From my understanding, Rancher’s Managed Network can only be connected through 500 - 4500 UDP ports.
In my case I need to have TCP connections between my containers. Does that mean it’s not possible for me to use the managed network? Currently I always receive a 10.42.XX.XX Connection Refused error, which indicates the connection was blocked by the firewall.
The IPSec managed network only works on UDP. To clarify, it is ports 500 and 4500 (2 ports), not 500 through 4500 (4001 ports). And each host needs to be able to talk to the public IP addresses of the other hosts (as displayed on each host in the UI) to set it up.
10.42.x.y addresses are assigned to containers for communication inside the managed network and can only be used from inside managed network containers. And those can be used to communicate with containers with TCP or UDP.
From inside a container, if the overlay network isn’t working, opening a TCP connection would just time out, not be actively refused. So it sounds like you’re trying to hit the 10.42.x.y address on the host directly? That is never going to work, and since that’s a non-routable address space it would often be actively blocked by firewalls.
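The distinction drawn above (a refused connection means a peer answered with RST and nothing is listening on that port; a timeout means nothing answered at all, as when the IPSec tunnel is down or UDP 500/4500 is filtered) can be checked from inside a container with a small probe. The following is an added example, not code from the original thread or from Rancher; the hostname CONTAINER_B, port 4000 and the assumption that the managed network is 10.42.0.0/16 are illustrative, and the demo at the bottom uses loopback sockets constructed here so it runs offline.

```python
import errno
import ipaddress
import socket
import sys
import threading

# Assumption for this example: Rancher's managed network hands out 10.42.x.y
# addresses; we treat the whole 10.42.0.0/16 as "managed network" space.
MANAGED_NETWORK = ipaddress.ip_network("10.42.0.0/16")


def is_managed_network_addr(ip):
    """True if ip is a container address on the managed network (assumed /16)."""
    return ipaddress.ip_address(ip) in MANAGED_NETWORK


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the outcome.

    Returns "open", "refused", "timeout", "unreachable" or "error".
    "refused"  -> the packet arrived and the peer sent RST: the overlay is
                  fine, the application is not listening on that port.
    "timeout"  -> no answer at all: typical of a broken IPSec tunnel or a
                  firewall silently dropping UDP 500/4500 between hosts.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"
    finally:
        s.close()


def diagnose(name, port):
    """Resolve a Rancher DNS name, probe it, and explain the result."""
    ip = socket.gethostbyname(name)
    where = "managed network" if is_managed_network_addr(ip) else "NOT a 10.42.x.y address"
    result = probe_tcp(ip, port)
    hints = {
        "open": "tunnel and listener both fine",
        "refused": "overlay delivered the SYN; nothing listens on that port in the target container",
        "timeout": "no reply; check IPSec (UDP 500/4500) and host firewalls",
        "unreachable": "no route; you may be probing from outside the managed network",
    }
    return ip, where, result, hints.get(result, "unexpected error")


def _accept_once(srv):
    conn, _ = srv.accept()
    conn.close()


def demo_local():
    """Constructed demo on loopback: one listening port and one closed port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    t = threading.Thread(target=_accept_once, args=(srv,), daemon=True)
    t.start()
    result_open = probe_tcp("127.0.0.1", open_port)
    t.join(timeout=2)
    srv.close()

    # Reserve a port by binding, then close it so nothing listens there.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    result_closed = probe_tcp("127.0.0.1", closed_port)
    return result_open, result_closed


if __name__ == "__main__":
    # Usage inside a container: python probe.py CONTAINER_B 4000
    if len(sys.argv) == 3:
        print(diagnose(sys.argv[1], int(sys.argv[2])))
    else:
        print(demo_local())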
Hi vincent, really appreciate your reply!
Actually, what I did is dial the hostname from a container within the managed network to another container in the same managed network (like this, container A: dial “CONTAINER_B:4000” through TCP). Container A successfully resolves the hostname to the 10.42.x.y:4000 IP address assigned by Rancher, which indicates that they are indeed within the same managed network. However, container_B just actively refuses the connection to be established through port 4000.
Hmmm… solved by changing from the “link server by hostname” method to the “directly use <container_name><service_name><stack_name> format DNS” method.
Still, thanks for the reply!
Just to clarify for potential future readers/Google searchers etc.
The managed network between Rancher Hosts is provided by IPSec tunnels which are established using UDP ports 500 and 4500.
The tunnels themselves permit all/any IP, TCP or UDP traffic to utilise them as long as the source and destination IP addresses are part of the managed network (i.e. addresses assigned to containers using the managed network). That, or routing is configured such that they will be used as part of the path to an external or unmanaged host (an outbound proxy, for instance).
The actual protocols and ports you might use across them are clearly specific to the applications and services you are using. Just because port 80 TCP is allowed between two containers doesn’t mean things will work if the destination isn’t listening on port 80 - as would be the case with any network transport.