SDEWAN central controller provides central control of SDEWAN overlay networks by automatically configuring the SDEWAN CNFs located in edge location clusters and hub clusters:
- To create secure overlays where each overlay connects application and hub clusters together.
- To allow application connectivity with external entities and entities of other clusters.
System Architecture
SDEWAN central controller includes the following components, as shown in the diagram below:
- Web UI: an HTML5-based web UI that provides configuration of Application Cluster Registration, Hub Registration, Overlay, Application/Service Registration and Status tracking.
- API Server: exports a RESTful API for Application Cluster management, Hub management, Overlay management, Status monitoring management and logging.
- Scheduler Manager: a daemon service which accepts requests from the API server (through RPC) and then generates the relevant K8s CRs for the SD-EWAN CNFs of the various hubs and edges to establish the tunnels.
- SDEWAN Management DB: a database that stores information such as edge clusters, hubs, overlays, IP addresses, applications/services, etc.
System Design
Working Flow
Assumption
IP
- Central Cloud has a public IP, CIP
- Traffic Hubs have public IPs HIP1, HIP2, ...
- An Edge Location may have a public IP on one edge node (EIP1, ...) or may have no public IP (behind a gateway, EGIP1, ...)
IPSec Tunnel mode for control plane (e.g. central cloud to k8s API server)
- Central Cloud to Traffic Hub: Host to Host
- Central Cloud to Edge Location:
- Edge location has public IP: Host to Host
- Edge location does not have public IP: Initiator (edge) to Responder (Central cloud)
IPSec Tunnel mode for data plane (for data traffic)
- Edge to Edge: Host to host
- Edge to Hub: Host (edge) to Site (Hub, using edge's subnet as rightsubnet)
- Hub to Hub: Host to Host
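The control-plane and data-plane rules above are what the Scheduler Manager has to expand into per-tunnel configuration. The following is an added example, not code from the SDEWAN project: it takes a topology (central cloud, hubs, edges with or without a public IP) and emits one connection record per tunnel, choosing host-to-host, host-to-site or initiator/responder exactly as the rules state. The record fields (left, right, rightsubnet, %any) follow strongSwan naming; the dict layout, the sample addresses (RFC 5737 documentation ranges) and the two labelled assumptions (edges behind a gateway initiate on the data plane too, and take no part in edge-to-edge tunnels) are constructed for the example and are not the SDEWAN CR format.

```python
# Added example (not SDEWAN project code): expand the tunnel-mode rules of the
# Assumption section into IPsec connection records.
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional

# strongSwan placeholder for a responder that cannot know the initiator's address.
ANY_PEER = "%any"


@dataclass(frozen=True)
class Node:
    name: str
    role: str                        # "cloud", "hub" or "edge"
    public_ip: Optional[str] = None  # None means an edge behind a gateway (EGIP case)
    subnet: Optional[str] = None     # edge's local subnet, used as rightsubnet for host-to-site


def _host_to_host(a: Node, b: Node, plane: str) -> Dict:
    """Both peers have public IPs: each side names the other's IP as right."""
    return {"plane": plane, "mode": "host-to-host", "left": a.public_ip, "right": b.public_ip,
            "rightsubnet": None, "initiator": None, "responder": None}


def _initiator_responder(initiator: Node, responder: Node, plane: str,
                         rightsubnet: Optional[str] = None) -> Dict:
    """Initiator has no public IP: the responder listens on its own IP for any peer.
    Operational caveat from the design: the responder must be running first."""
    return {"plane": plane, "mode": "initiator-responder", "left": responder.public_ip,
            "right": ANY_PEER, "rightsubnet": rightsubnet,
            "initiator": initiator.name, "responder": responder.name}


def _require_public(node: Node) -> None:
    # The design assumes the cloud and every hub expose a public IP; refuse anything else.
    if not node.public_ip:
        raise ValueError(f"{node.role} {node.name} must have a public IP")


def control_plane_tunnels(cloud: Node, hubs: List[Node], edges: List[Node]) -> List[Dict]:
    _require_public(cloud)
    tunnels = []
    for hub in hubs:                       # Central Cloud to Traffic Hub: host to host
        _require_public(hub)
        tunnels.append(_host_to_host(cloud, hub, "control"))
    for edge in edges:                     # Central Cloud to Edge Location
        if edge.public_ip:
            tunnels.append(_host_to_host(cloud, edge, "control"))
        else:                              # edge initiates, central cloud responds
            tunnels.append(_initiator_responder(edge, cloud, "control"))
    return tunnels


def data_plane_tunnels(hubs: List[Node], edges: List[Node]) -> List[Dict]:
    tunnels = []
    # Edge to Edge: host to host. Assumption: only edges with a public IP take part,
    # since the design states no rule for edge-to-edge across a gateway.
    public_edges = [e for e in edges if e.public_ip]
    for a, b in combinations(public_edges, 2):
        tunnels.append(_host_to_host(a, b, "data"))
    # Edge to Hub: host (edge) to site (hub); the hub uses the edge's subnet as rightsubnet.
    for hub in hubs:
        _require_public(hub)
        for edge in edges:
            if edge.public_ip:
                rec = _host_to_host(hub, edge, "data")
                rec["mode"], rec["rightsubnet"] = "host-to-site", edge.subnet
            else:
                # Assumption: an edge behind a gateway initiates, mirroring the control-plane rule.
                rec = _initiator_responder(edge, hub, "data", rightsubnet=edge.subnet)
            tunnels.append(rec)
    # Hub to Hub: host to host.
    for a, b in combinations(hubs, 2):
        tunnels.append(_host_to_host(a, b, "data"))
    return tunnels


def sample_topology():
    """Constructed topology: one cloud, two hubs, one public edge, one edge behind a gateway."""
    cloud = Node("cloud", "cloud", "203.0.113.1")
    hubs = [Node("hub1", "hub", "198.51.100.1"), Node("hub2", "hub", "198.51.100.2")]
    edges = [Node("edge1", "edge", "192.0.2.10", "10.1.0.0/24"),
             Node("edge2", "edge", None, "10.2.0.0/24")]
    return cloud, hubs, edges


if __name__ == "__main__":
    cloud, hubs, edges = sample_topology()
    for rec in control_plane_tunnels(cloud, hubs, edges) + data_plane_tunnels(hubs, edges):
        print(rec["plane"], rec["mode"], rec["left"], "->", rec["right"],
              "rightsubnet=" + str(rec["rightsubnet"]))
```

Running it on the sample topology yields four control-plane records (two hubs, one public edge, one initiator/responder record for the edge behind a gateway) and five data-plane records (four edge-to-hub, one hub-to-hub). The `%any` entries are the ones that carry the ordering dependency: their responder side has to be configured and listening before the edge CNF attempts to initiate.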
Open:
- Control plane and data plane share the same interfaces in Hub? Edge Location?
- The control plane IPSec tunnel between the Central Cloud and a Hub is set up during Hub registration in the Central Cloud
- The control plane IPSec tunnel between the Central Cloud and an Edge location with a public IP is set up during edge location registration in the Central Cloud
- The control plane IPSec tunnel between the Central Cloud and an Edge location with a private IP is set up during edge location setup (dependency to check: an Initiator-to-Responder IPsec tunnel requires the Responder to be running first)
Environment Setup (Pre-condition)
Central Cloud (assume public IP is CIP)
- K8s cluster is setup (by Kud)
- Web UI, API Server, SDEWAN controller, DB service are deployed (through EMCO)
- Central SDEWAN Config Agent and CNF are deployed (through EMCO) with initial configuration (e.g. as Responder)
Edge Hub (assume public IP is HIP1, …)
- K8s cluster is setup (by Kud)
- Hub SDEWAN Config Agent and CNF are deployed (through EMCO) with initial configuration (use its public IP as left)