Add egw host ip docs#2602
Conversation
✅ Deploy Preview for calico-docs-preview-next ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
❌ Deploy Preview for tigera failed. Why did it fail? →Built without sensitive environment variables
|
There was a problem hiding this comment.
Pull request overview
Adds new documentation pages describing how to configure egress gateways to SNAT outbound traffic to the gateway node’s host IP, and exposes those pages in the Calico Enterprise and Calico Cloud navigation.
Changes:
- Added a new “egress gateway host IP” guide for Calico Enterprise.
- Added a corresponding “egress gateway host IP” guide for Calico Cloud.
- Updated both products’ sidebars to include the new page under Networking → Egress.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| sidebars-calico-enterprise.js | Adds the new host-IP egress gateway doc to the Enterprise egress section navigation. |
| sidebars-calico-cloud.js | Adds the new host-IP egress gateway doc to the Cloud egress section navigation. |
| calico-enterprise/networking/egress/egress-gateway-host-ip.mdx | New Enterprise guide explaining host-IP mode behavior and configuration steps. |
| calico-cloud/networking/egress/egress-gateway-host-ip.mdx | New Cloud guide explaining host-IP mode behavior and configuration steps. |
|
|
||
| #### Configure a namespace or pod to use an egress gateway (egress gateway policy method) | ||
|
|
||
| Creating an egress gateway policy allows gives you more control over how your egress gateways work. |
There was a problem hiding this comment.
The sentence “Creating an egress gateway policy allows gives you more control…” has an extra verb (“allows gives”). Reword to a grammatically correct sentence (e.g., “allows you to…”).
| Creating an egress gateway policy allows gives you more control over how your egress gateways work. | |
| Creating an egress gateway policy gives you more control over how your egress gateways work. |
|
|
||
| :::note | ||
|
|
||
| This setting is not specific to egress gateway. In some cases where nodes happen to be in the same subnet, setting the value to `Never`will work the same as `Always`. It all depends on the hop from the client node to the egress gateway node. For example, if the client nodes are in the same AWS subnet, and you are using `Always` because some of the nodes are in different subnets, then `Never` will work for the egress IP Pool when the client and gateway nodes are in the same subnet. |
There was a problem hiding this comment.
There is a missing space in “Neverwill”, which reads like a typo. Insert a space after the inline code so the sentence renders correctly.
|
|
||
| #### Configure a namespace or pod to use an egress gateway (egress gateway policy method) | ||
|
|
||
| Creating an egress gateway policy allows gives you more control over how your egress gateways work. |
There was a problem hiding this comment.
The sentence “Creating an egress gateway policy allows gives you more control…” has an extra verb (“allows gives”). Reword to a grammatically correct sentence (e.g., “allows you to…”).
| Creating an egress gateway policy allows gives you more control over how your egress gateways work. | |
| Creating an egress gateway policy gives you more control over how your egress gateways work. |
|
|
||
| :::note | ||
|
|
||
| This setting is not specific to egress gateway. In some cases where nodes happen to be in the same subnet, setting the value to `Never`will work the same as `Always`. It all depends on the hop from the client node to the egress gateway node. For example, if the client nodes are in the same AWS subnet, and you are using `Always` because some of the nodes are in different subnets, then `Never` will work for the egress IP Pool when the client and gateway nodes are in the same subnet. |
There was a problem hiding this comment.
There is a missing space in “Neverwill”, which reads like a typo. Insert a space after the inline code so the sentence renders correctly.
| name: my-client, | ||
| namespace: my-namespace, |
There was a problem hiding this comment.
This Pod manifest example includes trailing commas after name and namespace, which makes the YAML invalid for copy/paste. Remove the commas so the manifest can be applied as written.
| name: my-client, | |
| namespace: my-namespace, | |
| name: my-client | |
| namespace: my-namespace |
| name: my-client, | ||
| namespace: my-namespace, |
There was a problem hiding this comment.
This Pod manifest example includes trailing commas after name and namespace, which makes the YAML invalid for copy/paste. Remove the commas so the manifest can be applied as written.
| name: my-client, | |
| namespace: my-namespace, | |
| name: my-client | |
| namespace: my-namespace |
| name: my-client, | ||
| namespace: my-namespace, |
There was a problem hiding this comment.
