Hello. First, thanks for all your replies! They're very helpful.

>>> Maybe another solution - what about a shared IP bound to one of the
>>> servers.
>>> Using HA mechanisms it could be bound to another host if the current one
>>> fails.
>>> This would avoid a single point of failure.
>> Yes, I think it would work to have a firewall VM with the public IP,
>> configured as HA; then nodes have private IPs.
>>
>> Administration would be by VPN as Alain said. If the node running the
>> firewall crashes, HA would restart it on another node. The VMs' gateway
>> would be the firewall.
>>
>> You need shared storage for this of course.

Ok. I think I will use this way. I want to use a converged Ceph storage, so it will be good...

>
> I'm not sure what exactly your topology is but I'd look into
> keepalived/vrrp for a virtual IP (never tried with more than 2 servers
> but it should work).
>
> I'm not a fan of a HA firewall VM, as if for some reason the VM does not
> start, or is locked or anything you would have no way to access the
> proxmox servers.

Yes. It's a good point. Maybe I will try to create another "just in case" gateway (in front of the internet with another public IP or via another network) in case of HA failure.

>
> I'd also try using something like tinc/openvpn to make the proxmox nodes
> connect as clients to one vpn server which I'm in control of just in
> case (but you are supposed to have one).
>
> Obviously also configuring a firewall on the nodes is recommended if
> they are public.
>
> I suppose you have a gateway which does NAT and you have no direct
> control over this so you'd like to point the public address to one
> internal (?)

Yes! Many thanks.

Best regards.
Jean-Mathieu
