目錄表
Create a Private Network with Gandi CLI (VLAN)
Create a Private Network (VLAN) to scale your app and its DB with Gandi CLI.
Introduction
The objective of this tutorial is to help you setup your first private network using Gand CLI.
For that purpose, let's assume that we have an existing server that we use to host an application and its database. Our application is growing and the server is maxing out, so we decide to operate the application and the database separately.
This way, we can have many instances of our application running on different servers, all connecting to the same database that can be scaled independently. So we'll create a new server to host the database on a private network that only our application servers can access.
We'll start by creating our private network, to which we'll attach our existing server, which will also be the network's gateway for the purpose of this tutorial.
Then, we'll create a new server (our database server) and add it to the private network as well. In the process, we'll setup an ssh access strategy and we'll test it all in the end to make sure your private network is up and running.
We also have some useful links at the bottom for you to continue your setup, or dive deeper into important subjects.
Step 1 - Create your private network
Here are some of the aspects we'll have to take into consideration:
- We need to setup the network addresses consistently (as for a regular LAN)
- All the VMs and the network itself must be located on the same datacenter
- We can't directly access a VM that is only connected to a private network,
so we have to connect to the public VM first and access the private VM from it.
$ gandi vlan create --name mynetwork --datacenter LU \ --subnet 192.168.0.0/24 \ --gateway 192.168.0.10
We choose to have our addresses in the 192.168.0.0/24
subnet, which means
we'll have IP's that look like 192.168.0.1
, 192.168.0.2
, 192.168.0.3
and
so on, up until 192.168.0.254
.
We also choose to set a gateway at 192.168.0.10
. Our app server can access
the Internet thanks to its public interface and we'll set it up to acts as
the gateway to enable our private server to access the Internet (or even
just Gandi's software package mirrors).
For more information about how VLANs work at Gandi, please check out the VLAN reference documentation.
Step 2 - Setting up an access strategy
Servers that are only accessible on private networks (i.e that only have private interfaces) can only be accessed through servers that also have a public interface.
We'll be using our existing app server to connect to the database server via SSH. We must therefore select the appropriate shell authentication method, choosing between password or an SSH key.
SSH keys are usually preferred, for both security and convenience, and this is what we'll use. This requires our gateway server to either have a copy of our key, or for us to configure agent forwarding on the local workstation.
We recommend following the best practice of using SSH agent forwarding on your workstation, instead of copying your ssh key to your servers.
$ gandi vm info appserver01
Run the command above to obtain your current server's ip address, which will be needed to setup your ssh config.
The idea is to enable you to forward your ssh key to appserver01 on connection, therefore enabling you to connect to private servers on the same network from it, using your ssh key and without having to copy it to appserver01.
For that, make sure that you enable agent forwarding in your ssh client config and that you have added your key to the agent.
$ vim ~/.ssh/config # add the following entry to your ssh config Host appserver01 <ip of appserver01> IdentityFile </path/to/your/key> ForwardAgent yes $ ssh-add -c </path/to/your/key>
ssh -A root@<ip of appserver01>
, which will enable agent forwarding for
the session. Make sure you add your SSH key to the agent anyways.
Step 3 - Attach and setup the existing server as the gateway
To connect a server to a private network, we have to create a new private interface and attach it to the server.
$ gandi ip create --vlan mynetwork --ip 192.168.0.10 --attach appserver01
Great, now our server has 2 IPs: a public address and a private address, attached to our VLAN.
When we created our VLAN, we used this server's IP address as the gateway. In a our scenario, this server could be volatile and we would probably want to use another server, dedicated to management for example, as a gateway.
To complete this server's setup as a gateway, you need to enable ip forwarding and masquerading. For example on a Debian / Ubuntu server, you can do this:
local $> gandi vm ssh appserver01 # Enable IP forwarding appserver01 #> cp /etc/gandi/sysctl.conf /etc/sysctl.d/gandi appserver01 #> vim /etc/sysctl.d/gandi # Set the following in /etc/sysctl.d/gandi # net.ipv4.ip_forward = 0 net.ipv4.ip_forward = 1 appserver01 #> vim /etc/default/gandi # set to 0 to avoid loading Gandi sysctl options CONFIG_SYSCTL=0 appserver01 #> /etc/init.d/networking restart # Use iptables to setup a basic NAT appserver01 #> apt-get install iptables appserver01 #> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
With this setup, private servers can route their requests through this server to access the Internet, for example to do software installations and updates.
Now we can go ahead and create a new server for our database, attaching it to our PVLAN with an IP address of our choice.
Step 4 - Create a new server and attach it to the private network
$ gandi vm create --name dbserver01 --datacenter LU \ --vlan "mynetwork" --ip 192.168.0.9 \ --sshkey </path/to/your/key>
With this simple command we'll be creating our new VM and attaching it to our private network, with the IP address of our choice (within the vlan's subnet, of course)
Once our new database server comes online, we'll be able to access it via appserver01, our server that has two network interfaces.
Step 5 - Finish your setup
Now you can access your public server and connect to the private server from it.
local $> gandi vm ssh appserver01 -- -A appserver01 #> ssh root@192.168.0.9 dbserver01 #> # we're now inside our private server
You should now make sure that your private ip is setup correctly and that you are indeed using your public server as the gateway.
dbserver01 #> ping gandi.net # should work
If you can't access the Internet, you can either add a route or add the gateway address to your interface configuration.
dbserver01 #> route add default gw 192.168.0.10 dbserver01 #> ping gandi.net # should definitely work!
That's it. Now you can go on to configure your dedicated database server and maybe even multiply the number of app servers that connect to it. All you have to do is add them to the same private network using these commands.
Going further
- Contact our support team or join the #gandi channel on IRC (Freenode network) for help