This Pod manifest example includes trailing commas after name and namespace, which makes the YAML invalid for copy/paste. Remove the commas so the manifest can be applied as written.
| name: my-client, | |
| namespace: my-namespace, | |
| name: my-client | |
| namespace: my-namespace |
| link: { type: 'doc', id: 'networking/egress/index' }, | ||
| items: [ | ||
| 'networking/egress/egress-gateway-on-prem', | ||
| 'networking/egress/egress-gateway-host-ip', |
There was a problem hiding this comment.
PR description lists “Calico Enterprise 3.23”, but this sidebar change only adds the new page to the unversioned (next/master) Enterprise docs. If the intent is to document the feature for the 3.23 docs set, the corresponding versioned sidebar (e.g. calico-enterprise_versioned_sidebars/version-3.23-1-sidebars.json) and versioned docs content should also be updated, or the PR metadata should be adjusted to reflect that this is for next/master only.
| to the egress gateway. In eBPF mode, the probe traffic can be blocked by policy, so you must ensure that this traffic allowed; this should be fixed in an upcoming | ||
| patch release. |
There was a problem hiding this comment.
In the eBPF-mode note, the sentence “ensure that this traffic allowed” is missing “is”, which makes it grammatically incorrect and a bit hard to parse. Add the missing word (and consider splitting the long sentence) so the requirement is unambiguous.
| to the egress gateway. In eBPF mode, the probe traffic can be blocked by policy, so you must ensure that this traffic allowed; this should be fixed in an upcoming | |
| patch release. | |
| to the egress gateway. In eBPF mode, the probe traffic can be blocked by policy, so you must ensure that this traffic is | |
| allowed by your network policy. This limitation should be fixed in an upcoming patch release. |
| name: my-client, | ||
| namespace: my-namespace, |
There was a problem hiding this comment.
This Pod manifest example includes trailing commas after name and namespace, which makes the YAML invalid for copy/paste. Remove the commas so the manifest can be applied as written.
| name: my-client, | |
| namespace: my-namespace, | |
| name: my-client | |
| namespace: my-namespace |
| ## Big picture | ||
|
|
||
| Configure specific application traffic to exit the cluster through an egress gateway, using the | ||
| gateway's **host (node) IP** as the source address for traffic leaving the cluster. |
There was a problem hiding this comment.
using host and node seems redundant. Maybe we should just use host address
| within the cluster. | ||
|
|
||
| In this mode, outbound traffic passing through an egress gateway is source-NATed (SNAT) to the | ||
| **node IP of the host** where the egress gateway pod is running, rather than the gateway's own pod |
There was a problem hiding this comment.
| **node IP of the host** where the egress gateway pod is running, rather than the gateway's own pod | |
| **host address** where the egress gateway pod is running, rather than the gateway's own pod |
| In this mode, outbound traffic passing through an egress gateway is source-NATed (SNAT) to the | ||
| **node IP of the host** where the egress gateway pod is running, rather than the gateway's own pod | ||
| IP. This is useful when external firewalls or services need to allowlist traffic based on a | ||
| stable set of known node IPs, or when pod IPs are not routable outside the cluster. |
There was a problem hiding this comment.
| stable set of known node IPs, or when pod IPs are not routable outside the cluster. | |
| stable set of known host addresses, or when pod IPs are not routable outside the cluster. |
| The Tigera Operator configures egress gateways to use the same iptables backend as `calico-node`. | ||
| To modify the iptables backend for egress gateways, you must change the `iptablesBackend` field in the [Felix configuration](../../reference/resources/felixconfig.mdx). | ||
|
|
||
| ### Configure IP autodetection for dual-ToR clusters. |
There was a problem hiding this comment.
We should no include dual ToR or basically any other details related to BGP or on-prem in this page.
| The Tigera Operator configures egress gateways to use the same iptables backend as `calico-node`. | ||
| To modify the iptables backend for egress gateways, you must change the `iptablesBackend` field in the [Felix configuration](../../reference/resources/felixconfig.mdx). | ||
|
|
||
| ### Configure IP autodetection for dual-ToR clusters. |
There was a problem hiding this comment.
We should no include dual ToR or basically any other details related to BGP or on-prem in this page. (same in the other file)
Product Version(s):
Calico Cloud, Calico Enterprise 3.23
Issue:
Link to docs preview:
SME review:
DOCS review:
Additional information:
Merge checklist: