Open netflash opened 7 years ago
@netflash looking at your gist, it looks like you really only changed one thing:
"AssociatePublicIpAddress": from "true" to "false" for manager and worker nodes.
The rest of the changes are commented below.
These are just variable name changes and a parameter description change; they don't actually make the subnets private. You can use private subnets with the current template. Since you are the one creating the subnets and picking them in the template, you can set them up however you want.
We could change the parameter description to just "Subnet X" from "Public Subnet X" if that removes confusion.
pubsubnet1 -> prvsubnet1
pubsubnet2 -> prvsubnet2
pubsubnet3 -> prvsubnet3
These aren't used in the "bring your own VPC" template, so the changes have no effect.
It looks like you just need a parameter to specify if you want to associate public IP addresses for your manager and worker nodes. If we had that, you could use the current template. This is currently a duplicate of the findings from #27.
Did I miss anything?
Actually yes:
to make internet-facing ELB work with the instances which reside in private subnets, one still has to add public subnets to that ELB.
That's why I have to use 6 subnets for 3 AZs, public subnets for ELB and private ones for all the rest of resources.
I'll steal the ASCII diagram from my colleague to represent this case here:
public ELB == | ==> private cluster
If I add more details, that could look like this:
internet-facing ELB (PubSubnet[1-3]) == | ==> cluster instances (PrvSubnet[1-3])
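The layout in the diagram above (internet-facing ELB in public subnets, cluster instances in private subnets, with a parameter controlling AssociatePublicIpAddress as suggested earlier in the thread), as an added CloudFormation illustration that is not part of the Docker for AWS template or the linked gist; all parameter and resource names are hypothetical, and the AMI id is a placeholder:

```yaml
# Added illustration, not the project's template. Names are hypothetical.
Parameters:
  AssociatePublicIp:
    Type: String
    Default: "false"
    AllowedValues: ["true", "false"]
    Description: Give manager/worker instances a public IP ("false" for private subnets)
  PubSubnet1: {Type: AWS::EC2::Subnet::Id}
  PubSubnet2: {Type: AWS::EC2::Subnet::Id}
  PubSubnet3: {Type: AWS::EC2::Subnet::Id}
  PrvSubnet1: {Type: AWS::EC2::Subnet::Id}
  PrvSubnet2: {Type: AWS::EC2::Subnet::Id}
  PrvSubnet3: {Type: AWS::EC2::Subnet::Id}

Resources:
  # The internet-facing ELB is placed in the public subnets ...
  ExternalLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Scheme: internet-facing
      Subnets: [!Ref PubSubnet1, !Ref PubSubnet2, !Ref PubSubnet3]
      Listeners:
        - LoadBalancerPort: "80"
          InstancePort: "80"
          Protocol: HTTP

  # ... while the instances sit in the private subnets and only receive a
  # public address when the parameter says so.
  WorkerLaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: ami-PLACEHOLDER        # placeholder, replace with a real AMI id
      InstanceType: t2.micro
      AssociatePublicIpAddress: !Ref AssociatePublicIp

  WorkerAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      LaunchConfigurationName: !Ref WorkerLaunchConfig
      VPCZoneIdentifier: [!Ref PrvSubnet1, !Ref PrvSubnet2, !Ref PrvSubnet3]
      LoadBalancerNames: [!Ref ExternalLoadBalancer]
      MinSize: "1"
      MaxSize: "3"
```

With AssociatePublicIp left at "false", the private subnets still need an outbound route (for example via a NAT gateway) for the instances to reach anything outside the VPC.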
Ahh, I see, sorry about that. I misread the diff: you added 3 subnets vs. renaming the subnets.
Np. Thanks for helping me here.
BTW, perhaps I am facing another issue when I remove public IPs (set AssociatePublicIpAddress to false): docker4x/meta-aws logs show that the go app is crashing when another master node connects to it. Let me re-check/re-confirm that before I file this as a bug.
Not sure if you guys want to keep this open?
Expected behavior
Provide a way to deploy the cluster in private subnets. Not sure if that's possible in the same CF template, so it could be a new one.
Actual behavior
The current CF template assumes deployment in public subnets.
Information
Here's my opinionated version of private deployment https://gist.github.com/netflash/32f19d5eeb989fca753f666246646184
Key updates:
It's based on a previous version of the template (as of 4/7/17)