Open yxh4n opened 8 months ago
@yxh4n will the two NICs be connected to different external Ethernet networks? If not, do you have a drawing showing the intended IP addresses and communication paths? (Need to understand whether you might accidentally create an L2 loop resulting in broadcast storms, or you intend to use link aggregation, or something else for those two NICs.)
For the simpler case of one NIC connected to an external Ethernet network (or two NICs connected to two separate external Ethernet networks), you define a switch network instance (or two if two NICs), and then for the app instances which use this you define IP-level ACLs. If you want all traffic to pass you specify an ACL for 0.0.0.0/0. But you can also specify different IP ranges and TCP/UDP ports to allow.
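The difference between an allow-all entry for 0.0.0.0/0 and entries scoped to IP ranges and TCP/UDP ports, as an added example that is not part of the thread or of EVE's code. The rule field names (`ip`, `protocol`, `port`) are a simplified model made up for this sketch, not EVE's configuration schema, and it assumes an empty ACL passes no traffic.

```python
import ipaddress

# Constructed sample rules; the field names are this example's own simplified
# model, not EVE's configuration schema.
ALLOW_ALL = [{"ip": "0.0.0.0/0"}]
NARROW = [
    {"ip": "192.168.10.0/24", "protocol": "tcp", "port": 443},
    {"ip": "192.168.10.53/32", "protocol": "udp", "port": 53},
]


def ace_matches(ace, ip, protocol, port):
    """True when every condition present in the ACE matches the flow."""
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(ace["ip"]):
        return False
    if "protocol" in ace and ace["protocol"] != protocol:
        return False
    if "port" in ace and ace["port"] != port:
        return False
    return True


def permits(aces, ip, protocol, port):
    """Allow-list evaluation: a flow passes only if some ACE matches it.

    Assumption: an empty list passes nothing (implicit deny).
    """
    return any(ace_matches(a, ip, protocol, port) for a in aces)


def allow_all_entries(aces):
    """Return ACEs that admit any IPv4 peer on any protocol and port."""
    return [
        a for a in aces
        if ipaddress.ip_network(a["ip"]).prefixlen == 0
        and "protocol" not in a and "port" not in a
    ]


if __name__ == "__main__":
    for name, acl in (("allow-all", ALLOW_ALL), ("narrow", NARROW), ("empty", [])):
        print(name, "ssh to 192.168.10.7:", permits(acl, "192.168.10.7", "tcp", 22),
              "| allow-all entries:", allow_all_entries(acl))
```

Running `allow_all_entries` over exported ACLs is a quick review check for app instances that were opened up with 0.0.0.0/0 to get a deployment working and never narrowed afterwards.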
RE: will the two NICs be connected to different external Ethernet networks? Yes.
RE: If you want all traffic to pass you specify an ACL for 0.0.0.0/0 Yes. It took me a while to figure out how to do this using the Zededa web UI. What made it difficult to discover was that we started with no ACL for App-Shared. Most solutions I have used so far do not have ACLs for virtual switches (Hyper-V and VMware). Azure VMs/networking is a different story.
When we did add an ACE and update the instance, it was erroring out. It took us a very long time to realize that if we have the ACE already defined in ECI (EVE Container Instance?) in the Outbound, then deploy works.
I was not expecting to do the ACE in the Outbound in the Zededa web UI (because I was thinking inbound/outbound rules).
Anyway, I am wondering if there is a way to do it via CLI?
I have an edge node with 3 NICs. I would like to have the 2 NICs connected to a "switch" configuration so that it can talk to an external flat network.
How can I do this?
The documentation (https://github.com/lf-edge/eve/blob/master/docs/NETWORK-ACLS.md#allow-all-ipv4-traffic) seems to indicate that I have to have an ACL even for layer 2. But I can't figure out how to do this. I have spent too much time researching this - any help is greatly appreciated.