From b14b52d774b0a46123a4c54248e332db12eb1a23 Mon Sep 17 00:00:00 2001 From: Dan Osborne Date: Mon, 5 Dec 2016 13:22:20 -0800 Subject: [PATCH] Add digital ocean guide. --- _data/master/navbars/reference.yml | 2 + .../reference/public-cloud/digital-ocean.md | 45 +++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 master/reference/public-cloud/digital-ocean.md diff --git a/_data/master/navbars/reference.yml b/_data/master/navbars/reference.yml index 2f7afb8a683..53e90c9ec2d 100644 --- a/_data/master/navbars/reference.yml +++ b/_data/master/navbars/reference.yml @@ -87,6 +87,8 @@ toc: path: /reference/public-cloud/overview - title: AWS path: /reference/public-cloud/aws + - title: Digital Ocean + path: /reference/public-cloud/digital-ocean - title: Deploying on Private Cloud section: - title: Overview diff --git a/master/reference/public-cloud/digital-ocean.md b/master/reference/public-cloud/digital-ocean.md new file mode 100644 index 00000000000..22ebb9e92cf --- /dev/null +++ b/master/reference/public-cloud/digital-ocean.md 
@@ -0,0 +1,45 @@ +--- +title: Calico on Digital Ocean +--- + +Calico is designed to provide high performance massively scalable virtual +networking for containers in public cloud environments such as Digital Ocean. + +## How to Run Calico in Digital Ocean + +Digital Ocean offers two networking options for droplets. +Calico can be launched on either: + +- Public Interface +- Private Interface [Optional] + +We recommend running Calico on the private interface, as it enhances security by +ensuring Calico services are not accessible from the wider internet. + +However, hosts in different Datacenter Regions will not have IP connectivity with one +another on their private address, and therefore will not be able to establish +BGP sessions with one another. For mluti-region digital ocean clusters, +bind Calico to the public interface. + +###### Enable Encapsulation + +In Digital Ocean, cross-host container-to-container traffic will travel over an +L3 hop. Since Digital Ocean does not allow peering to the L3 hop, it will +not know how to route this container traffic, and will drop it. + +To remedy this, Calico can encapsulate container traffic with the IP so that the +networking fabric never sees the container IPs, allowing standard routing to +take over. Turn on traffic encapsulation in pool settings by enabling: + +- `ipip` for container-to-container traffic. +- `nat-outgoing` for container-to-ec2-instance traffic. + +See [pool configuration]({{site.baseurl}}/{{page.version}}/reference/calicoctl/resources/ippool) for information on how to enable this for IP pools. + +###### Ensure Calico Chooses Correct IP + +Note that calicoctl's automatic IP detection will launch calico/node on the private +address if the droplet is configured to have a private interface. + +Ensure you manually specify `--ip` when launching `calicoctl node run` if you +want it to bind to the public interface.
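Review bot: in the new digital-ocean.md the `nat-outgoing` bullet reads "for container-to-ec2-instance traffic", which is AWS wording carried over from the AWS guide; on Digital Ocean it should say "container-to-droplet traffic" (traffic from a container to a host outside the Calico-managed IP pools). In the same paragraph, "Calico can encapsulate container traffic with the IP" is missing the encapsulation name and should read "with IP-in-IP", matching the `ipip` pool setting enabled just below. Two smaller fixes in this file: "mluti-region" is a typo for "multi-region", and the sub-headings "Enable Encapsulation" and "Ensure Calico Chooses Correct IP" use `######` directly under the `##` section heading, so they render as h6; `###` keeps the hierarchy readable. Finally, the last paragraph tells readers to pass `--ip` for the public interface but never shows the form; a one-line example such as `calicoctl node run --ip=<public-ip-of-droplet>` (placeholder value) would make the instruction unambiguous, and it would help to say which interface the automatic detection picks when the droplet has no private interface so the reader knows when the flag is actually needed.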
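Review bot: the reference.yml hunk adds the navbar entry with the title "Digital Ocean" while the vendor spells its name "DigitalOcean" as one word; since the new page uses the two-word form throughout as well, either is consistent within this PR, but if the docs elsewhere use the vendor spelling the title and page heading should follow it. The title/path pair otherwise matches the file created at master/reference/public-cloud/digital-ocean.md.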