Anapaya appliance configuration
advanced object
The necessary configuration data for the advanced section of the Anapaya appliance.
service_customizations object[]
The list of service-customizations on the Anapaya appliance.
Whether the service customization should be disabled.
Default: false
The service type for which the customized template is provided.
Possible values: [CA_FRONTEND, CONTROL, CRON, DAEMON, DATAPLANE, DATAPLANE_CONTROL, DISPATCHER, FRR, FRR_EXPORTER, GATEWAY, MOLE, NODE_EXPORTER, PROMTAIL, ROUTER, TELEMETRY, SHUTTLE]
Whether the customized template should be skipped during configuration validation. This is particularly useful if the template is known to be valid, but the input data during validation is not sufficient.
Default: false
The actual customized template for the service.
bgp object
Top-level configuration and state for the BGP router.
global object
Global configuration for the BGP router
Local BGP autonomous system number of the router. Uses the 32-bit as-number type from the model in RFC 6991.
The list of network prefixes this BGP instance advertises.
Router id of the router - an unsigned 32-bit integer expressed in dotted quad notation.
Set the preferred source address when installing routes in the kernel.
neighbors object[]
Configuration for BGP neighbors
An MD5 authentication password for use with the neighboring device.
bfd object
BFD configuration parameters relating to the BGP neighbor
Minimum desired control packet transmission interval in milliseconds
Possible values: >= 10 and <= 60000
Default: 300
Local session detection multiplier.
Possible values: >= 2
Default: 3
Enable BFD for the BGP neighbor.
Default: false
Local address to use for BFD.
For multihop sessions only: configure the minimum expected TTL for an incoming BFD control packet.
Possible values: >= 1 and <= 254
Default: 254
Enable BFD multihop.
Default: false
Minimum required control packet receive interval in milliseconds.
Possible values: >= 10 and <= 60000
Default: 300
An optional textual description of the neighbor.
Specifying ebgp-multihop allows sessions with eBGP neighbors to establish when they are multiple hops away. When the neighbor is not directly connected and this setting is not enabled, the session will not establish.
Whether the BGP peer is enabled. In cases where the enabled leaf is set to false, the local system will not initiate connections to the neighbor, and will not respond to TCP connections attempts from the neighbor. If the BGP session is established at the time that this property is set to false, the session will be ceased.
Default: true
The local BGP autonomous system number that is to be used when establishing sessions with the remote peer or peer group, if this differs from the global BGP router autonomous system number.
Address of the BGP peer, either IPv4 or IPv6.
BGP autonomous system number of the peer.
timers object
Timers related to a BGP neighbor
Time interval in seconds between attempts to establish a session with the peer.
Default: 30
Time interval in seconds that a BGP session will be considered active in the absence of keepalive or other messages from the peer. The hold-time is typically set to 3x the keepalive-interval.
Default: 30
Time interval in seconds between transmission of keepalive messages to the neighbor. Typically set to 1/3 the hold-time.
Default: 10
Minimum time in seconds which must elapse between subsequent UPDATE messages relating to a common set of NLRI being transmitted to a peer. This timer is referred to as MinRouteAdvertisementIntervalTimer by RFC 4271 and serves to reduce the number of UPDATE messages transmitted when a particular set of NLRI exhibits instability.
Default: 30
transport object
Transport session parameters for the BGP neighbor
Set the local IPv4 address to be used for the session when sending BGP update messages. This may be expressed as either an IP address or the name of an interface.
BGP Time To Live (TTL) security check. Reference: RFC 5082: The Generalized TTL Security Mechanism (GTSM), RFC 7454: BGP Operations and Security.
cluster object
The configuration for the appliance cluster.
features object
The list of features that are announced to the peers. Note that the actually announced value can depend on which features are locally enabled and configured.
Option to enable the announcement of support for the SCION RSS feature to the peers. If the local host does not support the SCION RSS feature, this option does not have any effect.
Default: true
peers object[]
The list of peers in this cluster. This is used to configure the topology or the discovery of the topology of peer appliances in an organization.
Textual description for this peer.
features object
Configures the feature options of the peer. This field cannot be set together with the synchronization field.
Option to statically enable the SCION RSS feature. If set to true, the local router enables UDP source port entropy on the underlay for SCION packets forwarded to the peer, such that the peer can leverage RSS for SCION traffic. This can greatly improve throughput performance. This must only be set to true if the peer supports the SCION RSS feature.
Default: false
The name of this peer used to identify the peer. This can be any string but must be unique among all peers.
scion object
The relevant SCION configuration of the peer. This can be used to define the relevant SCION components on the peer appliance so that paths via the peer appliance can also be used.
ases object[]
The list of SCION ASes on the peer.
control object
Configuration and state data for the control service in the peer.
The address of the control service. The address must be specified as host:port.
Example: 192.168.1.1:30100
ISD-AS number of the AS.
Example: 1-ff00:0:110
neighbors object[]
The neighbors for the SCION AS in the peer.
interfaces object[]
The list of interfaces on the peer for this neighbor AS.
SCION interface identifier. It must be unique in the SCION AS.
Possible values: >= 1 (the upper bound is missing from the rendered schema)
Internal address of the peer router that owns the interface.
Example: 169.254.0.1:30100
The maximum transmission unit in bytes for SCION packets. This represents the protocol data unit (PDU) of the SCION layer on this interface and is usually calculated as maximum Ethernet payload - IP header - UDP header.
Default: 1472
Example: 1472
ISD-AS number of the neighbor AS.
Example: 2-ff00:0:210
The relationship to the neighbor AS. If the local AS is core, this value must be either CORE or CHILD. If the local AS is non-core, this value must be either PARENT, CHILD or PEER.
Possible values: [CORE, CHILD, PARENT, PEER]
The shard ID of the peers in the AS.
scion_tunneling object
The relevant SCION tunneling configuration of the peer. This is used so that all appliances can announce the full list of SCION tunneling endpoints in the AS to other ASes.
endpoint object
The SCION tunneling endpoint on the peer appliance.
allowed_interfaces object[]
The SCION interfaces, for each SCION AS configured on the peer, through which this IP-in-SCION tunneling endpoint may be reached. This can be used to control incoming traffic: if a tunnel endpoint should only be reachable via SCION interfaces 1 and 2, allowed-interfaces should list them explicitly, and remote tunnel endpoints will then only choose paths entering the respective local AS via SCION interface 1 or 2. If the IP-in-SCION tunneling endpoint on the peer appliance should be reachable via a SCION interface of another appliance, the allowed-interfaces list must be configured with the respective SCION interfaces. By default the list is empty; in this case the appliance automatically configures the SCION interfaces that are configured on the peer as allowed-interfaces. Automatic configuration can be disabled by setting disable_auto_allowed_interfaces.
List of allowed interfaces for this SCION AS
Example: [2,3]
The SCION AS where the list of allowed interfaces applies. Packets to this IP-in-SCION tunnel endpoint in this SCION AS will only arrive on the listed interfaces.
Port number for control traffic. The control address is constructed from the IP address and this control port. The control address is used to exchange IP routing information as part of SGRP. If not set, or zero, the control port will be dynamically allocated.
Example: 40201
Port number for data traffic. The data address is constructed from the IP address and this data port. The data address is used for the IP-in-SCION encapsulated traffic stream. If not set, or zero, the data port will be dynamically allocated.
Example: 40200
Whether the automatic configuration of allowed interfaces should be disabled. When disabled, the IP-in-SCION tunneling endpoint of the peer will be reached by remote endpoints on all SCION interfaces of the locally configured AS. When enabled (default), the peer IP-in-SCION tunneling endpoint will only be reached by remote endpoints on the SCION interfaces that are configured on the peer appliance.
IP address of the peer IP-in-SCION endpoint.
Example: 192.168.1.100
Port number for probing traffic. The probe address is constructed from the IP address and this probe port. The probe address is used by remote tunnel endpoints in their health probing. If not set, or zero, the probe port will be dynamically allocated.
Example: 40202
synchronization object
The synchronization configuration for this peer. This can be used to configure the automatic synchronization of topology information and supported features. Automatic synchronization of topology and supported features is not recommended for EDGE deployments; static configuration is recommended instead. This field cannot be set together with the scion, scion-tunneling, and features fields.
The gRPC address of this peer, used for synchronization of appliance information
Example: 192.168.1.1:30100
synchronization object
The configuration data necessary for the anapaya cluster synchronization. This determines how frequently this appliance synchronizes its local data with its peers, if synchronization is enabled.
The address where peers can fetch topology information. If this is not set, topology information is not exposed to peers and should be statically configured on the peers.
Example: 192.0.2.3:40000
The interval between two consecutive topology synchronization attempts to the cluster peers. Must only be set if dynamic topology discovery is enabled. It requires a unit suffix out of ['d', 'h', 'm', 's']. The encoding consists of a decimal number concatenated with a suffix; for example, '5s', '10m', '12h', and '1d'.
Default: 1m
experiments object
Section for experimental options.
features object[]
The list of features.
The name of the feature
The value of the feature
firewall object
The necessary configuration data for firewalling the Anapaya appliance.
The firewall mode declares how the appliance handles firewall rules. Depending on the mode, the appliance either generates a default set of rules, prepends some custom rules, or uses only the specified custom rules.
Possible values: [AUTO, PREPEND, CUSTOM, UNMANAGED]
tables object[]
The list of nftables tables on the Anapaya appliance. The usage of the list depends on the firewall mode.
chains object[]
Chains defined within the nftables table.
The type and usage of the chain. This must be set for base chains and unset for regular chains.
Possible values: [FILTER, ROUTE, NAT]
The packet processing step during which the chain should be executed. This must be set for base chains and unset for regular chains. For more information on the chain hooks, please refer to https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_hooks.
Possible values: [PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING]
The name of the chain.
The default policy that will be applied to packets that reach the end of the chain. For more information on chain policies, please refer to https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_policy.
Possible values: [ACCEPT, DROP]
The priority of the chain. This must be set for base chains and unset for regular chains.
rules object[]
Rules defined as part of a chain within a firewall table.
Description, or comment, for the firewall rule.
The rule definition consists of expressions and statements in string format. The expressions are evaluated from left to right and if the packet matches the expressions the statement is executed. For information on the supported syntax for expressions and statements, please refer to https://wiki.nftables.org/wiki-nftables/index.php/Main_Page#Expressions:_Matching_packets and https://wiki.nftables.org/wiki-nftables/index.php/Main_Page#Statements:_Acting_on_packet_matches.
The sequence ID determines the order in which the firewall rules are applied. The sequence ID must be unique for each entry. Target devices apply the rules in order of ascending sequence ID (low to high).
Example: 1
counters object[]
Optional named counters defined within the nftables table.
The name of the counter.
The address family of the nftables table. For more information on table families, please refer to https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families.
Possible values: [IP, IP6, INET]
Name of the nftables table.
interfaces object
Top-level configuration and state for interfaces.
bonds object[]
Top-level configuration and state for the bond interfaces.
Whether to accept the route advertisements for the corresponding interface. (This is currently supported only for the interfaces that are using the Linux driver.)
Default: false
The addresses configured on this interface. Each address must be a valid IP prefix in CIDR notation.
gateway object
The gateway for the network interface.
The gateway address for the IPv4 networking stack. Note that there must only be one IPv4 gateway configured across all the interfaces.
The gateway address for the IPv6 networking stack. Note that there must only be one IPv6 gateway configured across all the interfaces.
The list of interfaces that are part of this bond.
Possible values: >= 1
The MAC address to use on this interface.
It is of the form XX:XX:XX:XX:XX:XX.
The MTU (Maximum Transmission Unit) to be used on this interface.
Default: 1500
Example: 1472
The name of the network interface.
neighbors object[]
The static neighbors configured on this network interface.
The IP address.
An optional human-readable string to comment on this neighbor.
The MAC address corresponding to the address.
It is of the form XX:XX:XX:XX:XX:XX.
The sequence id determines the order of the neighbor entries.
Example: 3
routes object[]
The routes which are configured on this network interface.
An optional human-readable string to comment on this route.
The source IP address for traffic going through the route.
The metric for the route. The lower its value, the higher its priority.
Example: 10
The sequence id determines the order of the route entries.
Example: 3
The destination prefix in CIDR notation of this route.
The next hop address which should be used for the prefix.
The number of descriptors in the receive queue. (This option is currently supported only for VPP interfaces.)
Default: 1024
Example: 2048
The number of descriptors in the transmit queue. (This is currently supported only for VPP interfaces.)
Default: 1024
Example: 2048
vrrp object[]
The VRRP (Virtual Router Redundancy Protocol) configurations for this interface.
The list of virtual IP addresses. It must contain at least one IP address. Each sequence entry is in CIDR notation.
Possible values: >= 1
If set to true, the preempt mode is disabled. This means that the router will not preempt the master even if it has a higher priority than the current master. If set to false, the router will preempt the master if it has a higher priority than the current master.
Default: false
Optional list of IP addresses of the VRRP peers. If the list is empty, the router will send VRRP packets to the multicast address. If the list is not empty, the router will send VRRP packets to the unicast addresses specified in the list.
Possible values: >= 1
The priority value to be used by this VRRP router. Higher means higher priority and it ranges between 1 and 255 (decimal).
Example: 117
The virtual router identifier, which ranges between 1 and 255 (decimal).
Example: 3
ethernets object[]
Top-level configuration and state for ethernet interfaces.
Whether to accept the route advertisements for the corresponding interface. (This is currently supported only for the interfaces that are using the Linux driver.)
Default: false
The addresses configured on this interface. Each address must be a valid IP prefix in CIDR notation.
The driver which should be used for the interface.
Possible values: [LINUX, VPP, VPP_DPDK, VPP_VMXNET3, VPP_MEMIF, VPP_RDMA]
gateway object
The gateway for the network interface.
The gateway address for the IPv4 networking stack. Note that there must only be one IPv4 gateway configured across all the interfaces.
The gateway address for the IPv6 networking stack. Note that there must only be one IPv6 gateway configured across all the interfaces.
The MAC address to use on this interface.
It is of the form XX:XX:XX:XX:XX:XX.
The MTU (Maximum Transmission Unit) to be used on this interface.
Default: 1500
Example: 1472
The name of the network interface.
neighbors object[]
The static neighbors configured on this network interface.
The IP address.
An optional human-readable string to comment on this neighbor.
The MAC address corresponding to the address.
It is of the form XX:XX:XX:XX:XX:XX.
The sequence id determines the order of the neighbor entries.
Example: 3
routes object[]
The routes which are configured on this network interface.
An optional human-readable string to comment on this route.
The source IP address for traffic going through the route.
The metric for the route. The lower its value, the higher its priority.
Example: 10
The sequence id determines the order of the route entries.
Example: 3
The destination prefix in CIDR notation of this route.
The next hop address which should be used for the prefix.
The number of descriptors in the receive queue. (This option is currently supported only for VPP interfaces.)
Default: 1024
Example: 2048
The number of descriptors in the transmit queue. (This is currently supported only for VPP interfaces.)
Default: 1024
Example: 2048
vpp object
The VPP driver specific configuration.
Whether 'vlan-strip-offload on' should be added to the interface configuration of the VPP dataplane.
Default: false
vrrp object[]
The VRRP (Virtual Router Redundancy Protocol) configurations for this interface.
The list of virtual IP addresses. It must contain at least one IP address. Each sequence entry is in CIDR notation.
Possible values: >= 1
If set to true, the preempt mode is disabled. This means that the router will not preempt the master even if it has a higher priority than the current master. If set to false, the router will preempt the master if it has a higher priority than the current master.
Default: false
Optional list of IP addresses of the VRRP peers. If the list is empty, the router will send VRRP packets to the multicast address. If the list is not empty, the router will send VRRP packets to the unicast addresses specified in the list.
Possible values: >= 1
The priority value to be used by this VRRP router. Higher means higher priority and it ranges between 1 and 255 (decimal).
Example: 117
The virtual router identifier, which ranges between 1 and 255 (decimal).
Example: 3
loopbacks object[]
Top-level configuration and state for loopback interfaces.
The list of addresses configured on the loopback interface.
The name of the loopback interface, which must have a 'loop' prefix.
virtual_functions object[]
Top-level configuration and state for VF interfaces.
Whether to accept the route advertisements for the corresponding interface. (This is currently supported only for the interfaces that are using the Linux driver.)
Default: false
The addresses configured on this interface. Each address must be a valid IP prefix in CIDR notation.
gateway object
The gateway for the network interface.
The gateway address for the IPv4 networking stack. Note that there must only be one IPv4 gateway configured across all the interfaces.
The gateway address for the IPv6 networking stack. Note that there must only be one IPv6 gateway configured across all the interfaces.
The name of the network interface that is used as the parent on which the virtual function will be created.
The MAC address to use on this interface.
It is of the form XX:XX:XX:XX:XX:XX.
The MTU (Maximum Transmission Unit) to be used on this interface.
Default: 1500
Example: 1472
The name of the network interface.
neighbors object[]
The static neighbors configured on this network interface.
The IP address.
An optional human-readable string to comment on this neighbor.
The MAC address corresponding to the address.
It is of the form XX:XX:XX:XX:XX:XX.
The sequence id determines the order of the neighbor entries.
Example: 3
routes object[]
The routes which are configured on this network interface.
An optional human-readable string to comment on this route.
The source IP address for traffic going through the route.
The metric for the route. The lower its value, the higher its priority.
Example: 10
The sequence id determines the order of the route entries.
Example: 3
The destination prefix in CIDR notation of this route.
The next hop address which should be used for the prefix.
The number of descriptors in the receive queue. (This option is currently supported only for VPP interfaces.)
Default: 1024
Example: 2048
The number of descriptors in the transmit queue. (This is currently supported only for VPP interfaces.)
Default: 1024
Example: 2048
vrrp object[]
The VRRP (Virtual Router Redundancy Protocol) configurations for this interface.
The list of virtual IP addresses. It must contain at least one IP address. Each sequence entry is in CIDR notation.
Possible values: >= 1
If set to true, the preempt mode is disabled. This means that the router will not preempt the master even if it has a higher priority than the current master. If set to false, the router will preempt the master if it has a higher priority than the current master.
Default: false
Optional list of IP addresses of the VRRP peers. If the list is empty, the router will send VRRP packets to the multicast address. If the list is not empty, the router will send VRRP packets to the unicast addresses specified in the list.
Possible values: >= 1
The priority value to be used by this VRRP router. Higher means higher priority and it ranges between 1 and 255 (decimal).
Example: 117
The virtual router identifier, which ranges between 1 and 255 (decimal).
Example: 3
vlans object[]
Top-level configuration and state for VLAN interfaces.
Whether to accept the route advertisements for the corresponding interface. (This is currently supported only for the interfaces that are using the Linux driver.)
Default: false
The addresses configured on this interface. Each address must be a valid IP prefix in CIDR notation.
gateway object
The gateway for the network interface.
The gateway address for the IPv4 networking stack. Note that there must only be one IPv4 gateway configured across all the interfaces.
The gateway address for the IPv6 networking stack. Note that there must only be one IPv6 gateway configured across all the interfaces.
The VLAN ID of the VLAN interface. It ranges between 0 and 4095.
Possible values: <= 4095
The name of the physical interface used for this VLAN.
The MAC address to use on this interface.
It is of the form XX:XX:XX:XX:XX:XX.
The MTU (Maximum Transmission Unit) to be used on this interface.
Default: 1500
Example: 1472
The name of the network interface.
neighbors object[]
The static neighbors configured on this network interface.
The IP address.
An optional human-readable string to comment on this neighbor.
The MAC address corresponding to the address.
It is of the form XX:XX:XX:XX:XX:XX.
The sequence id determines the order of the neighbor entries.
Example: 3
routes object[]
The routes which are configured on this network interface.
An optional human-readable string to comment on this route.
The source IP address for traffic going through the route.
The metric for the route. The lower its value, the higher its priority.
Example: 10
The sequence id determines the order of the route entries.
Example: 3
The destination prefix in CIDR notation of this route.
The next hop address which should be used for the prefix.
The number of descriptors in the receive queue. (This option is currently supported only for VPP interfaces.)
Default: 1024
Example: 2048
The number of descriptors in the transmit queue. (This is currently supported only for VPP interfaces.)
Default: 1024
Example: 2048
vrrp object[]
The VRRP (Virtual Router Redundancy Protocol) configurations for this interface.
The list of virtual IP addresses. It must contain at least one IP address. Each sequence entry is in CIDR notation.
Possible values: >= 1
If set to true, the preempt mode is disabled. This means that the router will not preempt the master even if it has a higher priority than the current master. If set to false, the router will preempt the master if it has a higher priority than the current master.
Default: false
Optional list of IP addresses of the VRRP peers. If the list is empty, the router will send VRRP packets to the multicast address. If the list is not empty, the router will send VRRP packets to the unicast addresses specified in the list.
Possible values: >= 1
The priority value to be used by this VRRP router. Higher means higher priority and it ranges between 1 and 255 (decimal).
Example: 117
The virtual router identifier, which ranges between 1 and 255 (decimal).
Example: 3
wireguards object[]
Top-level configuration and state for Wireguard interfaces.
The addresses configured on this interface. Each address must be a valid IP prefix in CIDR notation.
gateway object
The gateway for the network interface.
The gateway address for the IPv4 networking stack. Note that there must only be one IPv4 gateway configured across all the interfaces.
The gateway address for the IPv6 networking stack. Note that there must only be one IPv6 gateway configured across all the interfaces.
The MTU (Maximum Transmission Unit) to be used on this interface.
Default: 1420
The name of the network interface.
peers object[]
The list of Wireguard peers.
A list of IPv4/IPv6 addresses with a CIDR mask. The list indicates the addresses from which the peer is allowed to connect. Catch-all entries are expressed as 0.0.0.0/0 (IPv4) and ::/0 (IPv6).
Remote endpoint of the Wireguard tunnel, in the form host:port, where host can be an IPv4/IPv6 address or a hostname, and port is a port number.
The base64 encoded public key of the Wireguard peer.
This enables the point-to-point mode on the interface, meaning that it is a direct link between two machines with nobody else listening on it.
The port to listen on.
routes object[]
The routes for the network interface.
An optional human-readable string to comment on this route.
The source IP address for traffic going through the route.
The metric for the route. The lower its value, the higher its priority.
Example: 10
The sequence id determines the order of the route entries.
Example: 3
The destination prefix in CIDR notation of this route.
The next hop address which should be used for the prefix.
management object
The necessary configuration data for the management of the Anapaya appliance.
api object
Anapaya appliance management API configuration.
basic_auth object
Basic auth configuration that restricts the access to the Anapaya appliance management API.
Enable basic authentication for the Anapaya appliance management API.
users object[]
List of basic auth user credentials that are authorized to access the management API.
The user password hashed based on the hash algorithm indicated by the prefix in the string. The string takes the following form based on the Unix crypt function:
$id[$param=value(,param=value)*][$salt[$hash]]
Supported hash functions are:
- $2y$: bcrypt
The 'appliance-cli' or the 'htpasswd' tool can be used to create a password hash. E.g., 'appliance-cli crypto kdf hash' or 'htpasswd -nB -C 12 admin' prompts for a password.
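As an added illustration (not Anapaya's code), a pre-deployment lint for this field: it parses the bcrypt crypt string described above, checks its shape and cost factor, and flags plaintext passwords, unsupported schemes and weak costs before the configuration is pushed. The user-entry keys 'name' and 'password' are assumed for illustration, and the "ok" sample hash is a synthetic string with the right shape, not a real digest.

```python
"""Pre-deployment check for the password-hash field of management API basic_auth users.

Constructed illustration, not Anapaya code. It checks only the shape of a
bcrypt crypt string ($2y$<cost>$<22-char salt><31-char digest>) and its cost
factor, so a plaintext password, a truncated hash or a weak cost is caught
before the configuration is pushed. It does not verify passwords, which would
need a bcrypt implementation.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Mapping, Optional, Tuple

# The page lists $2y$ as the only supported scheme. $2a$ and $2b$ are the
# other common bcrypt identifiers; they are parsed so the report can name them.
SUPPORTED_SCHEMES = {"2y"}
# Lower bound taken from the 'htpasswd -nB -C 12' invocation quoted on the page.
MIN_RECOMMENDED_COST = 12

# bcrypt layout after the scheme: a two-digit cost, then 22 salt characters and
# 31 digest characters from bcrypt's own base64 alphabet (./A-Za-z0-9).
_BCRYPT_RE = re.compile(
    r"^\$(?P<scheme>2[aby]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


@dataclass(frozen=True)
class HashReport:
    ok: bool                              # True when the entry can be deployed as-is
    scheme: Optional[str] = None
    cost: Optional[int] = None
    salt: Optional[str] = None
    digest: Optional[str] = None
    findings: Tuple[str, ...] = ()        # human-readable problems, empty when ok


def inspect_password_hash(value: str) -> HashReport:
    """Parse one password-hash field and report anything that should block deployment."""
    if not value.startswith("$"):
        # The most common mistake: a plaintext password pasted into the hash field.
        return HashReport(False, findings=(
            "value has no '$id$' prefix, so it is not a crypt string (plaintext password?)",))
    match = _BCRYPT_RE.match(value)
    if match is None:
        scheme = value.split("$")[1]
        if scheme in ("2", "2a", "2b", "2y"):
            return HashReport(False, scheme=scheme, findings=(
                f"malformed bcrypt string: expected ${scheme}$NN$ followed by 53 base64 characters",))
        return HashReport(False, scheme=scheme or None, findings=(
            f"unsupported scheme '${scheme}$'; only $2y$ (bcrypt) is supported",))

    scheme, cost = match["scheme"], int(match["cost"])
    findings = []
    if scheme not in SUPPORTED_SCHEMES:
        findings.append(f"scheme '${scheme}$' is not supported; rehash with $2y$ (bcrypt)")
    if not 4 <= cost <= 31:
        findings.append(f"cost {cost} is outside bcrypt's valid range 4..31")
    elif cost < MIN_RECOMMENDED_COST:
        findings.append(f"cost {cost} is below the recommended minimum of {MIN_RECOMMENDED_COST}")
    return HashReport(not findings, scheme, cost, match["salt"], match["digest"], tuple(findings))


def audit_users(users: Iterable[Mapping[str, str]]) -> Dict[str, Tuple[str, ...]]:
    """Return {user name: findings} for every basic_auth user whose hash has a problem.

    The keys 'name' and 'password' are assumed here for illustration; the
    schema's actual field names are not reproduced on the page.
    """
    problems: Dict[str, Tuple[str, ...]] = {}
    for user in users:
        report = inspect_password_hash(user["password"])
        if not report.ok:
            problems[user["name"]] = report.findings
    return problems


# Constructed sample entries. The first hash is the example quoted on the page;
# the 'ok' entry is a synthetic string with the right shape and cost, not a real digest.
SAMPLE_USERS = [
    {"name": "admin", "password": "$2y$10$QNodxwKFABMWu4XlFPmZDOSfqxrsqNvrSn487lCi7tJ/4nTsT/f02"},
    {"name": "ops", "password": "s3cret-plaintext"},
    {"name": "legacy", "password": "$6$saltsalt$notabcrypthash"},
    {"name": "ok", "password": "$2y$12$" + "A" * 22 + "B" * 31},
]

if __name__ == "__main__":
    for name, findings in audit_users(SAMPLE_USERS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```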
Example: $2y$10$QNodxwKFABMWu4XlFPmZDOSfqxrsqNvrSn487lCi7tJ/4nTsT/f02
Name of the user.
Example: admin
listeners object[]
List of management API listeners that define where the API is exposed.
An address that is used to expose the Anapaya appliance management API. This can be either a combination of an IP address and a fixed port, or a SCION address. The address must be specified as ip:port for IPv4, [ip]:port for IPv6 and [ISD-AS,ip]:port for SCION.
Example: 127.0.0.1:443
Description, or comment, for the listener.
oauth object
Open authorization (OAuth) configuration that can authorize users who want to access the Anapaya appliance management API.
Whether the feature is enabled.
Default: false
identity_providers object[]
The identity providers. Currently only one is supported.
The base URL for the identity provider.
Example: https://anapaya.eu.auth0.com/
The client ID for this identity provider.
The client secret for this identity provider.
The identifier of the provider. Must be unique among all providers.
The URL for fetching the open ID configuration.
Example: https://anapaya.eu.auth0.com/.well-known/openid-configuration
The tenant ID for Azure AD.
The type of the provider.
Possible values: [GENERIC, AZURE_AD]
roles object[]
Roles configuration used for OAuth.
List of aliases for the role. This is useful for mapping different role names from different identity providers to the same role in the appliance. If no aliases are configured for a role, the default aliases are 'appliance.
Name of the role.
token_verification_keys object[]
Keys to verify JWTs.
The identifier of the key. Must be unique among all keys.
Example: anapaya.auth0
URL for fetching JSON Web Key Sets.
Example: https://anapaya.eu.auth0.com/.well-known/jwks.json
Whether the management API is allowed to be exposed without authentication. Always make sure to properly protect your API.
Default: false
The hostname of the Anapaya appliance host. It is used to identify the host in the telemetry data; thus, each host should have a unique hostname.
Default: anapaya-appliance
Example: edge.geneva.corpbank
remote_repository object
Remote repository configuration.
cloudsmith object
The configuration data for the cloudsmith repository. This section is provided only when the remote repository is cloudsmith.
The token used to access the remote cloudsmith repository. It must be of the form <api_key>#<entitlement_token>
Example: APIKEY#ENTITLEMENTTOKEN
The URL which is used to access the cloudsmith repository.
Example: https://cloudsmith.io/anapaya/repos/external
The type of remote repository used for storing the software packages.
Possible values: [CLOUDSMITH]
ssh object
Configuration for SSH access to the Anapaya appliance.
Whether password login is enabled for SSH access to the Anapaya appliance.
Default: false
users object[]
Users with SSH access to the Anapaya appliance.
ssh_keys object[]
List of SSH keys that are authorized for the given user. This list is authoritative and overwrites the list of existing SSH keys in the user's authorized_keys file.
Description or comment for the key.
The SSH public key of the user.
Example: ssh-rsa AAAAB3NzaC1yc2
The Unix username of the user.
Example: anapaya
telemetry object
Anapaya appliance telemetry configuration.
The address where the telemetry data is exposed. This is a combination of an IP address and a fixed port. The address must be specified as host:port, where host can be empty. An empty address indicates a wildcard address. If the address is not specified or the IP is empty and the port is zero, only the management API address exposes the telemetry data.
Default: :42001
flow_metrics object
Configuration for the flow-metrics feature. The gateway collects information about outgoing flows, such as the source and destination ISD-AS and IP address, in order to export the number of gateway users. The flow information is sent to the flow-collector for storage and processing.
DEPRECATED: This is only used in the old flow export mechanism. Time interval at which expired flows are cleaned up.
Default: 60s
URL of the flow-collector to which the flow metric information is sent. Supports 'http', 'https' and 'grpc' transports.
Whether the feature is enabled.
Default: false
DEPRECATED: This is only used in the old flow export mechanism. Time interval at which flow metrics are exported to the collector.
Default: 60s
Time interval after which inactive flows are considered expired and are marked for cleanup.
Default: 180s
DEPRECATED: This is only used in the old flow export mechanism. The maximum number of active flows that are expected. A flow is considered active if it has been seen in the last flow expiration interval. If the number of active flows exceeds this limit, the appliance will drop flows without reporting them.
URL of the optional HTTP(S) proxy. If set, the flow metric information is sent to the collector via the proxy.
labels object[]
List of static labels that are added to all telemetry data (e.g. logs, metrics).
Name of the label.
Value of the label.
logging object
Configuration for shipping logs to a remote log aggregation system.
The type of log aggregation system which is used.
Possible values: [LOKI]
loki object
Loki configuration.
basic_auth object
Basic auth configuration for sending log lines to Loki.
The password to use for basic auth.
The username to use for basic auth.
Example: promtail
tls_config object
Configuration for TLS connection.
insecure-skip-verify controls whether the client verifies the Loki server's certificate chain and host name. If insecure-skip-verify is true, the appliance accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to machine-in-the-middle attacks unless custom verification is used. This should be used only for testing.
Default value: false
The URL used to push logs to Loki.
Example: https://loki.anapaya.net/loki/api/v1/push
nat object
Top-level configuration and state for NAT.
snat object
Top-level configuration and state for the source NAT.
The list of IP prefixes to use as the source NAT pool.
The list of IP prefixes to exclude from the NAT. The number of IP addresses that can be excluded is limited.
The list of interfaces on which NAT is performed. These are typically interfaces connected to the local network.
scion object
Top-level configuration and state for the SCION protocol.
ases object[]
List of SCION ASes that this device is part of identified by their ISD-AS identifier.
ca_service object
SCION CPPKI (Control Plane Public Key Infrastructure) CA service configuration data. This section defines how the anapaya-scion interacts with the SCION CPPKI CA service backend. It is only required for SCION ASes that act as a CA in their respective ISD.
anapaya_vault object
The configuration data of the Anapaya SCION CPPKI CA service. This section is provided only when the CA service type is Anapaya Vault, i.e., is operated by Anapaya.
The list of addresses where the Anapaya Vault backend can be reached. This list must be non-empty.
credentials object
The necessary credentials to be logged into the Anapaya Vault backend.
The role ID used to authenticate with the Vault backend via the AppRole Authentication Method. See https://www.vaultproject.io/docs/auth/approle for more details.
The secret ID used to authenticate with the Vault backend via the AppRole Authentication Method. See https://www.vaultproject.io/docs/auth/approle for more details.
validation object
The validation option configures how the Anapaya Vault backend validates CSRs.
The subject option configures how the Anapaya Vault backend validates the subject of the CSRs.
Possible values: [MATCHING_ISD_AS, EXACT_MATCH]
external object
The configuration data for the External SCION CPPKI CA service. This section is provided only when the CA service is of type External, i.e., is not operated by Anapaya.
The address where the external SCION CPPKI CA service can be reached.
Example: 192.0.2.3:5000
The client ID that is used to authenticate with the CA service. The client ID is set in the 'sub' and 'iss' claim of the generated JWT. If unset, a generic client ID based on the ISD-AS is used.
The shared secrets between the appliance and the CA service (used to generate JWTs for authentication).
Example: shared secret
The type of CA service that is used by the appliance.
Possible values: [EXTERNAL, ANAPAYA_VAULT, IN_PROCESS]
control object
The configuration for the SCION control service. The address configures where the control service is exposed. Clients connect to this address to request control plane data.
The address of the control service. The address must be specified as host:port. If the port is 0 it will be automatically allocated.
Example: 192.168.1.1:30100
Whether the service is enabled.
Indicates whether the AS is a core AS in its ISD. A SCION core AS must only have other core ASes or child ASes as neighbors. A SCION non-core AS must only have parent, child, or peer ASes as neighbors.
cppki object
SCION CPPKI configuration for the SCION AS.
Whether automatic renewal of AS certificates should be disabled. Usually, this value should not be set. By disabling certificate renewal, the appliance is set into a manual mode where new AS certificates must be provisioned manually and periodically.
issuers object[]
The SCION CPPKI Issuers that issue certificates for the local SCION AS. The list of issuers is tried in order of their priority. If no issuers are set explicitly, the renewal process will use the issuer of the newest existing SCION CPPKI AS Certificate.
The ISD-AS identifier of the issuing AS.
Example: 1-ff00:0:120
The priority of the issuing AS. The appliance attempts to get certificates issued from the AS with the highest priority. The value 0 indicates the highest priority; higher numbers are lower priority.
Default indicates whether the respective SCION AS should be used by default as the source AS by SCION applications, e.g., scion ping or scion showpaths. A configuration with more than one default AS is rejected because there can only be one default AS. If only a single AS is configured, it is the default. Therefore, this setting is only necessary if multiple ASes are configured on the appliance.
Default value: false
details object
User-defined details about the SCION AS for informational purposes.
User-defined description, or comment, that describes this SCION AS.
SCION AS name for informational purposes.
The forwarding key for this AS. Note that changing this key might result in a network disruption and it is therefore not recommended.
ISD-AS identifier of the SCION AS.
Example: 1-ff00:0:110
neighbors object[]
List of neighbor SCION ASes that this device is connected to via one or multiple SCION interfaces. Each entry is identified by the remote ISD-AS.
Description, or comment, for the neighbor AS.
interfaces object[]
SCION interfaces on this device that link to the neighbor AS.
UDP/IP underlay endpoint of the SCION Interface. The data plane traffic is received on this address. The address must be specified as host:port. Both host and port must be specified.
Example: 169.254.0.1:30100
Administrative state of the SCION interface.
Experimental: Currently only UP is supported.
Possible values: [UP, ADMIN_DOWN, DATAPLANE_ONLY]
bfd object
SCION interface BFD configuration. BFD is used to detect faults on the link to the neighbor AS.
The minimum interval between transmission of BFD control packets that the operator desires. This value is advertised to the peer, however the actual interval used is specified by taking the maximum of desired-minimum-tx-interval and the value of the remote required-minimum-receive interval value. This value is specified as an integer number of microseconds.
The number of packets that must be missed to declare this session as down. The detection interval for the BFD session is calculated by multiplying the value of the negotiated transmission interval by this value.
Possible values: >= 1 and <= 0
If set to true, then the BFD session is enabled on the SCION interface - if it is set to false, BFD is disabled on that SCION interface. When disabled, the health of the interface is not tracked and it is assumed to be healthy. Note that the remote side of this SCION interface should have the same setting for enabled.
Default value: true
The minimum interval between received BFD control packets that this system should support. This value is advertised to the remote peer to indicate the maximum frequency (i.e., minimum inter-packet interval) between BFD control packets that is acceptable to the local system.
Description, or comment, for the SCION interface.
Flag to activate SCION RSS for this link. If activated, the router utilizes UDP source port entropy on the underlay such that the remote router can leverage RSS for SCION traffic. This can greatly improve throughput performance. For low throughput SCION links (up to 1 Gbps), enabling SCION RSS is not necessary. Before enabling this feature, please ensure that the remote router supports SCION RSS.
Default value: false
SCION interface identifier. It must be unique in the SCION AS.
Possible values: >= 1 and <= 0
remote object
Remote SCION interface endpoint of the link.
UDP/IP underlay endpoint of the SCION Interface. The data plane traffic is received on this address. The address must be specified as host:port. Both host and port must be specified.
Example: 169.254.0.1:30100
SCION interface identifier. It must be unique in the SCION AS.
Possible values: >= 1 and <= 0
The maximum transmission unit in bytes for SCION packets. This represents the protocol data unit (PDU) of the SCION layer on this interface and is usually calculated as maximum Ethernet payload - IP Header - UDP Header.
Default value: 1472. Example: 1472
ISD-AS number of the neighbor AS.
Example: 2-ff00:0:210
The relationship to the neighbor AS. If the local AS is core, this value must be either CORE or CHILD. If the local AS is non-core, this value must be either PARENT, CHILD or PEER.
Possible values: [CORE, CHILD, PARENT, PEER]
router object
The configuration for the SCION router service. The address configures where the router is exposed. AS internal hosts send SCION data plane traffic to this address for forwarding over the local SCION interfaces.
Whether the service is enabled.
The address of internal SCION interface of the router. The address must be specified as host:port. If the port is 0 it will be automatically allocated.
Example: 192.168.1.1:30100
The maximum transmission unit in bytes for SCION packets. This represents the protocol data unit (PDU) of the SCION layer on this interface and is usually calculated as maximum Ethernet payload - IP Header - UDP Header.
Default value: 1472. Example: 1472
The control and the data plane of a SCION AS are split into multiple shards. Each shard is responsible for processing and disseminating path information only for a subset of links. This field is the ID of the shard to which the control service and the router on this appliance belong. It is recommended to run the router and the control service of the same shard on the same host; if they are not, the routers and the control service in the same shard need mutual IP connectivity. Each shard must contain only a single control service.
synchronization object
The synchronization configuration contains the configuration for SCION path and beacon synchronization.
The interval between two consecutive beacon synchronization attempts to the cluster peers. It requires a unit suffix out of ['d', 'h', 'm', 's']. The encoding consists of a decimal number concatenated with a suffix; for example, '5s', '10m', '12h', and '1d'.
Default value: 4s
The interval between two consecutive path segment synchronization attempts to cluster peers. It requires a unit suffix out of ['d', 'h', 'm', 's']. The encoding consists of a decimal number concatenated with a suffix; for example, '5s', '10m', '12h', and '1d'.
Default value: 4s
scion_tunneling object
Top-level configuration and state for IP-in-SCION tunneling.
domains object[]
List of domains that define the rules by which IP packets are routed. A domain is a subset of the IP space that shares the same policies.
Whether this domain is the default domain. The default domain is assumed to accept the whole IP space that is not covered by other domains. Because of this it may not specify an accept-filter.
Optional description, or comment, for the domain.
Example: The domain. It matches all packets and allows any path to be used.
The payload encryption mode for the domain.
Possible values: [DISABLED, ENABLED, OPTIONAL]
List of local ISD-AS identifiers that belong to this domain. Traffic towards remote ISD-ASes is guaranteed to only use paths that start at one of these local ISD-ASes.
The name of the domain.
Example: Default Domain
prefixes object
List of IP prefix matchers to filter the announced and received prefixes.
accept_filter object[]
List of IP prefix matchers that define which prefixes announced by remote ISD-ASes are accepted. Only the matching subset of a prefix announced by a remote ISD-AS is accepted for routing.
Specifies the matcher's action.
Possible values: [ACCEPT, REJECT]
Optional description for the prefix matcher.
The list of IP prefixes used for matching. The matcher matches all IP prefixes that are contained in the union of the specified IP prefixes, i.e. it matches all listed prefixes as well as their contained more specific prefixes.
["192.168.1.0/24"]The sequence ID determines the order in which sequence the prefix matchers are applied. The sequence ID must be unique for each entry. Target devices apply the prefix matchers in order of ascending sequence ID (low to high) accepting all IPs that are in accepted matchers and rejecting the ones that are in rejected matchers.
1announce_filter object[]
List of IP prefix matchers to filter prefixes announced to remotes. The prefixes to be announced are configured in the static announcements or BGP. Only the subset of the routes that matches the announce filter is advertised to the remotes.
Specifies the matcher's action.
Possible values: [ACCEPT, REJECT]
Optional description for the prefix matcher.
The list of IP prefixes used for matching. The matcher matches all IP prefixes that are contained in the union of the specified IP prefixes, i.e. it matches all listed prefixes as well as their contained more specific prefixes.
["192.168.1.0/24"]The sequence ID determines the order in which sequence the prefix matchers are applied. The sequence ID must be unique for each entry. Target devices apply the prefix matchers in order of ascending sequence ID (low to high) accepting all IPs that are in accepted matchers and rejecting the ones that are in rejected matchers.
1remote_isd_ases object[]
List of remote ISD-AS identifiers that belong to this domain. Prefix announcements will be accepted from these remote ISD-ASes. All IP traffic will be tunneled over paths that end in one of these remote ISD-ASes.
Specifies the matcher's action.
Possible values: [ACCEPT, REJECT]
Description for the remote matcher.
The ISD-AS identifier. The matcher matches the ISD-AS identifier of a SCION AS. 0 indicates a wildcard (both for ISD and AS).
Example: 0-ff00:0:310
The sequence ID determines the order in which the remote matchers are applied. The sequence ID must be unique for each entry. Target devices apply the remote matchers in order of ascending sequence ID (low to high).
Example: 1
traffic_policies object[]
List of traffic policies that configure the types of traffic that are tunneled via this domain and the tunnel properties. A traffic policy defines a matcher on the IP traffic (the traffic matcher). If the IP traffic matches, it is tunneled to the remote SCION AS. Acceptable paths for the tunnel are defined via the path policy.
The optional description of the traffic policy.
Example: Default traffic policy
failover_sequence object[]
A list of failover sequence entries, each of them associated with a path filter. If there's no live path left after applying the first filter the second one is tried and so on.
Name of the path filter associated with the failover sequence entry.
Sequence number of the failover sequence entry. Sequence numbers define the ordering of the items, which in turn determines how the failover between different path filters happens.
Example: 1
The sequence ID determines the order in which the traffic policies are applied. The sequence ID must be unique for each entry. Target devices try to find the first entry with a matching traffic matcher in ascending order determined by the sequence ID (low to high).
Example: 1
Reference to the traffic matcher that is used by this policy. The traffic matcher is a selector for the IP packets covered by this traffic policy.
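The accept_filter and announce_filter lists above are ordered prefix matchers: they run in ascending sequence ID, ACCEPT and REJECT decide the portions of an announced prefix they cover, and only the matching subset of an announced prefix is accepted. The evaluator below is an added example written for this page, not Anapaya's code or API; the PrefixMatcher model, the sample matchers, and the rule that a portion covered by no matcher is not accepted are assumptions made here.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class PrefixMatcher:
    """One accept_filter / announce_filter entry (constructed model, not the appliance's API)."""
    sequence_id: int
    action: str            # "ACCEPT" or "REJECT"
    prefixes: tuple        # IP prefixes in CIDR notation
    description: str = ""


def _overlap(a, b):
    """Return the part common to two CIDR networks, or None if they are disjoint.

    CIDR blocks are either nested or disjoint, so when they share addresses
    the overlap is simply the smaller of the two.
    """
    if a.version != b.version:
        return None
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def validate_matchers(matchers):
    """Enforce the page's constraints: unique sequence IDs, ACCEPT/REJECT actions.

    Returns the matchers sorted by ascending sequence ID, the order in which
    they are applied.
    """
    ids = [m.sequence_id for m in matchers]
    if len(ids) != len(set(ids)):
        raise ValueError("sequence IDs must be unique")
    for m in matchers:
        if m.action not in ("ACCEPT", "REJECT"):
            raise ValueError(f"unknown action {m.action!r}")
    return sorted(matchers, key=lambda m: m.sequence_id)


def filter_prefix(matchers, announced):
    """Return the sub-prefixes of `announced` that the matcher list accepts.

    Matchers are applied low to high sequence ID. The first matcher whose
    prefixes overlap a still-undecided part of `announced` decides that part.
    Anything no matcher covers is not accepted (assumption, consistent with
    the page's statement that only the matching subset is accepted).
    """
    undecided = [ip_network(announced)]
    accepted = []
    for m in validate_matchers(matchers):
        for text in m.prefixes:
            matcher_net = ip_network(text)
            remaining = []
            for part in undecided:
                hit = _overlap(part, matcher_net)
                if hit is None:
                    remaining.append(part)
                    continue
                if m.action == "ACCEPT":
                    accepted.append(hit)
                # Whatever is left of this part outside the hit is still undecided.
                if hit != part:
                    remaining.extend(part.address_exclude(hit))
            undecided = remaining
    return [str(net) for net in sorted(accepted)]


# Constructed sample: carve a /25 out first, then accept the rest of 192.168.0.0/16.
SAMPLE_ACCEPT_FILTER = (
    PrefixMatcher(1, "REJECT", ("192.168.1.128/25",), "no DMZ hosts"),
    PrefixMatcher(2, "ACCEPT", ("192.168.0.0/16",), "site prefix"),
)

if __name__ == "__main__":
    for announced in ("192.168.1.0/24", "192.168.2.0/24", "10.0.0.0/8"):
        print(announced, "->", filter_prefix(SAMPLE_ACCEPT_FILTER, announced))
```

Swapping the two sequence IDs in the sample changes the result for 192.168.1.0/24 from 192.168.1.0/25 to the whole /24, because the broad ACCEPT then decides the prefix before the REJECT is ever consulted; that ordering is the thing to check whenever a filter is meant to carve an exception out of a wider accept.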
endpoint object
Local IP-in-SCION tunnel endpoint configuration
allowed_interfaces object[]
The SCION interfaces for each local SCION AS that are allowed to be used by this IP-in-SCION tunneling endpoint. This can be used to control incoming traffic, e.g., if a tunnel endpoint should only be reachable via SCION interfaces 1 and 2, allowed-interfaces should list them explicitly. Remote tunnel endpoints will then only choose paths entering the respective local AS via SCION interface 1 or 2. If the IP-in-SCION tunneling endpoint on this appliance should be reachable via a SCION interface of a peer appliance, the allowed-interfaces list must be configured with the respective SCION interface of the peer appliance. By default the list is empty, in this case the appliance will automatically configure the locally configured SCION interfaces as allowed-interfaces. Automatic configuration is disabled if topology synchronization is enabled or if disable_auto_allowed_interfaces is set.
List of allowed interfaces for this SCION AS
Example: [2,3]
The SCION AS where the list of allowed interfaces applies. Packets to this IP-in-SCION tunnel endpoint in this SCION AS will only arrive on the listed interfaces.
Port number for control traffic. The control address is constructed from the IP address and this control port. The control address is used to exchange IP routing information as part of SGRP. If not set, or zero, the control port will be dynamically allocated.
Example: 40201
Port number for data traffic. The data address is constructed from the IP address and this data port. The data address is used for the IP-in-SCION encapsulated traffic stream. If not set, or zero, the data port will be dynamically allocated.
Example: 40200
Optional description of the IP-in-SCION tunnel endpoint.
Whether the automatic configuration of allowed interfaces should be disabled. When disabled, the IP-in-SCION tunneling endpoint will be reached by remote endpoints on all SCION interfaces of the locally configured AS. When enabled (default), the local IP-in-SCION tunneling endpoint will only be reached by remote endpoints on the SCION interfaces that are configured on the local appliance.
Flag to disable uRPF. When enabled (default), the gateway performs strict URPF for all the received IP-in-SCION-tunneled traffic, checking that incoming IP packets have a source address that is within the announced prefixes by a remote gateway, and that the SCION packets are sent from a valid remote ISD-AS and are encrypted as configured in the associated domain.
Flag to activate SCION RSS. If activated, the gateway utilizes UDP source port entropy on the underlay such that EDGE and CORE routers can leverage RSS for SCION traffic. This can greatly improve throughput performance.
Default value: true
Whether this endpoint is enabled.
encryption object
Payload encryption configuration for the IP-in-SCION tunnel endpoint.
Whether the payload encryption module is enabled. With payload encryption enabled, the IP packets are encrypted and authenticated before being sent to a remote tunnel endpoint for domains that have the payload encryption enabled. Note that this flag only enables the payload encryption system. Each domain for which payload encryption should be used must still explicitly enable it.
The maximum number of Security Associations (SAs) that can be established with a single remote AS. If the limit is reached, new SAs from all endpoints in that AS will be rejected.
Default value: 1000. Example: 1000
Port number for the secure data traffic. The address is constructed from the endpoint IP address and this port. If not set, or zero, the secure data port will be dynamically allocated.
Example: 40203
The maximum number of Security Associations (SAs) that can be established with remote tunnel endpoints. If the limit is reached, new SAs will be rejected.
Default value: 100000. Example: 100000
IP address of the local IP-in-SCION endpoint.
Example: 192.168.1.100
Port number for probing traffic. The probe address is constructed from the IP address and this probe port. The probe address is used by remote tunnel endpoints in their health probing. If not set, or zero, the probe port will be dynamically allocated.
Example: 40202
path_filters object[]
List of path filters that can be referenced by name from path policies. A path filter defines a set of paths by applying the filter to all available paths.
The ACL that is applied on the path. An ACL consists of a list of ACL entries. Each ACL entry has the form action hop-predicate, where the action can either be accept (+) or deny (-). The hop predicate is optional and has the form isd-as#interface, where isd is the ISD identifier, as is the AS identifier, and interface is the interface identifier of a SCION path hop. The hop predicate can be fully or partially qualified, i.e., all entries of the hop predicate are optional or can include wildcards (0). If no hop predicate is specified the action matches every hop, i.e., a single '+' is the default accept action and a single '-' is the default deny action. The ACL is applied by sequentially applying all ACL entries to paths. If the ACL is empty, it defaults to accepting all paths.
Example: ["+ 64-0"]
Description, or comment, for the path filter.
Example: Match only paths in the Swiss Isolation Domain (ID 64).
The sequence of hop predicates that a path has to match to be accepted. Each hop predicate can optionally be extended with a modifier '*' or '+'. The '*' modifier means 0 or more occurrences. The '+' modifier means one or more occurrences.
Example: 0* 64+ 0+
Name of the path filter. This value is used by the path policy to reference the path filter.
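The ACL and sequence syntax described for path_filters above is small enough to evaluate in a few dozen lines. The evaluator below is an added example written for this page, not Anapaya's implementation: it models a path as a list of (ISD, AS, interface) hops, treats a hop matched by no ACL entry as denied (an assumption, under which the page's own example ACL '+ 64-0' keeps only paths that stay inside ISD 64), and translates a sequence such as '0* 64+ 0+' into a regular expression over the hop list. The sample paths are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    """One SCION path hop: the AS traversed and the interface used (constructed model)."""
    isd: int
    as_: str      # AS part of the ISD-AS identifier, e.g. "ff00:0:110"
    ifid: int


@dataclass(frozen=True)
class HopPredicate:
    """isd-as#interface where 0 is a wildcard; omitted parts are wildcards as well."""
    isd: int = 0
    as_: str = "0"
    ifid: int = 0

    _SYNTAX = re.compile(r"(\d+)?(?:-([0-9a-fA-F:]+))?(?:#(\d+))?")

    @classmethod
    def parse(cls, text):
        m = cls._SYNTAX.fullmatch(text.strip())
        if m is None:
            raise ValueError(f"bad hop predicate: {text!r}")
        isd, as_, ifid = m.groups()
        return cls(int(isd or 0), (as_ or "0").lower(), int(ifid or 0))

    def matches(self, hop):
        return ((self.isd == 0 or self.isd == hop.isd)
                and (self.as_ == "0" or self.as_ == hop.as_.lower())
                and (self.ifid == 0 or self.ifid == hop.ifid))


def parse_acl(entries):
    """Parse entries of the form 'action [hop-predicate]' into (accept, predicate) pairs."""
    acl = []
    for entry in entries:
        parts = entry.split(None, 1)
        if not parts or parts[0] not in ("+", "-"):
            raise ValueError(f"bad ACL entry: {entry!r}")
        predicate = HopPredicate.parse(parts[1]) if len(parts) == 2 else HopPredicate()
        acl.append((parts[0] == "+", predicate))
    return acl


def acl_accepts(acl, path):
    """Apply the ACL to a path: each hop is decided by the first entry matching it.

    An empty ACL accepts all paths, as the page states. A hop that no entry
    matches is treated as denied (assumption: an implicit deny default).
    """
    if not acl:
        return True
    for hop in path:
        for accept, predicate in acl:
            if predicate.matches(hop):
                if not accept:
                    return False
                break
        else:
            return False
    return True


def _hop_regex(token):
    """Translate one sequence token such as '64+' or '0*' into a regex fragment."""
    modifier = ""
    if token and token[-1] in "*+":
        token, modifier = token[:-1], token[-1]
    p = HopPredicate.parse(token)
    isd = str(p.isd) if p.isd else r"\d+"
    as_ = re.escape(p.as_) if p.as_ != "0" else r"[0-9a-f:]+"
    ifid = str(p.ifid) if p.ifid else r"\d+"
    return f"(?:{isd}-{as_}#{ifid} ){modifier}"


def sequence_matches(sequence, path):
    """Check a path against a sequence such as '0* 64+ 0+' (a regex over the hop list)."""
    tokens = sequence.split()
    if not tokens:
        return True   # assumption: an empty sequence imposes no constraint
    pattern = re.compile("".join(_hop_regex(t) for t in tokens))
    encoded = "".join(f"{h.isd}-{h.as_.lower()}#{h.ifid} " for h in path)
    return pattern.fullmatch(encoded) is not None


# Constructed sample paths: one entirely inside ISD 64, one leaving it.
SWISS_ONLY = [Hop(64, "ff00:0:110", 1), Hop(64, "ff00:0:120", 2)]
LEAVES_CH = [Hop(64, "ff00:0:110", 1), Hop(65, "ff00:0:210", 5)]

if __name__ == "__main__":
    acl = parse_acl(["+ 64-0"])   # the page's own example ACL
    print(acl_accepts(acl, SWISS_ONLY), acl_accepts(acl, LEAVES_CH))
    print(sequence_matches("0* 64+ 0+", LEAVES_CH))
```

The two mechanisms compose differently: the ACL is a per-hop allow/deny decided by the first matching entry, so its order matters and a bare '+' or '-' at the end is the safest way to make the default explicit, while the sequence is a whole-path pattern, so '64+' alone is already a "never leaves ISD 64" constraint without any deny entry.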
Example: CH ISD only
remotes object[]
List of remote ISD-ASes that are connected with the gateway. The remote ISD-ASes can be referenced in the remote matchers of the domains.
Description, or comment, for the remote.
The ISD-AS of the remote.
Example: 1-ff00:0:310
static_announcements object[]
List of static routes that are advertised. The routes are only advertised to the domains with matching announce filters.
Description, or comment, for the target.
next_hop_tracking object
Container for next-hop tracking.
Whether or not this next-hop is tracked.
The routes are only distributed if the address responds to pings. This can be used to implement dynamically retractable routes without having to resort to a dynamic routing protocol.
Example: 192.168.0.1
The IP prefixes that are statically configured and advertised via SGRP.
Possible values: >= 1
["192.168.1.0/24","172.30.100.0/28"]The sequence ID defines the order of the static route entries. The sequence ID must be unique for each entry.
1traffic_matchers object[]
List of traffic matchers that can be referenced by name from a traffic policy. A matcher is used to classify traffic for tunneling. Each packet is classified based on configured traffic matchers and put in a traffic class. A traffic class is used in a traffic policy to map a path policy to a traffic class.
The condition for traffic to match this traffic matcher.
Example: BOOL=true
Description, or comment, for the traffic matcher.
Example: 'all packets' matches all packets.
Name that identifies the traffic matcher. This value is used by the traffic policy to reference the traffic matcher.
Example: all packets
system object
The necessary configuration data for the system of the Anapaya appliance.
dns object
Anapaya appliance DNS configuration.
servers object[]
List of DNS servers.
IP address of a DNS server.
kernel object
Anapaya appliance Linux kernel configuration.
Size of hugepages the kernel should allocate at boot time.
Default value: 2M
Number of hugepages the kernel should allocate at boot time. If not set, a sensible default is used based on the available memory.
Whether the IOMMU subsystem in the Linux kernel is enabled. IOMMU should be enabled on systems that support it for better performance. Note: After changing this option the appliance needs to be rebooted.
Default value: false
ntp object
Anapaya appliance NTP configuration.
Maximum acceptable root distance, i.e. the maximum estimated time required for a packet to travel to the server we are connected to from the server with the reference clock. If the current server does not satisfy this limit, the appliance will switch to a different server.
Default value: 5s. Example: 1s
servers object[]
List of NTP servers.
Address of an NTP server. This may be expressed as an IP address or an FQDN.
resources object
Anapaya appliance system resources configuration.
service_limits object[]
Configuration for per service resource limits.
The CPU limit in number of fractional CPU cores that can be used by the service. If not specified, a sensible default is chosen by the system. If set to 0, the service is not limited in terms of CPU usage.
Example: 1.5
The memory limit in bytes that can be used by the service. The limit can be specified using a string of the format
Example: 2.5G
Name of the service.
Possible values: [CA_FRONTEND, CONTROL, CRON, DAEMON, DATAPLANE, DATAPLANE_CONTROL, DISPATCHER, FRR, FRR_EXPORTER, GATEWAY, MOLE, NODE_EXPORTER, PROMTAIL, ROUTER, TELEMETRY, SHUTTLE]
vpp object
Anapaya appliance VPP configuration.
buffers object
Buffers configuration.
The size of VPP internal buffers, in bytes.
Default value: 9000
The number of VPP internal buffers. If set to 0, 3/4 of the available hugepages are used for buffers.
Default value: 0
connection object
Connection configuration.
health_check object
Health check configuration.
The interval in which a health check probe is sent to the VPP dataplane. It requires a unit suffix out of ['d', 'h', 'm', 's', 'ms', 'us', 'ns']. The encoding consists of a decimal number concatenated with a suffix; for example, '5us', '10m', '12h', and '1d'.
Default value: 1s. Example: 1s
The time in which VPP control services expect a reply from the VPP dataplane. It requires a unit suffix out of ['d', 'h', 'm', 's', 'ms', 'us', 'ns']. The encoding consists of a decimal number concatenated with a suffix; for example, '5us', '10m', '12h', and '1d'.
Default value: 250ms. Example: 250ms
The number of health checks, from VPP control services to the VPP dataplane, that are allowed to time out before the connection is considered dead.
Default value: 3. Example: 3
The number of connect attempts on start from VPP control services to the VPP dataplane.
Default value: 5. Example: 5
The interval at which a connection is attempted on start from VPP control services to the VPP dataplane. It requires a unit suffix out of ['d', 'h', 'm', 's', 'ms', 'us', 'ns']. The encoding consists of a decimal number concatenated with a suffix; for example, '5us', '10m', '12h', and '1d'.
Default value: 1s. Example: 1s
cpu object
CPU configuration.
The list of CPU cores to be used by the workers. The cores are pinned to the workers in the order they are listed. The format for the list is A,B1-Bn,C1-Cn. This setting is mutually exclusive with workers and the list must not contain the main-core.
Example: 2-3,5
The logical CPU core where the main thread runs.
Example: 1
The number of workers to be created for VPP. The workers are pinned to consecutive CPU cores. If set to 0, packet processing is performed by the main-core.
The fixed-sleep between main loop polls in the VPP dataplane. It requires a unit suffix out of ['d', 'h', 'm', 's', 'ms', 'us', 'ns']. The encoding consists of a decimal number concatenated with a suffix; for example, '5us', '10m', '12h', and '1d'. Setting it to 0 disables the fixed-sleep.
Default value: 0s
statseg object
Statseg configuration.
The size of the statseg segment. This can be specified in bytes with a suffix of kilo 'K', mega 'M', or giga 'G'. WARNING: Changing this value causes the dataplane to restart and therefore interrupts traffic.
Default value: 32M. Example: 100M
tun object
TUN configuration.
The MTU (Maximum Transmission Unit) to be used on this TUN.
Default value: 1500. Example: 1500
The list of prefixes to route from VPP to Linux.
Example: ["192.168.1.0/24"]
Example configuration body (JSON):
{
"advanced": {
"service_customizations": [
{
"disabled": false,
"service_type": "CA_FRONTEND",
"skip_template_validation": false,
"template": "string"
}
]
},
"bgp": {
"global": {
"as": 0,
"networks": [
"string"
],
"router_id": "string",
"src_address": "string"
},
"neighbors": [
{
"auth_password": "string",
"bfd": {
"desired_minimum_tx_interval": 300,
"detection_multiplier": 3,
"enabled": false,
"local_address": "string",
"minimum_ttl": 254,
"multihop": false,
"required_minimum_receive": 300
},
"description": "string",
"ebgp_multihop": 0,
"enabled": true,
"local_as": 0,
"neighbor_address": "string",
"peer_as": 0,
"timers": {
"connect_retry": 30,
"hold_time": 30,
"keepalive_interval": 10,
"minimum_advertisement_interval": 30
},
"transport": {
"local_address": "string"
},
"ttl_security": 0
}
]
},
"cluster": {
"features": {
"scion_rss": true
},
"peers": [
{
"description": "string",
"features": {
"scion_rss": false
},
"name": "string",
"scion": {
"ases": [
{
"control": {
"address": "192.168.1.1:30100"
},
"isd_as": "1-ff00:0:110",
"neighbors": [
{
"interfaces": [
{
"interface_id": 0,
"next_hop": "169.254.0.1:30100",
"scion_mtu": 1472
}
],
"neighbor_isd_as": "2-ff00:0:210",
"relationship": "CORE"
}
],
"shard_id": 0
}
]
},
"scion_tunneling": {
"endpoint": {
"allowed_interfaces": [
{
"interfaces": [
2,
3
],
"isd_as": "string"
}
],
"control_port": 40201,
"data_port": 40200,
"disable_auto_allowed_interfaces": true,
"ip": "192.168.1.100",
"probe_port": 40202
}
},
"synchronization": {
"address": "192.168.1.1:30100"
}
}
],
"synchronization": {
"address": "192.0.2.3:40000",
"node_synchronization_interval": "1m"
}
},
"experiments": {
"features": [
{
"name": "string",
"value": "string"
}
]
},
"firewall": {
"mode": "AUTO",
"tables": [
{
"chains": [
{
"chaintype": "FILTER",
"hook": "PREROUTING",
"name": "string",
"policy": "ACCEPT",
"priority": 0,
"rules": [
{
"comment": "string",
"rule": "string",
"sequence_id": 1
}
]
}
],
"counters": [
{
"name": "string"
}
],
"family": "IP",
"name": "string"
}
]
},
"interfaces": {
"bonds": [
{
"accept_ra": false,
"addresses": [
"string"
],
"gateway": {
"ipv4_gateway": "string",
"ipv6_gateway": "string"
},
"interfaces": [
"string"
],
"mac": "string",
"mtu": 1472,
"name": "string",
"neighbors": [
{
"address": "string",
"comment": "string",
"mac": "string",
"sequence_id": 3
}
],
"routes": [
{
"comment": "string",
"from": "string",
"metric": 10,
"sequence_id": 3,
"to": "string",
"via": "string"
}
],
"rx_queue_size": 2048,
"tx_queue_size": 2048,
"vrrp": [
{
"addresses": [
"string"
],
"no_preempt": false,
"peers": [
"string"
],
"priority": 17,
"vrid": 3
}
]
}
],
"ethernets": [
{
"accept_ra": false,
"addresses": [
"string"
],
"driver": "LINUX",
"gateway": {
"ipv4_gateway": "string",
"ipv6_gateway": "string"
        },
        "mac": "string",
        "mtu": 1472,
        "name": "string",
        "neighbors": [
          {
            "address": "string",
            "comment": "string",
            "mac": "string",
            "sequence_id": 3
          }
        ],
        "routes": [
          {
            "comment": "string",
            "from": "string",
            "metric": 10,
            "sequence_id": 3,
            "to": "string",
            "via": "string"
          }
        ],
        "rx_queue_size": 2048,
        "tx_queue_size": 2048,
        "vpp": {
          "vlan_strip_offload": false
        },
        "vrrp": [
          {
            "addresses": [
              "string"
            ],
            "no_preempt": false,
            "peers": [
              "string"
            ],
            "priority": 17,
            "vrid": 3
          }
        ]
      }
    ],
    "loopbacks": [
      {
        "addresses": [
          "string"
        ],
        "name": "string"
      }
    ],
    "virtual_functions": [
      {
        "accept_ra": false,
        "addresses": [
          "string"
        ],
        "gateway": {
          "ipv4_gateway": "string",
          "ipv6_gateway": "string"
        },
        "link": "string",
        "mac": "string",
        "mtu": 1472,
        "name": "string",
        "neighbors": [
          {
            "address": "string",
            "comment": "string",
            "mac": "string",
            "sequence_id": 3
          }
        ],
        "routes": [
          {
            "comment": "string",
            "from": "string",
            "metric": 10,
            "sequence_id": 3,
            "to": "string",
            "via": "string"
          }
        ],
        "rx_queue_size": 2048,
        "tx_queue_size": 2048,
        "vrrp": [
          {
            "addresses": [
              "string"
            ],
            "no_preempt": false,
            "peers": [
              "string"
            ],
            "priority": 17,
            "vrid": 3
          }
        ]
      }
    ],
    "vlans": [
      {
        "accept_ra": false,
        "addresses": [
          "string"
        ],
        "gateway": {
          "ipv4_gateway": "string",
          "ipv6_gateway": "string"
        },
        "id": 0,
        "link": "string",
        "mac": "string",
        "mtu": 1472,
        "name": "string",
        "neighbors": [
          {
            "address": "string",
            "comment": "string",
            "mac": "string",
            "sequence_id": 3
          }
        ],
        "routes": [
          {
            "comment": "string",
            "from": "string",
            "metric": 10,
            "sequence_id": 3,
            "to": "string",
            "via": "string"
          }
        ],
        "rx_queue_size": 2048,
        "tx_queue_size": 2048,
        "vrrp": [
          {
            "addresses": [
              "string"
            ],
            "no_preempt": false,
            "peers": [
              "string"
            ],
            "priority": 17,
            "vrid": 3
          }
        ]
      }
    ],
    "wireguards": [
      {
        "addresses": [
          "string"
        ],
        "gateway": {
          "ipv4_gateway": "string",
          "ipv6_gateway": "string"
        },
        "mtu": 1420,
        "name": "string",
        "peers": [
          {
            "allowed_ips": [
              "string"
            ],
            "endpoint": "string",
            "public_key": "string"
          }
        ],
        "pointopoint": "string",
        "port": 0,
        "routes": [
          {
            "comment": "string",
            "from": "string",
            "metric": 10,
            "sequence_id": 3,
            "to": "string",
            "via": "string"
          }
        ]
      }
    ]
  },
  "management": {
    "api": {
      "basic_auth": {
        "enabled": true,
        "users": [
          {
            "password_hashed": "$2y$10$QNodxwKFABMWu4XlFPmZDOSfqxrsqNvrSn487lCi7tJ/4nTsT/f02",
            "username": "admin"
          }
        ]
      },
      "listeners": [
        {
          "address": "127.0.0.1:443",
          "description": "string"
        }
      ],
      "oauth": {
        "enabled": false,
        "identity_providers": [
          {
            "base_auth_url": "https://anapaya.eu.auth0.com/",
            "client_id": "string",
            "client_secret": "string",
            "id": "string",
            "metadata_url": "https://anapaya.eu.auth0.com/.well-known/openid-configuration",
            "tenant_id": "string",
            "type": "GENERIC"
          }
        ],
        "roles": [
          {
            "aliases": [
              "string"
            ],
            "role": "string"
          }
        ],
        "token_verification_keys": [
          {
            "id": "anapaya.auth0",
            "jwks_url": "https://anapaya.eu.auth0.com/.well-known/jwks.json"
          }
        ]
      },
      "unprotected": false
    },
    "hostname": "edge.geneva.corpbank",
    "remote_repository": {
      "cloudsmith": {
        "access_token": "APIKEY#ENTITLEMENTTOKEN",
        "url": "https://cloudsmith.io/anapaya/repos/external"
      },
      "repository_type": "CLOUDSMITH"
    },
    "ssh": {
      "enable_password_login": false,
      "users": [
        {
          "ssh_keys": [
            {
              "description": "string",
              "key": "ssh-rsa AAAAB3NzaC1yc2"
            }
          ],
          "username": "anapaya"
        }
      ]
    },
    "telemetry": {
      "address": ":42001",
      "flow_metrics": {
        "cleanup_task_interval": "60s",
        "collector_url": "string",
        "enabled": false,
        "export_task_interval": "60s",
        "flow_expiration_interval": "180s",
        "max_active_flows": 0,
        "proxy_url": "string"
      },
      "labels": [
        {
          "label": "string",
          "value": "string"
        }
      ],
      "logging": {
        "logging_type": "LOKI",
        "loki": {
          "basic_auth": {
            "password": "string",
            "username": "promtail"
          },
          "tls_config": {
            "insecure_skip_verify": false
          },
          "url": "https://loki.anapaya.net/loki/api/v1/push"
        }
      }
    }
  },
  "nat": {
    "snat": {
      "address_pool": [
        "string"
      ],
      "exclude": [
        "string"
      ],
      "interfaces": [
        "string"
      ]
    }
  },
  "scion": {
    "ases": [
      {
        "ca_service": {
          "anapaya_vault": {
            "addresses": [
              "string"
            ],
            "credentials": {
              "role_id": "string",
              "secret_id": "string"
            },
            "validation": {
              "subject": "MATCHING_ISD_AS"
            }
          },
          "external": {
            "address": "192.0.2.3:5000",
            "client_id": "string",
            "shared_secret": "shared secret"
          },
          "service_type": "EXTERNAL"
        },
        "control": {
          "address": "192.168.1.1:30100",
          "enabled": true
        },
        "core": true,
        "cppki": {
          "disable_auto_renewal": true,
          "issuers": [
            {
              "isd_as": "1-ff00:0:120",
              "priority": 0
            }
          ]
        },
        "default": false,
        "details": {
          "description": "string",
          "name": "string"
        },
        "forwarding_key": "string",
        "isd_as": "1-ff00:0:110",
        "neighbors": [
          {
            "description": "string",
            "interfaces": [
              {
                "address": "169.254.0.1:30100",
                "administrative_state": "UP",
                "bfd": {
                  "desired_minimum_tx_interval": 0,
                  "detection_multiplier": 0,
                  "enabled": true,
                  "required_minimum_receive": 0
                },
                "description": "string",
                "enable_scion_rss": false,
                "interface_id": 0,
                "remote": {
                  "address": "169.254.0.1:30100",
                  "interface_id": 0
                },
                "scion_mtu": 1472
              }
            ],
            "neighbor_isd_as": "2-ff00:0:210",
            "relationship": "CORE"
          }
        ],
        "router": {
          "enabled": true,
          "internal_interface": "192.168.1.1:30100"
        },
        "scion_mtu": 1472,
        "shard_id": 0
      }
    ],
    "synchronization": {
      "beacon_synchronization_interval": "4s",
      "path_segment_synchronization_interval": "4s"
    }
  },
  "scion_tunneling": {
    "domains": [
      {
        "default": true,
        "description": "The domain. It matches all packets and allows any\npath to be used.",
        "encryption": "DISABLED",
        "local_isd_ases": [
          "string"
        ],
        "name": "Default Domain",
        "prefixes": {
          "accept_filter": [
            {
              "action": "ACCEPT",
              "description": "string",
              "prefixes": [
                "192.168.1.0/24"
              ],
              "sequence_id": 1
            }
          ],
          "announce_filter": [
            {
              "action": "ACCEPT",
              "description": "string",
              "prefixes": [
                "192.168.1.0/24"
              ],
              "sequence_id": 1
            }
          ]
        },
        "remote_isd_ases": [
          {
            "action": "ACCEPT",
            "description": "string",
            "isd_as": "0-ff00:0:310",
            "sequence_id": 1
          }
        ],
        "traffic_policies": [
          {
            "description": "Default traffic policy",
            "failover_sequence": [
              {
                "path_filter": "string",
                "sequence_id": 1
              }
            ],
            "sequence_id": 1,
            "traffic_matcher": "string"
          }
        ]
      }
    ],
    "endpoint": {
      "allowed_interfaces": [
        {
          "interfaces": [
            2,
            3
          ],
          "isd_as": "string"
        }
      ],
      "control_port": 40201,
      "data_port": 40200,
      "description": "string",
      "disable_auto_allowed_interfaces": true,
      "disable_urpf": true,
      "enable_scion_rss": true,
      "enabled": true,
      "encryption": {
        "enabled": true,
        "per_remote_sa_limit": 1000,
        "port": 40203,
        "total_sa_limit": 100000
      },
      "ip": "192.168.1.100",
      "probe_port": 40202
    },
    "path_filters": [
      {
        "acl": [
          "+ 64-0"
        ],
        "description": "Match only paths in the Swiss Isolation Domain (ID 64).",
        "hop_pattern": "0* 64+ 0+",
        "name": "CH ISD only"
      }
    ],
    "remotes": [
      {
        "description": "string",
        "isd_as": "1-ff00:0:310"
      }
    ],
    "static_announcements": [
      {
        "description": "string",
        "next_hop_tracking": {
          "disabled": true,
          "target": "192.168.0.1"
        },
        "prefixes": [
          "192.168.1.0/24",
          "172.30.100.0/28"
        ],
        "sequence_id": 1
      }
    ],
    "traffic_matchers": [
      {
        "condition": "BOOL=true",
        "description": "'all packets' matches all packets.",
        "name": "all packets"
      }
    ]
  },
  "system": {
    "dns": {
      "servers": [
        {
          "address": "string"
        }
      ]
    },
    "kernel": {
      "hugepage_size": "2M",
      "hugepages": 0,
      "iommu_enabled": false
    },
    "ntp": {
      "root_distance_max": "1s",
      "servers": [
        {
          "address": "string"
        }
      ]
    },
    "resources": {
      "service_limits": [
        {
          "cpu": 1.5,
          "memory": "2.5G",
          "name": "CA_FRONTEND"
        }
      ]
    },
    "vpp": {
      "buffers": {
        "data_size": 9000,
        "num_buffers": 0
      },
      "connection": {
        "health_check": {
          "probe_interval": "1s",
          "reply_timeout": "250ms",
          "threshold": 3
        },
        "reconnect_attempts": 5,
        "reconnect_interval": "1s"
      },
      "cpu": {
        "corelist_workers": "2-3,5",
        "main_core": 1,
        "workers": 0
      },
      "poll_sleep": "0s",
      "statseg": {
        "size": "100M"
      },
      "tun": {
        "mtu": 1500,
        "prefixes": [
          "192.168.1.0/24"
        ]
      }
    }
  }
}