Network Service Mesh can compose many Endpoints so that they work together to provide the desired Network Service. In the vpn example, the user wants secure-intranet-connectivity, with traffic from the App Pod Client passing first through a firewall and then through two other passthrough security appliances before finally reaching a VPN Gateway.
Utilize the Run instructions to install the NSM infrastructure, and then type:
```bash
make helm-install-vpn
```
This will install Deployments for:
| Name | Advertises Network Service | Labels | Description |
|---|---|---|---|
| vpn-gateway-nsc | | | The Client |
| vppagent-firewall-nse | secure-intranet-connectivity | app=firewall | A passthrough firewall Endpoint |
| vppagent-passthrough-nse-1 | secure-intranet-connectivity | app=passthrough-1 | A generic passthrough Endpoint |
| vppagent-passthrough-nse-2 | secure-intranet-connectivity | app=passthrough-2 | A generic passthrough Endpoint |
| vpn-gateway-nse | secure-intranet-connectivity | app=vpn-gateway | A simulated VPN Gateway |
And also a Network Service:
```yaml
apiVersion: networkservicemesh.io/v1alpha1
kind: NetworkService
metadata:
  name: secure-intranet-connectivity
spec:
  payload: IP
  matches:
    - match:
      sourceSelector:
        app: "firewall"
      route:
        - destination:
          destinationSelector:
            app: "passthrough-1"
    - match:
      sourceSelector:
        app: "passthrough-1"
      route:
        - destination:
          destinationSelector:
            app: "passthrough-2"
    - match:
      sourceSelector:
        app: "passthrough-2"
      route:
        - destination:
          destinationSelector:
            app: "vpn-gateway"
    - match:
      route:
        - destination:
          destinationSelector:
            app: "firewall"
```
That describes how to compose together the various providers of Network Service secure-intranet-connectivity.
When the Client requests Network Service secure-intranet-connectivity with no labels, it falls all the way through the secure-intranet-connectivity matches to:
```yaml
- match:
  route:
    - destination:
      destinationSelector:
        app: "firewall"
```
It is then connected to the Firewall Endpoint.
The Firewall Endpoint then requests secure-intranet-connectivity with labels app=firewall and matches to:
```yaml
- match:
  sourceSelector:
    app: firewall
  route:
    - destination:
      destinationSelector:
        app: "passthrough-1"
```
It gets wired to the Passthrough-1 Endpoint, which requests secure-intranet-connectivity with labels app=passthrough-1 and matches to:
```yaml
- match:
  sourceSelector:
    app: "passthrough-1"
  route:
    - destination:
      destinationSelector:
        app: "passthrough-2"
```
The Passthrough-2 Endpoint then requests secure-intranet-connectivity with labels app=passthrough-2 and matches to:
```yaml
- match:
  sourceSelector:
    app: "passthrough-2"
  route:
    - destination:
      destinationSelector:
        app: "vpn-gateway"
```
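The fall-through walk described above, as an added example (not code from the Network Service Mesh project). It assumes that the first match whose sourceSelector labels are all present in the request wins; the names `Select` and `Chain` and the stop on a repeated hop are hypothetical.

```go
package main

import "fmt"

type labels = map[string]string

// match is one spec.matches entry, reduced to its sourceSelector and the
// destinationSelector of its single route.
type match struct{ source, dest labels }

// The secure-intranet-connectivity matches, in the order shown on this page.
var matches = []match{
	{labels{"app": "firewall"}, labels{"app": "passthrough-1"}},
	{labels{"app": "passthrough-1"}, labels{"app": "passthrough-2"}},
	{labels{"app": "passthrough-2"}, labels{"app": "vpn-gateway"}},
	{nil, labels{"app": "firewall"}}, // no sourceSelector: matches any request
}

// Select returns the destinationSelector of the first match whose
// sourceSelector labels are all present in the request labels (assumed rule).
func Select(ms []match, req labels) (labels, bool) {
next:
	for _, m := range ms {
		for k, v := range m.source {
			if req[k] != v {
				continue next
			}
		}
		return m.dest, true
	}
	return nil, false
}

// Chain starts from an unlabelled Client request and lets each selected
// Endpoint request again with its own labels, stopping at a repeated hop.
func Chain(ms []match) []string {
	hops, seen, req := []string{}, map[string]bool{}, labels{}
	for {
		dest, ok := Select(ms, req)
		if !ok || seen[dest["app"]] {
			return hops
		}
		seen[dest["app"]] = true
		hops, req = append(hops, dest["app"]), dest
	}
}

func main() { fmt.Println(Chain(matches)) }
```

Under the same assumption, moving the selector-less match to the top of the list would shadow every other match, so every request would be routed to the firewall Endpoint and the rest of the chain would never be reached.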
First verify that the vpn example Pods are all up and running:
```bash
kubectl get pods
```
To see the vpn example in action, you can run:
```bash
curl -s https://raw.githubusercontent.com/networkservicemesh/networkservicemesh/master/scripts/verify_vpn_gateway.sh | bash
```