-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
fe5d3e6
commit 69d51c9
Showing
2 changed files
with
52 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| --- | ||
| title: Calico on Digital Ocean | ||
| --- | ||
|
|
||
| Calico is designed to provide high performance massively scalable virtual | ||
| networking for containers in public cloud environments such as Digital Ocean. | ||
|
|
||
| Since Digital Ocean does not allow for BGP peering with the networking fabric, | ||
| it must always be run with ipip enabled. | ||
|
|
||
| ## Why Use Calico with Digital Ocean | ||
|
|
||
| Calico implements fine-grain policy for containers which dynamically applies to | ||
| containers as they are launched. | ||
|
|
||
| ## How to Run Calico in Digital Ocean | ||
|
|
||
| Digital Ocean offers two networking options for droplets: | ||
|
|
||
| - Public Interface | ||
| - Private Interface [Optional] | ||
|
|
||
| Calico can be launched on either. We recommend running Calico on the optional | ||
| private interface, as it improves security by ensuring | ||
| calico services are not accessible by the wider internet. However, nodes in | ||
| different Datacenter Regions will not have IP connectivity using their private | ||
| address, and therefore will not be able to establish BGP sessions with one another. | ||
|
|
||
| If you can run your entire Calico cluster in one Datacenter Region, launch | ||
| calico on the Private Interface. | ||
|
|
||
| If you cannot, set up a publicly accessible route reflector in each zone, | ||
| or launch calico on the Public Interface. | ||
|
|
||
| ###### Enable Encapsulation | ||
|
|
||
| On Digital Ocean, cross-host container-to-container traffic will travel over an | ||
| L3 nexthop. Since Digital Ocean does not allow peering to the L3 hop, it will | ||
| not know how to route this container traffic, and it will be dropped. | ||
|
|
||
| To remedy this, enable [ipip encapsulation on the pool](#). This will wrap container | ||
| traffic in the host's IP. | ||
|
|
||
| ###### Ensure Calico Chooses Correct IP | ||
|
|
||
| Note that calicoctl's automatic ip detection will launch calico/node on the private | ||
| address if the droplet is configured to have a private interface. | ||
|
|
||
| If intend to launch Calico on the public interface, ensure you manually specify | ||
| `--ip` when launching `calicoctl node run`. |