Managing encryption exceptions

When data-in-transit encryption is enabled for a network, you can add exceptions for particular IP addresses, prefixes, or ports so that matching traffic bypasses the encryption. This is required for services that run in the same subnet as the cluster nodes but need to communicate with external endpoints. For example, if the backup storage connects to an external S3 storage on a custom port instead of TCP 443, add that port to the encryption exceptions. Keep in mind that traffic matching an exception is sent without the cluster's data-in-transit encryption, so scope each exception to the narrowest subnet and port the service actually needs.

Prerequisites

To add exceptions for data-in-transit encryption

Use the following command:

vinfra cluster network encryption bypass add <subnet> <port>

<subnet>    Subnet range in CIDR notation or a single IP address
<port>      Port number

For example, to bypass encryption for port 700 in the 0.0.0.0/24 subnet, run the following command. The subnet here is a placeholder: a /24 prefix matches 256 addresses, so substitute the prefix that actually carries the external traffic rather than widening it.

vinfra cluster network encryption bypass add 0.0.0.0/24 700

To list all exceptions for data-in-transit encryption, use the vinfra cluster network encryption bypass list command:

# vinfra cluster network encryption bypass list
+------------+------+
| subnet     | port |
+------------+------+
| 0.0.0.0/24 | 700  |
+------------+------+

To remove exceptions for data-in-transit encryption

Use the following command:

vinfra cluster network encryption bypass delete <subnet> <port>

<subnet>    Subnet range in CIDR notation or a single IP address
<port>      Port number

For example, to remove the exception added above so that traffic on port 700 in 0.0.0.0/24 is encrypted again, run:

vinfra cluster network encryption bypass delete 0.0.0.0/24 700
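The following POSIX shell helpers are an added example and are not part of the vinfra documentation or product. They wrap the add and delete procedures above so that the subnet and port are validated before the command runs, and they audit a captured `vinfra cluster network encryption bypass list` table for exceptions broader than a given prefix length. The function names, the `VINFRA` variable (which lets you point the wrapper at a different binary or at `echo` for a dry run), and the sample table are all assumptions made for this example; the table content is constructed, not real cluster output.

```shell
#!/bin/sh
# Added example, not vinfra's own code. Validates encryption bypass
# arguments before calling vinfra and audits the exception list for
# overly broad subnets. VINFRA is an assumed variable for this example;
# set VINFRA=echo to see the command without running it.

# Return 0 if $1 is an IPv4 address or an IPv4 prefix in CIDR notation.
valid_cidr() {
    addr=${1%/*}
    if [ "$addr" = "$1" ]; then len=32; else len=${1#*/}; fi
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a port number in the range 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Run the vinfra bypass subcommand $1 (add or delete) for subnet $2 and
# port $3, refusing malformed input instead of passing it to the CLI.
bypass_cmd() {
    valid_cidr "$2" || { echo "invalid subnet: $2" >&2; return 1; }
    valid_port "$3" || { echo "invalid port: $3" >&2; return 1; }
    "${VINFRA:-vinfra}" cluster network encryption bypass "$1" "$2" "$3"
}

add_exception()    { bypass_cmd add "$1" "$2"; }
delete_exception() { bypass_cmd delete "$1" "$2"; }

# Print "subnet port" for every row of a bypass list table ($1) whose
# prefix length is shorter than $2 (default 24), i.e. broader than a /24.
# A single address counts as /32.
broad_exceptions() {
    threshold=${2:-24}
    printf '%s\n' "$1" | awk -F'|' -v t="$threshold" '
        NF >= 4 && $2 !~ /subnet/ {
            subnet = $2; gsub(/ /, "", subnet)
            port   = $3; gsub(/ /, "", port)
            n = split(subnet, p, "/")
            len = (n == 2) ? p[2] + 0 : 32
            if (len < t) print subnet, port
        }'
}

# Constructed sample of `vinfra cluster network encryption bypass list`
# output for the audit; not captured from a real cluster.
SAMPLE_LIST='+--------------+------+
| subnet       | port |
+--------------+------+
| 0.0.0.0/24   | 700  |
| 10.0.0.0/8   | 9000 |
| 192.0.2.10   | 8443 |
+--------------+------+'

# Usage:
#   VINFRA=echo add_exception 192.0.2.0/24 700      # dry run
#   broad_exceptions "$(vinfra cluster network encryption bypass list)"
```

Run `broad_exceptions` against the live list output periodically; any exception wider than the subnet a service actually uses is traffic that leaves the cluster unencrypted for no reason and should be deleted with `delete_exception` and re-added with a tighter prefix.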