Forgot to add: 5. Setup Security Groups for all non public facing roles to disallow ALL external traffic. Although we might need to leave snmpd open for Scalr access because I believe Scalr is hosted at The Planet. Maybe even ssh too.
On Mar 27, 2:50 pm, mikeytag <[email protected]> wrote: > I think I may have come up with a solution that I might try to employ > on my farm. Here it is: > > 1. Set the "Generate /etc/hosts for local resolve" script to fire for > every instance in the farm OnHostInit of any role. > 2. Change code where I am calling int-db1.domain.com to int-db1, etc. > 3. Do an "Exclude from DNS zone" for every role in the farm EXCEPT > your load balancer (or webserver if you don't have an lb) roles. > 4. Either setup a VPN solution on the public facing role, OR setup an > SSH Tunnel to be able to get to all the various instances inside the > farm. > > Does anyone have any ideas about this: horrible, clever, otherwise? > > On Mar 27, 9:29 am, Hareem Ul Haque <[email protected]> wrote: > > > Any solution to resolve this. > > > On Mar 27, 5:43 am, mikeytag <[email protected]> wrote: > > > > I was thinking today about the fact that I am not particularly excited > > > that the DNS records for my domains publicly list every machine I have > > > in my farm and their associated public and private ips. I personally > > > moved to Scalr from a colo facility in which I had every machine on > > > it's own private network with the only external facing machines being > > > the firewalls (which we would SSH tunnel or VPN through to get to the > > > machines). > > > > I think it would be really cool if Scalr had a split horizon DNS setup > > > by default. Meaning if a query for role.domain.com comes from an > > > Amazon ip then the private 10. ip is returned. The public facing > > > horizon could then only have records for the load balancer or > > > webservers, depending how you have Scalr hooked up. > > > > The next issue to tackle is how do you access your machines if you > > > can't simply ssh to ext-role.domain.com? Why not tack on an open > > > source VPN solution with the load balancer role. Or create a brand new > > > VPN role. I personally only have experience on OpenBSD machines when > > > it comes to VPN software, but I am sure there is a plethora of Linux > > > options out there. > > > > Once the VPN is setup, you could then simply use the security groups > > > to block external access to the machines thus making your farm > > > infinitely more secure. You get a little benefit by the DNS records > > > being obscured to the public and the most benefit by using Amazon's > > > "firewall" rules to lock out your machine from being reached from the > > > outside. > > > > I would love to hear everyone's input on this. I personally only have > > > experience doing split horizon DNS for a couple hundred domains at the > > > most. There may be potential scalibility problems for Scalr to support > > > this type of a setup. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "scalr-discuss" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/scalr-discuss?hl=en -~----------~----~----~----~------~----~------~--~---
