terraform-azurerm-terraform-enterprise icon indicating copy to clipboard operation
terraform-azurerm-terraform-enterprise copied to clipboard

Published 20 hours ago verified publisher icon hashicorp

Option for private deployment

Open pearcec opened this issue 5 years ago • 9 comments

I just finished a deployment and it is failing to install. It is hanging on healthstatus from a public IP. We don't have public IPs as a workable option in our private environment with our hub/spoke model and User Default Routes forcing tunneling traffic. I am not sure how difficult it would be to eliminate Public IPs and use the Private IPs instead. There should also be an option which would utilized Private DNS with an option to disable it. With have a 3rd party solution. I am happy to work on code. If there are prior thoughts or plans please share.

pearcec avatar Jan 13 '20 19:01 pearcec

Challenges

  • LB need to have a type/count solution to pick between the different type of frontend configurations
  • a subnet needs to be passed in -- should provide the option of which subnet

pearcec avatar Jan 15 '20 16:01 pearcec

One serious challenge we've encountered with trying to accomplish this thing is Azure Internal Load Balancers have issues if backend nodes send traffic to the load balancer and get mapped back to themselves. TCP flows break entirely because of how Azure re-writes source IPs. This causes basically everything to fail because the install process involves nodes calling the load balancer to access the Kubernetes API server. For the first primary VM, this will always get mapped back to itself, stalling the entire installation.

So far we've had to resort to using a public LB with an NSG locking down access to only the public IP of the load balancer (effectively only allowing self-referential access from the backend nodes). There are other solutions such as using a scale set of VMs running something like Nginx or HAProxy to act as a reverse proxy but that adds additional cost and complexity.

Reference: https://docs.microsoft.com/en-us/azure/load-balancer/concepts-limitations#limitations

sean-nixon avatar Feb 04 '20 15:02 sean-nixon

AH I see, I will have to take a second look at this from a security perspective given your locking down at a NSG level. I might need to adjust my routes for the load balancer.

pearcec avatar Feb 11 '20 15:02 pearcec

A quick disclaimer since I don't think I really made it clear before, I'm not directly involved with Hashicorp or maintaining this module. I'm currently trying to implement a deployment of this for a client. The only other workaround we found so far would be to put a cluster of VMs running nginx or HAProxy behind an internal load balancer and use them as a proxy for self-referential traffic. This would require modifying this module considerably and adds additional cost and management overhead.

sean-nixon avatar Feb 11 '20 15:02 sean-nixon

Hi there! @sean-nixon hit the nail on the head with one of the challenges we've run into with the Azure implementation re: why it's currently a public LB (and the Google one too, but I think in a slightly different way).

There are some options in this area, one of which is HAProxy or similar, and another is something like what is in the refactor of the Google modules where there's a bit of a IPTables "sandwich" playing this role: https://github.com/hashicorp/terraform-google-terraform-enterprise/pull/38 (I believe it's the internal_lb module).

We're looking to do a similar refactor over here very soon which would fix this issue or at very least make it so you could replace it with your own solution in the middle if ours didn't suit the particular situation.

bnferguson avatar Feb 11 '20 16:02 bnferguson

So far we've had to resort to using a public LB with an NSG locking down access to only the public IP of the load balancer (effectively only allowing self-referential access from the backend nodes). There are other solutions such as using a scale set of VMs running something like Nginx or HAProxy to act as a reverse proxy but that adds additional cost and complexity.

Reference: https://docs.microsoft.com/en-us/azure/load-balancer/concepts-limitations#limitations

How do you access the console then? Assuming you need to have DNS setup for the public IP to point to tfedev.domain do you just setup DNS internally with a different hostname and use subject alternative names to connect? Are you using azure dns?

pearcec avatar Mar 20 '20 14:03 pearcec

@pearcec We are using split-horizon DNS to access the console/app over the internal load balancer using internal AD DNS (not automated unfortunately).

For initial testing and debugging, we're also whitelisting our own public IP in the NSG and using the public LB to access the app. That's also our emergency access model if for some reason we can't reach the app over the internal network due to a misconfiguration, outage, etc.

sean-nixon avatar Mar 20 '20 14:03 sean-nixon

@pearcec We are using split-horizon DNS to access the console/app over the internal load balancer using internal AD DNS (not automated unfortunately).

Ah, ok so you are using two load balancers?

I am trying to read up on the Load Balancer Floating IP and wondering if there is a mechanism to handle this

pearcec avatar Mar 20 '20 17:03 pearcec

@pearcec Can't really advise on your current setup but yes we have two load balancers because it's not possible mix public and private frontends on Azure Load Balancer.

sean-nixon avatar Mar 20 '20 20:03 sean-nixon