Networking Layer

Scope

The networking layer documents pod networking, ingress, service exposure, edge tunneling, DNS paths, and access-control boundaries.

Components that belong here

  • calico for cluster networking and network policy
  • metallb for service load-balancer address allocation
  • traefik for ingress and HTTP or TCP routing
  • cloudflared for tunnel-based external exposure
  • authelia and crowdsec-lapi when they act as edge protection or access-control dependencies

Mandatory topics

  • Ingress topology and north-south traffic path
  • East-west networking assumptions: the default policy posture (default-deny or default-allow per namespace), which component enforces network policy, and the allow rules that protected workloads depend on (ingress from the ingress controller, egress to DNS)
  • External exposure model for LAN, VPN, and internet-facing services
  • TLS termination point and certificate ownership
  • Load-balancer IP pools, advertised ranges, and failure domains
  • Authentication or edge filtering dependencies for protected apps

Required artifacts

  • Edge request flow diagram from client to pod
  • Service exposure matrix with internal and external URLs
  • TLS and certificate ownership notes
  • Network-policy ownership guidance
  • Troubleshooting entry points for DNS, ingress, or tunnel failures

Operator outcomes

An operator reading this layer page should be able to answer:

  • Why a service is reachable or not reachable from a given network path
  • Which component owns routing, authentication, and TLS for that path
  • Which runbooks to open during a traffic outage or authentication failure