VM setup
For the test and QA platform, as well as for the initial pilot platform, the generic setup described below will be used.
VM pairs
A total of 3 pairs of VMs (6 in total) is allocated.
Each pair has a distinct role in the setup:
- The LB* nodes handle load balancing and HTTPS termination. LB nodes do not share any state.
- The COAA* pair of nodes provides the comanage, SAML AA and VOOT vhosts and has a MySQL database which runs in master/master configuration. COAA nodes share state via the MySQL database.
- The TEIP* pair of nodes provides a vhost for the TEIP service and has a MySQL database which runs in master/master configuration. TEIP nodes share state through the MySQL database.
VM naming
Technical names
The VMs have technical names that are independent of the physical platform they are deployed on. This is achieved by setting CNAMEs for the various components that point to the physical instances.
Technical names use the *.vopaas.geant.org subdomain and have a prefix depending on the platform: either DEV, TEST or PILOT.
Technical names are used as deployment targets and in logging.
VM name (Cname for VM platform name) | v4 IP | v6 IP | VM Platform name | vhosts |
---|---|---|---|---|
lb1.{dev|test|pilot}.vopaas.geant.org | tbd | tbd | something.okeanos.gr | |
lb2.{dev|test|pilot}.vopaas.geant.org | tbd | tbd | ip.vms.niif.hu | |
ns1.{dev|test|pilot}.vopaas.geant.org | tbd | tbd | somebox.pt-27.utr.surfcloud.nl | |
ns2.{dev|test|pilot}.vopaas.geant.org | tbd | tbd | etc | |
coaa1.{dev|test|pilot}.vopaas.geant.org | tbd | tbd | ... | comanage.* aa.* voot.* |
coaa2.{dev|test|pilot}.vopaas.geant.org | tbd | tbd | ... | comanage.* aa.* voot.* |
teip1.{dev|test|pilot}.vopaas.geant.org | tbd | tbd | ... | id.* |
teip2.{dev|test|pilot}.vopaas.geant.org | tbd | tbd | ... | id.* |
Functional names
Functional names use the eduteams.org domain.
A srv.{dev|test|pilot}.eduteams.org subdomain is delegated to the DNS nameservers that live on the lb*.{dev|test|pilot}.vopaas.geant.org nodes. This srv.* domain holds the authoritative name server for DNS requests for the various platforms {dev|test|pilot}.
It serves CNAMEs for the functional hosts, telling the proxy on lb* which node to query for the service response.
Functional names | target |
---|---|
registry.{dev|test|pilot}.eduteams.org | coaa{1|2}.{dev|test|pilot}.vopaas.geant.org |
aa.{dev|test|pilot}.eduteams.org | coaa{1|2}.{dev|test|pilot}.vopaas.geant.org |
voot.{dev|test|pilot}.eduteams.org | coaa{1|2}.{dev|test|pilot}.vopaas.geant.org |
id.{dev|test|pilot}.eduteams.org | teip{1|2}.{dev|test|pilot}.vopaas.geant.org |
By tying the availability of the technical infrastructure to the DNS configuration on the LB nodes, the LB only ever proxies to vhosts that are actually available.
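The following is an added example, not part of this page or of the project's deployment scripts. It shows one way the "only proxy to available vhosts" rule can be realised: a script run on the lb* nodes that maps each functional name of the table above to its backend pair, probes both nodes of the pair and emits a CNAME record only for a node that answers. The probe (an HTTP GET on port 80 with the functional name as Host header), the record format and the hypothetical script name are assumptions; because a DNS owner name may carry only one CNAME, the first healthy node of the pair is chosen.

```shell
#!/bin/sh
# Constructed example (not the project's own code): build the CNAME records the
# lb* nameservers serve for one platform, pointing each functional name at a
# technical node of the matching pair, but only if that node's vhost answers.
# Assumptions: probe = HTTP GET on port 80 with the functional FQDN as Host
# header; record layout is a plain zone-file line; PLATFORM defaults to dev.

PLATFORM="${PLATFORM:-dev}"

# Functional host -> backend pair prefix, taken from the functional-names table.
backend_pair() {
  case "$1" in
    registry|aa|voot) echo coaa ;;
    id)               echo teip ;;
    *)                return 1 ;;
  esac
}

# Probe one technical node for a functional vhost. Exit 0 means "healthy".
# -f makes curl fail on HTTP >= 400, so a broken vhost counts as unavailable.
# Dry runs and tests can redefine this function instead of touching the network.
probe_backend() {
  node="$1"; fqdn="$2"
  curl -sf -o /dev/null -m 3 -H "Host: $fqdn" "http://$node/"
}

# Emit one CNAME per functional name that has a healthy node; a name with no
# healthy node is withheld (and reported on stderr) so the LB never sees it.
emit_cnames() {
  for name in registry aa voot id; do
    pair="$(backend_pair "$name")" || continue
    fqdn="$name.$PLATFORM.eduteams.org"
    target=""
    for n in 1 2; do
      node="$pair$n.$PLATFORM.vopaas.geant.org"
      if probe_backend "$node" "$fqdn"; then target="$node"; break; fi
    done
    if [ -n "$target" ]; then
      printf '%s. IN CNAME %s.\n' "$fqdn" "$target"
    else
      echo "WARNING: no healthy node for $fqdn, record withheld" >&2
    fi
  done
}

# Usage: PLATFORM=test sh build-cnames.sh run > srv-records.zone
if [ "${1:-}" = "run" ]; then emit_cnames; fi
```

Withholding the record rather than pointing it at a dead node is the important design choice: a missing name fails fast at the proxy, whereas a stale CNAME would make the LB forward requests into a backend that is down.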
Access to services
For access to the services, the only reachable ports are HTTPS/443 and DNS/53 on the load balancers.
The load balancers proxy HTTP traffic to and from the vhosts on the VMs on port 80, for their own platform (dev/test/pilot) only.
Access to VMs
All non-public access goes via a bastion host.
Access to port 80 is restricted to the LB nodes and the bastion host.
Access to ports 22, 443 and 3306 is restricted to the bastion host.
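As an added example (not from this page or the project), the access rules of the last two sections can be rendered as a host firewall on each VM. The script below produces an nftables input policy for a role: "lb" exposes 443 and 53 and takes SSH from the bastion only, "backend" (coaa*/teip*) takes 80 from the LB nodes and the bastion and 22/443/3306 from the bastion only, everything else is dropped and logged. All addresses are placeholders (the page lists them as tbd). One assumption goes beyond the page: MySQL master/master replication needs 3306 between the two nodes of a pair, so an optional PEER address is allowed on 3306 as well.

```shell
#!/bin/sh
# Constructed example: render an nftables ruleset implementing the access rules
# for one VM role. Addresses are placeholders (TEST-NET-1); supply real ones via
# BASTION, LB_NODES and PEER. Apply with: sh render-nft.sh backend | nft -f -

BASTION="${BASTION:-192.0.2.10}"                 # placeholder bastion address
LB_NODES="${LB_NODES:-192.0.2.21, 192.0.2.22}"   # placeholder LB pair
PEER="${PEER:-}"  # other node of the pair; assumption: replication uses 3306

render_ruleset() {
  role="$1"
  cat <<EOF
flush ruleset
table inet filter {
  set lb_nodes { type ipv4_addr; elements = { $LB_NODES } }
  set bastion  { type ipv4_addr; elements = { $BASTION } }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
EOF
  case "$role" in
    lb)
      # Public service ports; SSH only via the bastion (non-public access).
      cat <<EOF
    tcp dport 443 accept
    tcp dport 53 accept
    udp dport 53 accept
    ip saddr @bastion tcp dport 22 accept
EOF
      ;;
    backend)
      # Port 80 from the LB nodes and bastion; 22/443/3306 from the bastion.
      cat <<EOF
    ip saddr @lb_nodes tcp dport 80 accept
    ip saddr @bastion tcp dport { 22, 80, 443, 3306 } accept
EOF
      if [ -n "$PEER" ]; then
        printf '    ip saddr %s tcp dport 3306 accept\n' "$PEER"
      fi
      ;;
    *)
      echo "unknown role: $role (use lb or backend)" >&2
      return 1 ;;
  esac
  cat <<EOF
    log prefix "nft-drop " counter drop
  }
}
EOF
}

# Usage: sh render-nft.sh backend   (prints the ruleset to stdout)
if [ -n "${1:-}" ]; then render_ruleset "$1"; fi
```

The default policy is drop with an explicit logged drop rule at the end, so any attempt to reach 3306 or 22 from somewhere other than the bastion shows up in the kernel log with the "nft-drop" prefix; that log line is the detection hook for the restriction the page describes.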