[Sks-devel] Operational question for all
Jeremy T. Bouse
2018-03-14 05:26:22 UTC
    I've been running my SKS cluster under Docker for a while now and my
current Docker cluster is currently Tango Uniform it would appear (hence
sks.undergrid.net being offline still). I've got an ECS (Docker-based)
cluster already running and operational in AWS that I could move the
service over to; however, the issue that has kept me from doing so is the
operational difference it would incur. Looking to get some opinions and
see if I'm overthinking it or if I'd be good to go.

    First of all, the cluster is in a private subnet with no direct
internet, so it gets NAT'd outbound from an IP address that would not
match the inbound IP address to be used. Second is the fact that because
of it being in a private subnet I'd have to use a LB (ELB or NLB given
the multiple ports required and only able to apply to one LB for all)
in a public subnet. The way AWS does their LB, it doesn't necessarily
have a static IP address as they may change it for DDoS prevention, but
my hostnames would be able to resolve to IP addresses using Route53
ALIAS records. As I understand it the gossip port (11370/tcp) is not
HTTP based, so it couldn't go through an ALB (application) and would need
to be pass-thru, so that would mean NLB (network) or ELB (classic). The
HKP port (11371/tcp) could still be run through any LB, but since you can
only have a container configured to join one LB that would likely mean
needing to use an ELB so I could perform pass-thru for gossip and
HTTP/HTTPS for the HKP port, where the NLB would just pass-thru both to the
container.

    The other likely result of this move would be I'd go from actually
having 2 nodes running to only 1 node, but it would be able to restart
immediately if it crashed.
Hendrik Visage
2018-03-14 05:55:44 UTC
Post by Jeremy T. Bouse
I've been running my SKS cluster under Docker for a while now and my
current Docker cluster is currently Tango Uniform it would appear (hence
sks.undergrid.net being offline still). I've got an ECS (Docker-based)
cluster already running and operational in AWS that I could move the
service over to however the issue that has kept me from doing so is the
operational difference it would incur. Looking to get some opinions and
see if I'm overthinking it or if I'd be good to go.
First of all the cluster is in a private subnet with no direct
internet so it gets NAT'd outbound from an IP address that would not
match the inbound IP address to be used.
From what I’ve seen thus far, gossiping/recon coming from an IP that’s not resolving
from those names in the membership file gets ignored.

That might be a version 2 feature request: have peers authenticated not based on IP, but on pub/private keys


---
Hendrik Visage
HeViS.Co Systems Pty Ltd
T/A Envisage Systems / Envisage Cloud Solutions
+27-84-612-5345 or +27-21-945-1192
***@envisage.co.za
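The two messages above describe one failure mode from both sides: Jeremy's node would egress through a NAT address that differs from the address its hostname resolves to, and Hendrik reports that SKS ignores recon from any source address that does not resolve from a membership-file hostname. The script below is an added illustration, not code from SKS or from either poster: it models that IP-based peer check over a constructed membership file and a constructed DNS table, and adds a pre-deployment check a node operator can run to catch the NAT mismatch before peers start dropping the gossip. The membership format (one "hostname port" pair per line, `#` comments), the hostnames and all addresses are assumptions made up for the example.

```python
"""Model of the IP-based peer check described in the thread (added example,
not SKS's own code). A recon/gossip connection is accepted only when its
source address is one that some hostname in the membership file resolves to.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed membership file in the assumed "hostname port" form; these are
# not real peers.
MEMBERSHIP = """\
# hostname             recon port
sks.example-peer-a.org 11370
sks.example-peer-b.net 11370   # sits behind a cloud load balancer
"""

# Constructed DNS view used instead of real lookups so the example runs offline.
FAKE_DNS: Dict[str, List[str]] = {
    "sks.example-peer-a.org": ["198.51.100.10"],
    # A load balancer may publish several addresses; all of them are allowed.
    "sks.example-peer-b.net": ["203.0.113.20", "203.0.113.21"],
}

Resolver = Callable[[str], List[str]]


def fake_resolve(hostname: str) -> List[str]:
    """Stand-in for DNS resolution (hypothetical; a real check would use
    socket.getaddrinfo)."""
    return FAKE_DNS.get(hostname, [])


def parse_membership(text: str) -> List[Tuple[str, int]]:
    """Parse 'hostname port' lines, ignoring blank lines and # comments."""
    peers: List[Tuple[str, int]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or not parts[1].isdigit():
            raise ValueError(f"malformed membership line: {raw!r}")
        peers.append((parts[0], int(parts[1])))
    return peers


def allowed_peer_addresses(peers: List[Tuple[str, int]],
                           resolve: Resolver) -> Dict[str, str]:
    """Map every address a membership hostname resolves to back to that host."""
    table: Dict[str, str] = {}
    for host, _port in peers:
        for addr in resolve(host):
            table[str(ipaddress.ip_address(addr))] = host
    return table


def check_recon_source(src_ip: str, peers: List[Tuple[str, int]],
                       resolve: Resolver) -> Tuple[bool, str]:
    """Decide whether a connection from src_ip would be treated as a member."""
    table = allowed_peer_addresses(peers, resolve)
    key = str(ipaddress.ip_address(src_ip))
    if key in table:
        return True, f"accepted: {src_ip} is an address of member {table[key]}"
    return False, f"ignored: {src_ip} does not resolve from any membership hostname"


def egress_matches_advertised(own_hostname: str, egress_ip: str,
                              resolve: Resolver) -> bool:
    """Pre-deployment check for the operator: will the address our outbound
    gossip leaves from be one that our own hostname resolves to? A NAT
    gateway or a load balancer with a separate egress path makes this False."""
    advertised = {str(ipaddress.ip_address(a)) for a in resolve(own_hostname)}
    return str(ipaddress.ip_address(egress_ip)) in advertised


if __name__ == "__main__":
    peers = parse_membership(MEMBERSHIP)
    for src in ("198.51.100.10", "203.0.113.21", "203.0.113.99"):
        print(check_recon_source(src, peers, fake_resolve)[1])
    # Peer B's inbound addresses are fine, but its NAT egress address is not
    # advertised, so other nodes would ignore the gossip it initiates.
    ok = egress_matches_advertised("sks.example-peer-b.net", "203.0.113.99",
                                   fake_resolve)
    print("egress matches advertised addresses:", ok)
```

Running it accepts the two advertised addresses, reports the NAT address 203.0.113.99 as ignored, and the egress check returns False for peer B; the same mismatch is what would happen to a node in a private subnet whose outbound traffic leaves through a NAT gateway while its hostname points at a load balancer.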
