Private networks

Figure 1004. Private subnet overview Slide presentation

Figure 1005. Terraform subnet creation Slide presentation
resource "hcloud_network" "pNet" {
  name     = "Private network"
  ip_range = "10.0.0.0/8"
}
resource "hcloud_network_subnet" "pSubnet" {
  network_id   = hcloud_network.pNet.id
  type         = "cloud"
  network_zone = "eu-central"
  ip_range     = "10.0.1.0/24"
}
resource "hcloud_network_route" "gateway"{
  network_id = hcloud_network.pNet.id
  destination = "0.0.0.0/0"
  gateway = "10.0.1.20"
}

Figure 1006. Gateway host Slide presentation
resource "hcloud_server" "web" {
    ....
  network {
    network_id = hcloud_network.pNet.id
    ip         = "10.0.1.20"
  }
}

Figure 1007. intern host Slide presentation
resource "hcloud_server" "web" {
    ....
  public_net {
    ipv4_enabled = false
    ipv6_enabled = false
  }
  network {
    network_id = hcloud_network.pNet.id
    ip         = "10.0.1.20"
  }
}

exercise No. 10

Creating a subnet

Q:

Follow Figure 1004, “Private subnet overview ” creating two hosts being connected by a private subnet:

  1. Follow Figure 1005, “Terraform subnet creation ” creating both a private network and private subnet.

  2. Your gateway host will have two network interfaces providing connections both to the Internet and your private subnet.

    This host will be  ssh accessible.

  3. The intern host will be connected to your private subnet only. Being isolated from the Internet it will be ssh accessible from your gateway host only. In other words: Access requires two chained ssh connections.

    For the time being host intern will have no Internet access. Thus package installation or updates are not yet possible.

    Note

    This topic will be addressed in Adding an application level gateway .

  4. Provide DNS names to be used on your two hosts locally by defining /etc/cloud/templates/hosts.debian.tmpl accordingly.

Tip

Variables of type = object are your friend:

privateSubnet = {
  dnsDomainName  = "intern.g3.hdm-stuttgart.cloud"
  ipAndNetmask   = "10.0.1.0/24"
}
Figure 1008. Lack of internet access Slide presentation
  • Host intern does not have Internet access.

  • Consequences:

    1. No package updates.

    2. No package installs

    3. ...


Figure 1009. Possible solutions Slide presentation
    • Allow IP forwarding on gateway host

    • Configure NAT enabling gateway host as router

  1. Use an application level gateway:


Figure 1010. http proxy apt-cacher-ng Slide presentation

Figure 1011. Cloud-init problem Slide presentation
  • Problem: apt-cacher-ng installation requires time for service to become available.

  • Consequence: Package installs on host intern must be deferred.

  • Problem: No standard Terraform service ready dependency management hook.


Figure 1012. Service ready query script Slide presentation
#!/bin/bash
echo "Waiting for apt-cacher-ng to launch on port 3142 ..."

while ! nc -z ${frontendPrivatenetIp} 3142; 

  do
     sleep 8 # wait for 8 second before polling again
     echo apt-cacher-ng not yet ready ...
  done

echo "apt-cacher-ng service ready"

Figure 1013. Terraform service ready dependency hook Slide presentation
resource "null_resource" "waitForProxy" {
  connection {
    type     = "ssh"
    user     = "devops"
    host_key = ...public_key_openssh
    agent    = "true"
    host     = ...web.ipv4_address
  }
  provisioner "remote-exec" {
    inline=["/usr/bin/waitForAptProxy"]
  }
}
resource "hcloud_server" "intern" {
...
  depends_on = [
    hcloud_network_subnet.pSubnet
   ,null_resource.waitForProxy
  ]
}

exercise No. 11

Adding an application level gateway

Q:

This exercise is a follow-up to Creating a subnet . We add an application level gateway providing HTTP access to hosts residing in the private subnet e.g. host intern. Follow the subsequent steps:

  1. Create a hcloud_primary_ip to be used by your gateway host for Internet access. In addition to the datacenter attribute documentation valid values are also on offer by GET /datacenters.

  2. Use Cloud-init for installing apt-cacher-ng on your gateway host listening to the internal network interface only. Modify its configuration accordingly.

  3. Follow Figure 1013, “Terraform service ready dependency hook ” for delaying host intern's creation until the apt-cacher-ng service is up and running.

  4. Install supplementary packages on your intern host proofing proper network access. Enable package updates as well.