vn-network-services

VHP Bastion: Access to Network Clusters / Services

Brief Setup Up-Streams Access

Brief

The bastion is needed to gain access to the EC2 instances in our private subnet. A user sends an SSH request to the bastion, and the bastion reverse-proxies the request to the desired unit.

An nginx server will be configured for streams and will accept requests on different ports. Each port is associated with a different up-stream server / command to send to that server. The different commands are grouped in port "chunks": Docker commands are sent to one chunk (6000 6001…), SSH to another (3434 3435…).

Setup

Setup differs a bit from the other clusters because we do not have a compose file yet, just one image running an nginx server. On the EC2 unit we will create a systemd service to start this container, and configure the run command to expose the correct ports.

Vhp-Bastion Systemd

sudo vim /etc/systemd/system/vhp-bastion.service

File Configuration

[Unit]
Description=VHP Bastion
After=docker.service
Requires=docker.service

[Service]
TimeoutStartSec=0
Restart=always
ExecStartPre=-/usr/bin/docker stop %n
ExecStartPre=-/usr/bin/docker rm %n
ExecStartPre=-/usr/bin/docker pull cmv343/vhp-bastion
ExecStart=/usr/bin/docker run --rm --name %n \
-p 3434:3434 -p 3435:3435 -p 3436:3436 -p 3437:3437 \
-p 6001:6001 -p 6002:6002 -p 6003:6003 -p 6004:6004 \
cmv343/vhp-bastion

[Install]
WantedBy=default.target

The ports listed above will need to be open to inbound / outbound traffic. Upstream servers only need ports 22 and 6000 open inbound from the bastion's IP.

Dockerfile

Bastion Server

For this, an nginx server is used as a reverse proxy.

events {
    worker_connections 1024;
}
stream {
    upstream vhpcore {
        server 10.0.2.212:22;
    }
    upstream vhpwebserver {
        server 10.0.1.212:22;
    }
    upstream vhpservices {
        server 10.0.2.157:22;
    }
    upstream vhpmart {
        server 10.0.2.116:22;
    }


    upstream webserver-cluster {
        server 10.0.1.212:6000;
    }
    upstream core-cluster {
        server 10.0.2.212:6000;
    }
    upstream mart-cluster {
        server 10.0.2.116:6000;
    }
    upstream services-cluster {
        server 10.0.2.157:6000;
    }


    server {
        listen       3434;
        proxy_pass vhpcore;
    }
    server {
        listen       3435;
        proxy_pass vhpwebserver;
    }
    server {
        listen       3436;
        proxy_pass vhpservices;
    }
    server {
        listen       3437;
        proxy_pass vhpmart;
    }


    server {
        listen  6001;
        proxy_pass webserver-cluster;
    }
    server {
        listen  6002;
        proxy_pass core-cluster;
    }
    server {
        listen  6003;
        proxy_pass mart-cluster;
    }
    server {
        listen  6004;
        proxy_pass services-cluster;
    }
}

From the above we have three real sections:

1) Up-streams - These are the IP:PORT connections to the necessary up-stream servers. For each up-stream there are two declarations on the bastion server, one for SSH (22) and one for Docker (6000).

2) SSH Servers - These servers map requests on ports (3434, 3435…) to the matching up-stream on port 22.

3) Docker Servers - These servers map requests on ports (6001, 6002…) to the matching up-stream on port 6000.
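To check what a given stream config actually exposes before opening the security group, here is an added Python audit script (not part of this repo) that parses the upstream and server blocks, builds the bastion-port-to-backend table, and flags a proxy_pass that names no declared upstream or a backend host missing one of its two declarations (SSH 22 and Docker 6000). The sample config embedded in it is constructed from the page's config, with one deliberate error on port 6005 and one missing Docker declaration.

```python
import re

# Constructed sample modelled on this page's stream config: the core cluster with both
# declarations, vhpmart with only its SSH declaration, and a proxy_pass (port 6005) that
# points at an upstream that was never declared.
SAMPLE_CONF = """
stream {
    upstream vhpcore { server 10.0.2.212:22; }
    upstream core-cluster { server 10.0.2.212:6000; }
    upstream vhpmart { server 10.0.2.116:22; }
    server { listen 3434; proxy_pass vhpcore; }
    server { listen 6002; proxy_pass core-cluster; }
    server { listen 3437; proxy_pass vhpmart; }
    server { listen 6005; proxy_pass services-cluster; }
}
"""
UPSTREAM_RE = re.compile(r"\bupstream\s+([\w-]+)\s*\{([^}]*)\}")
SERVER_RE = re.compile(r"\bserver\s*\{([^}]*)\}")  # '\b' keeps 'vhpwebserver {' from matching
EXPECTED_PORTS = {22, 6000}  # SSH and Docker: the two backend ports this bastion forwards

def parse_stream_conf(text):
    """Return (upstream name -> backend addresses, bastion listen port -> upstream name)."""
    upstreams = {name: re.findall(r"\bserver\s+([\d.]+:\d+)", body)
                 for name, body in UPSTREAM_RE.findall(text)}
    listeners = {}
    for body in SERVER_RE.findall(text):
        port = re.search(r"\blisten\s+(\d+)", body)
        target = re.search(r"\bproxy_pass\s+([\w-]+)", body)
        if port and target:
            listeners[int(port.group(1))] = target.group(1)
    return upstreams, listeners

def exposure_table(text):
    """Bastion port -> backend it forwards to (None when proxy_pass names no declared upstream)."""
    upstreams, listeners = parse_stream_conf(text)
    return {port: (upstreams.get(name) or [None])[0] for port, name in sorted(listeners.items())}

def audit(text):
    """Findings to clear before opening the security group: dangling proxy_pass targets and
    backend hosts that do not have exactly the SSH (22) and Docker (6000) declarations."""
    upstreams, listeners = parse_stream_conf(text)
    findings = [f"port {port} proxies to undeclared upstream '{name}'"
                for port, name in sorted(listeners.items()) if name not in upstreams]
    ports_by_host = {}
    for addr in (a for addrs in upstreams.values() for a in addrs):
        host, port = addr.rsplit(":", 1)
        ports_by_host.setdefault(host, set()).add(int(port))
    for host, ports in sorted(ports_by_host.items()):
        if ports != EXPECTED_PORTS:
            findings.append(f"{host} forwards backend ports {sorted(ports)}, expected {sorted(EXPECTED_PORTS)}")
    return findings
```

Run `exposure_table` and `audit` on the real nginx config file contents to get the table of bastion ports and the findings for this bastion.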

Up-Streams

The available up-streams are described by private IP addresses. Our current network setup allows these IP addresses to remain constant. For consistency we use the cluster name as the EC2 unit name. You may see units with a prefix describing the attached network, like prod- or dev-.

VHPportal

Core Cluster

Services Cluster

Mart Cluster