
Cross-Cloud Mesh Networking

Connecting global heterogeneous data centers is not just a connectivity challenge; it is a security challenge. Cyberun Cloud builds a Software-Defined Wide Area Network (SD-WAN), establishing an encrypted, carrier-grade private backbone on top of the public internet.

Zero-Trust Edge Architecture

graph TB
    %% Style Definitions: High Contrast
    classDef internet fill:#f5f5f5,stroke:#616161,stroke-width:2px,color:#000;
    classDef gateway fill:#e0f2f1,stroke:#00695c,stroke-width:2px,color:#000;
    classDef internal fill:#eceff1,stroke:#455a64,stroke-width:2px,stroke-dasharray: 5 5,color:#000;

    Internet((Public Internet)):::internet

    subgraph RegionA [Region A - Tokyo]
        LB1[HAProxy Gateway]:::gateway
        Node1[Internal K8s Node]:::internal
    end

    subgraph RegionB [Region B - New York]
        LB2[HAProxy Gateway]:::gateway
        Node2[Internal K8s Node]:::internal
    end

    %% Public Traffic
    Internet -->|TCP 443| LB1
    Internet -->|TCP 443| LB2

    %% Encrypted Tunnel (Thick line)
    LB1 ===|WireGuard Tunnel| LB2

    %% Internal Traffic (Dotted)
    LB1 -.->|Plain Traffic| Node1
    LB2 -.->|Plain Traffic| Node2

Our network design follows the "Default Deny" principle, adopting a "Fortress" security topology.

1. Edge Gateway Matrix

  • Full-Mesh Interconnection: Edge gateways (Load Balancers) in each region establish persistent Full-Mesh encrypted tunnels via WireGuard.
  • VIP Failover Mechanism: Utilizing the Keepalived (VRRP) protocol, gateway nodes operate in Master/Backup mode. If the Master node fails, the Virtual IP (VIP) automatically floats to the Backup node within milliseconds, ensuring uninterrupted ingress traffic.
  • Protocol Encapsulation: GRE encapsulation runs inside the encrypted tunnels, supporting dynamic routing protocols like BGP/OSPF and multicast traffic, enabling enterprise-grade networking capabilities.

2. Dark Network Isolation

  • Stealth: All business Worker Nodes are deployed in strictly isolated internal networks, holding no public IPs, and exposing no public inbound ports.
  • Minimized Attack Surface: Attackers cannot directly address or scan database and application servers; the only entry point is the strictly filtered edge gateway.

Multi-Cluster Services (MCS)

Cyberun implements the Kubernetes-native MCS API standard, breaking down network boundaries between clusters.

  • Flattened Addressing: With Cilium ClusterMesh and eBPF native routing, Pods in the New York cluster can directly access Pod IPs in the Nuremberg cluster without NAT, resulting in near-zero performance overhead.
  • Global Service Discovery: Applications simply access the service.global domain, and the system automatically routes requests to the nearest healthy endpoint based on Topology-Aware Routing.

Global IPAM Strategy

To achieve flattened Pod-to-Pod communication, we implement a strict Non-Overlapping CIDR Plan. This eliminates complex NAT (Network Address Translation) rules during cross-cluster communication, significantly reducing debugging complexity.

Region      Cluster Role          Node CIDR      Pod CIDR        Service CIDR
Tokyo       Carrier (Control)     10.10.0.0/20   10.100.0.0/16   10.96.0.0/16
New York    Destroyer (Compute)   10.20.0.0/20   10.101.0.0/16   10.97.0.0/16
Nuremberg   Aegis (AI GPU)        10.30.0.0/20   10.102.0.0/16   10.98.0.0/16

  • Route Propagation: When a new Pod starts in New York (10.101.x.x), Cilium automatically announces its route via BGP to Tokyo and Nuremberg, achieving millisecond-level network convergence.
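As an added example (not Cyberun's own tooling), the following Python checks the CIDR plan above for overlaps and, only if the plan is clean, derives the WireGuard [Peer] stanzas a Tokyo gateway would carry for the full mesh, with AllowedIPs restricted to each remote cluster's own node and Pod prefixes so the tunnel routes and accepts nothing else. The endpoints and public keys are placeholders, and service CIDRs are assumed to stay cluster-local.

```python
import ipaddress
from itertools import combinations

# Constructed from the CIDR table above; illustrative, not Cyberun's own config.
CIDR_PLAN = {
    "tokyo":     {"node": "10.10.0.0/20", "pod": "10.100.0.0/16", "service": "10.96.0.0/16"},
    "new_york":  {"node": "10.20.0.0/20", "pod": "10.101.0.0/16", "service": "10.97.0.0/16"},
    "nuremberg": {"node": "10.30.0.0/20", "pod": "10.102.0.0/16", "service": "10.98.0.0/16"},
}

def find_overlaps(plan):
    """Return every pair of prefixes in the plan that overlap.

    An overlap means two clusters could hand out the same Pod IP, which breaks
    flat routing and forces NAT once the routes are announced over BGP.
    """
    prefixes = [(f"{region}/{role}", ipaddress.ip_network(cidr))
                for region, roles in plan.items() for role, cidr in roles.items()]
    return [(a_name, b_name)
            for (a_name, a), (b_name, b) in combinations(prefixes, 2) if a.overlaps(b)]

def wireguard_peers(plan, local_region, endpoints, public_keys):
    """Build the [Peer] stanzas a gateway in local_region needs for a full mesh.

    AllowedIPs is limited to the remote cluster's node and Pod prefixes, so the
    tunnel routes to, and accepts from, only addresses that cluster owns.
    Service CIDRs are assumed cluster-local and are not routed over the tunnel.
    endpoints / public_keys map region -> value; both are placeholders here.
    """
    if find_overlaps(plan):
        raise ValueError("CIDR plan has overlapping prefixes; refusing to build peers")
    stanzas = []
    for region, roles in plan.items():
        if region == local_region:
            continue
        allowed = ", ".join(roles[r] for r in ("node", "pod"))
        stanzas.append("[Peer]\n"
                       f"# {region} gateway\n"
                       f"PublicKey = {public_keys[region]}\n"
                       f"Endpoint = {endpoints[region]}\n"
                       f"AllowedIPs = {allowed}\n"
                       "PersistentKeepalive = 25\n")
    return stanzas

if __name__ == "__main__":
    print("overlaps:", find_overlaps(CIDR_PLAN))  # expected: []
    for stanza in wireguard_peers(CIDR_PLAN, "tokyo",
                                  {r: f"{r}.example.invalid:51820" for r in CIDR_PLAN},
                                  {r: f"<{r}-public-key>" for r in CIDR_PLAN}):
        print(stanza)
```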

Traffic Engineering

  • BGP Route Optimization: We utilize the BGP protocol to dynamically monitor global link quality. When direct links experience congestion or high packet loss, traffic automatically detours to healthier relay nodes.
  • L7 Intelligent Routing: HAProxy at the ingress layer works in tandem with Cilium Ingress within the cluster to identify HTTP/gRPC headers, enabling precise traffic splitting for Canary releases and Blue/Green deployments.