Hello all,
We are currently evaluating using Proxmox for our development environment, and possibly homolgation and production if it all goes well.
Right now I have a cluster with 6 servers, connected to our servers VLAN. Since we have several separated development teams, some using containers, some wanting to have a "private" network for their Kubernetes clusters, and some using old plain products (Apache, Tomcat etc) on plain VMs, we have a basic requirement to provide separate networks ( /24 segments are more than enough for each team), that may or may not need to see each other, and all of them must see the basic shared services (Oracle, mail server, file server) that run on physical servers on the servers VLAN (the same VLAN of the Proxmox servers).
To make it simple, I tought the easiest way would be implementing Vxlans using Proxmox SDN. I would implement a new Vxlan, assign a network range to it, and assign the network interfaces of the VMs to those vxlans as needed, using cloud-init and shell scripts to automate the deployment of these VMs.
Since the VMs can be spread among all the Hosts, there must be a way to make the VMs on a given segment see each other (which is implemented with the vxlans), but also all of the Vms of a single segment must have a common gateway IP, regardless of on which host they are. For this, I thought of creating a small VM on each host, and using the keealived daemon implement a software VRRP. Each of these 'VRRP' VMs would have a distinct IP on its interfaces (one for the external network, one for each vxlan), and they are grouped into a single virtual IP (by means of the keepalived daemon/VRRP), which would be the default gateway for the VMs.
I hope this diagram explains it:
I'd like to ask if this topology is good, or overkill, or wrong etc, for the goal of segmenting the internal networks. In my tests everything works, but maybe something may be missing (UDP packets? broadcasts?) and I still haven't discovered it.
Any suggestions will be appreciated.
PS: All the IP/ranges are made up, don't worry, they're not our real internal ranges
Thank you!
We are currently evaluating using Proxmox for our development environment, and possibly homolgation and production if it all goes well.
Right now I have a cluster with 6 servers, connected to our servers VLAN. Since we have several separated development teams, some using containers, some wanting to have a "private" network for their Kubernetes clusters, and some using old plain products (Apache, Tomcat etc) on plain VMs, we have a basic requirement to provide separate networks ( /24 segments are more than enough for each team), that may or may not need to see each other, and all of them must see the basic shared services (Oracle, mail server, file server) that run on physical servers on the servers VLAN (the same VLAN of the Proxmox servers).
To make it simple, I tought the easiest way would be implementing Vxlans using Proxmox SDN. I would implement a new Vxlan, assign a network range to it, and assign the network interfaces of the VMs to those vxlans as needed, using cloud-init and shell scripts to automate the deployment of these VMs.
Since the VMs can be spread among all the Hosts, there must be a way to make the VMs on a given segment see each other (which is implemented with the vxlans), but also all of the Vms of a single segment must have a common gateway IP, regardless of on which host they are. For this, I thought of creating a small VM on each host, and using the keealived daemon implement a software VRRP. Each of these 'VRRP' VMs would have a distinct IP on its interfaces (one for the external network, one for each vxlan), and they are grouped into a single virtual IP (by means of the keepalived daemon/VRRP), which would be the default gateway for the VMs.
I hope this diagram explains it:
I'd like to ask if this topology is good, or overkill, or wrong etc, for the goal of segmenting the internal networks. In my tests everything works, but maybe something may be missing (UDP packets? broadcasts?) and I still haven't discovered it.
Any suggestions will be appreciated.
PS: All the IP/ranges are made up, don't worry, they're not our real internal ranges
Thank you!