Test in Air Gap Environments (Beta)
This topic describes how to change the network policy of a virtual machine (VM) or a VM-based cluster with Replicated Compatibility Matrix (CMX), and how to collect and analyze network events to understand your application's behavior in air-gapped environments.
Set Network Policy to airgap
VMs and VM-based clusters created with CMX can use one of the following network policies:
| Network Policy | Description |
|---|---|
| open | No restrictions on network traffic. |
| airgap | Restrict all network traffic. |
By default, all VMs and clusters are created with an open network policy. You can change the network policy to airgap to simulate an air-gapped environment with no outbound internet access. This airgap network policy is particularly useful for previewing how your application will perform in air-gapped end customer environments.
Network policies are configured at the network level and apply to all VMs and VM-based clusters within the network.
For VM-Based Clusters
To set the network policy of a VM-based cluster:
- Create a cluster:

      replicated cluster create --distribution VM_BASED_DISTRIBUTION

  Where VM_BASED_DISTRIBUTION is the target VM-based cluster distribution. For a list of supported distributions, see VM Clusters.

- Watch until the cluster status is running:

      replicated cluster ls --watch

- Access the cluster in a shell:

      replicated cluster shell CLUSTER_ID

  Where CLUSTER_ID is the ID of the cluster that you created from the output of the cluster ls command.

- Change the network policy to airgap:

      replicated network update NETWORK_ID --policy airgap

  Where NETWORK_ID is the ID of the network from the output of the cluster ls command.

- Verify that the cluster's policy is airgap and the status is running:

      replicated cluster ls

      ID        NAME              STATUS   CREATED               EXPIRES               POLICY  HAS REPORT
      bdeb3515  gifted_antonelli  running  2025-01-28 18:45 PST  2025-01-28 19:45 PST  airgap  off

  The air gap network is enabled when the status is running.

- (Optional) To verify that there is no outbound connectivity from the cluster, enable network reporting and view network events. See Collect and View Network Reports.

- (Optional) Test an air gap installation of your application in the cluster. See Install and Update with Helm in Air Gap Environments.
For VMs
To set the network policy of a VM:
- Create a VM:

      replicated vm create --distribution ubuntu

- Wait until the VM status is running:

      replicated vm ls

- SSH onto the VM:

      ssh VM_ID@replicatedvm.com

  Where VM_ID is the ID of the VM from the output of the vm ls command.

  For more information and additional options, see Connect to a VM.

- Set the network policy to airgap:

      replicated network update NETWORK_ID --policy airgap

  Where NETWORK_ID is the ID of the network from the output of the vm ls command.

  Example:

      replicated network update 85eb50a8 --policy airgap

      ID        NAME            STATUS    CREATED               EXPIRES               POLICY  HAS REPORT
      85eb50a8  silly_rosalind  updating  2025-01-28 16:16 PST  2025-01-28 17:18 PST  airgap  off

- (Optional) To verify that there is no outbound connectivity from the VM, enable network reporting and view network events. See Collect and View Network Reports.
Collect and View Network Reports
CMX network reporting helps you understand your application's network activity. To provide flexibility in testing, you can enable network reporting to capture all network activity, whether the network policy is set to open or airgap. Even when the network policy is set to airgap and network egress is blocked, all connection attempts and DNS queries are still captured in the report. This helps you identify unexpected network calls before deploying to an air-gapped environment.
Network reporting is not enabled by default. For information about how to collect and view reports through the Vendor Portal or the Replicated CLI, see the sections below.
There are two types of network reports:
| Report Type | Contents |
|---|---|
| Running Report | See all network events captured in near real-time |
| Report Summary | Aggregated analysis of captured network events |
Vendor Portal
To set the network policy and collect and view reports in the Vendor Portal:
- Go to Compatibility Matrix > Network Policy.

- To collect a network report, toggle on the switch under Reporting.

- (Optional) Toggle from open to airgap under Policy Type to block all network egress.

- Where available, click "View report" under Report to see the reporting table. You can also click "Export JSON" to download the raw report data.

Note: When reporting is ON for an active network, all network events display in a Running Report. Once the network is terminated, the Report Summary is automatically generated.
Running Report

Report Summary

CLI
To collect and view a network report from the CLI:
- Turn on network reporting:

      replicated network update NETWORK_ID --collect-report

  Where NETWORK_ID is the ID of the network. You can get the network ID by running replicated network ls.

- (Optional) Confirm that reporting is ON for the network:

      replicated network ls

  Example output:

      ID        NAME               STATUS   CREATED               EXPIRES               POLICY  HAS REPORT
      a1b2c3d4  example_network_1  running  2025-01-28 16:04 PST  2025-01-28 18:06 PST  open    off
      e5f6g7h8  example_network_2  running  2025-01-28 12:10 PST  2025-01-28 20:11 PST  airgap  on

- View the network report:

  See a network event summary that aggregates all unique domains and destination IPs, with connection counts and other details (JSON format):

      replicated network report NETWORK_ID --summary

  See all network events (JSON format):

      replicated network report NETWORK_ID

  Watch as new network events occur (JSON format):

      replicated network report NETWORK_ID --watch

  Note: Network events are batched for display in the report, so they appear with a short delay.
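A readiness gate for scripted test runs, added here as an example (it is not Replicated's code): it parses the replicated network ls table shown above and succeeds only once the network is both running and airgap, so an install test cannot start while the status is still updating and egress may not yet be blocked. The function names, the NETWORK_LS and POLL_SECONDS overrides, and the sample table (rows copied from this page's example outputs) are assumptions of the example.

```shell
#!/bin/sh
# Added example. Parses the table layout shown on this page:
#   ID NAME STATUS CREATED(3 fields) EXPIRES(3 fields) POLICY HAS-REPORT
# Assumption: NAME has no spaces, as in the page's sample rows.

# Constructed sample: rows copied from the example outputs above.
SAMPLE_LS='ID NAME STATUS CREATED EXPIRES POLICY HAS REPORT
a1b2c3d4 example_network_1 running 2025-01-28 16:04 PST 2025-01-28 18:06 PST open off
e5f6g7h8 example_network_2 running 2025-01-28 12:10 PST 2025-01-28 20:11 PST airgap on
85eb50a8 silly_rosalind updating 2025-01-28 16:16 PST 2025-01-28 17:18 PST airgap off'

# network_state ID: reads the table on stdin, prints "STATUS POLICY REPORT".
# Exit status 1 if the ID is not listed.
network_state() {
    awk -v id="$1" '
        # Force string comparison: hex IDs such as 1e234567 look numeric to awk.
        ($1 "") == (id "") { print $3, $(NF-1), $NF; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# airgap_ready ID: 0 only when the network is running AND airgap,
# 1 when listed but not ready (still updating, or policy open), 2 if unknown.
airgap_ready() {
    state=$(network_state "$1") || return 2
    set -- $state
    [ "$1" = "running" ] && [ "$2" = "airgap" ]
}

# report_enabled ID: 0 when HAS REPORT is "on" for the network.
report_enabled() {
    state=$(network_state "$1") || return 2
    [ "${state##* }" = "on" ]
}

# wait_for_airgap ID [TRIES]: poll the listing until the gate opens.
# NETWORK_LS and POLL_SECONDS are hypothetical overrides for this example.
wait_for_airgap() {
    id=$1 tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        ${NETWORK_LS:-replicated network ls} | airgap_ready "$id" && return 0
        tries=$((tries - 1))
        sleep "${POLL_SECONDS:-10}"
    done
    return 1
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LS" | network_state e5f6g7h8
```

In a pipeline, call wait_for_airgap NETWORK_ID after replicated network update NETWORK_ID --policy airgap and fail the job on a non-zero status instead of proceeding with the install.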