Building isolated network environments in Kubernetes has become essential for multi-tenant deployments. KubeOVN, a powerful software-defined networking solution, enables the creation of Virtual Private Clouds (VPCs) with advanced features like network isolation, security groups, and VPC peering. In this comprehensive guide, we explore how to configure and deploy VPCs in a Harvester HCI environment.
Why KubeOVN for VPC Management?
Traditional Kubernetes networking solutions provide basic pod-to-pod communication, but they often lack the advanced network isolation and security features required for enterprise deployments. KubeOVN bridges this gap by bringing cloud-provider-level networking capabilities to on-premises Kubernetes clusters.
Key Features
- Network Isolation: Complete Layer 2 and Layer 3 isolation between VPCs
- Security Groups: Stateful firewall rules at the subnet level
- VPC Peering: Controlled communication between isolated VPCs
- Custom Subnets: Flexible CIDR allocation and IP address management
- Static Routing: Policy-based routing for complex topologies
Three-Tier Architecture Pattern
Our implementation demonstrates a classic three-tier architecture commonly used in enterprise applications:
Web Tier (DMZ)
The web tier sits at the edge, accepting traffic from the internet. Security groups allow HTTP (port 80) and HTTPS (port 443) from any source, while restricting outbound traffic to only the application tier.
Subnet: 192.168.10.0/24
Gateway: 192.168.10.1
Ingress: 0.0.0.0/0 → TCP 80, 443
Egress: → 192.168.20.0/24 (App tier)
Application Tier
The application tier hosts business logic and microservices. It accepts connections only from the web tier on port 8080 and can initiate connections to the database tier on port 3306.
Subnet: 192.168.20.0/24
Gateway: 192.168.20.1
Ingress: 192.168.10.0/24 → TCP 8080
Egress: → 192.168.30.0/24:3306 (DB tier)
Database Tier (Private)
The database tier provides maximum isolation. It accepts connections only from the application tier and has no outbound connectivity at all, preventing data exfiltration.
Subnet: 192.168.30.0/24 (Private)
Gateway: 192.168.30.1
Ingress: 192.168.20.0/24 → TCP 3306
Egress: NONE
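The three subnets above, written as Kube-OVN Subnet objects. This is an added example, not part of the original post or the Kube-OVN project; the VPC name (three-tier-vpc) and subnet names (web-tier, app-tier, db-tier) are assumptions, while the CIDRs and gateways are the ones listed above. The database tier uses Kube-OVN's private flag with allowSubnets so that the subnet itself rejects anything that is not the application tier, before security groups are even consulted:

```yaml
# Added example (not from the original post): Kube-OVN Subnet objects for
# the three tiers described above. Assumed names: VPC "three-tier-vpc",
# subnets web-tier / app-tier / db-tier. CIDRs and gateways are the post's.
---
apiVersion: kubeovn.io/v1
kind: Subnet
metadata:
  name: web-tier
spec:
  vpc: three-tier-vpc
  protocol: IPv4
  cidrBlock: 192.168.10.0/24
  gateway: 192.168.10.1
---
apiVersion: kubeovn.io/v1
kind: Subnet
metadata:
  name: app-tier
spec:
  vpc: three-tier-vpc
  protocol: IPv4
  cidrBlock: 192.168.20.0/24
  gateway: 192.168.20.1
---
apiVersion: kubeovn.io/v1
kind: Subnet
metadata:
  name: db-tier
spec:
  vpc: three-tier-vpc
  protocol: IPv4
  cidrBlock: 192.168.30.0/24
  gateway: 192.168.30.1
  # private: true isolates this subnet from every other subnet in the VPC;
  # allowSubnets punches the one hole the design needs (the application tier).
  # Port-level filtering (TCP 3306 only) is left to the security group.
  private: true
  allowSubnets:
    - 192.168.20.0/24
```

After `kubectl apply -f`, `kubectl ko nbctl ls-list` should show one logical switch per subnet, and `kubectl ko nbctl acl-list db-tier` shows the ACLs the private flag generated, which is the quickest way to confirm the isolation is really in place rather than assumed.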
Security Groups Implementation
KubeOVN security groups operate similarly to AWS security groups or Azure NSGs. They are stateful, meaning return traffic is automatically allowed for established connections.
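The rule sets from the three-tier design expressed as Kube-OVN SecurityGroup objects. This is an added example, not from the original post or the Kube-OVN project; the group names (sg-web-tier, sg-app-tier, sg-db-tier) are assumptions, and the addresses and ports are the ones the post lists. Each group ends with an explicit catch-all drop at the lowest priority so the intended default-deny is visible in the object and does not depend on the implementation's implicit default. Because the groups are stateful, the database tier needs no egress allow rule for its replies to the application tier:

```yaml
# Added example (not from the original post): Kube-OVN SecurityGroup objects
# for the three tiers. Names sg-web-tier / sg-app-tier / sg-db-tier are
# assumed; addresses and ports come from the post.
# Rule fields: priority 1..200 (lower number is evaluated first),
# policy allow|drop, remoteType address with a CIDR in remoteAddress,
# portRangeMin/portRangeMax for tcp/udp. Rules are stateful: return traffic
# of an allowed connection passes without a matching rule in the other direction.
---
apiVersion: kubeovn.io/v1
kind: SecurityGroup
metadata:
  name: sg-web-tier
spec:
  allowSameGroupTraffic: true
  ingressRules:   # HTTP and HTTPS from anywhere, nothing else
    - {ipVersion: ipv4, protocol: tcp, policy: allow, priority: 1, remoteType: address, remoteAddress: 0.0.0.0/0, portRangeMin: 80, portRangeMax: 80}
    - {ipVersion: ipv4, protocol: tcp, policy: allow, priority: 2, remoteType: address, remoteAddress: 0.0.0.0/0, portRangeMin: 443, portRangeMax: 443}
    - {ipVersion: ipv4, protocol: all, policy: drop, priority: 200, remoteType: address, remoteAddress: 0.0.0.0/0}
  egressRules:    # only the application tier, only port 8080
    - {ipVersion: ipv4, protocol: tcp, policy: allow, priority: 1, remoteType: address, remoteAddress: 192.168.20.0/24, portRangeMin: 8080, portRangeMax: 8080}
    - {ipVersion: ipv4, protocol: all, policy: drop, priority: 200, remoteType: address, remoteAddress: 0.0.0.0/0}
---
apiVersion: kubeovn.io/v1
kind: SecurityGroup
metadata:
  name: sg-app-tier
spec:
  allowSameGroupTraffic: true
  ingressRules:   # 8080 from the web tier only
    - {ipVersion: ipv4, protocol: tcp, policy: allow, priority: 1, remoteType: address, remoteAddress: 192.168.10.0/24, portRangeMin: 8080, portRangeMax: 8080}
    - {ipVersion: ipv4, protocol: all, policy: drop, priority: 200, remoteType: address, remoteAddress: 0.0.0.0/0}
  egressRules:    # 3306 to the database tier only
    - {ipVersion: ipv4, protocol: tcp, policy: allow, priority: 1, remoteType: address, remoteAddress: 192.168.30.0/24, portRangeMin: 3306, portRangeMax: 3306}
    - {ipVersion: ipv4, protocol: all, policy: drop, priority: 200, remoteType: address, remoteAddress: 0.0.0.0/0}
---
apiVersion: kubeovn.io/v1
kind: SecurityGroup
metadata:
  name: sg-db-tier
spec:
  allowSameGroupTraffic: true
  ingressRules:   # 3306 from the application tier only
    - {ipVersion: ipv4, protocol: tcp, policy: allow, priority: 1, remoteType: address, remoteAddress: 192.168.20.0/24, portRangeMin: 3306, portRangeMax: 3306}
    - {ipVersion: ipv4, protocol: all, policy: drop, priority: 200, remoteType: address, remoteAddress: 0.0.0.0/0}
  egressRules:    # no outbound connections at all; replies are covered by state
    - {ipVersion: ipv4, protocol: all, policy: drop, priority: 200, remoteType: address, remoteAddress: 0.0.0.0/0}
```

Note that the web tier uses two single-port rules rather than a range of 80 to 443: a portRangeMin/portRangeMax of 80..443 would silently open every port in between.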
Defense in Depth
Our implementation follows defense-in-depth principles:
- VPC Isolation: Different VPCs cannot communicate without explicit peering
- Subnet Segmentation: Each tier has its own subnet with dedicated security groups
- Least Privilege: Each tier can only access what it needs, nothing more
- Private Subnets: Database tier marked as private for additional protection
VPC Peering for Kubernetes Integration
One of the most powerful features is VPC peering to the default Kubernetes cluster network. This allows VMs in custom VPCs to communicate with Kubernetes pods while maintaining isolation from other VPCs.
# VPC Peering Configuration
vpcPeerings:
  - remoteVpc: "ovn-cluster"
    localConnectIP: "192.168.100.0/24"
staticRoutes:
  - policy: "policyDst"
    cidr: "10.54.0.0/16" # K8s pod network
    nextHopIP: "192.168.100.1"
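The peering fragment above in the context of a complete Kube-OVN Vpc object, followed by the annotations that place a workload into one of the VPC's subnets and attach a security group. This is an added example, not from the original post or the Kube-OVN project; the VPC name (three-tier-vpc), namespace (three-tier), subnet (web-tier), security group (sg-web-tier) and the container image are assumptions, while the peering and route values are the ones shown above:

```yaml
# Added example (not from the original post): the custom VPC carrying the
# peering block shown above, plus a workload bound to one of its subnets.
# Assumed names: three-tier-vpc, namespace three-tier, subnet web-tier,
# security group sg-web-tier. Peering/route values are the post's.
---
apiVersion: kubeovn.io/v1
kind: Vpc
metadata:
  name: three-tier-vpc
spec:
  namespaces:
    - three-tier               # workloads in this namespace land in this VPC by default
  vpcPeerings:
    - remoteVpc: ovn-cluster   # Kube-OVN's default VPC
      localConnectIP: 192.168.100.0/24
  staticRoutes:
    - policy: policyDst
      cidr: 10.54.0.0/16       # K8s pod network, reached through the peer link
      nextHopIP: 192.168.100.1
---
# logical_switch selects the subnet, port_security turns on MAC/IP
# anti-spoofing for the port, security_groups attaches the group.
# For a KubeVirt/Harvester VM the same annotations go under
# spec.template.metadata.annotations so the virt-launcher pod inherits them.
apiVersion: v1
kind: Pod
metadata:
  name: web-frontend
  namespace: three-tier
  annotations:
    ovn.kubernetes.io/logical_switch: web-tier
    ovn.kubernetes.io/port_security: "true"
    ovn.kubernetes.io/security_groups: sg-web-tier
spec:
  containers:
    - name: web
      image: nginx:stable      # placeholder image
      ports:
        - containerPort: 80
```

Peering in Kube-OVN is declared on both sides: the ovn-cluster Vpc object needs the mirrored vpcPeerings entry and a static route back to the 192.168.10.0/24 to 192.168.30.0/24 subnets, otherwise pods can be reached from the VPC but their replies have no route home. Without that route the tunnel is half-open, which looks like a firewall problem in tcpdump but shows up immediately in `kubectl ko nbctl lr-route-list ovn-cluster`.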
Practical Use Cases
Multi-Tenant Environments
Each tenant gets their own isolated VPC with complete network separation. Tenants cannot see or access each other's resources, but all can access shared Kubernetes services through VPC peering.
Development and Testing
Create identical network topologies for dev, staging, and production environments. Each environment is completely isolated, preventing cross-environment contamination.
Compliance and Security
Meet regulatory requirements for network segmentation and access control. The database tier's complete isolation satisfies strict data protection requirements.
Performance Considerations
KubeOVN uses Geneve tunneling for overlay networking. While this adds minimal overhead, there are considerations for high-performance workloads:
- MTU Settings: Account for encapsulation overhead (typically 50 bytes)
- Hardware Offloading: Use NICs with tunnel offload support for better performance
- OVN Flow Cache: Properly sized flow caches reduce lookup latency
Monitoring and Troubleshooting
KubeOVN provides several tools for visibility:
- kubectl ko nbctl - Query OVN northbound database
- kubectl ko sbctl - Query OVN southbound database
- OVN flow tracing for packet-level debugging
- Prometheus metrics for monitoring
Conclusion
KubeOVN brings enterprise-grade networking capabilities to Kubernetes, enabling complex multi-tenant architectures with strong isolation guarantees. By combining VPCs, security groups, and VPC peering, you can build secure, scalable network topologies that meet the most demanding requirements.
Whether you're running a multi-tenant SaaS platform, building separate environments for dev/staging/prod, or implementing compliance-driven network segmentation, KubeOVN provides the tools you need.