Creating connection policies

Create connection policies in IBM Hybrid Cloud Mesh (Mesh) so that service requests can flow over your Red Hat® Service Interconnect gateways.

A connection policy defines which applications can use each service and enables connectivity between the applications and services that are referenced in the connection policy.

Applications and services in your Kubernetes namespace are discovered when the gateway is deployed. For service requests to be routed over the Service Interconnect edge network, create a connection policy that allows requests for the service within the network segment.

Prerequisites

To create the connection policy, you need a service and a service endpoint. If the application is not exposed by a service, complete the following steps to register a service and a service endpoint.
Note: If the application is exposed by a service, the service and service endpoint are automatically registered during Mesh discovery.

  1. Get the application name:
    palmctl get applications
  2. Create the service:
    cat << EOM | palmctl create service --application-name <application-name> -f -
    name: <name.of.service>
    ports:
      - port_number: <port-number>
        protocol: tcp
    EOM
    • <name.of.service> is the service name, for example dashboard.myenterprise.acme.com.
    • <port-number> is the port number for the application, for example 8080.
  3. Get the service ID:
    palmctl get services --application-name <application-name>
  4. Get the deployment ID:
    palmctl get deployments --application-name <application-name>
  5. Create the service endpoint:
    cat << EOM | palmctl create service-endpoint --application-name <application-name> \
    --deployment-id <deployment-id> -f -
    local_service_ip_address: 127.0.0.1
    service_id: <service-id>
    EOM
    For example:
    cat << EOM | palmctl create service-endpoint --application-name my-backend-app \
    --deployment-id depl-95e74701-07aa-4d32-97c2-dfbf1eb5f6a7 -f -
    local_service_ip_address: 127.0.0.1
    service_id: svc-aa431961-c0e4-4ed6-875a-6435ebaef962
    EOM
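The registration steps above, gathered into a small POSIX sh script as an added example (this is not code from the IBM documentation). It builds the service and service-endpoint manifests from variables, validates the service name, the port and the service ID before anything is sent, and only pipes into palmctl when PALMCTL_APPLY=1, so a dry run prints what would be created. The DNS-style name pattern, the svc- prefix check and the PALMCTL_APPLY variable are assumptions of this example, not palmctl features; the only palmctl invocations are the ones shown in the steps.

```shell
#!/bin/sh
# Added example, not part of the IBM docs: build and validate the service and
# service-endpoint manifests before handing them to palmctl.

# Assumption: service names are DNS-style labels such as dashboard.myenterprise.acme.com
valid_service_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$'
}

# A TCP port must be an integer in 1..65535
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
  return 1
}

# Emit the service manifest from step 2 (tcp is the only protocol the docs show)
service_manifest() {
  name=$1; port=$2
  valid_service_name "$name" || { echo "invalid service name: $name" >&2; return 1; }
  valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
  printf 'name: %s\nports:\n  - port_number: %s\n    protocol: tcp\n' "$name" "$port"
}

# Emit the service-endpoint manifest from step 5.
# Assumption: service IDs carry the svc- prefix seen in the docs example.
endpoint_manifest() {
  service_id=$1
  case "$service_id" in
    svc-*) ;;
    *) echo "unexpected service id: $service_id" >&2; return 1 ;;
  esac
  printf 'local_service_ip_address: 127.0.0.1\nservice_id: %s\n' "$service_id"
}

# Pipe a manifest into palmctl only when PALMCTL_APPLY=1; otherwise print a dry run.
# $1 is the manifest text, the remaining arguments are the palmctl subcommand and flags.
apply_manifest() {
  manifest=$1; shift
  if [ "${PALMCTL_APPLY:-0}" = "1" ]; then
    printf '%s\n' "$manifest" | palmctl "$@" -f -
  else
    echo "# dry run: palmctl $* -f -"
    printf '%s\n' "$manifest"
  fi
}

# Usage (dry run unless PALMCTL_APPLY=1; the IDs below are the docs' own example values):
#   m=$(service_manifest dashboard.myenterprise.acme.com 8080) &&
#     apply_manifest "$m" create service --application-name my-backend-app
#   e=$(endpoint_manifest svc-aa431961-c0e4-4ed6-875a-6435ebaef962) &&
#     apply_manifest "$e" create service-endpoint --application-name my-backend-app \
#       --deployment-id depl-95e74701-07aa-4d32-97c2-dfbf1eb5f6a7
```

Validating before the pipe matters because each manifest is applied as soon as palmctl reads it: a typo in the port or a service ID pasted from the wrong resource would otherwise register an endpoint that routes nowhere, and the mistake only surfaces once a connection policy is created against it.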

Create a connection policy

The connection policy references the network segment where the gateway is deployed, and the service whose requests you want to route. Before you create the connection policy, get the IDs of the service and the network segment.

Complete the following steps:

  1. Get the ID of the network segment:
    palmctl get networksegments
    The ID of the network segment is shown in the resource_id field in the output.
  2. Get the ID of the service:
    1. First get the details of the application that contains the service:
      palmctl get applications

      The application name and the resource_id are shown in the output.

    2. Get the ID of the service:
      palmctl get services --application-name <application-name>

      The ID of the service is shown in the resource_id field in the output.

  3. Create the connection policy:
    cat << EOM | palmctl create policy -f -
    name: <policy-name>
    action: Allow
    network_segment_id: <network-segment-id>
    from:
      type: networkSegment
      network_segment:
        network_segment_id: <network-segment-id>
    to:
      type: service
      service:
        service_id: <service-id>
        application: <application-id>
    EOM
    <policy-name> must be unique.
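The policy step above as an added POSIX sh example (not code from the IBM documentation): it assembles the Allow manifest from the IDs you collected in steps 1 and 2, refuses to emit it if any ID is missing, and checks the policy name against a list of names already in use so the uniqueness requirement is enforced before palmctl sees the manifest. The `require_id` and `policy_name_unused` helpers and the way the existing-name list is supplied are assumptions of this example; the network segment and application ID values used in the usage line are placeholders, since the docs do not show their format.

```shell
#!/bin/sh
# Added example, not part of the IBM docs: build the connection-policy manifest
# only after every ID is present and the policy name is unused.

# Return 0 if $1 is a non-empty id without whitespace; $2 names the field for the error
require_id() {
  case "$1" in
    ''|*[[:space:]]*) echo "missing or malformed $2" >&2; return 1 ;;
  esac
  return 0
}

# Return 0 if the policy name does not appear in a newline-separated list of
# names already in use (how you obtain that list is up to you)
policy_name_unused() {
  name=$1; existing=$2
  printf '%s\n' "$existing" | grep -qxF -- "$name" && return 1
  return 0
}

# Emit the Allow policy manifest from step 3. Arguments:
#   $1 policy name, $2 network segment id, $3 service id, $4 application id,
#   $5 optional newline-separated list of existing policy names
policy_manifest() {
  name=$1; segment_id=$2; service_id=$3; app_id=$4; existing=${5:-}
  require_id "$name" policy-name || return 1
  require_id "$segment_id" network-segment-id || return 1
  require_id "$service_id" service-id || return 1
  require_id "$app_id" application-id || return 1
  policy_name_unused "$name" "$existing" \
    || { echo "policy name already in use: $name" >&2; return 1; }
  # One policy allows one network segment to reach one service, nothing broader
  printf 'name: %s\naction: Allow\nnetwork_segment_id: %s\nfrom:\n  type: networkSegment\n  network_segment:\n    network_segment_id: %s\nto:\n  type: service\n  service:\n    service_id: %s\n    application: %s\n' \
    "$name" "$segment_id" "$segment_id" "$service_id" "$app_id"
}

# Usage (prints the manifest; pipe it into `palmctl create policy -f -` to apply).
# NETSEG-ID-PLACEHOLDER and APP-ID-PLACEHOLDER stand in for the resource_id values
# returned by `palmctl get networksegments` and `palmctl get applications`;
# the service id is the docs' own example value.
#   policy_manifest allow-dashboard NETSEG-ID-PLACEHOLDER \
#     svc-aa431961-c0e4-4ed6-875a-6435ebaef962 APP-ID-PLACEHOLDER \
#     | palmctl create policy -f -
```

Because a policy scopes the Allow to a single service ID, keeping one policy per service and naming each after the service it opens makes it easy to review later which applications can reach what over the Service Interconnect network, and to remove exactly one path when a service is retired.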