Also, if I were to have the "Generate /etc/hosts for local resolve" script fire for all instances OnHostInit, would it be a good idea to do the same for "Rebuild /etc/aws/hosts"?
On Apr 3, 11:58 am, mikeytag <[email protected]> wrote:
> Do any Scalr devs think this type of approach would work?
>
> On Mar 27, 3:00 pm, mikeytag <[email protected]> wrote:
>
> > Forgot to add:
> >
> > 5. Setup Security Groups for all non public facing roles to disallow ALL external traffic.
> >
> > Although we might need to leave snmpd open for Scalr access because I believe Scalr is hosted at The Planet. Maybe even ssh too.
> >
> > On Mar 27, 2:50 pm, mikeytag <[email protected]> wrote:
> >
> > > I think I may have come up with a solution that I might try to employ on my farm. Here it is:
> > >
> > > 1. Set the "Generate /etc/hosts for local resolve" script to fire for every instance in the farm OnHostInit of any role.
> > > 2. Change code where I am calling int-db1.domain.com to int-db1, etc.
> > > 3. Do an "Exclude from DNS zone" for every role in the farm EXCEPT your load balancer (or webserver if you don't have an lb) roles.
> > > 4. Either setup a VPN solution on the public facing role, OR setup an SSH tunnel to be able to get to all the various instances inside the farm.
> > >
> > > Does anyone have any ideas about this: horrible, clever, otherwise?
> > >
> > > On Mar 27, 9:29 am, Hareem Ul Haque <[email protected]> wrote:
> > >
> > > > Any solution to resolve this.
> > > >
> > > > On Mar 27, 5:43 am, mikeytag <[email protected]> wrote:
> > > >
> > > > > I was thinking today about the fact that I am not particularly excited that the DNS records for my domains publicly list every machine I have in my farm and their associated public and private ips. I personally moved to Scalr from a colo facility in which I had every machine on its own private network with the only external facing machines being the firewalls (which we would SSH tunnel or VPN through to get to the machines).
> > > > >
> > > > > I think it would be really cool if Scalr had a split horizon DNS setup by default. Meaning if a query for role.domain.com comes from an Amazon ip then the private 10. ip is returned. The public facing horizon could then only have records for the load balancer or webservers, depending how you have Scalr hooked up.
> > > > >
> > > > > The next issue to tackle is how do you access your machines if you can't simply ssh to ext-role.domain.com? Why not tack on an open source VPN solution with the load balancer role. Or create a brand new VPN role. I personally only have experience on OpenBSD machines when it comes to VPN software, but I am sure there is a plethora of Linux options out there.
> > > > >
> > > > > Once the VPN is setup, you could then simply use the security groups to block external access to the machines thus making your farm infinitely more secure. You get a little benefit by the DNS records being obscured to the public and the most benefit by using Amazon's "firewall" rules to lock out your machine from being reached from the outside.
> > > > >
> > > > > I would love to hear everyone's input on this. I personally only have experience doing split horizon DNS for a couple hundred domains at the most. There may be potential scalability problems for Scalr to support this type of a setup.
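As an added illustration of the split-horizon policy proposed in the quoted thread (this is not code from the thread or from Scalr): a small Python model that answers the private 10. address for queries from inside the farm, exposes only the roles not excluded from the public zone to everyone else, and renders the internal view as the /etc/hosts lines the "Generate /etc/hosts for local resolve" step would produce. The farm table, the addresses and the internal network range are constructed assumptions.

```python
import ipaddress

# Constructed sample farm (hypothetical role names and addresses, not from the thread).
# role name -> (public IP, private 10. IP, excluded from the public DNS zone?)
FARM = {
    "lb1":     ("203.0.113.10", "10.0.1.10", False),  # load balancer: only public record
    "web1":    ("203.0.113.11", "10.0.1.11", True),
    "int-db1": ("203.0.113.12", "10.0.1.12", True),
}

# Assumed "inside the farm" networks: queries from here get the private view.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

DOMAIN = "domain.com"


def is_internal(client_ip):
    """True when the querying address falls inside one of the internal networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def resolve(name, client_ip):
    """Split-horizon lookup: returns an IP string, or None to model NXDOMAIN."""
    suffix = "." + DOMAIN
    host = name[:-len(suffix)] if name.endswith(suffix) else name
    entry = FARM.get(host)
    if entry is None:
        return None
    public_ip, private_ip, excluded = entry
    if is_internal(client_ip):
        return private_ip          # internal horizon: every role, private address
    return None if excluded else public_ip  # public horizon: only non-excluded roles


def internal_hosts_file():
    """Render the internal view as /etc/hosts lines so instances resolve each other locally."""
    lines = []
    for host, (_public_ip, private_ip, _excluded) in sorted(FARM.items()):
        lines.append(f"{private_ip}\t{host}.{DOMAIN} {host}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(resolve("int-db1.domain.com", "10.0.1.11"))    # private address for a farm member
    print(resolve("int-db1.domain.com", "198.51.100.7"))  # None: hidden from the public zone
    print(internal_hosts_file())
```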
