...

  • Web UI: an HTML5-based web UI that provides configuration of Application Cluster Registration, Hub Registration, Overlay, Application/Service Registration and status tracking.
  • API Server: exports a RESTful API for Application Cluster management, Hub management, Overlay management, status monitoring management and logging.
  • Scheduler Manager: a daemon service which accepts requests from the API server (through RPC), then generates the relevant K8s CRs for the SD-EWAN CNFs of the various hubs and edges to establish the tunnels.
  • SDEWAN Management DB: a database that stores information such as edge clusters, hubs, overlays, IP addresses, applications/services, etc.


System Design

Working Flow

Assumption

IP

  • Central Cloud has a public IP, CIP
  • Each Traffic Hub has a public IP: HIP1, HIP2, ...
  • An Edge Location (Device) may have a public IP on one edge node (EIP1, ...) or no public IP at all (behind a gateway whose IP is EGIP1, ...)

...

Restful API definition and Back-End flow

Each resource below is listed with its description, URL, fields and the back-end flow the SCC runs at registration.

Resource: Overlay
Description: Defines a group of edge location clusters (devices) and hubs. An overlay is usually owned by one customer, and full mesh connections are set up automatically between hub-hub and device-device (with public IPs).
URL: /scc/v1/overlays
Fields:
  • name
  • description
  • caid
Back-End flow (Registration):
  • SCC requests a CA from cert-manager; the CA is used as the root CA for this overlay
  • SCC saves the caid in DB

Resource: Proposal
Description: Defines proposals which can be used for IPsec tunnels in this overlay.
URL: /scc/v1/overlays/{overlay-name}/proposals
Fields:
  • name
  • description
  • encryption
  • hash
  • dhgroup
Back-End flow (Registration):
  • SCC saves the proposal information in DB

Resource: Hub
Description: Defines a traffic Hub in an overlay.
URL: /scc/v1/overlays/{overlay-name}/hubs
Fields:
  • name
  • description
  • publicIps
  • certificateId
  • kubeConfig
Back-End flow (Registration):
  • SCC checks the hub's k8s API server access with kubeConfig for each IP in publicIps
  • For each registered hub in this overlay:
    • SCC requests cert-manager to generate a public/private key pair based on the overlay CA
    • SCC generates the IPsec CR for the new hub and the registered hub, then calls rsync to deploy the CR and set up a route-based host-host IPsec tunnel (with BGP/OSPF enabled):
      • All proposals in this overlay are used as candidate proposals for the IPsec configuration
      • The public/private key pair generated in the previous step is used as the IPsec cert
  • SCC saves the hub information in DB

Resource: IPRange
Description: Defines the overlay IP range which is used as the OIP of devices.
URL: /scc/v1/overlays/{overlay-name}/ipranges
Fields:
  • name
  • description
  • subnet
  • minIp
  • maxIp
Back-End flow (Registration):
  • SCC saves the IP range information in DB

Resource: Device
Description: Defines an edge location device, which may be a CNF, VNF or PNF.
URL: /scc/v1/overlays/{overlay-name}/devices
Fields:
  • name
  • description
  • publicIps
  • forceHubConnectivity
  • proxyHub
  • proxyHubPort
  • useHub4Internet
  • dedicatedSFC
  • certificateId
  • kubeConfig
Back-End flow (Registration):
  • If the device has publicIps and forceHubConnectivity == false:
    • SCC checks the device's k8s API server access with kubeConfig for each IP in publicIps
    • For each registered device of this overlay:
      • SCC requests cert-manager to generate a public/private key pair based on the overlay CA
      • SCC generates the IPsec CR for the new device and the registered device, then calls rsync to deploy the CR and set up a host-host IPsec tunnel:
        • All proposals in this overlay are used as candidate proposals for the IPsec configuration
        • The public/private key pair generated in the previous step is used as the IPsec cert
  • Else:
    • (Assumption) Kud configures the device as Initiator towards proxyHub
    • SCC finds one available OIP from the overlay's IPRange, then configures

Register Hub:

  • Trigger: the admin adds/updates hub information in the Web UI or through a remote client call, with the following information:
    • Name, Description
    • Public IP address list
    • Managed IP ( ? )
    • Shared flag (whether the hub can be shared across overlays)
    • Overlay name
    • CertificateId
    • Kubeconfig
  • Steps:
    • Save in DB
    • Set up a control plane host-host tunnel with the Central Cloud (e.g. add a new IPsec policy in the Central Cloud CNF with: left: CIP, right: HIP, CertificateId)
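The back-end flows of the resource table and the Register Hub steps above, as an added Go example that is not part of the SD-EWAN project or of this design page: it models the overlay state the SCC keeps (proposals, hubs, devices, IP ranges), derives the full-mesh host-host tunnels a new hub or public device needs with every peer registered before it (so the n-th hub yields n-1 tunnels), allocates an OIP from an IPRange for a device without public connectivity and refuses registration when the range is exhausted, and renders the control-plane tunnel with the Central Cloud as left: CIP, right: HIP. The type names, the Tunnel struct, the `CAID + "/" + name` placeholder standing in for the cert-manager-issued key pair and the sample addresses are all assumptions; the real SCC would emit K8s CRs and call rsync and cert-manager rather than return structs.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// Proposal, Hub, Device and IPRange carry the table fields the registration flow
// consumes (kubeConfig and the unused Device flags are left out). Assumed shapes.
type Proposal struct{ Name, Encryption, Hash, DHGroup string }
type Hub struct {
	Name      string
	PublicIPs []string
	CertID    string // certificateId
}
type Device struct {
	Name                 string
	PublicIPs            []string
	ForceHubConnectivity bool
	ProxyHub             string
}
type IPRange struct{ Name, Subnet, MinIP, MaxIP string }

// Tunnel is the host-host IPsec tunnel the SCC would render into an SD-EWAN CR;
// Left/Right follows the "left: CIP, right: HIP" wording of the Register Hub step.
type Tunnel struct {
	Left, Right     string
	LeftIP, RightIP string
	Proposals       []string // every proposal of the overlay is a candidate
	CertID          string
}

// Overlay is the per-overlay state the SCC keeps in its management DB.
type Overlay struct {
	Name, CAID string
	Proposals  []Proposal
	Hubs       []Hub
	Devices    []Device
	Ranges     []IPRange
	allocated  map[string]bool // OIPs already handed out
}

func NewOverlay(name, caid string) *Overlay {
	return &Overlay{Name: name, CAID: caid, allocated: map[string]bool{}}
}

func (o *Overlay) proposalNames() []string {
	names := make([]string, 0, len(o.Proposals))
	for _, p := range o.Proposals {
		names = append(names, p.Name)
	}
	return names
}

// meshTunnel builds one tunnel between a new endpoint and an already registered peer.
// CertID is a placeholder for the key pair cert-manager would issue under the overlay CA.
func (o *Overlay) meshTunnel(name, ip, peer, peerIP string) Tunnel {
	return Tunnel{Left: name, LeftIP: ip, Right: peer, RightIP: peerIP,
		Proposals: o.proposalNames(), CertID: o.CAID + "/" + name}
}

// RegisterHub returns the full-mesh tunnels between the new hub and every hub
// registered before it (first public IP of each side), then stores the hub.
func (o *Overlay) RegisterHub(h Hub) ([]Tunnel, error) {
	if len(h.PublicIPs) == 0 || net.ParseIP(h.PublicIPs[0]) == nil {
		return nil, fmt.Errorf("hub %s: a valid public IP is required", h.Name)
	}
	var tunnels []Tunnel
	for _, peer := range o.Hubs {
		tunnels = append(tunnels, o.meshTunnel(h.Name, h.PublicIPs[0], peer.Name, peer.PublicIPs[0]))
	}
	o.Hubs = append(o.Hubs, h)
	return tunnels, nil
}

// RegisterDevice applies the branch of the Device row: a device with publicIps and
// forceHubConnectivity == false is meshed with the other public devices; any other
// device is given an OIP and is expected to initiate towards its proxyHub.
func (o *Overlay) RegisterDevice(d Device) (tunnels []Tunnel, oip string, err error) {
	if len(d.PublicIPs) > 0 && !d.ForceHubConnectivity {
		for _, peer := range o.Devices {
			if len(peer.PublicIPs) > 0 {
				tunnels = append(tunnels, o.meshTunnel(d.Name, d.PublicIPs[0], peer.Name, peer.PublicIPs[0]))
			}
		}
	} else if oip, err = o.AllocateOIP(); err != nil {
		return nil, "", err // no OIP: the device is not registered
	}
	o.Devices = append(o.Devices, d)
	return tunnels, oip, nil
}

// AllocateOIP hands out the lowest free address between minIp and maxIp that also
// lies inside the range's subnet, walking the overlay's ranges in order.
func (o *Overlay) AllocateOIP() (string, error) {
	for _, r := range o.Ranges {
		_, subnet, err := net.ParseCIDR(r.Subnet)
		if err != nil {
			return "", fmt.Errorf("iprange %s: %w", r.Name, err)
		}
		lo, hi := net.ParseIP(r.MinIP).To4(), net.ParseIP(r.MaxIP).To4()
		if lo == nil || hi == nil {
			return "", fmt.Errorf("iprange %s: minIp/maxIp must be IPv4", r.Name)
		}
		for n, end := binary.BigEndian.Uint32(lo), binary.BigEndian.Uint32(hi); n <= end; n++ {
			ip := make(net.IP, 4)
			binary.BigEndian.PutUint32(ip, n)
			if subnet.Contains(ip) && !o.allocated[ip.String()] {
				o.allocated[ip.String()] = true
				return ip.String(), nil
			}
			if n == end { // stop before n++ wraps around when maxIp is 255.255.255.255
				break
			}
		}
	}
	return "", fmt.Errorf("overlay %s: no free OIP left", o.Name)
}

// ControlPlaneTunnel renders the Register Hub step: an IPsec policy on the Central
// Cloud CNF with left: CIP, right: HIP and the hub's CertificateId.
func ControlPlaneTunnel(cip string, h Hub) Tunnel {
	return Tunnel{Left: "central-cloud", LeftIP: cip, Right: h.Name, RightIP: h.PublicIPs[0], CertID: h.CertID}
}

func main() {
	// Constructed sample overlay; the addresses are documentation ranges, not a real deployment.
	o := NewOverlay("overlay1", "ca-overlay1")
	o.Proposals = []Proposal{{"p1", "aes256", "sha256", "modp2048"}}
	o.Ranges = []IPRange{{"r1", "10.0.0.0/24", "10.0.0.10", "10.0.0.12"}}
	for _, h := range []Hub{{"hub1", []string{"198.51.100.1"}, "cert-hub1"}, {"hub2", []string{"198.51.100.2"}, "cert-hub2"}} {
		ts, _ := o.RegisterHub(h)
		fmt.Printf("%s: %d mesh tunnel(s); control plane %+v\n", h.Name, len(ts), ControlPlaneTunnel("192.0.2.1", h))
	}
	_, oip, _ := o.RegisterDevice(Device{Name: "edge1", ForceHubConnectivity: true, ProxyHub: "hub1"})
	fmt.Println("edge1 (behind gateway) gets OIP", oip)
}
```

Two points a reviewer of the real flow would check are visible here: a hub that presents no usable public IP is rejected before any tunnel is derived, and a device that cannot get an OIP is not added to the overlay, so the DB never holds a device with no reachable path.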

...