Closed mission-coliveros closed 6 months ago
I assume you meant "replace the internet-facing ALB with a private one".
SOCA already supports deploying the ALB and the scheduler instance in a private subnet.
This requires use of an existing VPC and existing private subnets that have an outbound path to the public internet. The outbound path to the public internet can be via a NAT Gateway in public subnets of the VPC or via an on-prem proxy where the default route of the VPC goes to the VGW. This outbound path is required because the scheduler needs to download packages (operating system updates, OpenPBS, OpenMPI, etc.) from the public internet. Also, there is an assumption that the VPC would be connected to the on-prem network via a VPN tunnel, transit gateway, or a direct connect. Otherwise the ALB wouldn't be reachable from the on-prem network.
If the above conditions are satisfied, all you need to do is change the value of entry_points_subnets to Private in https://github.com/awslabs/scale-out-computing-on-aws/blob/main/installer/default_config.yml#L4
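An added pre-flight check for the prerequisites listed in the answer above (not code from SOCA or from this thread): given route tables in the shape returned by EC2 DescribeRouteTables, it reports whether each candidate private subnet has a default route to a NAT Gateway or to a VGW, and flags subnets that are not suitable. The route-table data is constructed sample data, and the function and field names are assumptions.

```python
from typing import Dict, List, Optional

# Constructed sample data in the shape of EC2 DescribeRouteTables output:
# subnet-a egresses via NAT, subnet-b via the VGW (on-prem proxy case), and
# any other subnet falls back to the main table, which has no default route.
SAMPLE_ROUTE_TABLES: List[dict] = [
    {"RouteTableId": "rtb-nat", "Associations": [{"SubnetId": "subnet-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123", "State": "active"}]},
    {"RouteTableId": "rtb-vgw", "Associations": [{"SubnetId": "subnet-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vgw-0abc", "State": "active"}]},
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
]


def _table_for_subnet(subnet_id: str, tables: List[dict]) -> Optional[dict]:
    """Return the route table explicitly associated with the subnet, else the VPC main table."""
    main = None
    for table in tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def outbound_path(subnet_id: str, tables: List[dict]) -> Optional[str]:
    """Classify the subnet's 0.0.0.0/0 route: 'nat', 'vgw', 'igw' (public subnet), or None."""
    table = _table_for_subnet(subnet_id, tables)
    if table is None:
        return None
    for route in table.get("Routes", []):
        # Only an active default route counts; blackholed routes give no egress.
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") == "blackhole":
            continue
        if route.get("NatGatewayId"):
            return "nat"
        gateway = str(route.get("GatewayId", ""))
        if gateway.startswith("vgw-"):
            return "vgw"
        if gateway.startswith("igw-"):
            return "igw"
    return None


def check_private_subnets(subnet_ids: List[str], tables: List[dict]) -> Dict[str, bool]:
    """True when the subnet is private and still has an egress path (NAT or VGW)."""
    return {s: outbound_path(s, tables) in ("nat", "vgw") for s in subnet_ids}
```

Feed it the `RouteTables` list from a real `describe-route-tables` call for the VPC you plan to reuse, and any subnet that comes back False should not be listed as a private entry-point subnet.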
Hey @mission-coliveros -
Can you please review @ahmedelz 's answer and let me know if anything else is needed?
Is your feature request related to a problem? Please describe. We've deployed this solution for a customer who is worried about making the application accessible to the general internet. We're trying to understand if there is a recommended approach on how to completely disable public access to the application, and replace the internet-facing ALB with a public one.
Describe the feature you'd like
Additional context In the meantime, we have a lot of urgency to get the system up and running, without exposing the app to dozens of /32 CIDRs in our SG rules. I was hoping we could limit access to our VPN security groups, as well as our VPN endpoint/VPC CIDRs, but this doesn't enable access to the cluster.