nxsbi edited a comment on issue #4637: URL: https://github.com/apache/cloudstack/issues/4637#issuecomment-774253171
@ravening Let me explain a bit further to provide context for anyone who reads this thread in the future.

My network setup uses a hardware firewall and router as the first device on the internet connection. All VLANs used for management and public access are defined here, not guest VLANs. That connects to switches. In the switches, all VLANs are defined and tagged. The switches then connect to the virtualization servers. The management VLAN has the CS server, running independently in the virtualization server, on its own VLAN, which is defined in the router and all switches.

If the management server is running on the default VLAN (VLAN 1), you will not run into this issue. I tested it that way, and it works. But we have to use a VLAN for management servers (per internal policy).

Prior to Kubernetes, there was no reason for the management VLAN to have direct access to any public VLAN. The management server does all work by connecting to the VR via the virtualization host server using the link-local IP. So in this case, the management server was trying to communicate with the public IP of the Kubernetes cluster network (which forwards the traffic to the master node). In my case, the public IP is just another VLAN and not an internet-accessible IP (not truly public). So in my case this is inter-VLAN traffic, and it went to the router to get routed from one VLAN to another. This is what was getting blocked. I did see entries in the firewall log after resolving this issue.

So my change was: allow traffic from the IP of the CloudStack server to any VLAN on port 6443. The reverse traffic is blocked. So no VR can directly reach the CloudStack server.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]
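The one-directional rule described in the comment above, written out as an nftables forward chain. This is an added example, not the poster's configuration (their firewall is a hardware appliance whose syntax is not given in the thread); it assumes a Linux router doing the inter-VLAN routing, a management server address of 192.0.2.10 and a public VLAN of 198.51.100.0/24, all of which are placeholders. It narrows "any VLAN" to that one public range so the reverse-direction drop can be expressed explicitly.

```nftables
# Added example; addresses are assumed placeholders:
#   192.0.2.10       CloudStack management server (management VLAN)
#   198.51.100.0/24  "public" VLAN carrying CloudStack public IPs (not Internet-routable here)
table inet cs_intervlan {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Reply packets of connections the management server opened.
        # Without this line the outbound allow below would still fail,
        # because the API server's responses would be dropped by the policy.
        ct state established,related accept

        # Management server -> Kubernetes API endpoint on the public IP.
        # Only new connections in this direction are permitted.
        ip saddr 192.0.2.10 ip daddr 198.51.100.0/24 tcp dport 6443 ct state new accept

        # Anything initiated from the public VLAN toward the management server
        # is logged and dropped, so a VR probing the management server shows up
        # in the firewall log rather than silently disappearing.
        ip saddr 198.51.100.0/24 ip daddr 192.0.2.10 \
            log prefix "cs-public-to-mgmt-drop: " drop
    }
}
```

The point of keeping the chain stateful (`ct state`) is that "the reverse traffic is blocked" means new connections from the public side, not the return half of a session the management server started; a stateless ACL that only matched source and destination would break the 6443 session it was meant to allow. Load it with `nft -f` on the test router and confirm from the management server that only port 6443 on the cluster's public IP is reachable, while a shell on a VR cannot open anything toward 192.0.2.10.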
