-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
d3f19c1
commit b14b52d
Showing
2 changed files
with
47 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
--- | ||
title: Calico on Digital Ocean | ||
--- | ||
|
||
Calico is designed to provide high performance massively scalable virtual | ||
networking for containers in public cloud environments such as Digital Ocean. | ||
|
||
## How to Run Calico in Digital Ocean | ||
|
||
Digital Ocean offers two networking options for droplets. | ||
Calico can be launched on either: | ||
|
||
- Public Interface | ||
- Private Interface [Optional] | ||
|
||
We recommend running Calico on the private interface, as it enhances security by | ||
ensuring Calico services are not accessible from the wider internet. | ||
|
||
However, hosts in different Datacenter Regions will not have IP connectivity with one | ||
another on their private address, and therefore will not be able to establish | ||
BGP sessions with one another. For mluti-region digital ocean clusters, | ||
bind Calico to the public interface. | ||
|
||
###### Enable Encapsulation | ||
|
||
In Digital Ocean, cross-host container-to-container traffic will travel over an | ||
L3 hop. Since Digital Ocean does not allow peering to the L3 hop, it will | ||
not know how to route this container traffic, and will drop it. | ||
|
||
To remedy this, Calico can encapsulate container traffic with the IP so that the | ||
networking fabric never sees the container IPs, allowing standard routing to | ||
take over. Turn on traffic encapsulation in pool settings by enabling: | ||
|
||
- `ipip` for container-to-container traffic. | ||
- `nat-outgoing` for container-to-ec2-instance traffic. | ||
|
||
See [pool configuration]({{site.baseurl}}/{{page.version}}/reference/calicoctl/resources/ippool) for information on how to enable this for IP pools. | ||
|
||
###### Ensure Calico Chooses Correct IP | ||
|
||
Note that calicoctl's automatic IP detection will launch calico/node on the private | ||
address if the droplet is configured to have a private interface. | ||
|
||
Ensure you manually specify `--ip` when launching `calicoctl node run` if you | ||
want it to bind to the public interface. |