modules/nw-egress-ips-about.adoc
51 additions & 0 deletions
@@ -149,6 +149,57 @@ On Azure, the following capacity limits exist for IP address assignment:
149
149
150
150
For more information, see link:https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#networking-limits[Networking limits].
== Considerations for using an egress IP on additional network interfaces
154
+
155
+
:FeatureName: Using an egress IP on additional network interfaces
156
+
include::snippets/technology-preview.adoc[]
157
+
158
+
In {product-title}, egress IPs provide administrators a way to control network traffic. Egress IPs can be used with the `br-ex`, or primary, network interface, which is a Linux bridge interface associated with Open vSwitch, or they can be used with additional network interfaces.
159
+
160
+
You can inspect your network interface type by running the following command:
161
+
162
+
[source,terminal]
163
+
----
164
+
$ ip -details link show
165
+
----
166
+
167
+
The primary network interface is assigned a node IP address which also contains a subnet mask. Information for this node IP address can be retrieved from the Kubernetes node object for each node within your cluster by inspecting the `k8s.ovn.org/node-primary-ifaddr` annotation. In an IPv4 cluster, this annotation is similar to the following example: `"k8s.ovn.org/node-primary-ifaddr: {"ipv4":"192.168.111.23/24"}"`.
168
+
169
+
If the egress IP is not within the subnet of the primary network interface subnet, you can use an egress IP on another Linux network interface that is not of the primary network interface type. By doing so, {product-title} administrators are provided with a greater level of control over networking aspects such as routing, addressing, segmentation, and security policies. This feature provides users with the option to route workload traffic over specific network interfaces for purposes such as traffic segmentation or meeting specialized requirements.
170
+
171
+
If the egress IP is not within the subnet of the primary network interface, then the selection of another network interface for egress traffic might occur if they are present on a node.
172
+
173
+
You can determine which other network interfaces might support egress IPs by inspecting the `k8s.ovn.org/host-cidrs` Kubernetes node annotation. This annotation contains the addresses and subnet mask found for the primary network interface. It also contains additional network interface addresses and subnet mask information. These addresses and subnet masks are assigned to network interfaces that use the link:https://networklessons.com/cisco/ccna-200-301/longest-prefix-match-routing[longest prefix match routing] mechanism to determine which network interface supports the egress IP.
174
+
175
+
[NOTE]
176
+
====
177
+
OVN-Kubernetes provides a mechanism to control and direct outbound network traffic from specific namespaces and pods. This ensures that it exits the cluster through a particular network interface and with a specific egress IP address.
=== Requirements for assigning an egress IP to a network interface that is not the primary network interface
183
+
184
+
For users who want an egress IP and traffic to be routed over a particular interface that is not the primary network interface, the following conditions must be met:
185
+
186
+
* {product-title} is installed on a bare metal cluster. This feature is disabled within cloud or hypervisor environments.
187
+
188
+
* Your {product-title} pods are not configured as host-networked.
189
+
190
+
* If a network interface is removed or if the IP address and subnet mask which allows the egress IP to be hosted on the interface is removed, then the egress IP is reconfigured. Consequently, it could be assigned to another node and interface.
191
+
192
+
* The Egress IP must be IPv4. IPv6 is currently unsupported.
193
+
194
+
* IP forwarding must be enabled for the network interface. To enable IP forwarding, you can set `ipForwarding: Global` in your `config.yaml` file, for example:
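Review bot: the example annotation in the `k8s.ovn.org/node-primary-ifaddr` paragraph is not a valid literal as written: `"k8s.ovn.org/node-primary-ifaddr: {"ipv4":"192.168.111.23/24"}"` wraps a JSON value that itself contains double quotes in another pair of double quotes, so it can neither be pasted into a manifest nor matched against what `oc get node -o yaml` prints; show the key and a single-quoted JSON value instead, e.g. `k8s.ovn.org/node-primary-ifaddr: '{"ipv4":"192.168.111.23/24"}'`. Two further points in the same hunk. The two consecutive paragraphs that both open with "If the egress IP is not within the subnet of the primary network interface" overlap, and the second one ("the selection of another network interface for egress traffic might occur if they are present on a node") says less precisely what the `k8s.ovn.org/host-cidrs` paragraph that follows already explains, so fold it into that paragraph or drop it. The last bullet tells the reader to set `ipForwarding: Global` in "your `config.yaml` file", which is not a file an administrator has; name the resource and the field path the key belongs to, and state what scope of forwarding `Global` turns on for the node, because a reader following this bullet is widening the node's forwarding behaviour and should be able to judge that before changing it. Minor: the `host-cidrs` paragraph links a third-party CCNA tutorial for longest prefix match; a one-sentence inline definition would serve product documentation better than an external training link.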