Hey Bill, thanks for filing the issue.
It's essentially an air gapped management network
This by itself shouldn't be an issue.
two additional "isolated" Workload networks.
Can you elaborate a bit what you mean by isolated here. Is it that these networks are not routable to each other, but they are routable to the primary WL network? We only support a configuration in which workload networks are L3 routable to each other. Apologies if that is the case here and I'm simply misinterpreting your comment.
Do you mind sharing which routes you added as workarounds and why this was sufficient for your needs?
Could you also clarify a bit more what you are asking? Is it support for such a network topology in general or automation around the route configuration?
from vmware-haproxy.
The workload networks are routable to each other.
from vmware-haproxy.
Its more or less the section in the VMware documentation on Tanzu with vSphere Networking Topologies document called "Topology with Multiple Isolated Workload Networks":
And the HA Proxy 3 NIC configuration
from vmware-haproxy.
Thank you for the excellent diagram. It is very helpful in understanding what you're accomplishing.
We have two options.
- Make the workload network the default gateway instead of the management network. This means that anything that is routable via the management network will no longer be accessible. At present this is only expected to be vCenter, but if that changes in the future there could be an issue. At present though it's not an issue.
- Add logic to issue a NIC per workload network. This is useful because it's clear how workload networks would be routed and would not change existing behavior. However, it comes with downside as the user must enter all of these into the configuration screen. If a user has a large number of workload networks, they could make mistakes. Terminology would also likely have to change which could cause some confusion for users.
@souhradab I want to get your opinion whether you prefer one option or another. Thanks!
from vmware-haproxy.
@daniel-corbett we would welcome your advice if you're interested as well.
from vmware-haproxy.
Regarding (1), without binding your options maybe just giving the option for custom (static) routes will help solve this for people with special setups like mine. You could even till give the option of setting any interface as default GW.
Regarding (2), NIC per workload network will likely run into VM virtual NIC limits in larger environments.
from vmware-haproxy.
Regarding (1), without binding your options maybe just giving the option for custom (static) routes will help solve this for people with special setups like mine. You could even till give the option of setting any interface as default GW.
This is true, but we also want to keep things simple. By default, workload networks must be routable to each other, which means defaulting to the workload gateway would be good enough for the majority of users. Allowing users to add specific routes by default may also encourage complex configurations which may increase the cost to debug for both users and VMware/HAProxy.
For more complex configurations, users are free to make edits to route configurations as they wish once the appliance is stood up. In this setup, they are the owners of the appliance. It's unclear if adding passthrough code for routes as a tradeoff for an even more complex configuration is a net benefit over a default gateway.
I agree with your point on NIC limits. If we expect a large number of networks for some users, this is probably not a viable option if we want to trouble that user segment.
from vmware-haproxy.
After more thought, making workload the default gateway may make it harder for some users to manage the appliance over something like SSH. Routes, as you suggested, might be the way to go here.
from vmware-haproxy.
maybe some sort of menu item: default GW on management or workload network? And then, based on the choice: static routes needed, if necessary, on the interface that is NOT the default GW assigned interface.
from vmware-haproxy.
Related Issues (20)
- Ensure link-scoped routes are deleted when route-tables.service is shut down
- A route rule is added for each line in route-tables.cfg
- Management Network IP Subnet mask ignored HOT 1
- Security Issue CVE-2021-40346 HOT 1
- Support for custom NTP during deployment
- Support for SSH keys as login method at deployment
- vmware-haproxy for Tanzu Kubernets Grid1.4 HOT 2
- Request to add Traceroute packaged on the HAProxy by default
- Enable Identity management in vsphere with tanzu
- Clear Text Credentials stored on VM post Install
- Help with install HOT 3
- Dataplane API 2.x and newer versions
- Tool for collecting diagnostics information HOT 1
- some post ova deployment issues
- Can't SSH to get generated certificate to paste in vcenter
- terraform deployment HOT 1
- Add ability to override DataPlaneAPI build consumed
- anyip-routes and route-tables services should be resilient to failures
- When will next release ova be available? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vmware-haproxy.