Replace Security Zones with private networks

On 15.11.2022 we will lock the Security Zones. You will no longer be able to create new Security Zones.
On March 1, 2023, we will completely remove Security Zones from our product portfolio. If you still use Security Zones, you can find out here what you have to do.

Prerequisites:

Currently, PaaS services can connect to private networks that have a DHCP range within the 10.0.0.0/8 and 192.168.0.0/16 subnets. Here are examples of a valid DHCP range of a private network:

10.x.y.0/24
192.168.x.0/24

The values for x and y are decimal values (from 0 to 254), which you can choose freely.

Three concrete use cases:

1. Existing Security Zone, but no service connected

This is the simplest scenario imaginable. In this case, you simply delete the existing Security Zone yourself, or it will be deleted automatically on 01.03.2023.

2. Existing Security Zone connected to a PaaS

Do you have a PaaS, for example gridFS or a database, connected to a Security Zone? In this case, the existing service needs to be changed to a private network.

Create a private network for this purpose. It’s best to make the switch during a downtime you specify – there will be a short network interruption during this time.

You should use the downtime to reconfigure your application.

If the existing service is connected to a Security Zone, it must be changed to a private network. For new, unused networks, the platform service will be assigned the first IP address in the specified range (for example, 10.0.0.1).

  1. Create a private network or use an existing network (in both cases, the range must be either 10.x.y.0/24 or 192.168.x.0/24).
  2. Navigate to the Platform Service and, in the Network Configuration section, swap out the existing Security Zone connection for the private network you’ve chosen.
  3. After the deployment is complete – during which the Platform service will be unavailable for a few seconds – you will see the new IPv4 address of the service in the Connection Details section or in the details view of the private network itself.
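A pre-migration check for the range rules above, as an added example that is not part of the original page or the platform's own tooling. The function name `check_paas_range` and the sample ranges are assumptions; the /24 requirement, the two parent subnets, the 0 to 254 limit and the first-address behaviour are taken from the page as stated.

```python
import ipaddress

# Parent subnets the page names for PaaS-connected private networks.
ALLOWED_SUPERNETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def check_paas_range(cidr):
    """Return (ok, reason, first_ip) for a candidate DHCP range (hypothetical helper)."""
    try:
        # strict=True rejects ranges with host bits set, e.g. 10.1.2.5/24
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return False, f"not a valid network: {exc}", None
    if net.version != 4:
        return False, "only IPv4 ranges are described on the page", None
    if net.prefixlen != 24:
        return False, "range must be a /24", None
    if not any(net.subnet_of(s) for s in ALLOWED_SUPERNETS):
        return False, "outside 10.0.0.0/8 and 192.168.0.0/16", None
    # The page limits the freely chosen octets x and y to 0..254.
    octets = net.network_address.packed
    chosen = octets[1:3] if octets[0] == 10 else octets[2:3]
    if any(o > 254 for o in chosen):
        return False, "x and y must be between 0 and 254", None
    # For a new, unused network the service gets the first address in the
    # range; on a network already in use it gets the next free address.
    return True, "ok", str(net.network_address + 1)


if __name__ == "__main__":
    # Constructed sample ranges, not taken from any real project.
    for candidate in ("10.0.0.0/24", "192.168.7.0/24", "172.16.0.0/24",
                      "10.1.2.5/24", "10.0.0.0/16", "10.255.0.0/24"):
        ok, reason, first_ip = check_paas_range(candidate)
        print(f"{candidate:18} ok={ok!s:5} {reason} first_ip={first_ip}")
```

Running it against the ranges you plan to use before the downtime window shows which ones the service can attach to and which address to put into your application configuration for a new, unused network.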

3. Security Zone connected to Kubernetes as a Sidecar (Proxy VM) connecting the Platform Service to a GSK Cluster.

Another possible scenario is that there is a server, as a sidecar, between your Security Zone and your GSK Cluster.

In this case, the Kubernetes cluster already has a private network. The sidecar is then no longer needed. Just swap the connected network on the platform service you want to use. You will then get the next free IPv4 address. Note that, after changing the network, the service is no longer reachable via the old IPv6 address.

The service will only be reachable again after the deployment is complete. After that, you just need to define the service that replaces the sidecar to connect GSK to a PaaS. If you need more information on this, feel free to check out our product documentation.

We know this is a big change that will require downtime.

That’s why we’ve prepared as much content as possible to best support you through this change.

However, if something is still unclear or you are not able to make the necessary changes in time, please contact our support team for assistance at any time.