Details
- Type: Epic
- Resolution: Unresolved
- Priority: Medium

Multi-tenant capable SDEWAN Hub in K8s cluster
Description
Current solution for multiple customers:
- Say there are X customers.
- Say there are Y Hub locations.
- To address multi-tenancy, the SDEWAN Hub currently expects X * Y public IP addresses (one per customer at each Hub).
- Each customer site (uCPE) uses the nearest Hub to build its tunnel.
Problem statement:
- Public IP addresses are expensive and not available.
Enhancement request:
- Ensure that only Y public IPs are used, i.e. the number of IP addresses needed depends only on the number of PoP (Hub) locations.
- All customer sites near a given Hub use that Hub's single public IP address as their Hub Gateway.
In my view, following is needed:
- The SDEWAN VPN Concentrator POD shall use the host network in K8s (root network namespace) or its own network namespace like any other POD. There is no tenant-specific SDEWAN POD; it is global across all tenants. Of course, the VPN Concentrator can still be scaled out for load sharing.
- Whenever a VTI interface is created, it shall be assigned, based on the ID of the client, to the packet-processing POD of that client's tenant.
- The packet-processing POD is the one that does the rest of the packet processing, such as firewall/NAT/IPsec to other Hubs.
It means there shall be a controller that listens for new tunnel establishments (the IPsec tunnel is established by the BO router or by the VPN client on PCs). It needs to assign the newly created VTI interface to the tenant-specific packet-processing POD's namespace.
Do let me know if that can be made possible.
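As an added illustration of the controller step described above (this is not code from the SDEWAN project or from this issue), the following Python sketch takes a tunnel-up event, maps the client ID to a tenant, creates a VTI interface keyed to that client's SA mark in the shared concentrator's namespace, and hands the interface to the tenant's packet-processing namespace. The client-to-tenant table, namespace names, addresses and marks are constructed placeholders, and `VtiController`, `TunnelEvent` and `plan_tunnel_up` are hypothetical names. It also assumes the Linux behaviour that an ip tunnel device moved with `ip link set ... netns` keeps encapsulating and decapsulating in the namespace where it was created, which is what lets one host-network concentrator feed per-tenant namespaces; it rejects unknown clients and reused marks so a tunnel can never land in the wrong tenant's namespace or shadow another tenant's VTI.

```python
"""Hypothetical tunnel-up controller for a shared SDEWAN hub (illustration only)."""
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Set

IFNAMSIZ_MAX = 15  # Linux interface names are at most 15 characters

# Constructed example table: IPsec client/connection id -> tenant.
# A real deployment would derive this from its tenant database or CRDs (assumption).
CLIENT_TO_TENANT: Dict[str, str] = {
    "site-a1": "tenant-a",
    "site-a2": "tenant-a",
    "site-b1": "tenant-b",
}

# Constructed example table: tenant -> network namespace of its packet-processing POD.
TENANT_NETNS: Dict[str, str] = {
    "tenant-a": "pp-tenant-a",
    "tenant-b": "pp-tenant-b",
}


@dataclass(frozen=True)
class TunnelEvent:
    """Minimal tunnel-up notification, e.g. from an IKE daemon updown hook (assumed shape)."""
    client_id: str   # identity the peer authenticated with
    remote_ip: str   # peer's public IP (uCPE / BO router / VPN client)
    local_ip: str    # the hub's single shared public IP
    mark: int        # XFRM mark carried by this client's SAs; becomes the VTI key


def vti_name(client_id: str) -> str:
    """Derive a kernel-legal interface name from the client id."""
    name = "vti-" + client_id
    if len(name) > IFNAMSIZ_MAX:
        raise ValueError(f"interface name {name!r} exceeds {IFNAMSIZ_MAX} chars")
    return name


class VtiController:
    """Builds (and optionally runs) the ip(8) commands that hand a VTI to a tenant."""

    def __init__(self, client_to_tenant: Dict[str, str], tenant_netns: Dict[str, str]):
        self.client_to_tenant = client_to_tenant
        self.tenant_netns = tenant_netns
        self.marks_in_use: Set[int] = set()

    def plan_tunnel_up(self, ev: TunnelEvent) -> List[List[str]]:
        tenant = self.client_to_tenant.get(ev.client_id)
        if tenant is None:
            # Never attach an unmapped client to any tenant's namespace.
            raise ValueError(f"unknown client {ev.client_id!r}; refusing to attach tunnel")
        if ev.mark in self.marks_in_use:
            # Two VTIs with the same key would receive each other's traffic.
            raise ValueError(f"mark {ev.mark} already bound to another VTI")
        netns = self.tenant_netns[tenant]
        ifname = vti_name(ev.client_id)
        self.marks_in_use.add(ev.mark)
        return [
            # 1. VTI created in the concentrator's (host) namespace, keyed to this SA's mark
            ["ip", "link", "add", ifname, "type", "vti",
             "local", ev.local_ip, "remote", ev.remote_ip, "key", str(ev.mark)],
            # 2. Hand the interface to the tenant's packet-processing namespace
            ["ip", "link", "set", ifname, "netns", netns],
            # 3. Bring it up inside that namespace; tenant firewall/NAT takes over from here
            ["ip", "-n", netns, "link", "set", ifname, "up"],
        ]

    @staticmethod
    def apply(plan: List[List[str]], dry_run: bool = True) -> None:
        """Run the plan; dry_run only prints it (running for real needs root and ip_vti)."""
        for cmd in plan:
            if dry_run:
                print(" ".join(cmd))
            else:
                subprocess.run(cmd, check=True)


if __name__ == "__main__":
    ctl = VtiController(CLIENT_TO_TENANT, TENANT_NETNS)
    # Constructed event: a tenant-a site coming up against the shared hub IP
    event = TunnelEvent("site-a1", "203.0.113.10", "198.51.100.1", mark=101)
    ctl.apply(ctl.plan_tunnel_up(event), dry_run=True)
```

In a real hub the event would come from the IKE daemon's updown hook or from watching the XFRM state, and the namespace name would be resolved from the tenant's packet-processing pod rather than from a static table; the tenant lookup and mark-uniqueness checks are the parts worth keeping, since they are what stop one tenant's tunnel from being attached to another tenant's namespace.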