Merged
@@ -38,7 +38,7 @@ Worker node pools with controlled isolation inside a Private Network have both p

| Isolation | Controlled isolation<br />(default) | Full isolation<br />(optional) | None<br />(deprecated) |
|-------------|-------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|----------------------------------------------|
| Description | Worker nodes are assigned both private IPs and public IPs.<br />All inbound traffic on the public interface is dropped by default using Security Groups. | The control plane and worker nodes are set without public IPs (100% private network).<br />A [Public Gateway](/public-gateways/how-to/configure-a-public-gateway/) is required. | Clusters without a Private Network attached.<br />Nodes have public-only endpoints. |
| Description | Worker nodes are assigned both private IPs and public IPs.<br />All inbound traffic on the public interface is dropped by default using security groups. | The worker nodes are set without public IPs (100% private network), with the control plane getting a public IP.<br />A [Public Gateway](/public-gateways/how-to/configure-a-public-gateway/) is required. | Clusters without a Private Network attached.<br />Nodes have public-only endpoints. |
| Benefits | 1. Strong security<br /> 2. Dynamic public IPs to reach out to external providers while avoiding rate limiting | 1. Maximum security <br />2. A stable egress IP for secure connection to external providers | n/a |
| Notice | Default choice for new clusters. Can be used in combination with pools using full isolation. | Requires a Public Gateway, which incurs additional costs. | Deprecated in October 2023. |

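Review bot: the rewritten "Full isolation" description cell now says "100% private network" and "the control plane getting a public IP" in the same sentence, which is internally inconsistent and also hard to reconcile with the "Benefits" row below it ("Maximum security") and with the later answer in this PR that places the control plane inside the cluster's Private Network. Suggest splitting the two facts: "Worker nodes have no public IPs. The control plane keeps a public IP, which fully isolated nodes reach through the Public Gateway." Minor: this hunk lowercases "security groups" while "Public Gateway" and "Private Network" stay capitalized as product names; pick one convention for the table.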
@@ -54,11 +54,11 @@ Worker node pools with controlled isolation inside a Private Network have both p

### Can I use a Public Gateway with my Private Network to exit all outgoing traffic from the nodes?

Yes, you are required to attach a Private Gateway when setting up a node pool with [full isolation](#what-is-the-difference-between-controlled-isolation-and-full-isolation). This allows Kapsule nodes with private IPs to route their outgoing traffic through the Public Gateway. For detailed steps on setting up a Public Gateway, refer to our [Public Gateway documentation](/public-gateways/how-to/configure-a-public-gateway/).
Yes, you are required to attach a Public Gateway when setting up a node pool with [full isolation](#what-is-the-difference-between-controlled-isolation-and-full-isolation). This allows Kapsule nodes with private IPs to route their outgoing traffic through the Public Gateway. For detailed steps on setting up a Public Gateway, refer to our [Public Gateway documentation](/public-gateways/how-to/configure-a-public-gateway/).
Keep in mind that removing or detaching the Public Gateway from the Private Network can cause a single point of failure in the cluster, preventing fully isolated node pools from accessing the control plane.

<Message type="note">
To use a Public Gateway with a Private Network on a Kapsule cluster, make sure that
To use a Public Gateway with a Private Network on a Kapsule cluster, make sure that:
* The Public Gateway is located in the same region as the Kapsule cluster.
* [Dynamic NAT must be activated](/public-gateways/concepts/#nat) (enabled by default).
* [Advertise DefaultRoute must be activated](/public-gateways/concepts/#default-route) (enabled by default).
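Review bot: good catch on "Private Gateway" to "Public Gateway" in the first changed line; the remaining issue is the answer's opening. The question asks whether a Public Gateway can be used to exit all outgoing traffic, and the reply "Yes, you are required to attach a Public Gateway" answers a different question; suggest "Yes. A Public Gateway is required when setting up a node pool with full isolation ...". In the note, after adding the colon the bullets are no longer parallel: the first reads "The Public Gateway is located in the same region ..." while the next two read "... must be activated"; either drop "must be" from the last two or make the first "The Public Gateway must be located in the same region as the Kapsule cluster". The unchanged context line "removing or detaching the Public Gateway ... can cause a single point of failure" also reads backwards: the gateway is the single point of failure, and detaching it cuts fully isolated node pools off from the control plane; consider "The Public Gateway is a single point of failure: removing or detaching it prevents fully isolated node pools from reaching the control plane."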
@@ -102,7 +102,7 @@ curl --request POST \
</Message>

<Message type="important">
- This action adds a new endpoint. If you want to use it in your environment, you need to update the endpoint in your configuration.
This action adds a new endpoint. If you want to use it in your environment, you need to update the endpoint in your configuration.
</Message>

Refer to the [Managed Database for PostgreSQL and MySQL API documentation](https://www.scaleway.com/en/developers/api/managed-databases-for-postgresql-and-mysql/#path-endpoints-create-a-new-database-instance-endpoint) for further information.
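Review bot: dropping the stray "- " inside the `<Message type="important">` block is correct (a single-item list in a callout rendered oddly), but the sentence it fixes is still vague about what must change: "update the endpoint in your configuration" does not say which configuration. Suggest naming it, for example "update the database endpoint (host and port) in the configuration of the workloads that connect to the Database Instance", so readers know the new endpoint is not picked up automatically.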
@@ -111,7 +111,7 @@ Refer to the [Managed Database for PostgreSQL and MySQL API documentation](https

Managed Load Balancers support Private Networks with private backends and public frontends, meaning the traffic is forwarded to your worker nodes through your clusters' Private Network.

Additionally, [private Load Balancers](/load-balancer/concepts/#private-load-balancer) are supported. These Load Balancers have no public IPs in either their back or frontends.
Additionally, [private Load Balancers](/load-balancer/concepts/#private-load-balancer) are supported. These Load Balancers have no public IPs in either their back- or frontends.

<Message type="note">
If you have a trusted IP configured on your ingress controller, note that the request will come from a private IP.
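Review bot: the suspended hyphen in "back- or frontends" is grammatically fine but unusual in this doc set; "backends or frontends" reads more naturally and matches "private backends and public frontends" two lines above. The unchanged note in this hunk ("the request will come from a private IP") is the security-relevant part and would benefit from one more sentence stating the consequence: an ingress controller that only trusts public source IPs for client-IP forwarding will need the Load Balancer's private address added to its trusted-IP configuration, otherwise source-IP based rules apply to the Load Balancer's IP instead of the client's.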
@@ -199,9 +199,9 @@ You can find a Terraform/OpenTofu configuration example below:

## Is the control plane also located inside the Private Network?

The control plane and worker nodes are located in your cluster's Private Network. You can reach the control plane for nodes using [full isolation](#what-is-the-difference-between-controlled-isolation-and-full-isolation) by adding a [Public Gateway](/public-gateways/how-to/configure-a-public-gateway/) to the cluster.
The control plane and worker nodes are located in your Kubernetes Kapsule cluster's Private Network. You can reach the control plane for nodes using [full isolation](#what-is-the-difference-between-controlled-isolation-and-full-isolation) by adding a [Public Gateway](/public-gateways/how-to/configure-a-public-gateway/) to the cluster.

## Are there additional options for isolation?

- You can restrict and allow a range of IPs to control who can access the API server of your fully isolated clusters. [Learn how to manage allowed IPs](/kubernetes/how-to/manage-allowed-ips)
- You can restrict and allow a range of IPs to control who can access the API server of your fully isolated clusters. [Learn how to manage allowed IPs](/kubernetes/how-to/manage-allowed-ips).
- The CNI’s network policies will restrict/allow a range of IPs or ports to control who can access the API server.
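Review bot: the rewritten first sentence states that the control plane is located in the Kapsule cluster's Private Network, yet the next sentence says fully isolated nodes reach it only by adding a Public Gateway, and the table earlier in this PR says the control plane gets a public IP. Please make these agree: either the control plane exposes a private endpoint (then the gateway requirement needs explaining) or it is reached via its public IP through the gateway (then "located in your cluster's Private Network" is misleading). Separately, the unchanged second bullet "The CNI's network policies will restrict/allow a range of IPs or ports to control who can access the API server" conflates two mechanisms: Kubernetes NetworkPolicy governs pod ingress/egress traffic, while access to the managed API server is the subject of the preceding "allowed IPs" bullet. Suggest rewording the bullet to describe what network policies actually restrict (traffic to and from your workloads) and leaving API-server access to the allowed-IPs feature.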