====== Create a Private Network with Gandi CLI (VLAN) ======
Create a Private Network (VLAN) to scale your app and its DB with Gandi CLI.
===== Introduction =====
The objective of this tutorial is to help you set up your first private network
using [[http://cli.gandi.net|Gandi CLI]].
For that purpose, let's assume that we have an existing server that we use to
host an application and its database. Our application is growing and the server
is maxing out, so we decide to operate the application and the database separately.
This way, we can have many instances of our application running on different
servers, all connecting to the same database that can be scaled independently.
So we'll create a new server to host the database on a private network that
only our application servers can access.
We'll start by creating our private network, to which we'll attach our existing
server, which will also be the network's gateway for the purpose of this tutorial.
Then, we'll create a new server (our database server) and add it to the private
network as well. In the process, we'll set up an SSH access strategy and we'll test
it all at the end to make sure your private network is up and running.
We also have some useful links at the bottom for you to continue your setup, or
dive deeper into important subjects.
===== Step 1 - Create your private network =====
Here are some of the aspects we'll have to take into consideration:
* We need to set up the network addresses consistently (as for a regular LAN)
* All the VMs and the network itself must be located in the same datacenter
* We can't directly access a VM that is only connected to a private network,
so we have to connect to the public VM first and access the private VM from it.
$ gandi vlan create --name mynetwork --datacenter LU \
--subnet 192.168.0.0/24 \
--gateway 192.168.0.10
We choose to have our addresses in the ''192.168.0.0/24'' subnet, which means
we'll have IPs that look like ''192.168.0.1'', ''192.168.0.2'', ''192.168.0.3'' and
so on, up until ''192.168.0.254'' (''192.168.0.0'' and ''192.168.0.255'' are the
network and broadcast addresses and are not assigned to a VM).
We also choose to set a gateway at ''192.168.0.10''. Our app server can access
the Internet thanks to its public interface, and we'll set it up to act as
the gateway so that our private server can reach the Internet (or even
just Gandi's software package mirrors). Keep in mind that this makes the app
server the single path between the private network and the outside world, so
it is also the place to filter what the private servers are allowed to reach.
For more information about how VLANs work at Gandi, please check out
the [[http://wiki.gandi.net/en/iaas/references/network/pvlan|VLAN reference documentation]].
===== Step 2 - Setting up an access strategy =====
At the moment, you cannot use the [[http://wiki.gandi.net/en/iaas/references/server/emergency_console|emergency console]] to access servers that only have private interfaces. While we are working on this feature, please make sure your SSH setup works properly.
Servers that are only accessible on private networks (i.e., servers that only have
private interfaces) can only be reached through servers that also have a public
interface.
We'll be using our existing app server to connect to the database server via
SSH. We must therefore select the appropriate shell authentication method,
choosing between password or an SSH key.
SSH keys are usually preferred, for both security and convenience, and this is
what we'll use. That requires either a copy of our private key on the gateway
server, or agent forwarding configured on the local workstation.
We recommend agent forwarding over copying your private key to your servers: the
key then never leaves your workstation. Be aware, though, that while a forwarded
session is open, anyone with root on appserver01 can use your agent socket to
authenticate as you. Only forward your agent to hosts you control, and add your
key with ''ssh-add -c'' so that the agent asks for confirmation on every use.
$ gandi vm info appserver01
Run the command above to obtain your current server's public IP address, which
will be needed to set up your SSH config.
The idea is to forward your SSH agent to appserver01 when you connect, so that
from there you can authenticate to private servers on the same network with
your key, without ever copying the key to appserver01.
For that, make sure that you enable agent forwarding in your SSH client config
and that you have added your key to the agent.
$ vim ~/.ssh/config
# add the following entry to your ssh config
# (ssh_config does not allow trailing comments, so keep the comments on their own lines)
Host appserver01
# appserver01's public IP address, as printed by "gandi vm info appserver01"
HostName
# path to your private key
IdentityFile
ForwardAgent yes
# add your key to the agent; -c makes the agent ask for confirmation each time the key is used
$ ssh-add -c
You can also connect to the server using
''ssh -A root@'', which enables agent forwarding for
that session only. Make sure you have added your SSH key to the agent in that case too.
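The following script, added here as an example and not part of the original tutorial, writes both access strategies into an SSH client configuration: the agent-forwarding stanza for appserver01 described above, and a second stanza for dbserver01 that uses ''ProxyJump'' instead, so that appserver01 only relays a TCP connection to ''192.168.0.9'' (the address given to the database server in Step 4) and your agent is never exposed on the gateway. ''ProxyJump'' needs OpenSSH 7.3 or newer on the workstation and TCP forwarding left enabled in sshd on appserver01, which is the default. The key path ''~/.ssh/id_ed25519'' and the public address ''203.0.113.10'' in the usage comment are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): render and install the two
# ~/.ssh/config stanzas for reaching dbserver01 through appserver01.
# Assumptions: key at ~/.ssh/id_ed25519 (placeholder), appserver01's public IP
# is passed in as $1, the DB server sits at 192.168.0.9 as in Step 4.
set -eu

# Print the config stanzas. $1 = appserver01 public IP (from "gandi vm info
# appserver01"), $2 = path to your private key.
render_ssh_config() {
    public_ip=$1
    keyfile=$2
    cat <<EOF
# Strategy A: agent forwarding. Works, but while you are logged in, anyone
# with root on appserver01 can use your agent socket to sign with your key.
Host appserver01
    HostName ${public_ip}
    User root
    IdentityFile ${keyfile}
    ForwardAgent yes

# Strategy B: ProxyJump. appserver01 only relays a TCP connection to
# 192.168.0.9; authentication happens end to end and no agent is exposed.
Host dbserver01
    HostName 192.168.0.9
    User root
    IdentityFile ${keyfile}
    ProxyJump appserver01
    ForwardAgent no
EOF
}

# Append the stanzas to a config file ($3, default ~/.ssh/config) unless the
# dbserver01 stanza is already there. Keeps the file private (mode 600).
install_ssh_config() {
    target=${3:-"$HOME/.ssh/config"}
    if grep -q '^Host dbserver01$' "$target" 2>/dev/null; then
        echo "dbserver01 stanza already present in $target" >&2
        return 0
    fi
    mkdir -p "$(dirname "$target")"
    ( umask 077; render_ssh_config "$1" "$2" >> "$target" )
    chmod 600 "$target"
}

# Quick audit: how many Host stanzas in a config file forward the agent?
# Forwarding should only be enabled for hosts you fully control.
count_forwarding_hosts() {
    awk 'tolower($1)=="forwardagent" && tolower($2)=="yes" {n++} END {print n+0}' "$1"
}

# Usage on the workstation (203.0.113.10 is a placeholder public IP):
#   ssh-add -c ~/.ssh/id_ed25519          # -c: the agent asks before each signature
#   install_ssh_config 203.0.113.10 ~/.ssh/id_ed25519
#   ssh dbserver01                        # strategy B: straight to the private host
#   ssh appserver01                       # strategy A: then "ssh root@192.168.0.9" from there
```

With strategy B you can also copy files to the private server directly from the workstation (''scp dump.sql dbserver01:''), which is awkward to do through a forwarded agent.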
===== Step 3 - Attach and setup the existing server as the gateway =====
To connect a server to a private network, we have to create a new private
interface and attach it to the server.
$ gandi ip create --vlan mynetwork --ip 192.168.0.10 --attach appserver01
Great, now our server has two IPs: a public address and a private address attached
to our VLAN.
When we created our VLAN, we used this server's private IP address as the gateway.
In a production scenario, this server may be short-lived, and we would probably
want to use another server, dedicated to management for example, as the gateway.
To complete this server's setup as a gateway, you need to enable IP forwarding
and masquerading. For example on a Debian / Ubuntu server, you can do this:
local $> gandi vm ssh appserver01
# Enable IP forwarding
appserver01 #> cp /etc/gandi/sysctl.conf /etc/sysctl.d/gandi
appserver01 #> vim /etc/sysctl.d/gandi
# Set the following in /etc/sysctl.d/gandi (the copied file has it set to 0)
net.ipv4.ip_forward = 1
appserver01 #> vim /etc/default/gandi
# set to 0 so that Gandi's own sysctl options are not loaded over yours
CONFIG_SYSCTL=0
appserver01 #> /etc/init.d/networking restart
# Check that forwarding is really on: expect "net.ipv4.ip_forward = 1"
appserver01 #> sysctl net.ipv4.ip_forward
# Use iptables to set up a basic NAT. eth0 is the public interface here (check
# yours with "ip addr"). Note that this rule is not persistent across reboots.
appserver01 #> apt-get install iptables
appserver01 #> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
With this setup, private servers can route their requests through this server
to access the Internet, for example to do software installations and updates.
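The MASQUERADE rule above is enough to get the private server online, but with forwarding enabled and an empty FORWARD chain the gateway will relay anything that reaches it. The script below, added here as an example and not part of the original tutorial, does the gateway setup in a more guarded way: it renders the iptables commands so you can review them before applying, restricts NAT to the VLAN subnet leaving on the public interface, sets the FORWARD chain to drop everything except outbound traffic from the VLAN and the replies to it, and verifies the result. It assumes (not stated on the page) that the public interface is ''eth0'' and the private one ''eth1''; check both with ''ip -br addr''. The sysctl drop-in it writes is the generic Debian mechanism (files under ''/etc/sysctl.d'' must end in ''.conf'' to be read by ''sysctl --system''); keep the page's ''CONFIG_SYSCTL=0'' step so that Gandi's own sysctl options do not reset ''ip_forward''.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: guarded gateway setup.
# Assumptions (not from the page): public interface eth0, private interface
# eth1, VLAN subnet 192.168.0.0/24 as in Step 1. Run as root on the gateway.
set -eu

# Render the iptables commands. $1 = private subnet, $2 = public interface,
# $3 = private interface. Printing first lets you review (or diff against a
# running box) before anything is applied.
gateway_rules() {
    subnet=$1; pub=$2; priv=$3
    cat <<EOF
iptables -t nat -F POSTROUTING
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -i ${priv} -o ${pub} -s ${subnet} -j ACCEPT
iptables -A FORWARD -i ${pub} -o ${priv} -d ${subnet} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s ${subnet} -o ${pub} -j MASQUERADE
EOF
}

# Render the sysctl drop-in that turns forwarding on.
gateway_sysctl() {
    cat <<EOF
net.ipv4.ip_forward = 1
EOF
}

# Apply everything on the gateway (root required). Arguments as gateway_rules.
# The ruleset is saved so it can be restored at boot (iptables-restore).
apply_gateway() {
    gateway_sysctl > /etc/sysctl.d/99-gateway.conf
    sysctl -p /etc/sysctl.d/99-gateway.conf
    gateway_rules "$@" | sh -e
    if command -v iptables-save >/dev/null 2>&1; then
        iptables-save > /etc/iptables.rules
    fi
}

# Verify: forwarding is on and a MASQUERADE rule exists for the subnet ($1).
check_gateway() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ] \
        || { echo "ip_forward is off" >&2; return 1; }
    iptables -t nat -S POSTROUTING | grep -q -e "-s $1 .* -j MASQUERADE" \
        || { echo "no MASQUERADE rule for $1" >&2; return 1; }
    echo "gateway OK"
}

# Usage on appserver01 (as root):
#   gateway_rules 192.168.0.0/24 eth0 eth1     # review first
#   apply_gateway 192.168.0.0/24 eth0 eth1
#   check_gateway 192.168.0.0/24
```

The FORWARD policy is what keeps a compromised private server from using the gateway to reach hosts other than its own replies, and it is also what blocks anything arriving on the public interface from being forwarded into the VLAN. If you later add more private subnets or a second VLAN, extend the ACCEPT rules rather than reopening the policy.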
Now we can go ahead and create a new server for our database, attaching it to
our PVLAN with an IP address of our choice.
===== Step 4 - Create a new server and attach it to the private network =====
$ gandi vm create --name dbserver01 --datacenter LU \
--vlan "mynetwork" --ip 192.168.0.9 \
--sshkey
With this simple command we create our new VM and attach it to our private
network, with the IP address of our choice (within the VLAN's subnet, of course).
Once our new database server comes online, we'll be able to access it via
appserver01, our server that has two network interfaces.
===== Step 5 - Finish your setup =====
Now you can access your public server and connect to the private server from it.
local $> gandi vm ssh appserver01 -- -A
appserver01 #> ssh root@192.168.0.9
dbserver01 #> # we're now inside our private server
You should now make sure that your private IP is set up correctly and
that you are indeed using your public server as the gateway. Test the VLAN
first (the gateway's private address), then the Internet through it:
dbserver01 #> ping -c 3 192.168.0.10 # the gateway, over the VLAN: should work
dbserver01 #> ping -c 3 gandi.net # through the gateway: should work
If you can't access the Internet, check the default route: it should point at
the gateway. You can either add the route by hand, or add the gateway address
to your interface configuration so that it survives a reboot. If a public IP
address answers but a hostname does not, the problem is name resolution
(''/etc/resolv.conf'') rather than routing, since DNS queries also have to
go through the gateway.
dbserver01 #> ip route show # should list "default via 192.168.0.10"
dbserver01 #> ip route add default via 192.168.0.10
# or, with the legacy net-tools command: route add default gw 192.168.0.10
dbserver01 #> ping -c 3 gandi.net # should definitely work!
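The checks above can be bundled into a small script to run on each new private server before installing anything on it. This is an added example, not part of the original tutorial: it parses the default gateway out of ''ip route show'', confirms it is the address chosen in Step 1, and then tests the VLAN, the path to the Internet and name resolution in the order in which they can fail. It assumes iproute2 (''ip'') is installed, which is the case on current Debian / Ubuntu images, and takes the public IP to test with as an argument, since a name cannot be resolved until DNS works.

```shell
#!/bin/sh
# Added example, not from the original tutorial: verify a private server's
# network path through the gateway. Assumes iproute2 and the gateway address
# from Step 1 (192.168.0.10), passed in as $1.
set -eu

# Read "ip route show" output on stdin and print the default gateway, or
# nothing if no default route is set.
default_gateway() {
    awk '$1=="default" { for (i=1; i<NF; i++) if ($i=="via") { print $(i+1); exit } }'
}

# Return 0 if the default route goes through $1, else report what was found.
route_goes_via() {
    found=$(ip route show | default_gateway)
    if [ "$found" = "$1" ]; then
        return 0
    fi
    echo "default route via '${found:-none}', expected $1" >&2
    return 1
}

# $1 = gateway's private IP, $2 = a public IP address you are allowed to ping.
check_private_network() {
    gw=$1
    public_ip=$2
    # 1. the VLAN itself: the gateway's private address must answer
    ping -c 2 -W 2 "$gw" >/dev/null \
        || { echo "gateway $gw unreachable on the VLAN" >&2; return 1; }
    # 2. the default route must point at the gateway
    #    (fix: ip route add default via $gw)
    route_goes_via "$gw" || return 1
    # 3. forwarding + NAT on the gateway: a public IP, no DNS involved
    ping -c 2 -W 2 "$public_ip" >/dev/null \
        || { echo "no Internet via $gw: check ip_forward and MASQUERADE" >&2; return 1; }
    # 4. name resolution, which also has to travel through the gateway
    getent hosts gandi.net >/dev/null \
        || { echo "DNS fails: check /etc/resolv.conf" >&2; return 1; }
    echo "private network OK"
}

# Usage on dbserver01:
#   check_private_network 192.168.0.10 <a public IP you are allowed to ping>
```

Running the four checks in this order tells you which layer is broken: step 1 failing means the private interface or the VLAN attachment is wrong, step 2 the route, step 3 the gateway's forwarding or NAT, and step 4 only the resolver configuration.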
That's it. Now you can go on to configure your dedicated database server and
maybe even multiply the number of app servers that connect to it. All you
have to do is add them to the same private network using these commands.
===== Going further =====
* [[http://cli.gandi.net|Gandi CLI documentation for more information about available commands]]
* [[http://wiki.gandi.net/en/iaas/references/vlan |VLAN documentation on Gandi's wiki]]
* [[http://wiki.gandi.net/en/iaas/references/network|Network reference on Gandi's wiki]]
* [[http://wiki.gandi.net/en/iaas/references/web-accelerator#balance_http_load_over_multiple_servers_with_round_robin_or_client-ip|Load balancer documentation for horizontal scaling with multiple app servers]]
* Contact our support team or join the #gandi channel on IRC (Freenode network) for help