Private networks

Figure 1096. Private subnet overview Slide presentation
  • Sdi/CloudProvider/Fig/privateNetwork-0
  • Sdi/CloudProvider/Fig/privateNetwork-1
  • Sdi/CloudProvider/Fig/privateNetwork-2
  • Sdi/CloudProvider/Fig/privateNetwork-3
  • Sdi/CloudProvider/Fig/privateNetwork-4


Figure 1097. Terraform network and subnetwork creation Slide presentation 
resource "hcloud_network" "privateNet" {
  name     = "Private network"
  ip_range = "10.0.0.0/8"
}
resource "hcloud_network_subnet" "privateSubnet" {
  network_id   = hcloud_network.privateNet.id
  type         = "cloud"
  network_zone = "eu-central"
  ip_range     = "10.0.1.0/24"
}
resource "hcloud_network_route" "gateway"{
  network_id = hcloud_network.privateNet.id
  destination = "0.0.0.0/0"
  gateway = "10.0.1.20"
}

Figure 1098. Gateway: External and internal interface Slide presentation 
resource "hcloud_server" "gateway" {
    ....
  public_net {
    ipv4 = hcloud_primary_ip.gatwewayIp.id
  }
  network {
    network_id = hcloud_network.privateNet.id
    ip         = "10.0.1.20"
  }
}

Figure 1099. intern host Slide presentation 
resource "hcloud_server" "intern" {
    ....
  public_net {
    ipv4_enabled = false
    ipv6_enabled = false
  }
  network {
    network_id = hcloud_network.privateNet.id
    ip         = "10.0.1.30"
  }
}

exercise No. 28

Creating a subnet

Q:

Follow Figure 1096, “Private subnet overview ” creating two hosts being connected by a private subnet:

  1. Follow Figure 1097, “Terraform network and subnetwork creation ” creating both a private network and private subnet.

  2. Your gateway host will have two network interfaces providing connections both to the Internet and your private subnet.

    This host will be  ssh accessible.

  3. The intern host will be connected to your private subnet only. Being isolated from the Internet it will be ssh accessible from your gateway host only. In other words: Access requires two chained ssh connections.

    For the time being host intern will have no Internet access. Thus package installation or updates are not yet possible.

    Note

    This topic will be addressed in Adding an application level gateway .

  4. Provide DNS names to be used on your two hosts locally by defining /etc/cloud/templates/hosts.debian.tmpl accordingly.

Tip

Variables of type = object are your friend: 

privateSubnet = {
  dnsDomainName  = "intern.g3.hdm-stuttgart.cloud"
  ipAndNetmask   = "10.0.1.0/24"
}
Figure 1100. Lack of internet access Slide presentation

  • Host intern does not have Internet access.

  • Consequences:

    1. No package updates.

    2. No package installs

    3. ...


Figure 1101. Possible solutions Slide presentation

    • Allow IP forwarding on gateway host

    • Configure NAT enabling gateway host as router

  2. Use an application level gateway:

    1. apt-cacher-ng

    2. Squid


Figure 1102. http proxy apt-cacher-ng Slide presentation
  • Sdi/CloudProvider/Fig/httpProxy-0
  • Sdi/CloudProvider/Fig/httpProxy-1


Figure 1103. Cloud-init problem Slide presentation

  • Problem: apt-cacher-ng installation requires time for service to become available.

  • Consequence: Package installs / updates on host intern must be deferred.

  • Problem: No standard Terraform service ready dependency management hook.


Figure 1104. Service ready query script Slide presentation
tpl/waitForAptProxy.sh main.tf 
#!/bin/bash
echo "Waiting for apt-cacher-ng ..."
while ! nc -z ${interface} 3142; 
  do
     sleep 8 # wait 8 second for next poll
     echo apt-cacher-ng not yet ready ...
  done

echo "apt-cacher-ng service ready"
 
resource "local_file" "waitForAptProxy" {
  content = templatefile(
               "tpl/waitForAptProxy.sh", {
    interface = var.frontendServer.privateIp
  })
  filename        = "gen/waitForAptProxy"
  file_permission = "755"
}

Figure 1105. Terraform service ready dependency hook Slide presentation 
resource "null_resource" "waitForProxy" {
  connection {
    type     = "ssh"
    user     = "devops"
    host_key = ...public_key_openssh
    agent    = "true"
    host     = ...web.ipv4_address
  }
  provisioner "remote-exec" {
    script = local_file.waitForAptProxy.filename
  }
}
 
resource "hcloud_server" "intern" {
...
  depends_on = [
    hcloud_network_subnet.pSubnet
   ,null_resource.waitForProxy
  ]
}

exercise No. 29

Adding an application level gateway

Q:

This exercise is a follow-up to Creating a subnet . We add an application level gateway providing HTTP access to hosts residing in the private subnet e.g. host intern. Follow the subsequent steps:

  1. Create a hcloud_primary_ip to be used by your gateway host for Internet access. In addition to the datacenter attribute documentation valid values are also on offer by GET /datacenters.

  2. Use Cloud-init for installing apt-cacher-ng on your gateway host listening to the internal network interface only. Modify its configuration accordingly.

  3. Follow Figure 1105, “Terraform service ready dependency hook ” for delaying host intern's creation until the apt-cacher-ng service is up and running.

  4. Install supplementary packages on your intern host proofing proper network access. Enable package updates as well.

Prev  Up  Next
Terraform states  Home  Appendix