Context
People who run CF are generally large regulated enterprises with large, complex network topologies and firewalls in multiple places. Whilst you can control traffic out of CF with application security groups (ASGs), that traffic may still have to pass through further external firewalls, and it is normal for security departments to want to identify traffic by source IP address. Per-Org SNAT is already possible on Tanzu Application Service with the NSX-T container plugin, and on Kubernetes with CNIs such as Antrea.
Using Antrea as the example, this feature is implemented with iptables SNAT rules on the node that carries the egress IP.
Feature
I would like the ability to have Silk automatically assign a SNAT IP address per Org, and maybe per Space, so that all traffic leaving an Org egresses through its assigned IP address. This would give Silk feature parity with the NSX-T container plugin.
The simplest implementation could use dedicated egress nodes that have an interface inside the network to be used for egress. A more advanced implementation could involve dedicated egress nodes having a BGP relationship with an upstream router, to allow for dynamic networking and growth over time.
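As an added example of what the iptables side of the "simplest implementation" looks like on a dedicated egress node (this is not Silk's or Antrea's code, and Silk has no such feature today), the script below builds one ipset per Org holding that Org's container IPs and a nat/POSTROUTING SNAT rule per Org. The overlay CIDR, interface name, Org names, container IPs and egress IPs are all constructed sample values. It runs in dry-run mode by default so the generated rules can be reviewed, or handed to the firewall team as the list of source addresses to expect, before anything is applied to a node.

```shell
#!/bin/sh
# Added example, not Silk's or Antrea's code. Models per-Org SNAT on a dedicated
# egress node with ipset + iptables. Assumptions (all hypothetical): one ipset per
# Org holding that Org's container IPs, one egress IP per Org configured on the
# node's external interface, and an overlay CIDR whose internal traffic must not
# be NATed. DRY_RUN=1 (default) prints the commands instead of executing them.

IPT=${IPT:-iptables}
IPSET=${IPSET:-ipset}
DRY_RUN=${DRY_RUN:-1}
OVERLAY_CIDR=${OVERLAY_CIDR:-10.255.0.0/16}   # assumed container overlay range
EGRESS_IF=${EGRESS_IF:-eth1}                   # assumed interface toward the firewalls

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ipset names are limited to 31 characters; restrict the charset so an Org
# name can never become shell or iptables syntax.
org_set_name() {
  case "$1" in
    *[!A-Za-z0-9_-]*|'') return 1 ;;
  esac
  name="cf-org-$1"
  [ ${#name} -le 31 ] || return 1
  printf '%s' "$name"
}

# Rules shared by every Org. Must be installed before any per-Org rule:
# overlay-to-overlay traffic keeps its real source, and replies to flows the
# conntrack table already knows are forwarded (conntrack un-NATs them).
egress_init() {
  run "$IPT" -t nat -A POSTROUTING -s "$OVERLAY_CIDR" -d "$OVERLAY_CIDR" -j RETURN
  run "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# org_egress_rules ORG EGRESS_IP CONTAINER_IP...
# Binds every listed container IP of ORG to EGRESS_IP on the external interface.
org_egress_rules() {
  org=$1; egress_ip=$2; shift 2
  set_name=$(org_set_name "$org") || { echo "bad org name: $org" >&2; return 1; }
  run "$IPSET" create "$set_name" hash:ip -exist
  for ip in "$@"; do
    run "$IPSET" add "$set_name" "$ip" -exist
  done
  run "$IPT" -A FORWARD -o "$EGRESS_IF" -m set --match-set "$set_name" src -j ACCEPT
  run "$IPT" -t nat -A POSTROUTING -o "$EGRESS_IF" -m set --match-set "$set_name" src \
      -j SNAT --to-source "$egress_ip"
}

# Fail closed: a container that belongs to no mapped Org is dropped rather than
# leaving with the node's own address, which would defeat the per-Org IP
# identification the firewall team relies on.
egress_finalize() {
  run "$IPT" -A FORWARD -o "$EGRESS_IF" -s "$OVERLAY_CIDR" -j DROP
}

# Constructed sample: two Orgs, each with a few container IPs and its own egress IP.
if [ "${EGRESS_DEMO:-1}" = 1 ]; then
  egress_init
  org_egress_rules finance 192.0.2.11 10.255.1.5 10.255.2.7
  org_egress_rules hr      192.0.2.12 10.255.3.9
  egress_finalize
fi
```

Run it as-is to see the rule set; run with `DRY_RUN=0` as root on the egress node to apply it. The order matters: the overlay RETURN rule in `egress_init` has to sit above the per-Org SNAT rules, and the DROP in `egress_finalize` has to be last. Whatever component assigned the container IPs (Silk, in the feature requested above) would be the one keeping the ipsets up to date as containers come and go; what this script does not cover is moving an Org's egress IP to another node when the egress node fails, which the BGP variant described above is one way to address.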