Managing encryption exceptions
When enabling data-in-transit encryption for a network, you can add exceptions for particular IP addresses, prefixes, or ports to bypass the encryption. This is required for external communication of services that operate in the same subnet with cluster nodes. For example, if you use a custom port, instead of TCP 443, to connect your backup storage to an external S3 storage, you need to add this port to the encryption exceptions.
Prerequisites
- Data-in-transit encryption is enabled for an infrastructure network, as described in Enabling and disabling data-in-transit encryption.
To add exceptions for data-in-transit encryption
Use the following command:
vinfra cluster network encryption bypass add <subnet> <port>
<subnet>- Subnet range in CIDR notation or a single address
<port>- Port number
For example, to bypass encryption for the port 700, run:
vinfra cluster network encryption bypass add 0.0.0.0/24 700
To list all exceptions for data-in-transit encryption, use the vinfra cluster network encryption bypass list command:
# vinfra cluster network encryption bypass list +------------+------+ | subnet | port | +------------+------+ | 0.0.0.0/24 | 700 | +------------+------+
To remove exceptions for data-in-transit encryption
Use the following command:
vinfra cluster network encryption bypass delete <subnet> <port>
<subnet>- Subnet range in CIDR notation or a single address
<port>- Port number
For example, to enable encryption for the port 700, run:
vinfra cluster network encryption bypass delete 0.0.0.0/24 700
See also