Skip to content

docs(network): add network segmentation and policy boundaries article#296

Open
Sven-Ric wants to merge 2 commits into
mainfrom
doc/network-segmentation
Open

docs(network): add network segmentation and policy boundaries article#296
Sven-Ric wants to merge 2 commits into
mainfrom
doc/network-segmentation

Conversation

@Sven-Ric

Copy link
Copy Markdown
Contributor

Description

Standalone article on network segmentation in metal-stack. Standalone for now, I would like to connect my articles in a more meaningful way, once more has been written / refactored.

Used AI-Tools ✨

research supported by claude

@metal-robot metal-robot Bot added the area: documentation Affects the documentation area. label Jun 18, 2026
@netlify

netlify Bot commented Jun 18, 2026

Copy link
Copy Markdown

Deploy Preview for metal-stack-io ready!

Name Link
🔨 Latest commit fa21219
🔍 Latest deploy log https://app.netlify.com/projects/metal-stack-io/deploys/6a454b7d9a1e0d0008df5e27
😎 Deploy Preview https://deploy-preview-296--metal-stack-io.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@Sven-Ric Sven-Ric marked this pull request as ready for review June 23, 2026 15:23
@Sven-Ric Sven-Ric requested a review from a team as a code owner June 23, 2026 15:23

## Segmentation Model

A tenant owns one or more projects, and a project owns one or more private networks. Every [private network](./04-inventory-management.md#logical-inventory) is allocated its own VRF, which maps 1:1 to a VNI in the EVPN/VXLAN overlay. Because each network routes in its own VRF (see [VRF](./01-theory.md#vrf)), no two networks share a routing table, which isolates projects and tenants from one another and lets the same IP ranges be reused across networks without colliding. [Picture 6](./01-theory.md#physical-wiring) illustrates this separation and the VRF termination that happens on the firewall.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

every private network is allocated its own VRF sounds a bit off

Comment on lines +28 to +31
## Defense in Depth

A packet from a tenant machine crosses several independent enforcement layers before it can reach anything, and because each layer is rendered from the same metal-api state they cannot drift out of agreement. Any one of them is sufficient to deny the traffic.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.


### Routing Isolation (VRFs)

VRFs provide hard layer-3 isolation. A packet in `vrf5417` has no route to a destination in another VRF. Route-leaking between VRFs happens only where it is explicitly configured, and even then it is constrained. On a tenant firewall, `import vrf` installs routes from a foreign VRF, but an `import vrf route-map` plus a prefix-list decide exactly which prefixes may cross (see [Tenant Firewalls](./01-theory.md#tenant-firewalls-evpn-to-the-host) and Listing 9). The default posture is no reachability, and every leak is a named, prefix-scoped exception.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
VRFs provide hard layer-3 isolation. A packet in `vrf5417` has no route to a destination in another VRF. Route-leaking between VRFs happens only where it is explicitly configured, and even then it is constrained. On a tenant firewall, `import vrf` installs routes from a foreign VRF, but an `import vrf route-map` plus a prefix-list decide exactly which prefixes may cross (see [Tenant Firewalls](./01-theory.md#tenant-firewalls-evpn-to-the-host) and Listing 9). The default posture is no reachability, and every leak is a named, prefix-scoped exception.
VRFs provide hard layer-3 isolation. Packets in `vrf5417` have no route to a destination in another VRF. Route-leaking between VRFs happens only where it is explicitly configured, and even then it is constrained. On a tenant firewall, `import vrf` installs routes from a foreign VRF, but an `import vrf route-map` plus a prefix-list decide exactly which prefixes may cross (see [Tenant Firewalls](./01-theory.md#tenant-firewalls-evpn-to-the-host) and Listing 9). The default posture is no reachability, and every leak is a named, prefix-scoped exception.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I will rework the entire sentence. Writing from the perspective of a single packet is pretty standard in literature, but saying that it has a route is a bit weird.

Comment thread docs/05-Concepts/03-Network/05-network-segmentation.md Outdated
Co-authored-by: Valentin Knabel <dev@vknabel.com>
@mwindower

Copy link
Copy Markdown

Thanks for this contribution! With the requested changes of Valentin this would be good to go from my side.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: documentation Affects the documentation area.

Projects

Status: No status

Development

Successfully merging this pull request may close these issues.

3 participants