OCP 4 platform network topology
Review the network structure implemented in the OpenShift Container Platform (OCP) 4 clusters: Silver, Gold, Gold DR and Emerald.
Silver
OCP 4 is in the SDN Compartment, which is separate from the legacy Zone model. All traffic from the SDN Compartment to zones is treated as DMZ traffic.
The firewall between the public internet and the SDN Compartment allows only TCP ports 80 and 443 (application ingress) and 6443 (the Kubernetes API). All other traffic is blocked. There is, however, no firewall between SPAN-BC and the SDN Compartment.
Ingress
All routes created in OCP will be directed to the VIP http(s)://*.apps.silver.devops.gov.bc.ca - 142.34.194.118
Use this IP or the object name MCS-SILVER-APP for requesting firewall changes to allow traffic from an endpoint in the DMZ or Zone B to a web app or app API hosted on OpenShift Silver.
We’re working on methods to expose non-http traffic on separate IPs in the subnet via automating the F5 BIG-IP with the Container Ingress Service CRDs.
Egress
Egress from the cluster is via a NAT pool on the F5 BIG-IP on the IPs 142.34.194.121 142.34.194.122 142.34.194.123 142.34.194.124
Use the network group object name MCS-SILVER-NAT-POOL for requesting firewall changes to allow traffic from OpenShift Silver to an endpoint in the DMZ or Zone B.
Kube API
The Kube API is available at https://api.silver.devops.gov.bc.ca - 142.34.194.119
Use this IP or the object name MCS-SILVER-API for requesting firewall changes to allow traffic from an endpoint in the DMZ or Zone B to the Kubernetes API for OpenShift Silver.
Web console
Silver cluster network topology
Gold
Ingress
All routes created in OCP will be directed to the VIP http(s)://*.apps.gold.devops.gov.bc.ca - 142.34.229.4
Use this IP or the object name MCS-GOLD-APP for requesting firewall changes to allow traffic from an endpoint in the DMZ or Zone B to a web app or app API hosted on OpenShift Gold.
Egress
Egress from the cluster is via a NAT pool on the F5 BIG-IP on the IPs 142.34.229.6 142.34.229.7 142.34.229.8 142.34.229.9
Use the network group object name MCS-GOLD-NAT-POOL for requesting firewall changes to allow traffic from OpenShift Gold to an endpoint in the DMZ or Zone B.
Kube API
The Kube API is available at https://api.gold.devops.gov.bc.ca - 142.34.229.5
Use this IP or the object name MCS-GOLD-API for requesting firewall changes to allow traffic from an endpoint in the DMZ or Zone B to the Kubernetes API for OpenShift Gold.
Web Console
Gold DR
Ingress
All routes created in OCP will be directed to the VIP http(s)://*.apps.golddr.devops.gov.bc.ca - 142.34.64.4
Use this IP or the object name MCS-GOLDDR-APP for requesting firewall changes to allow traffic from an endpoint in the DMZ or Zone B to a web app or app API hosted on OpenShift Gold DR.
Egress
Egress from the cluster is via a NAT pool on the F5 BIG-IP on the IPs 142.34.64.6 142.34.64.7 142.34.64.8 142.34.64.9
Use the network group object name MCS-GOLDDR-NAT-POOL for requesting firewall changes to allow traffic from OpenShift Gold DR to an endpoint in the DMZ or Zone B.
Kube API
The Kube API is available at https://api.golddr.devops.gov.bc.ca - 142.34.64.5
Use this IP or the object name MCS-GOLDDR-API for requesting firewall changes to allow traffic from an endpoint in the DMZ or Zone B to the Kubernetes API for OpenShift Gold DR.
Web Console
Emerald
Ingress
Each route is assigned an IP at random from the pool for its DataClass. Inspect the Route object to see which IP was assigned to your route. Firewall rules must use only that specific IP, never the whole pool: a rule that opens the pool grants access to every other team's route in the same DataClass.
- Public
142.34.207.0/28
- Low
10.99.10.64/26
- Medium
10.99.10.0/26
- High
10.99.9.208/28
Routes using the default http(s)://*.apps.emerald.devops.gov.bc.ca hostname cannot be resolved from the public internet, even if they use the Public DataClass. You must use a vanity domain name for public routes.
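The following is an added example, not tooling from the platform team, that encodes the addresses documented on this page so a firewall request can be sanity-checked before it is filed. It answers two questions a practitioner asks while reading the sections above: "which MCS-* object does this Silver, Gold or Gold DR address belong to?" and, for Emerald, "is this route IP in the pool for the DataClass I claimed, is my rule a single host rather than the pool, and will a Public route on the default hostname actually resolve?". The function names and the check logic are assumptions of this example; the hostnames used in the demo are constructed.

```python
import ipaddress

# Addresses and object names are those documented on this page. The checks
# around them are an added illustration, not the platform's own tooling.
FIREWALL_OBJECTS = {
    "MCS-SILVER-APP": ["142.34.194.118"],
    "MCS-SILVER-API": ["142.34.194.119"],
    "MCS-SILVER-NAT-POOL": ["142.34.194.121", "142.34.194.122",
                            "142.34.194.123", "142.34.194.124"],
    "MCS-GOLD-APP": ["142.34.229.4"],
    "MCS-GOLD-API": ["142.34.229.5"],
    "MCS-GOLD-NAT-POOL": ["142.34.229.6", "142.34.229.7",
                          "142.34.229.8", "142.34.229.9"],
    "MCS-GOLDDR-APP": ["142.34.64.4"],
    "MCS-GOLDDR-API": ["142.34.64.5"],
    "MCS-GOLDDR-NAT-POOL": ["142.34.64.6", "142.34.64.7",
                            "142.34.64.8", "142.34.64.9"],
}

EMERALD_DATACLASS_POOLS = {
    "Public": ipaddress.ip_network("142.34.207.0/28"),
    "Low": ipaddress.ip_network("10.99.10.64/26"),
    "Medium": ipaddress.ip_network("10.99.10.0/26"),
    "High": ipaddress.ip_network("10.99.9.208/28"),
}

# Default Emerald route suffix; not resolvable from the public internet.
EMERALD_DEFAULT_SUFFIX = ".apps.emerald.devops.gov.bc.ca"


def firewall_object_for(ip):
    """Name of the MCS-* firewall object containing `ip`, or None.

    Useful when a log shows a connection from 142.34.194.122 and you need
    to know whether that is OpenShift Silver egress (it is: the NAT pool).
    """
    addr = ipaddress.ip_address(ip)
    for name, members in FIREWALL_OBJECTS.items():
        if any(addr == ipaddress.ip_address(m) for m in members):
            return name
    return None


def emerald_dataclass(ip):
    """DataClass whose Emerald ingress pool contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for dataclass, pool in EMERALD_DATACLASS_POOLS.items():
        if addr in pool:
            return dataclass
    return None


def check_emerald_ingress_rule(destination, declared_dataclass, hostname):
    """Return a list of problems with a proposed Emerald ingress rule.

    An empty list means the rule names a single route IP, that IP sits in
    the pool for the declared DataClass, and a Public route is not relying
    on the default hostname.
    """
    problems = []
    net = ipaddress.ip_network(destination, strict=False)
    first = str(net.network_address)
    if net.num_addresses != 1:
        problems.append(
            "destination must be the single IP assigned to the route, "
            f"not the pool {net}")
    actual = emerald_dataclass(first)
    if actual is None:
        problems.append(f"{first} is not in any Emerald DataClass pool")
    elif actual != declared_dataclass:
        problems.append(
            f"{first} is in the {actual} pool, not {declared_dataclass}")
    if declared_dataclass == "Public" and hostname.endswith(EMERALD_DEFAULT_SUFFIX):
        problems.append(
            "Public routes need a vanity hostname; "
            f"{hostname} will not resolve from the internet")
    return problems


if __name__ == "__main__":
    # Constructed examples for the demo; the hostnames are not real routes.
    print(firewall_object_for("142.34.194.122"))
    print(emerald_dataclass("10.99.10.75"))
    print(check_emerald_ingress_rule("10.99.10.64/26", "Low",
                                     "myapp.example.gov.bc.ca"))
    print(check_emerald_ingress_rule("142.34.207.3", "Public",
                                     "myapp.apps.emerald.devops.gov.bc.ca"))
```

The Kube API address 10.99.10.75 falls in 10.99.10.64/26, which is why the page calls it the DataClass Low endpoint; the same containment test is what the rule checker uses to catch a request that declares one DataClass while naming an IP from another.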
Egress
Each namespace is granted its own dedicated /26 private, routed IP range for its pods. There is no NAT between those IPs and the rest of the datacenter, so the pod IP is the source address other systems see. Use that range in firewall rules to allow access for just your namespace to resources in the DMZ, Zone B or Zone A.
Egress to the public internet must flow through the forward proxy.
Kube API
The Kube API is available at the DataClass Low endpoint https://api.emerald.devops.gov.bc.ca - 10.99.10.75
Use this IP for requesting firewall changes to allow traffic from an endpoint in the DMZ or Zone B to the Kubernetes API for OpenShift Emerald.
The API is not available on the public internet.