17. [Diagram: Titus EC2 host with three ENIs, each carrying its own security groups: ENI1 (SecGrp=A), ENI2 (SecGrp=X), ENI3 (SecGrp=Y,Z), attached as eth2/eth3-style host devices. Labels: Task 0 (No IP, SecGrp A); Task 1, Task 2, Task 3 (IP 1, IP 2, IP 3, SecGrp X), each a pod root namespace joined to its app through a veth<id> pair; SecGrp Y,Z. Host components: Linux Policy Based Routing + Traffic Control; Titus EC2 Metadata Proxy reached at 169.254.169.254 via IPTables NAT (169.254.169.254 is a non-routable IP).]
20. ● Container IP: 100.66.23.19
● Container Device: vethA
● Eni IP: 100.66.30.31/20
● Eni GW: 100.66.16.1
● Eni Device: eth1
● Routing tables:
○ tocontainer, fromcontainer
21. # ip addr show eth0
eth0: … mtu 1500 qdisc tbf state UP group default
inet 100.66.23.19/32 ...
# ip route show
default via 100.66.30.31 dev eth0
100.66.30.31 dev eth0 scope link
22. # ip route show | grep eth1
100.66.16.0/20 dev eth1 proto kernel scope link src 100.66.30.31
# ip rule show | grep 100.66.23.19
from all to 100.66.23.19 iif eth1 lookup tocontainer
from 100.66.23.19 iif vethA lookup fromcontainer
# ip route show table tocontainer | grep 100.66.23.19
100.66.23.19 dev vethA scope link
# ip route show table fromcontainer
default via 100.66.16.1 dev eth1
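Slides 20 through 22 show the resulting state, not the commands that produce it. The following added example (not from the Titus slides) reconstructs the ip(8) commands for one container from the slide-20 parameters and audits an `ip rule show` dump for the two expected rules; it assumes the `tocontainer` and `fromcontainer` tables are already named in /etc/iproute2/rt_tables and only prints commands, so it runs without root.

```sh
#!/bin/sh
# Added example, not Titus code. Emits (does not execute) the policy-based
# routing setup for one container; table names are assumed to exist in
# /etc/iproute2/rt_tables. Arguments: container IP, container veth,
# ENI device, ENI gateway (the slide-20 values are used in the test below).
titus_pbr_commands() {
  cip=$1 veth=$2 eni_dev=$3 eni_gw=$4
  cat <<EOF
ip route add $cip dev $veth scope link table tocontainer
ip route replace default via $eni_gw dev $eni_dev table fromcontainer
ip rule add to $cip iif $eni_dev lookup tocontainer
ip rule add from $cip iif $veth lookup fromcontainer
EOF
}

# Audit: given the text of \`ip rule show\`, report which of the two
# per-container rules are missing. Returns the number of missing rules
# (0 means the container is fully wired). Useful as a drift check after
# a task launch or teardown.
titus_pbr_audit() {
  cip=$1 veth=$2 eni_dev=$3 rules=$4 missing=0
  printf '%s\n' "$rules" | grep -q "from all to $cip iif $eni_dev lookup tocontainer" \
    || { echo "missing tocontainer rule for $cip"; missing=$((missing + 1)); }
  printf '%s\n' "$rules" | grep -q "from $cip iif $veth lookup fromcontainer" \
    || { echo "missing fromcontainer rule for $cip"; missing=$((missing + 1)); }
  return $missing
}
```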