Resource Connectivity Management

This document describes the management functions necessary for configuring resource connectivity policy with the BWCTL-API command-line tool or via a web interface.

To set up a connectivity policy for the processor and workload nodes, all you need to do is put nodes in security zones and connect zones when needed.

The steps below will guide you through the creation of zones and links between them.

Declare Location

A group of workloads is assigned to a security zone via a workload location. The location allows the workloads to automatically build links with the processors assigned to the same zone.

The fabric manager automatically assigns a workload to a location at the workload configuration step.

Note

By default, the fabric manager uses the prefix of the workload VPC name as its location name, for example: vpc-name: azr2-vpc-myfab5 ==> location-name: azr2

After configuration, the workload registers with the orchestrator. A workload always provides its location to the orchestrator during the registration step. The orchestrator automatically adds a newly received location name to its resource database.

To set up a zone policy before your workloads are registered, you need to declare a location.

Using Web Interface

To declare a location, click Add Location in the Admin > Locations section.

Fig. 130 Add New Location

Fill out the fields on the New Location page:

location name: the desired location name;
description: a description for the location;
zone: the zone for the location; leave None to decide later.

Submit the new location configuration. You should see the location appear in the list on the Admin > Locations page.

Fig. 131 List of Locations

Using BWCTL-API

To declare a location, run this command with the desired location name (in this example azr3) as an argument:

]$ bwctl-api create location azr3

You should see output similar to this:

[2019-10-17 22:48:34.362]  Location 'azr3' created successfully

Note

When options are not specified on the command line, BWCTL-API applies default configuration settings. See BWCTL-API CLI Manual for specific details.

To check the location configuration, run this command with the location name (in this example azr3) as an argument:

]$ bwctl-api show location azr3

You should see a new location specification:

---
apiVersion: policy.bayware.io/v1
kind: Location
metadata:
  description: azr3
  name: azr3
spec: {}

Create Zone

Once you have deployed resources (in this example a VPC with one processor and three workload nodes), open the resource graph page and verify that the workload nodes are not connected to the processor node.

You need to set up a resource policy that permits the workload nodes to connect to the processor.

Fig. 132 Resource Graph before Policy Setup

Note

To set up a resource policy for workloads, you need to create a zone and assign the location with workload nodes and at least one processor to this zone.

Set Up Zone

Using Web Interface

To add a new zone, click Add Zone in the Admin > Zones section.

Fig. 133 Add New Zone

Fill out the fields on the New Zone page:

zone name: the desired zone name;
description: a description for the zone.

Submit the new zone configuration. You should see the zone appear in the list on the Admin > Zones page.

Fig. 134 List of Zones

Using BWCTL-API

To create a new zone, run this command with the desired zone name (any string without spaces; in this example azure-eastus) as an argument:

]$ bwctl-api create zone azure-eastus

You should see output similar to this:

[2019-10-17 22:58:33.609]  Zone 'azure-eastus' created successfully

Note

When options are not specified on the command line, BWCTL-API applies default configuration settings. See BWCTL-API CLI Manual for specific details.

Check the new zone configuration by running this command with the zone name (in this example azure-eastus) as an argument:

]$ bwctl-api show zone azure-eastus

You should see a new zone specification:

---
apiVersion: policy.bayware.io/v1
kind: Zone
metadata:
  description: azure-eastus
  name: azure-eastus
spec:
  locations: []
  processors: []

Add Processor to Zone

Using Web Interface

To add a processor to the zone, click on the zone name (in this example azure-eastus) in the Admin > Zones section. On the zone page, click Add Processor.

Fig. 135 Add Processor to Zone

Fill out the fields on the New Processor page:

processor name: the name of the processor that will secure workloads in the zone;
tunnel IPs: the type of IP addresses, Private or Public, the processor will use to communicate with workloads in the zone;
IPsec: whether to encrypt communication between the processor and workloads in the zone, yes or no;
priority: the processor usage priority, High or Low, for workloads in the zone.

Submit the configuration. You should see the processor appear in the list of zone processors on the Admin > Zones > azure-eastus page.

Fig. 136 List of Zone Processors

Using BWCTL-API

To assign a processor to the zone, run this command with the processor name (in this example azr2-p01-myfab5) as an argument:

]$ bwctl-api update zone azure-eastus -a azr2-p01-myfab5

You should see output similar to this:

[2019-10-17 23:05:25.307]  Processor 'azr2-p01-myfab5' assigned to zone 'azure-eastus'
[2019-10-17 23:05:25.307]  Zone 'azure-eastus' updated successfully

Note

When options are not specified on the command line, BWCTL-API applies default configuration settings. See BWCTL-API CLI Manual for specific details.

Check the updated zone configuration by running this command with the zone name (in this example azure-eastus) as an argument:

]$ bwctl-api show zone azure-eastus

You should see that the zone specification now includes the processor:

---
apiVersion: policy.bayware.io/v1
kind: Zone
metadata:
  description: azure-eastus
  name: azure-eastus
spec:
  locations: []
  processors:
  - ipsec_enable: true
    name: azr2-p01-myfab5
    tunnel_ip_type: private

Add Workload to Zone

Using Web Interface

You will use a location to add a workload to a zone.

To add a location with your workload nodes to the zone, click on the location name (in this example azr2) in the Admin > Locations section. On the location page, click on the dropdown menu titled Zone.

Fig. 137 Add Location to Zone

Select the zone (in this example azure-eastus) and submit the configuration.

To verify, go to the Admin > Zones > azure-eastus page and find the location name in the list of zone locations.

Fig. 138 List of Zone Locations

Using BWCTL-API

To assign a location with your workload nodes to the zone, run this command with the location name (in this example azr2) as an argument:

]$ bwctl-api update location azr2 -z azure-eastus

You should see output similar to this:

[2019-10-17 23:32:54.982]  Location 'azr2' updated successfully

Check the zone configuration by running this command:

]$ bwctl-api show zone azure-eastus

You should see that the zone specification now includes the location:

---
apiVersion: policy.bayware.io/v1
kind: Zone
metadata:
  description: azure-eastus
  name: azure-eastus
spec:
  locations:
  - name: azr2
  processors:
  - ipsec_enable: true
    name: azr2-p01-myfab5
    tunnel_ip_type: private

At this point, you can open the resource graph page and see that the workloads are now connected to the processor.

Fig. 139 Resource Graph after Zone Configured

Connect Zones

Declare Processor

To connect two zones, you need to set up a link between the processors serving these zones.

You can describe a link between existing processors or processors you are planning to spin up, but haven’t yet created. If a processor doesn’t exist yet, you need to declare it before configuring the link.

Using Web Interface

To declare a processor, click Add Resource in the Admin > Resources section.

Fig. 140 Add New Resource

Fill out the fields on the New Resource page:

node name: the desired node name;
node type: the type of node, processor or workload;
location: the expected node location.

Submit the configuration. You should see the processor appear on the Admin > Resources page with the status Init.

Fig. 141 List of Resources

Using BWCTL-API

To declare a processor, run this command with the expected node name and its location (in this example azr3-p01-myfab5 and azr3 respectively) as arguments:

]$ bwctl-api create resource azr3-p01-myfab5 -type processor -l azr3

You should see output similar to this:

[2019-10-18 17:03:00.261]  Resource 'azr3-p01-myfab5' created successfully

Check the resource configuration by running this command:

]$ bwctl-api show resource azr3-p01-myfab5

You should see the new resource specification, with the declared location and the status Init:

---
apiVersion: policy.bayware.io/v1
kind: Resource
metadata:
  name: azr3-p01-myfab5
spec:
  location: azr3
  type: processor
  status: Init

Working with Batches

To set up a resource policy, you can also use batch files.

Export the resource policy from an existing zone and replace the existing entity names with the names allocated for the new zone.

Export the existing zone policy by running this command with the zone and output file names (in this example azure-eastus and new-resource-policy.yml respectively) as arguments:

]$ bwctl-api show zone azure-eastus > new-resource-policy.yml

Open the file in your favorite editor, e.g. nano:

]$ nano new-resource-policy.yml

Add location, resource, and link specifications to the new zone specification.

Note

While editing, you need to provide new zone, location, and processor names.

After editing, your file should have content similar to:

---
apiVersion: policy.bayware.io/v1
kind: Batch
metadata:
  name: New Resource Policy
spec:
- kind: Location
  metadata:
    description: azr3
    name: azr3
  spec:
    count_resources: 0
- kind: Resource
  metadata:
    name: azr3-p01-myfab5
  spec:
    location: azr3
    type: processor
    status: Init
- kind: Zone
  metadata:
    description: azure-westus
    name: azure-westus
  spec:
    locations:
    - name: azr3
    processors:
    - ipsec_enable: true
      name: azr3-p01-myfab5
      tunnel_ip_type: private
- kind: Link
  metadata:
    name: azr2-p01-myfab5_azr3-p01-myfab5
  spec:
    admin_status: true
    cost: 1
    ipsec_enable: true
    source_node: azr2-p01-myfab5
    status: active
    target_node: azr3-p01-myfab5
    tunnel_ip_type: public

Now, run the policy deployment with the batch file name (in this example new-resource-policy.yml) as an argument:

]$ bwctl-api create batch new-resource-policy.yml

You should see output similar to:

[2019-10-18 19:18:13.212]  Location 'azr3' created successfully
[2019-10-18 19:18:13.405]  Resource 'azr3-p01-myfab5' created successfully
[2019-10-18 19:18:13.745]  Zone 'azure-westus' created successfully
[2019-10-18 19:18:13.745]  Location 'azr3' updated in zone 'azure-westus'
[2019-10-18 19:18:13.745]  Processor 'azr3-p01-myfab5' assigned to zone 'azure-westus'
[2019-10-18 19:18:14.076]  Link from  'azr2-p01-myfab5' to 'azr3-p01-myfab5' created successfully

Note

At this point, you can deploy resources in the new zone. Each workload will automatically connect to a zone processor. Also, the new processor will automatically build a link with the existing processor.
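As an added example (not from the Bayware documentation or the BWCTL-API tool), the following Python lint checks a batch policy for the consistency rules this procedure depends on before it is deployed: every zone location and processor is declared, link endpoints are known processors, and encryption is not silently off. The `existing_processors` argument is an assumed input naming processors already registered with the orchestrator, such as the processor of the zone being linked to.

```python
# Added example, not part of the Bayware docs or BWCTL-API: lint a Batch policy
# before `bwctl-api create batch`. BATCH is the batch YAML from this page
# already parsed into Python structures (constructed copy, runs without PyYAML).
BATCH = {"kind": "Batch", "metadata": {"name": "New Resource Policy"}, "spec": [
    {"kind": "Location", "metadata": {"name": "azr3"}, "spec": {"count_resources": 0}},
    {"kind": "Resource", "metadata": {"name": "azr3-p01-myfab5"},
     "spec": {"location": "azr3", "type": "processor", "status": "Init"}},
    {"kind": "Zone", "metadata": {"name": "azure-westus"},
     "spec": {"locations": [{"name": "azr3"}],
              "processors": [{"ipsec_enable": True, "name": "azr3-p01-myfab5",
                              "tunnel_ip_type": "private"}]}},
    {"kind": "Link", "metadata": {"name": "azr2-p01-myfab5_azr3-p01-myfab5"},
     "spec": {"admin_status": True, "cost": 1, "ipsec_enable": True,
              "source_node": "azr2-p01-myfab5", "status": "active",
              "target_node": "azr3-p01-myfab5", "tunnel_ip_type": "public"}},
]}

def lint_batch(batch, existing_processors=()):
    """Return findings (empty list when the batch is consistent).

    existing_processors: names of processors already registered with the
    orchestrator (assumed input), e.g. the processor of the zone being linked.
    """
    findings = []
    items = batch.get("spec", [])
    locations = {i["metadata"]["name"] for i in items if i["kind"] == "Location"}
    processors = {i["metadata"]["name"] for i in items
                  if i["kind"] == "Resource" and i["spec"].get("type") == "processor"}
    known = processors | set(existing_processors)
    for i in items:
        name, spec = i["metadata"]["name"], i["spec"]
        if i["kind"] == "Zone":
            # Workloads only connect when both the location and a processor are in the zone.
            for loc in spec.get("locations", []):
                if loc["name"] not in locations:
                    findings.append(f"zone {name}: location {loc['name']} not declared")
            if not spec.get("processors"):
                findings.append(f"zone {name}: no processor, workloads stay isolated")
            for p in spec.get("processors", []):
                if p["name"] not in known:
                    findings.append(f"zone {name}: processor {p['name']} not declared")
                if not p.get("ipsec_enable"):
                    findings.append(f"zone {name}: IPsec disabled for {p['name']}")
        elif i["kind"] == "Link":
            for end in ("source_node", "target_node"):
                if spec.get(end) not in known:
                    findings.append(f"link {name}: {end} {spec.get(end)} unknown")
            if not spec.get("ipsec_enable") and spec.get("tunnel_ip_type") == "public":
                findings.append(f"link {name}: cleartext over public addresses")
    return findings
```

Run with the processor of the existing zone passed in `existing_processors`; a link to a processor that is neither declared in the batch nor already registered is reported so the batch can be corrected before deployment.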