cloudfoundry / bosh-azure-cpi-release

BOSH Azure CPI
Apache License 2.0

Recreating HAProxy doesn't always reconnect security groups correctly for Public IPs #124

Closed haydonryan closed 8 years ago

haydonryan commented 8 years ago

We have had two occurrences of the same issue in different environments (one being my test environment, so I can provide detailed logs etc. and try fixes).

This happens when HAProxy is connected to a Public IP, i.e.:

- name: ha_proxy-partition-e98f67a70e18480cae2et :%
  templates:
  - name: haproxy
    release: cf
  - name: metron_agent
    release: cf
  - name: consul_agent
    release: cf
  lifecycle: service
  instances: 1
  resource_pool: ha_proxy-partition-e98f67a70e18480cae20
  networks:
  - name: default
    default:
    - dns
    - gateway
  - name: public
    static_ips: [x.x.x.x] # <--- Replace with your reserved public IP address

If the HAProxy is recreated (a single point of failure will create some downtime, that's understood), when it comes back up no traffic can go through on 443 or 80.

Adding an Azure Network Security rule for 443 and 80 fixes this; however, it should be automatic.

AbelHu commented 8 years ago

The CPI does not create a network security group or add rules. You need to create the NSG and add the rules yourself. Then you can specify the name of the NSG in the manifest. This is more flexible if you have many security groups and different rules.

cppforlife commented 8 years ago

@haydonryan https://github.com/cloudfoundry/docs-bosh/blob/master/azure-cpi.html.md.erb#L72 and https://github.com/cloudfoundry-incubator/bosh-azure-cpi-release/releases/tag/v9
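
Since the NSG and its rules are managed outside the CPI, a check after a recreate can confirm that the NSG named in the manifest still admits inbound 80 and 443. The following is an added example, not part of the thread or of the CPI: it evaluates a constructed NSG export shaped like `az network nsg show -o json` output, and it assumes only rules whose source is `*` or `Internet` are relevant (the sample names and rules are made up).

```python
import json

# Constructed sample shaped like `az network nsg show -o json` output
# (the NSG name and all rules are made up for this example).
SAMPLE_NSG = json.loads("""
{
  "name": "example-haproxy-nsg",
  "securityRules": [
    {"name": "deny-http", "priority": 150, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "80"},
    {"name": "allow-web", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRanges": ["80", "443"]},
    {"name": "allow-ssh", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "22"}
  ]
}
""")

def _covers(spec, port):
    """True if a port spec ('*', '443' or '8000-8100') includes port."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def _ports(rule):
    """Collect the single-range and multi-range port fields of a rule."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    return specs

def inbound_tcp_allowed(nsg, port):
    """First matching custom rule by ascending priority decides; no match
    falls through to Azure's default DenyAllInBound for Internet sources."""
    for rule in sorted(nsg.get("securityRules", []), key=lambda r: r["priority"]):
        if rule["direction"].lower() != "inbound":
            continue
        if rule["protocol"].lower() not in ("tcp", "*"):
            continue
        if rule.get("sourceAddressPrefix") not in ("*", "Internet"):
            continue  # assumption: only Internet-wide sources are evaluated
        if any(_covers(s, port) for s in _ports(rule)):
            return rule["access"].lower() == "allow"
    return False

def closed_ports(nsg, required=(80, 443)):
    """Ports from `required` that the NSG does not admit from the Internet."""
    return [p for p in required if not inbound_tcp_allowed(nsg, p)]
```

In the sample, the lower-numbered `deny-http` rule shadows `allow-web` for port 80, which is the kind of mismatch a plain "rule exists" check would miss.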