Improvement
Resolution: Done
Medium
In Contiv/VPP, to allow a service to be accessed from its own backend pods, we need to SNAT traffic that would otherwise have the same source IP as the destination IP after DNAT; without SNAT, the response is delivered locally inside the destination pod instead of going back through VPP, and the client socket sees an address mismatch.
For example, with service 10.96.0.10:80 and its single backend 10.1.1.3:8080, accessing the service from 10.1.1.3 results in the following packet flow:
request in pod: 10.1.1.3:XXX -> 10.96.0.10:80
request in VPP after DNAT: 10.1.1.3:YYY -> 10.1.1.3:8080
response in pod: 10.1.1.3:8080 -> 10.1.1.3:YYY (delivered locally and dropped due to address/port mismatch)
We cannot source-NAT all traffic destined to services. The reason is that for network policies to be applied correctly we need to preserve the original source addresses (while still applying DNAT so that ACLs are evaluated against the local destination IPs).
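The hairpin flow above as a small Python model (an added example, not Contiv/VPP code): VPP applies DNAT, adds SNAT only when the post-DNAT source IP equals the destination IP, and the model shows where the backend's reply lands and what the client socket sees. The SNAT address 10.1.1.1 and all ports are constructed values, not project settings.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Service VIP and backend from the issue text. SNAT_IP and the SNAT
# port are constructed values for this model, not Contiv/VPP settings.
SERVICE = ("10.96.0.10", 80)
BACKEND = ("10.1.1.3", 8080)
SNAT_IP, SNAT_PORT = "10.1.1.1", 40000

def vpp_forward(pkt, snat_hairpin):
    """DNAT a request to the service; SNAT it only in the hairpin case.
    Returns the packet VPP sends to the backend plus the original packet,
    which is the state needed to reverse the translation on the reply."""
    if (pkt.dst_ip, pkt.dst_port) != SERVICE:
        return pkt, None                      # not a service VIP
    out = replace(pkt, dst_ip=BACKEND[0], dst_port=BACKEND[1])
    if snat_hairpin and out.src_ip == out.dst_ip:
        # Backend would otherwise see its own IP as source and answer
        # itself locally; rewrite the source so the reply returns to VPP.
        out = replace(out, src_ip=SNAT_IP, src_port=SNAT_PORT)
    return out, pkt

def backend_reply(req):
    """The backend answers the request with src/dst swapped."""
    return Packet(req.dst_ip, req.dst_port, req.src_ip, req.src_port)

def deliver(reply, original):
    """Where the reply lands and what the client socket finally sees.
    A reply whose destination is the sender's own IP stays in the pod
    network stack and never reaches VPP, so it is not un-NATed."""
    if reply.dst_ip == reply.src_ip:
        return "local", reply                 # address/port mismatch in pod
    # Back through VPP: undo SNAT (dst) and DNAT (src) from saved state.
    seen = Packet(original.dst_ip, original.dst_port,
                  original.src_ip, original.src_port)
    return "vpp", seen

def client_view(client_ip, snat_hairpin):
    """Run one request/response through the model for the given client.
    Returns (reply path, source IP the backend saw, client match ok)."""
    req = Packet(client_ip, 33333, *SERVICE)
    fwd, state = vpp_forward(req, snat_hairpin)
    path, seen = deliver(backend_reply(fwd), state)
    expected = Packet(*SERVICE, client_ip, 33333)
    return path, fwd.src_ip, seen == expected
```

The third tuple element shows why SNAT is limited to the hairpin case: a client on another pod keeps its real source IP at the backend, so policies can still be evaluated against it.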