Creating connection policies
Create connection policies in IBM Hybrid Cloud Mesh (Mesh) so that service requests can flow over your Red Hat® Service Interconnect gateways.
A connection policy defines which applications can use each service and enables connectivity between the applications and services that are referenced in the connection policy.
Applications and services in your Kubernetes namespace are discovered when the gateway is deployed. For service requests to be routed over the Service Interconnect edge network, create a connection policy that allows requests for the service within the network segment.
Prerequisites
If the application is exposed by a service, the service and service endpoint are automatically registered during Mesh discovery. If they were not registered during discovery, create them manually with the following steps:
- Get the application name:
palmctl get applications
- Create the service:
cat << EOM | palmctl create service --application-name <application-name> -f -
name: <name.of.service>
ports:
- port_number: <port-number>
  protocol: tcp
EOM
<name.of.service> is the service name, for example dashboard.myenterprise.acme.com. <port-number> is the port number for the application, for example 8080.
- Get the service ID:
palmctl get services --application-name <application-name>
- Get the deployment ID:
palmctl get deployments --application-name <application-name>
- Create the service endpoint:
cat << EOM | palmctl create service-endpoint --application-name <application-name> \
  --deployment-id <deployment-id> -f -
local_service_ip_address: 127.0.0.1
service_id: <service-id>
EOM
For example:
cat << EOM | palmctl create service-endpoint --application-name my-backend-app \
  --deployment-id depl-95e74701-07aa-4d32-97c2-dfbf1eb5f6a7 -f -
local_service_ip_address: 127.0.0.1
service_id: svc-aa431961-c0e4-4ed6-875a-6435ebaef962
EOM
Create a connection policy
The connection policy references the network segment where the gateway is deployed, and the service whose requests you want to route. Before you create the connection policy, get the IDs of the service and the network segment.
Complete the following steps:
- Get the ID of the network segment:
palmctl get networksegments
The ID of the network segment is shown in the resource_id field in the output.
- Get the ID of the service:
  - First get the details of the application that contains the service:
palmctl get applications
The application name and the resource_id are shown in the output; the resource_id of the application is the application ID that the connection policy references.
  - Get the ID of the service:
palmctl get services --application-name <application-name>
The ID of the service is shown in the resource_id field in the output.
- Create the connection policy:
cat << EOM | palmctl create policy -f -
name: <policy-name>
action: Allow
network_segment_id: <network-segment-id>
from:
  type: networkSegment
  network_segment:
    network_segment_id: <network-segment-id>
to:
  type: service
  service:
    service_id: <service-id>
    application: <application-id>
EOM
<policy-name> must be unique.
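The policy manifest above is filled in by hand before it is piped to palmctl, and a manifest with a leftover placeholder or a mismatched network segment ID is easy to produce. The shell functions below are an added example, not part of the Mesh documentation or of palmctl: they render the manifest from variables, refuse to emit it while any value is empty or still a <placeholder>, write the same segment ID into both places the manifest needs it, and check the policy name against a caller-supplied list of existing names (the page states that names must be unique but shows no command that lists policies, so how that list is obtained is assumed). The function names and every ID value are constructed; the final palmctl invocation is the page's own command.

```shell
#!/bin/sh
# Added example (not from the Mesh documentation): build a connection-policy
# manifest from variables and validate it before `palmctl create policy` sees it.
# The field layout follows the policy manifest on the page; all IDs below are
# constructed samples, not real Mesh resource IDs.

# check_id LABEL VALUE: fail unless VALUE is non-empty and not a <placeholder>.
check_id() {
    case "$2" in
        '' | *'<'* | *'>'* )
            echo "error: $1 is empty or still a placeholder: '$2'" >&2
            return 1 ;;
    esac
}

# render_policy NAME SEGMENT_ID SERVICE_ID APPLICATION_ID
# Prints the YAML manifest on stdout, or prints nothing and returns 1.
render_policy() {
    name=$1 segment=$2 service=$3 application=$4
    check_id policy-name "$name" || return 1
    check_id network-segment-id "$segment" || return 1
    check_id service-id "$service" || return 1
    check_id application-id "$application" || return 1
    # One source segment, one destination service, an explicit Allow: the policy
    # grants exactly the connectivity described on the page and nothing wider.
    # The same segment ID is written at the top level and under from:, so the two
    # fields cannot drift apart.
    printf '%s\n' \
        "name: $name" \
        "action: Allow" \
        "network_segment_id: $segment" \
        "from:" \
        "  type: networkSegment" \
        "  network_segment:" \
        "    network_segment_id: $segment" \
        "to:" \
        "  type: service" \
        "  service:" \
        "    service_id: $service" \
        "    application: $application"
}

# policy_exists NAME EXISTING_NAMES: return 0 if NAME is one of the lines in
# EXISTING_NAMES (one policy name per line; obtaining that list is assumed).
policy_exists() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# create_policy NAME SEGMENT_ID SERVICE_ID APPLICATION_ID EXISTING_NAMES
# Renders the manifest and pipes it to palmctl only if the name is not taken.
create_policy() {
    if policy_exists "$1" "$5"; then
        echo "error: a policy named '$1' already exists" >&2
        return 1
    fi
    manifest=$(render_policy "$1" "$2" "$3" "$4") || return 1
    printf '%s\n' "$manifest" | palmctl create policy -f -
}

# Usage with constructed sample IDs (uncomment where palmctl is installed):
# create_policy my-backend-allow nseg-0000-sample svc-aa43-sample app-1111-sample "$existing_names"
```

Because render_policy fails closed, a half-edited manifest never reaches the gateway: the function exits non-zero before printf runs, and create_policy propagates that status instead of piping an empty document into palmctl.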