Hi Kevin,

Thanks for paying us a visit.

Calico is pretty flexible so it can be used with or without peering to
the datacenter fabric.

Peering to the fabric is what brings most of the benefits of Calico.  For
example, your containers can be assigned their real, public IP addresses
rather than relying on NAT.  Calico then announces the public IP to the
fabric of the datacenter and the packets for that IP address should just
arrive at the host.  You can certainly move an IP around between
containers using Calico, which may help with your HA problem.  However, we
don't (yet) have any HA integration in place to automate that for you.
You'd have to decide when the container is down and tell Calico to move
the IP.  Calico would then advertise out the new location of the IP.

We also have some support for anycast, where multiple containers have the
same IP and the network routes to the "closest" instance of that IP.  If
one of the hosts running a container goes down, the network will spot that
the BGP connection has gone away and route to the other one.

If you don't peer then you can use Calico for internal (private)
connectivity between your containers but then you'll need to do NAT to get
the packets to your containers.  Our FAQ [1] explains how to set up NAT
to/from containers with private IPs.

The Calico approach to security is to enforce security through policy in
iptables rather than by isolating public/private networks on different
interfaces.  It becomes pretty meaningless to do that isolation when
you're already talking about virtualised networks.

You can configure Calico to announce any IP that you choose.  However, the
datacenter should police that only you are announcing the IPs that you've
been assigned.  They should have policy in place at their border router to
only announce the IPs that they know belong to their customers.  There's
nothing new about announcing IPs with Calico.  A hacking group could try
to announce your IP from another datacenter already but they'd need to get
the datacenter and its peers to trust them to do so.

Hope that helps!

-Shaun


[1] https://github.com/Metaswitch/calico-docker/blob/20adfd2b7640af9d85c4af76916e043286691452/docs/FAQ.md
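An added example, not from this thread or the Calico project, of the kind of ingress route policy Shaun says the datacenter should apply at its border router: a customer's BGP announcement is accepted only if it falls inside the prefixes assigned to that peer, so nobody can announce another customer's IPs into the fabric. The allocation table and the announced prefixes are constructed sample data.

```python
import ipaddress

# Constructed sample data (not from the original thread): the prefixes the
# datacenter has allocated to each BGP peer (customer) it accepts routes from.
ALLOCATIONS = {
    "customer-a": ["203.0.113.0/24", "2001:db8:a::/48"],
    "customer-b": ["198.51.100.0/24"],
}


def evaluate_announcement(peer, prefix, allocations=ALLOCATIONS):
    """Decide whether the border router should accept `prefix` from `peer`.

    Returns (accepted, reason). A prefix is accepted only if it is fully
    contained in one of the peer's own allocations; this rejects host routes
    (e.g. the /32s Calico announces) for addresses the peer was never given,
    covering prefixes such as 203.0.0.0/8, and default routes.
    """
    try:
        # strict=True also rejects prefixes with host bits set.
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    for allocated in allocations.get(peer, []):
        alloc_net = ipaddress.ip_network(allocated)
        if net.version == alloc_net.version and net.subnet_of(alloc_net):
            return True, f"within allocation {alloc_net}"
    return False, "outside the allocations assigned to this peer"


def filter_announcements(peer, prefixes, allocations=ALLOCATIONS):
    """Apply the policy to a batch of announcements from one peer.

    Returns (accepted_prefixes, {rejected_prefix: reason}).
    """
    accepted, rejected = [], {}
    for prefix in prefixes:
        ok, reason = evaluate_announcement(peer, prefix, allocations)
        if ok:
            accepted.append(prefix)
        else:
            rejected[prefix] = reason
    return accepted, rejected


if __name__ == "__main__":
    # customer-a announcing one of its own container /32s and one of
    # customer-b's addresses: only the former should make it into the fabric.
    print(filter_announcements("customer-a",
                               ["203.0.113.10/32", "198.51.100.10/32"]))
```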

On 24/07/2015 15:00, "KT Walrus" <ke...@my.walr.us> wrote:

>Just discovered Project Calico in my search for a Docker networking
>plugin. I'm working on deploying my first multi-server site. I want the
>site to use 3 dedicated servers with NGINX for HTTPS using a HA VIP. My
>cluster of 6 servers will have 3 of the servers accessible on Public IPs
>with all servers on a private network for the backend Dockerized
>micro-services. I will also be providing SMTP/IMAP access using another
>HA VIP.
>
>In reading the documentation/blog about Calico networking, it is not
>clear to me exactly what requirements I will need from the DC where my
>dedicated servers reside. I think that Calico can support announcing
>next-hop to the DC routers so these routers can do HA load balancing of
>my HA VIPs with the routes being "automatically" withdrawn if one or more
>of the load balancing NGINX services fail.
>
>I am a newbie to all this networking stuff, so I could be just
>misunderstanding how Calico works.
>
>What are the requirements on my ISP? Do they have to be cooperative in
>setting up their routers to support my HA VIPs? I haven't chosen where to
>rent my dedicated servers yet, but my current ISP only offers to do HTTPS
>load balancing of a VIP for HA for a fee (but doesn't do SMTP/IMAP VIP
>load balancing, I think). This hasn't been a problem in the past since my
>websites all fit on one server and don't need HA. Also, the ISP charges
>extra to put servers on a private network (physically separate from the
>public network). Will I need my servers on a private physical network or
>can Calico be used to have Public and Private networking on a single
>ethernet interface so I don't have to pay extra for the Private network?
>
>Does getting the ISP to allow my servers to "announce" routes for HA VIPs
>(if that is how Calico works) introduce any security issues for me (like
>letting a hacker group possibly divert real traffic to their own servers)?
>
>Anyway, it would be nice if you could blog or provide documentation on
>exactly what the requirements are on the ISP to allow Calico SDN on
>clusters of dedicated servers. I know if I used a Cloud ISP like Google
>or Amazon, these issues would be handled by "the cloud".  But a guide on
>what questions to ask the ISP before purchase to ensure that Calico can
>be used for a cluster of dedicated servers running Docker containers
>would be helpful.
>
>Maybe such a guide is already posted somewhere, but I didn't find it in
>browsing the site today.
>
>Kevin
>
>
>_______________________________________________
>calico-tech mailing list
>calico-tech@lists.projectcalico.org
>http://lists.projectcalico.org/mailman/listinfo/calico-tech_lists.projectcalico.org

