This use case demonstrates how to configure a local network instance to implement complex network connectivity requirements for edge nodes with multiple network connections.
The example scenario
In this scenario, we’ll use an edge node with four Ethernet ports: eth0, eth1, eth2, and eth3.
Using a local network instance, we’ll implement multi-path routing with failover and port-forwarding restrictions.
More specifically, we’ll implement the following requirements:
- Connect to the Internet with failover between multiple ports.
- Connectivity to the local network of each port.
- SSH access into the application instance through eth0, eth1, and eth3, but not eth2.
- Connectivity to a remote HTTP server, with failover.
The following diagram shows our edge node with four ports, each connected to its own subnet.
To complete our solution, we’ll assign adapter labels to groups of our edge node’s ports, create a network instance with static routes and probing, and configure an inbound rule that is restricted to a label.
Prerequisites
- You must have at least the SysManage role in your ZEDEDA Cloud enterprise.
- You must have an edge node onboarded.
- Your edge node must be running EVE-OS version 13.3.0 or greater.
- You must have an edge application created in the marketplace.
Step 1: Add adapter labels to your edge node
In this step, you’ll use adapter labels to group your edge node’s ports together so you can assign behaviors to each set.
On the following ports of your edge node, add the indicated labels:
- eth0: internet, portfwd
- eth1: internet, httpsrv, portfwd
- eth2: all
- eth3: httpsrv, portfwd
Step 2: Create your local network instance
In this step, we will configure a local network instance to implement connectivity to an HTTP server and to the Internet with failover.
When you create your network instance, be sure that you select the edge node that you added adapter labels to in the previous step.
Select “All” for the port. Our network instance needs to have access to all of our edge node’s ports. We will build rules around these ports later.
Specify static routes and select ports
To implement connectivity to an HTTP server and Internet, configure the following static routes:
| IP Prefix     | IP Gateway Address | Output port |
|---------------|--------------------|-------------|
| 0.0.0.0/0     | unspecified        | internet    |
| 10.88.88.0/24 | unspecified        | httpsrv     |
CALLOUT: Don't save your changes yet.
Without an IP gateway specified, EVE-OS automatically sets the next-hop IP of the selected output port as the gateway for the route. It learns this from the DHCP lease or from the static IP configuration of the port.
Using an adapter label as the output port allows you to select multiple ports and create a multi-path route. EVE-OS will perform periodic probing of all network ports with the label assigned to determine the connectivity status and select the best port to use at a given time. EVE-OS will automatically failover to another port when the currently used one loses connectivity. Load balancing is not supported and only failover capability is provided.
Consider the behavior of the default route (0.0.0.0/0 for IPv4 or ::/0 for IPv6). By default, when the network instance has multiple ports, EVE-OS will probe all of them that have a gateway IP defined (all except for eth2 in the example) and select one with working connectivity to be used for the default route. You can create your own static default route to change this behavior, as in this example, where only the ports with the "internet" label are eligible; eth3 has a gateway but is not labeled internet, so it never carries Internet-bound traffic.
Configure probing
To implement failover, configure the following probing rules.
For the static route to the Internet:
- Enable Prefer Lower Adapter Cost
- Enable Gateway Ping.
For the static route to the HTTP server:
- Enable Prefer Lower Adapter Cost.
- Enable Custom User Probe.
- For Probing Method, select TCP Handshake.
- For Custom Probing Address, enter 10.88.88.70 (the HTTP server IP address).
- For TCP Port, enter 80.
Save your changes.
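To make the selection rules above concrete, the following Python model replays the static routes and probing configuration against the four labeled ports: which ports are candidates for each route, which one is chosen when several are healthy, and what happens when a probe fails. This is an added illustration, not EVE-OS or ZEDEDA code; the port names and labels follow the scenario, while the gateway addresses, adapter costs and probe outcomes are constructed assumptions.

```python
"""Model of label-based multi-path routing with failover.

Added illustration only: this is not EVE-OS or ZEDEDA code. Port names and
labels follow the scenario; gateway addresses, adapter costs and probe
outcomes are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set


@dataclass
class Port:
    name: str
    labels: Set[str]
    cost: int                  # adapter cost; lower is preferred (assumed values)
    gateway: Optional[str]     # next hop learned from DHCP/static config; None = none


@dataclass
class Route:
    prefix: str
    output_label: str               # adapter label selecting the candidate ports
    gateway: Optional[str] = None   # unspecified -> each port's own next hop


Probe = Callable[[Route, Port], bool]


def candidate_ports(route: Route, ports: List[Port]) -> List[Port]:
    """Ports that carry the route's label and have a usable next hop.

    A port without a gateway (eth2 here) can never carry a gateway route.
    """
    return [p for p in ports
            if route.output_label in p.labels and (route.gateway or p.gateway)]


def select_port(route: Route, ports: List[Port], probe: Probe) -> Optional[Port]:
    """Lowest-cost candidate whose probe passes; None when every candidate is down.

    probe(route, port) stands in for the per-route check (gateway ping for the
    Internet route, TCP handshake to 10.88.88.70:80 for the HTTP server route).
    Only one port is active at a time: failover, not load balancing.
    """
    healthy = [p for p in candidate_ports(route, ports) if probe(route, p)]
    return min(healthy, key=lambda p: p.cost) if healthy else None


def inbound_allowed(ports: List[Port], ingress: str, label: str = "portfwd") -> bool:
    """An inbound rule bound to a label only admits traffic on ports carrying it."""
    return any(p.name == ingress and label in p.labels for p in ports)


def make_probe(failed: Set[tuple]) -> Probe:
    """Probe function from the set of (route prefix, port name) pairs that fail."""
    return lambda route, port: (route.prefix, port.name) not in failed


# Constructed data mirroring Step 1 and the static routes table.
PORTS = [
    Port("eth0", {"internet", "portfwd"}, cost=0, gateway="192.0.2.1"),
    Port("eth1", {"internet", "httpsrv", "portfwd"}, cost=1, gateway="198.51.100.1"),
    Port("eth2", {"all"}, cost=0, gateway=None),
    Port("eth3", {"httpsrv", "portfwd"}, cost=2, gateway="203.0.113.1"),
]
DEFAULT_ROUTE = Route("0.0.0.0/0", "internet")
HTTPSRV_ROUTE = Route("10.88.88.0/24", "httpsrv")


def demo() -> dict:
    """Replay three probe states and report which port each route uses."""
    steady = make_probe(set())
    eth0_down = make_probe({("0.0.0.0/0", "eth0")})
    http_eth1_down = make_probe({("10.88.88.0/24", "eth1")})
    return {
        "steady": (select_port(DEFAULT_ROUTE, PORTS, steady).name,
                   select_port(HTTPSRV_ROUTE, PORTS, steady).name),
        "eth0_link_down": select_port(DEFAULT_ROUTE, PORTS, eth0_down).name,
        "httpsrv_unreachable_via_eth1": select_port(HTTPSRV_ROUTE, PORTS, http_eth1_down).name,
        "ssh_from_eth2": inbound_allowed(PORTS, "eth2"),
        "ssh_from_eth3": inbound_allowed(PORTS, "eth3"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the model makes visible: eth2 never appears as a candidate for either route, because it carries no route label and has no gateway, and the HTTP server route fails over from eth1 to eth3 on a failed TCP handshake even though eth1's gateway is still reachable, which is why the custom probe matters for that route.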
Step 3: Set up port forwarding
In this step, you’ll configure your edge application to accept SSH requests through all ports except for eth2.
You might want to do this if eth2 is connected to a subnet that you don’t consider to be a secure source for SSH access.
Follow these steps:
- Navigate to your Marketplace and select the edge application that you want to run on your edge node. Note that imported applications cannot be edited.
- Edit your edge application.
- Under Environment, add an inbound rule (or edit an existing one).
- Configure the inbound rule to allow SSH access to your edge application: edge node port 2222 forwards to edge application port 22 (TCP). Use the portfwd adapter label from Step 1 as the rule’s port, so that only eth0, eth1, and eth3 accept the forwarded connections and eth2 does not.
The result
The following diagram depicts your edge node with all of the previous configurations.