I was thinking today about the fact that I am not particularly excited that the DNS records for my domains publicly list every machine I have in my farm and their associated public and private IPs. I personally moved to Scalr from a colo facility in which I had every machine on its own private network, with the only external-facing machines being the firewalls (which we would SSH tunnel or VPN through to get to the machines).
I think it would be really cool if Scalr had a split-horizon DNS setup by default. Meaning if a query for role.domain.com comes from an Amazon IP then the private 10. IP is returned. The public-facing horizon could then only have records for the load balancer or webservers, depending on how you have Scalr hooked up.

The next issue to tackle is how do you access your machines if you can't simply SSH to ext-role.domain.com? Why not tack on an open source VPN solution with the load balancer role, or create a brand new VPN role? I personally only have experience on OpenBSD machines when it comes to VPN software, but I am sure there is a plethora of Linux options out there. Once the VPN is set up, you could then simply use the security groups to block external access to the machines, thus making your farm infinitely more secure. You get a little benefit by the DNS records being obscured from the public and the most benefit by using Amazon's "firewall" rules to lock your machines out from being reached from the outside.

I would love to hear everyone's input on this. I personally only have experience doing split-horizon DNS for a couple hundred domains at the most. There may be potential scalability problems for Scalr to support this type of a setup.
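A small model of the split-horizon behaviour proposed above, added as an illustration and not code from the original post or from Scalr: queries from an internal range get the private 10. view, everyone else gets a public view that publishes only the load balancer, plus an audit check that the public view leaks no RFC 1918 address. The zone names, addresses and the 10.0.0.0/8 client range are constructed assumptions.

```python
import ipaddress

# Constructed sample zone data for a hypothetical farm under example.com.
# Internal view: every role resolves to its private 10.x address.
INTERNAL_ZONE = {
    "lb.example.com": "10.0.0.10",
    "web-1.example.com": "10.0.1.11",
    "db-1.example.com": "10.0.2.12",
}
# External view: only the load balancer is published, with its public address.
EXTERNAL_ZONE = {
    "lb.example.com": "203.0.113.10",
}
# Client networks that should see the internal view (assumed VPC/VPN range).
INTERNAL_CLIENTS = [ipaddress.ip_network("10.0.0.0/8")]
# RFC 1918 ranges: none of these should ever appear in the public view.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def select_view(client_ip):
    """Pick the DNS view by the querying client's source address."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_CLIENTS) else "external"


def resolve(name, client_ip):
    """Return the A record `name` as seen from `client_ip`, or None for NXDOMAIN."""
    zone = INTERNAL_ZONE if select_view(client_ip) == "internal" else EXTERNAL_ZONE
    return zone.get(name.rstrip(".").lower())


def leaked_private_records():
    """Audit: names in the public view whose address falls in an RFC 1918 range."""
    leaks = []
    for name, ip in EXTERNAL_ZONE.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in PRIVATE_NETWORKS):
            leaks.append(name)
    return sorted(leaks)


if __name__ == "__main__":
    print(resolve("web-1.example.com", "10.0.5.7"))      # private answer for insiders
    print(resolve("web-1.example.com", "198.51.100.4"))  # None: hidden from outside
    print(leaked_private_records())                      # [] when the public view is clean
```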
