Consumer connectivity to workload resources
Consumers of the workloads and services that are deployed to your Satellite location might need access to one or more of the following resources:
- Applications and microservices that are deployed on your Red Hat OpenShift on IBM Cloud cluster
- Red Hat OpenShift on IBM Cloud Link cloud endpoints providing access to IBM Cloud services.
Configure your network infrastructure so that access to workloads and services that are not related to security or management functions is provided through an edge plane that runs outside of your Satellite location or some other facility that can control network flows to your Satellite hosts. Make sure that services and workloads related to security and management activities can be accessed only from the management plane that runs outside of your Satellite location.
Edge plane with web application firewall
The edge plane should be used to enhance boundary protection for the workloads and services that are deployed in the Satellite location and the Satellite control plane. The workload consumer connectivity to the edge plane is your responsibility and depends on the requirements for the workload consumers and the existing connectivity options for your network infrastructure.
We recommend that you use a Web Application Firewall (WAF) in your edge plane for any service or workload that uses the HTTP protocol (including REST APIs). A WAF filters and monitors consumer traffic and can prevent attacks that exploit the vulnerabilities of web applications and services.
Exposing your Red Hat OpenShift on IBM Cloud workloads
Red Hat OpenShift on IBM Cloud provides several options for enabling external access to applications deployed on a cluster:
- Ingress controller
- Load balancer service
- External IP
- NodePort
For more information, see Exposing apps in Satellite clusters and Ingress traffic configuration.