Safespring's network design is based on the Calico project. This adds stability and simplicity to the network configuration of the platform, albeit with some limitations.
- The networking model does not provide any built-in overlay network functionality, so users cannot create virtual networks or virtual routers themselves.
- On the other hand, this simplifies the network setup for instances. There are three networks available in the platform; depending on the use case, users assign the appropriate network to their instances.
- public: This network gives the instance a public IPv4 address, a public IPv6 address, DNS configuration and a default gateway, so it is reachable directly to/from the Internet. It is used for instances that must be reachable from the Internet, such as application frontends, publicly available servers or jump hosts (used for administration of other instances in the platform).
- default: This network gives the instance a private IPv4 address on an RFC 1918 network, DNS configuration and a default gateway with Network Address Translation (NAT) for outgoing traffic, so instances can reach services on the Internet as well as instances on other networks in Safespring Compute (provided the security groups allow it). This could for instance be used for backend servers that should not be reachable from the Internet.
- private: This network gives the instance a private IPv4 address on an RFC 1918 network that is routed to/from the other Safespring networks (including public) but nowhere else.
- Since these are the only networks provided, the user does not need to create any networks before launching an instance. The user simply picks the network that suits the application for the instance.
- All these networks are part of the same routing domain, which means that an instance in the public network, with a public IP address, can reach an instance in the default network, with a private IP address, given that the security groups applied to the instances allow it. There is no need to add a second interface to the instance in the public network to reach the instance in the default network. This is stressed because adding more than one interface to an instance, even though the platform allows it, is not recommended: the instance ends up with multiple ways out (default gateways), which causes confusing routing behaviour.
- Since the networking model is pure IP-to-IP layer 3, no layer 2 discovery protocols will work; they should be replaced with more modern layer 3 discovery methods.
Summary
- Only use one interface per instance
- Security groups are the firewall. Adapt your design to utilize this property of the platform, using automation tools like Terraform, for instance.
- Open up only what you need with security groups.
- Do not change the interface/network configuration in the instances away from using DHCP.
- Use tunneling on top of our provided layer 3 network stack if you must have layer 2 connectivity between instances.
- The Safespring "networks" are just a mechanism to allocate IP addresses from a CIDR. Each instance is routed separately (with a /32 prefix) by the platform. The instance can only talk to the gateway over layer 2, so in practice all traffic must go through the platform-provided gateway at layer 2.
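As an added example (not from Safespring's documentation), the summary points above expressed as Terraform: a jump host on the public network, a backend on the default network, one interface per instance, and security groups that open only what is needed. It assumes Safespring Compute exposes the standard OpenStack APIs used by the terraform-provider-openstack provider; the image, flavor, key pair names and the admin source range are placeholders.

```hcl
# Jump host: the only instance reachable from the Internet, and only on SSH.
resource "openstack_networking_secgroup_v2" "jump" {
  name = "jump"   # a new group allows all egress and no ingress by default
}

resource "openstack_networking_secgroup_rule_v2" "jump_ssh_in" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 22
  port_range_max    = 22
  remote_ip_prefix  = "203.0.113.0/24"   # placeholder: your admin source range
  security_group_id = openstack_networking_secgroup_v2.jump.id
}

# Backend: no public address; accepts SSH only from members of the jump group.
resource "openstack_networking_secgroup_v2" "backend" {
  name = "backend"
}

resource "openstack_networking_secgroup_rule_v2" "backend_ssh_from_jump" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 22
  port_range_max    = 22
  remote_group_id   = openstack_networking_secgroup_v2.jump.id   # match by group, not by IP
  security_group_id = openstack_networking_secgroup_v2.backend.id
}

resource "openstack_compute_instance_v2" "jump" {
  name            = "jump-1"
  image_name      = "IMAGE_PLACEHOLDER"
  flavor_name     = "FLAVOR_PLACEHOLDER"
  key_pair        = "KEYPAIR_PLACEHOLDER"
  security_groups = [openstack_networking_secgroup_v2.jump.name]
  network { name = "public" }    # exactly one interface, DHCP-configured by the platform
}

resource "openstack_compute_instance_v2" "backend" {
  name            = "backend-1"
  image_name      = "IMAGE_PLACEHOLDER"
  flavor_name     = "FLAVOR_PLACEHOLDER"
  key_pair        = "KEYPAIR_PLACEHOLDER"
  security_groups = [openstack_networking_secgroup_v2.backend.name]
  network { name = "default" }   # same routing domain, so the jump host reaches it directly
}
```

Because both networks share one routing domain, the jump host reaches the backend over its single interface; the only thing permitting that traffic is the remote_group_id rule, so removing an instance from the jump group revokes its access.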