Simple Multi-cloud deployment - Routers Configuration

The SANs you want are completely up to you, but I can provide guidance.

On every system, you have localhost, 127.0.0.1, and an external IP. Conditionally you can have additional IP addresses (say for an internal and external network) and 0 or more domain names.

Adding all permutations to the edge router's certificate is up to you and is based on how you want to address them. At the minimum, I would aim for 127.0.0.1, localhost, and whatever IP address is exposed on the open internet. Additionally, including whatever your advertise values are for your listeners (for link and edge) is important, as that is how external systems (SDKs and routers) will connect.

If you know you will always be able to use the same DNS names for a router, those do provide agility over IP addresses should you need to move routers/controllers. If you know you will always be able to provide the same DNS names/maintain them, sticking only to DNS names can be preferable. If you don't care about the IP/DNS names of routers changing, you can always re-enroll new ones. I only mention this portion because we have some new features coming out where having a public DNS name that is from a public CA may be useful.

All other IP/DNS values are for your agility/future design decisions. Also, the certificate, when renewed, can obtain new SANs if configured to do so. If necessary, it would be possible for us to add a command to force early renewal.
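A small check for the point made above, that every advertise value for the edge and link listeners must be covered by the router certificate's SANs. This is an added example, not code from the original post or from the project; the SAN list and the advertise values are constructed sample data, and the matching follows the usual rules for certificate names (IP literals only match IP SANs, a wildcard only stands in for one whole leftmost label).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: SANs as they might appear on an edge router certificate
# (assumed values for illustration only, not from any real deployment).
ROUTER_SANS = [
    ("DNS", "localhost"),
    ("IP", "127.0.0.1"),
    ("IP", "203.0.113.10"),             # the address exposed on the open internet
    ("DNS", "router1.example.com"),
    ("DNS", "*.internal.example.com"),  # wildcard for an internal network name
]


def _dns_matches(name: str, pattern: str) -> bool:
    """Compare a hostname against a DNS SAN; '*' may only replace the entire leftmost label."""
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".internal.example.com"
        if not name.endswith(suffix):
            return False
        left = name[:-len(suffix)]                # the part the wildcard must cover
        return left != "" and "." not in left     # exactly one non-empty label
    return name == pattern


def san_covers(sans, address: str) -> bool:
    """True if a hostname or IP literal is covered by the SAN list."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only satisfied by an IP-type SAN, never by a DNS entry.
        return any(kind == "IP" and ipaddress.ip_address(val) == ip for kind, val in sans)
    return any(kind == "DNS" and _dns_matches(address, val) for kind, val in sans)


def uncovered_advertise_addresses(sans, advertise_values):
    """Return the host part of each 'host:port' advertise value that no SAN covers."""
    missing = []
    for adv in advertise_values:
        host = urlsplit("//" + adv).hostname      # handles 'host:port' and '[v6]:port'
        if host is None or not san_covers(sans, host):
            missing.append(host if host is not None else adv)
    return missing


if __name__ == "__main__":
    # Constructed advertise values for the edge and link listeners of one router.
    advertised = ["router1.example.com:3022", "203.0.113.10:443", "[::1]:443", "10.0.0.5:3022"]
    print("not covered by the certificate:", uncovered_advertise_addresses(ROUTER_SANS, advertised))
```

Run it against the SANs you actually put on the router certificate and the advertise values from your listener configuration; any host it prints is one that SDKs and other routers will fail to verify.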
