Egress IP address selection


Problem description

We are running a SaaS service that we are looking to migrate to Kubernetes, preferably at one of the hyperscalers. One specific issue I have not yet found a clean solution for is the need for Egress IP address selection from within the application.

We deal with a large amount of upstream providers that have access control and rate limiting based on source IP address. Also a partition of our customers are using their own accounts with some of the upstream providers. To access the upstream providers in the context of their account we need to control the source IP used for the connection from within the application.

We are currently running our services in a DMZ behind a load balancer, so direct network interface selection is already impossible. We use some iptables rules on our load balancers/gateways to do address selection based on mapped port numbers. (e.g. egress connections to port 1081 are mapped to source address B and target port 80, port 1082 to source address C port 80)

This however is quite a fragile setup that also does not map nicely when trying to migrate to more standardized *aaS offerings.

Looking for suggestions for a better setup.
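The port-keyed source-NAT scheme the question describes, written out as an added example (these are not the poster's actual rules). The 192.0.2.x addresses and the mapped ports are placeholders; the functions only print the rules, so nothing is applied unless the output is piped to a shell on the gateway.

```shell
#!/bin/sh
# Constructed example: gateway rules that turn "connect to port 1081" into
# "leave from source address B on port 80". The connection is tagged with a
# CONNMARK in PREROUTING (before the destination port is rewritten), so the
# SNAT in POSTROUTING can still tell which mapped port it originally used.
# This is exactly the state that makes the setup fragile: every mapping is
# a gateway-local triple of port, address and mark that the cluster cannot see.

# egress_rules MAPPED_PORT SOURCE_IP UPSTREAM_PORT
egress_rules() {
    mapped="$1"; src="$2"; upstream="$3"
    # Tag the connection by the mapped port it arrived on (mark = port number).
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j CONNMARK --set-mark %s\n' "$mapped" "$mapped"
    # Rewrite only the destination port; the upstream address stays as sent.
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j DNAT --to-destination :%s\n' "$mapped" "$upstream"
    # Pick the egress source address from the connection mark on the way out.
    printf 'iptables -t nat -A POSTROUTING -p tcp -m connmark --mark %s -j SNAT --to-source %s\n' "$mapped" "$src"
}

# Number of rules rendered for one mapping (three per mapped port).
rule_count() {
    egress_rules "$@" | wc -l | tr -d ' '
}

# The two mappings from the question: 1081 -> source B:80, 1082 -> source C:80.
egress_rules 1081 192.0.2.11 80
egress_rules 1082 192.0.2.12 80
```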

Recommended answer

One of the things that could help you solve it is Istio Egress Gateway so I suggest you look into it.

Otherwise, it is still dependent on the particular platform and the way you deploy your cluster. For example, on AWS you can make sure your egress traffic always leaves from a predefined, known set of IPs by using instances with Elastic IPs assigned to forward your traffic (be it regular EC2s or AWS NAT Gateways). Even with the Egress Gateway above, you need some way to define a fixed IP for this, so AWS Elastic IP (or equivalent) is a must.
