Added commentary around Azure NSGs for UCP (#9612)

* Added commentary around Azure NSGs

* Added reference to Pod CIDR

* Adjusted for Peer Review
This commit is contained in:
Olly P 2019-10-11 18:42:20 +01:00 committed by GitHub
parent ac814e0344
commit 92759efdda
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 8 deletions


@ -56,6 +56,19 @@ You must meet the following infrastructure prerequisites to successfully deploy
needed as part of the UCP prerequisites. If you are using a separate Resource
Group for the networking components, the same Service Principal will need
`Network Contributor` access to this Resource Group.
- Kubernetes pods integrate into the underlying Azure networking stack, from
an IPAM and routing perspective with the Azure CNI IPAM module. Therefore
Azure Network Security Groups (NSG) impact pod to pod communication. End users
may expose containerized services on a range of underlying ports, resulting in
a manual process to open an NSG port every time a new containerized service is
deployed on to the platform. This would only affect workloads deployed on to
the Kubernetes orchestrator. It is advisable to have an "open" NSG between
all IPs on the Azure Subnet passed into UCP at [install time](#install-ucp).
To limit exposure, this Azure subnet should be locked down to only be used
for Container Host VMs and Kubernetes Pods. Additionally, end users can
leverage [Kubernetes Network
Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
to provide micro segmentation for containerized applications and services.
UCP requires the following information for the installation:
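Review bot: The advice "It is advisable to have an "open" NSG between all IPs on the Azure Subnet" is too loose as written; spell the rule out as an NSG rule allowing all protocols and ports whose source and destination are both the subnet's address prefix, so a reader does not read "open" as a permissive inbound rule from Any. The commit title says a Pod CIDR reference was added, but the bullet only says pods integrate with the Azure CNI IPAM module and never states where pod IPs come from; if pod addresses are allocated from that same subnet, say so in one sentence, because that is what makes a subnet-scoped rule cover pod-to-pod traffic. The sentence "This would only affect workloads deployed on to the Kubernetes orchestrator" reads better as "This only affects workloads deployed onto Kubernetes" ("on to" should be "onto" in both places, and "micro segmentation" is normally "microsegmentation"). Also, "UCP requires the following information for the installation:" follows the new bullet with no blank line, so Markdown will treat it as a lazy continuation of the list item; add a blank line before it.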


@ -59,6 +59,15 @@ indicated as the "Scope" of that port. The three scopes are:
- Internal: Traffic arrives from other hosts in the same cluster.
- Self: Traffic arrives to that port only from processes on the same host.
> Note
>
> When installing UCP on Microsoft Azure, an overlay network is not used for
> Kubernetes; therefore, any containerized service deployed onto Kubernetes and
> exposed as a Kubernetes Service may need its corresponding port to be opened
> on the underlying Azure Network Security Group. For more information see
> [Installing on
> Azure](/ee/ucp/admin/install/cloudproviders/install-on-azure/#azure-prerequisites).
Make sure the following ports are open for incoming traffic on the respective
host types:
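Review bot: "may need its corresponding port to be opened on the underlying Azure Network Security Group" leaves the reader guessing when that is required; say which traffic it applies to, for example traffic entering the subnet from outside (clients on other networks reaching the Service), as opposed to traffic between hosts and pods inside the subnet, which the Azure prerequisites page this note links to asks the reader to cover with a subnet-wide NSG rule. The blockquote starts directly after the "- Self:" list item with no blank line, so Markdown may render the note as part of that list item; add a blank line before "> Note" and another after the closing "> Azure](...)" line so "Make sure the following ports are open..." starts its own paragraph. Finally, confirm that the anchor "#azure-prerequisites" matches a heading on the install-on-azure page; the other hunk in this commit links to "#install-ucp", and the prerequisites heading itself is not visible here.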