Planning the Anzo and OpenShift Network Architecture
This topic describes the network architecture that supports the Graph Studio and OpenShift integration.
When you deploy the K8s infrastructure, Altair strongly recommends that you create the OpenShift cluster in the same VPC network as Graph Studio. If you create the OpenShift cluster in a new VPC, you must configure the new VPC to be routable from the Graph Studio VPC.
When an OpenShift cluster is integrated with Graph Studio, most of the network resources are automatically deployed (and the appropriate routing is configured) according to the values that you supply in the cluster and node pool .conf files in the gcloud package on the workstation.
There are two components that you must deploy before configuring and creating the K8s resources:
- Anzo: Since the Graph Studio server is typically deployed before the K8s components, you must specify the Graph Studio network when creating the OpenShift cluster, ensuring that Graph Studio and all of the OpenShift cluster components are in the same network and can talk to each other. Also, make sure that Graph Studio has access to the GCP and OpenShift APIs.
- NFS: You are required to create a network file system (NFS). However, Graph Studio automatically mounts the NFS to the nodes when Graph Lakehouse, Graph Studio Unstructured, and Elasticsearch pods are deployed so that all of the applications can share files. See Platform Shared File Storage Requirements for more information. The NFS does not need its own subnet, but it can have one.
The rest of the components are automatically provisioned, depending on your specifications, when the OpenShift cluster and node pools are created. The GCloud scripts can be used to create a NAT gateway and subnet for outbound internet access, such as for pulling container images from the target repository. In addition, the scripts create a subnet for the K8s services and node pools and configure the routing so that Graph Studio can communicate with the K8s services and the services can talk to the pods that are deployed in the node pools.
When you plan how to integrate the new K8s infrastructure in accordance with your organization's network requirements, it may help to consider the use case to which the OpenShift deployment applies: deploying a private OpenShift cluster in an existing network.
In this use case, the OpenShift cluster is deployed in a private subnet in your existing network, and a new (or existing, if you have one) NAT gateway is used to enable outbound access to services that are outside of the network. The control plane (master) is configured to allow access only from certain CIDRs.
Altair supplies sample cluster configuration files for this use case.
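The following added example (not part of Altair's documentation or scripts) checks a planned layout for this use case before the cluster is created: subnets inside the shared VPC, no overlapping ranges, and the Graph Studio server covered by the CIDRs allowed to reach the control plane. The dictionary keys and all addresses are hypothetical and constructed for illustration; they are not keys from the Altair .conf files.

```python
import ipaddress

def check_network_plan(plan):
    """Return a list of findings for a planned private-cluster layout."""
    findings = []
    vpc = ipaddress.ip_network(plan["vpc_cidr"])
    subnets = {n: ipaddress.ip_network(c) for n, c in plan["subnets"].items()}
    allowed = [ipaddress.ip_network(c) for c in plan["control_plane_allowed_cidrs"]]
    studio = ipaddress.ip_address(plan["graph_studio_ip"])

    # Every planned subnet must sit inside the shared VPC range.
    for name, net in subnets.items():
        if not net.subnet_of(vpc):
            findings.append(f"subnet {name} ({net}) is outside VPC {vpc}")

    # No two subnets may claim the same addresses.
    names = sorted(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                findings.append(f"subnets {a} and {b} overlap")

    # Graph Studio needs the OpenShift API, so its address must be allowed.
    if not any(studio in net for net in allowed):
        findings.append(f"Graph Studio {studio} is not in any allowed CIDR")

    # An allow-all entry defeats the point of restricting the control plane.
    for net in allowed:
        if net.prefixlen == 0:
            findings.append(f"allowed CIDR {net} admits every address")
    return findings

# Constructed sample plans (hypothetical keys and addresses).
GOOD_PLAN = {
    "vpc_cidr": "10.128.0.0/16",
    "subnets": {"graph_studio": "10.128.0.0/24",
                "k8s_nodes": "10.128.16.0/20",
                "nfs": "10.128.1.0/24"},
    "graph_studio_ip": "10.128.0.10",
    "control_plane_allowed_cidrs": ["10.128.0.0/24"],
}
BAD_PLAN = {**GOOD_PLAN,
            "subnets": {**GOOD_PLAN["subnets"], "nfs": "10.128.0.128/25"},
            "control_plane_allowed_cidrs": ["10.128.16.0/20"]}

if __name__ == "__main__":
    for finding in check_network_plan(BAD_PLAN):
        print(finding)
```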
To get started on creating the OpenShift infrastructure, see IAM Prerequisites for instructions on creating the IAM roles that are needed for assigning permissions to create and use the OpenShift cluster.