Do any Scalr devs think this type of approach would work?
On Mar 27, 3:00 pm, mikeytag <[email protected]> wrote:
> Forgot to add:
>
> 5. Setup Security Groups for all non public facing roles to disallow
> ALL external traffic.
> Although we might need to leave snmpd open for Scalr access because I
> believe Scalr is hosted at The Planet. Maybe evensshtoo.
>
> On Mar 27, 2:50 pm, mikeytag <[email protected]> wrote:
>
> > I think I may have come up with a solution that I might try to employ
> > on my farm. Here it is:
>
> > 1. Set the "Generate /etc/hosts for local resolve" script to fire for
> > every instance in the farm OnHostInit of any role.
> > 2. Change code where I am calling int-db1.domain.com to int-db1, etc.
> > 3. Do an "Exclude from DNS zone" for every role in the farm EXCEPT
> > your load balancer (or webserver if you don't have an lb) roles.
> > 4. Either setup a VPN solution on the public facing role, OR setup an
> >SSHTunnel to be able to get to all the various instances inside the
> > farm.
>
> > Does anyone have any ideas about this: horrible, clever, otherwise?
>
> > On Mar 27, 9:29 am, Hareem Ul Haque <[email protected]> wrote:
>
> > > Any solution to resolve this.
>
> > > On Mar 27, 5:43 am, mikeytag <[email protected]> wrote:
>
> > > > I was thinking today about the fact that I am not particularly excited
> > > > that the DNS records for my domains publicly list every machine I have
> > > > in my farm and their associated public and private ips. I personally
> > > > moved to Scalr from a colo facility in which I had every machine on
> > > > it's own private network with the only external facing machines being
> > > > the firewalls (which we wouldSSHtunnel or VPN through to get to the
> > > > machines).
>
> > > > I think it would be really cool if Scalr had a split horizon DNS setup
> > > > by default. Meaning if a query for role.domain.com comes from an
> > > > Amazon ip then the private 10. ip is returned. The public facing
> > > > horizon could then only have records for the load balancer or
> > > > webservers, depending how you have Scalr hooked up.
>
> > > > The next issue to tackle is how do you access your machines if you
> > > > can't simplysshto ext-role.domain.com? Why not tack on an open
> > > > source VPN solution with the load balancer role. Or create a brand new
> > > > VPN role. I personally only have experience on OpenBSD machines when
> > > > it comes to VPN software, but I am sure there is a plethora of Linux
> > > > options out there.
>
> > > > Once the VPN is setup, you could then simply use the security groups
> > > > to block external access to the machines thus making your farm
> > > > infinitely more secure. You get a little benefit by the DNS records
> > > > being obscured to the public and the most benefit by using Amazon's
> > > > "firewall" rules to lock out your machine from being reached from the
> > > > outside.
>
> > > > I would love to hear everyone's input on this. I personally only have
> > > > experience doing split horizon DNS for a couple hundred domains at the
> > > > most. There may be potential scalibility problems for Scalr to support
> > > > this type of a setup.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"scalr-discuss" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/scalr-discuss?hl=en
-~----------~----~----~----~------~----~------~--~---
