docker-archive / for-aws


Provide a way to deploy the cluster in private subnets #28

Open netflash opened 7 years ago

netflash commented 7 years ago

Expected behavior

Provide a way to deploy the cluster in private subnets. Not sure if that is possible in the same CF template, so it could be a new one.

Actual behavior

The current CF template assumes deployment in public subnets.

Information

Here's my opinionated version of private deployment https://gist.github.com/netflash/32f19d5eeb989fca753f666246646184

Key updates:

It's based on a previous version of the template (as of 4/7/17)

kencochrane commented 7 years ago

@netflash looking at your gist, it looks like you really only changed one thing:

"AssociatePublicIpAddress": from "true" to "false" for manager and worker nodes.

The rest of the changes are commented below.

Variable name change

These are just variable name changes and a parameter description change; they don't actually make them private. You can use private subnets with the current template: since you are the one creating the subnets and picking them in the template, you can set them up however you want.

We could change the parameter description to just "Subnet X" from "Public Subnet X" if that removes confusion.

pubsubnet1  -> prvsubnet1
pubsubnet2  -> prvsubnet2
pubsubnet3  -> prvsubnet3

Changes to "VpcCidrs" mapping

These aren't used in the "bring your own VPC" template, so the changes have no effect.

Conclusion

It looks like you just need a parameter to specify if you want to associate public IP addresses with your manager and worker nodes. If we had that, you could use the current template. This is currently a duplicate of the findings from #27.

Did I miss anything?

netflash commented 7 years ago

Actually yes:

To make an internet-facing ELB work with instances which reside in private subnets, one still has to add public subnets to that ELB.

That's why I have to use 6 subnets for 3 AZs: public subnets for the ELB and private ones for all the rest of the resources.

I'll steal the ASCII diagram from my colleague; I represent this case here:

public ELB == | ==> private cluster

If I add more details that could look like this:

internet-facing ELB (PubSubnet[1-3]) == | ==> cluster instances (PrvSubnet[1-3])
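The layout netflash describes (internet-facing ELB in the public subnets, cluster nodes in the private subnets, no public IPs on the nodes) as a CloudFormation fragment. This is an added illustration, not code from the for-aws template or from netflash's gist; every parameter and resource name in it (Vpc, PubSubnet1-3, PrvSubnet1-3, NodeAmi, AssociatePublicIp, the security groups, the worker launch configuration and ASG) is an assumption made for the example. Only the worker side is shown; the manager launch configuration and ASG would be wired the same way.

```yaml
# Added example, not the docker-archive/for-aws template. Names are assumptions.
# Shape: ELB in three public subnets, nodes in three private subnets, nodes
# reachable on the published port only from the ELB's security group.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  Vpc:
    Type: AWS::EC2::VPC::Id
  # One public subnet per AZ, used only by the ELB.
  PubSubnet1:
    Type: AWS::EC2::Subnet::Id
  PubSubnet2:
    Type: AWS::EC2::Subnet::Id
  PubSubnet3:
    Type: AWS::EC2::Subnet::Id
  # One private subnet per AZ, used by the cluster nodes.
  PrvSubnet1:
    Type: AWS::EC2::Subnet::Id
  PrvSubnet2:
    Type: AWS::EC2::Subnet::Id
  PrvSubnet3:
    Type: AWS::EC2::Subnet::Id
  NodeAmi:
    Type: AWS::EC2::Image::Id
  # The switch this thread asks for: whether nodes get a public IP at all.
  AssociatePublicIp:
    Type: String
    Default: "false"
    AllowedValues: ["true", "false"]
Resources:
  ELBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internet-facing ELB, accepts HTTPS from anywhere
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
  NodeSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Cluster nodes, published port reachable only from the ELB
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        # Source is the ELB's security group, not a CIDR, so nothing else on
        # the internet path can hit the instances directly.
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref ELBSecurityGroup
        # Swarm node-to-node traffic (2377, 7946, 4789) would be added here as
        # self-referencing rules; omitted to keep the example short.
  ExternalLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Scheme: internet-facing
      # The ELB itself must live in public subnets; the instances it forwards
      # to may live in private subnets of the same VPC.
      Subnets: [!Ref PubSubnet1, !Ref PubSubnet2, !Ref PubSubnet3]
      SecurityGroups: [!Ref ELBSecurityGroup]
      CrossZone: true
      Listeners:
        - LoadBalancerPort: "443"
          InstancePort: "443"
          Protocol: TCP
      HealthCheck:
        Target: TCP:443
        Interval: "30"
        Timeout: "5"
        HealthyThreshold: "2"
        UnhealthyThreshold: "3"
  WorkerLaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: !Ref NodeAmi
      InstanceType: t2.medium
      SecurityGroups: [!Ref NodeSecurityGroup]
      # "false" means the node has only a private address; CloudFormation
      # accepts the string parameter for this Boolean property.
      AssociatePublicIpAddress: !Ref AssociatePublicIp
  WorkerAsg:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      LaunchConfigurationName: !Ref WorkerLaunchConfig
      MinSize: "3"
      MaxSize: "3"
      # Instances land in the private subnets, the ELB forwards to them by
      # private IP inside the VPC.
      VPCZoneIdentifier: [!Ref PrvSubnet1, !Ref PrvSubnet2, !Ref PrvSubnet3]
      LoadBalancerNames: [!Ref ExternalLoadBalancer]
```

Two caveats the thread does not spell out. Nodes without a public IP still need an outbound path (a NAT gateway or VPC endpoints in the private subnets' route tables) to pull images and reach AWS APIs; the fragment assumes the private subnets already have one. And a classic ELB accepts at most one subnet per Availability Zone, which is why the public and private subnets are paired per AZ here, matching the six-subnets-for-three-AZs layout described above.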

kencochrane commented 7 years ago

Ahh, I see, sorry about that. I misread the diff; you added 3 subnets rather than renaming the subnets.

netflash commented 7 years ago

Np. Thanks for helping me here.

BTW, perhaps I am facing another issue when I remove public IPs (set AssociatePublicIpAddress to false):

docker4x/meta-aws logs show that the Go app is crashing when another master node connects to it. Let me re-check/re-confirm that before I file this as a bug.

netflash commented 7 years ago

Not sure if you guys want to keep this open?