I think I may have come up with a solution that I might try to employ on my farm. Here it is:
1. Set the "Generate /etc/hosts for local resolve" script to fire for every instance in the farm OnHostInit of any role.
2. Change code where I am calling int-db1.domain.com to int-db1, etc.
3. Do an "Exclude from DNS zone" for every role in the farm EXCEPT your load balancer (or webserver if you don't have an lb) roles.
4. Either set up a VPN solution on the public facing role, OR set up an SSH tunnel to be able to get to all the various instances inside the farm.

Does anyone have any ideas about this: horrible, clever, otherwise?

On Mar 27, 9:29 am, Hareem Ul Haque <[email protected]> wrote:
> Any solution to resolve this.
>
> On Mar 27, 5:43 am, mikeytag <[email protected]> wrote:
> >
> > I was thinking today about the fact that I am not particularly excited
> > that the DNS records for my domains publicly list every machine I have
> > in my farm and their associated public and private ips. I personally
> > moved to Scalr from a colo facility in which I had every machine on
> > its own private network with the only external facing machines being
> > the firewalls (which we would SSH tunnel or VPN through to get to the
> > machines).
> >
> > I think it would be really cool if Scalr had a split horizon DNS setup
> > by default. Meaning if a query for role.domain.com comes from an
> > Amazon ip then the private 10. ip is returned. The public facing
> > horizon could then only have records for the load balancer or
> > webservers, depending on how you have Scalr hooked up.
> >
> > The next issue to tackle is how do you access your machines if you
> > can't simply ssh to ext-role.domain.com? Why not tack on an open
> > source VPN solution with the load balancer role. Or create a brand new
> > VPN role. I personally only have experience on OpenBSD machines when
> > it comes to VPN software, but I am sure there is a plethora of Linux
> > options out there.
> >
> > Once the VPN is set up, you could then simply use the security groups
> > to block external access to the machines thus making your farm
> > infinitely more secure. You get a little benefit by the DNS records
> > being obscured to the public and the most benefit by using Amazon's
> > "firewall" rules to lock out your machine from being reached from the
> > outside.
> >
> > I would love to hear everyone's input on this. I personally only have
> > experience doing split horizon DNS for a couple hundred domains at the
> > most. There may be potential scalability problems for Scalr to support
> > this type of a setup.
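As an added example (not Scalr's code and not posted by anyone in this thread), here is the split-horizon behaviour mikeytag describes together with the /etc/hosts step from the proposal above, in Python; the role table, the addresses and the "Amazon" source ranges are constructed placeholders, not real farm data:

```python
"""Split-horizon answer selection for a Scalr-style farm (added example).

Each role has a public IP, a private 10. IP, and a flag saying whether it stays
in the public DNS zone. A query from an "Amazon" source address gets the private
address; a query from anywhere else only gets an answer for roles still in the
public zone (the load balancer / webserver), as the thread proposes.
"""
import ipaddress
from typing import Optional

# Constructed placeholders: in practice these would be Amazon's published ranges.
AMAZON_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("198.51.100.0/24")]

# Constructed farm: only "lb" is left in the public zone ("Exclude from DNS zone"
# applied to every other role).
FARM = {
    "lb":      {"public": "203.0.113.10", "private": "10.1.2.10", "public_zone": True},
    "web1":    {"public": "203.0.113.11", "private": "10.1.2.11", "public_zone": False},
    "int-db1": {"public": "203.0.113.12", "private": "10.1.2.12", "public_zone": False},
}

DOMAIN = "domain.com"


def is_internal(source_ip: str) -> bool:
    """True when the query comes from one of the configured 'Amazon' ranges."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in AMAZON_RANGES)


def resolve(name: str, source_ip: str) -> Optional[str]:
    """Return the A record the matching horizon answers, or None for NXDOMAIN."""
    suffix = "." + DOMAIN
    host = name[:-len(suffix)] if name.endswith(suffix) else name
    role = FARM.get(host)
    if role is None:
        return None
    if is_internal(source_ip):
        return role["private"]                      # internal horizon: the 10. address
    return role["public"] if role["public_zone"] else None  # external horizon


def hosts_file() -> str:
    """Render the /etc/hosts lines an OnHostInit script would write on every
    instance (step 1), so short names like int-db1 resolve locally (step 2)."""
    lines = [f"{r['private']}\t{host} {host}.{DOMAIN}" for host, r in FARM.items()]
    return "\n".join(lines) + "\n"
```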
