Requirements (SaaS)
This page describes the network architecture and connectivity requirements when using the meltcloud SaaS (https://app.meltcloud.io).
In this setup, Nest (which hosts the control planes and the Foundry) is hosted as SaaS on the Internet and only the workers run locally. Thus, only connectivity from the workers to the SaaS is required.
Architecture
The following image depicts the involved components and their connectivity flows. The addresses shown are examples taken from the 10.0.0.0/8 RFC 1918 range.
Customer-provided Services
As shown in the picture above, meltcloud requires the following services to be provided by the customer:
- DHCP-Server: to provide IP addresses, routes, DNS & NTP servers for all Machines. See Details below for the required fields.
- DNS: to resolve all internal and external destinations
- NTP-Server: to synchronize the time of Machines. Strongly recommended, because TLS client certificate validation depends on a correct clock. If none is provided, Machines fall back to *.flatcar.pool.ntp.org.
- Egress Internet Connectivity: connectivity to *.meltcloud.io. There is currently no support for HTTP proxies when using the SaaS.
Port Matrix
The following table shows all required connectivity according to the image above:
ID | Source | Destination | Ports/Protocols | Reason | Required | Comment |
---|---|---|---|---|---|---|
1 | Subnets Machines-* (10.0.2-3.0/24) | DHCP-Server (10.0.0.10) | 67/udp (DHCP) | To retrieve IPs, routes, DNS & NTP server | Yes | |
2 | Subnets Machines-* (10.0.2-3.0/24) | DNS-Server (10.0.0.11) | 53/udp/tcp (DNS) | To resolve hostnames | Yes | |
3 | Subnets Machines-* (10.0.2-3.0/24) | NTP-Server (10.0.0.12) | 123/udp (NTP) | To synchronize time | No | If unset, falls back to *.flatcar.pool.ntp.org |
4 | Subnets Machines-* (10.0.2-3.0/24) | CSI-compliant IP Storage (10.0.0.200/24) | NFS, iSCSI, ... | For persistent volumes | No | Depends on vendor/technology |
5 | Subnets Machines-* (10.0.2-3.0/24) | Foundry, agent.meltcloud.io and pkg-pub.meltcloud.io (149.202.23.131) | 443/tcp (HTTPS) | Agent <> Foundry interaction, downloading of packages | Yes | Uses TLS Client Certificates |
6 | Subnet Machines-prd (10.0.2.0/24) | Kubernetes Control Plane prd-1 (149.202.23.132) | 2000/tcp, 2001/tcp (HTTPS) | Kubelet -> kube-apiserver and konnectivity traffic | Yes | Uses TLS Client Certificates; check Web UI for assigned Ports |
7 | Subnet Machines-tst (10.0.3.0/24) | Kubernetes Control Plane tst-1 (149.202.23.132) | 2002/tcp, 2003/tcp (HTTPS) | Kubelet -> kube-apiserver and konnectivity traffic | Yes | Uses TLS Client Certificates; check Web UI for assigned Ports |
8 | Platform Engineer | Foundry, app.meltcloud.io (149.202.23.131) | 443/tcp (HTTPS) | Web (including Websockets) or API interaction | Yes | |
9 | Platform Engineer | Kubernetes Control Plane prd-1 (149.202.23.132) | 2000/tcp, 2001/tcp (HTTPS) | kubectl interaction | No | Give access to all Clusters as necessary; check Web UI for assigned Ports |
Machine Network Configuration via DHCP
Machines require DHCP to configure IP addresses and environment-specific settings like routes, DNS and NTP servers.
Through DHCP, the following parameters must be provided:
- IP address and subnet: primary network identity of the host
- Default gateway and static routes: customized routing for specific environments
- DNS servers and search domains: name resolution configuration
- NTP servers: time synchronization sources
Example Kea DHCP configuration
```
// Kea accepts // comments in its configuration; strip them before feeding this to a strict JSON tool.
{
  "Dhcp4": {
    "subnet4": [
      {
        "subnet": "10.10.10.0/24",
        "pools": [
          { "pool": "10.10.10.100 - 10.10.10.200" }
        ],
        "option-data": [
          { "name": "routers", "data": "10.10.10.1" },                          // default gateway / route
          { "name": "domain-name", "data": "lab.example.com" },                  // DNS search domain
          { "name": "domain-name-servers", "data": "10.10.10.53, 10.10.10.54" }, // DNS servers
          { "name": "ntp-servers", "data": "10.10.10.60" }                       // NTP source
        ]
      }
    ]
  }
}
```
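As an added check (not part of meltcloud's documentation or tooling), the following Python script reads a Kea configuration the way Kea does (comments allowed) and verifies that each subnet4 entry supplies the parameters listed above, that the gateway lies inside the subnet, and that the pool does not leak out of it. The sample configuration embedded in it is constructed for illustration.

```python
import ipaddress
import json
import re
# Options meltcloud Machines need from DHCP (see the list above); ntp-servers is only
# recommended because Machines fall back to *.flatcar.pool.ntp.org without it.
REQUIRED_OPTIONS = ("routers", "domain-name-servers")
RECOMMENDED_OPTIONS = ("ntp-servers",)

def load_kea_config(text):
    """Strip Kea-style // and # comments and trailing commas, which json.loads rejects."""
    out, in_str, i = [], False, 0
    while i < len(text):
        if text[i] == '"' and (i == 0 or text[i - 1] != "\\"):
            in_str = not in_str
        if not in_str and (text.startswith("//", i) or text[i] == "#"):
            nl = text.find("\n", i)            # skip to the end of the comment line
            i = nl if nl >= 0 else len(text)
            continue
        out.append(text[i])
        i += 1
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", "".join(out)))

def check_subnet(subnet):
    # Returns findings for one subnet4 entry; an empty list means it is compliant.
    net = ipaddress.ip_network(subnet["subnet"], strict=False)
    opts = {o["name"]: o["data"] for o in subnet.get("option-data", [])}
    findings = [f"{net}: missing required option {n}" for n in REQUIRED_OPTIONS if n not in opts]
    findings += [f"{net}: no {n}, Machines will use *.flatcar.pool.ntp.org"
                 for n in RECOMMENDED_OPTIONS if n not in opts]
    for gw in filter(None, map(str.strip, opts.get("routers", "").split(","))):
        if ipaddress.ip_address(gw) not in net:
            findings.append(f"{net}: router {gw} is outside the subnet")
    for pool in subnet.get("pools", []):        # only the "lo - hi" pool form is handled
        lo, hi = (ipaddress.ip_address(p.strip()) for p in pool["pool"].split("-"))
        if lo not in net or hi not in net or lo > hi:
            findings.append(f"{net}: pool {pool['pool']} is not inside the subnet")
    return findings

def check_config(text):
    return [f for s in load_kea_config(text)["Dhcp4"]["subnet4"] for f in check_subnet(s)]
# Constructed sample: the first subnet mirrors the complete configuration above; the
# second (tst Machines) lacks DNS and NTP options and its pool leaks out of the subnet.
SAMPLE = """{ "Dhcp4": { "subnet4": [
  { "subnet": "10.10.10.0/24", "pools": [ { "pool": "10.10.10.100 - 10.10.10.200" } ],
    "option-data": [ { "name": "routers", "data": "10.10.10.1" },  // default gw
      { "name": "domain-name-servers", "data": "10.10.10.53, 10.10.10.54" },
      { "name": "ntp-servers", "data": "10.10.10.60" }, ] },
  { "subnet": "10.0.3.0/24", "pools": [ { "pool": "10.0.3.50 - 10.0.4.20" } ],
    "option-data": [ { "name": "routers", "data": "10.0.3.1" } ] }  # no DNS/NTP
] } }"""
```

Run `check_config(open("kea-dhcp4.conf").read())` against a real configuration; any non-empty result lists what a Machine would be missing at boot.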