July 13th, 2022
Machine translation is used partially for this article. See the Japanese version for the original article.
Introduction
We tried building an HA cluster that uses a proxy server on Amazon Web Services (hereinafter called "AWS"). In a previous blog, we introduced a configuration in which the HA cluster does not access the Internet, using VPC endpoints instead. However, some AWS services are not available via VPC endpoints, in which case an access path to the Internet is required.
When preparing an access route to the Internet, a NAT instance or NAT gateway can be used, but a proxy server provides more secure access to the Internet because it can restrict the connection destinations.
However, there are some precautions when using a proxy server, such as setting environment variables in advance.
This time, we introduce how to build an HA cluster based on DNS name control using a proxy server, including these precautions.
1. Advantages of Using Proxy Server
To use the AWS-related group resources and monitor resources of EXPRESSCLUSTER X, you need an environment in which the AWS CLI can run. When running the AWS CLI, each instance must communicate with the service endpoints in the region; in effect, the HA cluster needs a path to the Internet. The HA cluster can reach the endpoints in the region via a proxy server, NAT instance, NAT gateway, public IP, Elastic IP, VPC endpoint, etc.
The configuration using VPC endpoints, described in the previous blog, allows the HA cluster to reach the endpoints in the region with the AWS CLI without accessing the Internet.
- * A VPC endpoint is an AWS feature that provides a private connection between a VPC and other AWS services without going through an internet gateway, NAT instance, NAT gateway, etc.
If it is difficult to create a proxy server on AWS with the same security settings as the on-premises environment, the proxy server in the on-premises environment is sometimes used from AWS. If AWS and the on-premises environment are connected, for example via AWS Direct Connect, using the proxy server in the on-premises environment allows the connection destinations to be restricted at the same security level as the on-premises environment.
2. HA Cluster Configuration
We will build an "HA cluster based on DNS name control" in an Amazon Virtual Private Cloud (hereinafter called "VPC") environment in the N. Virginia region. This time, the proxy server is located in the on-premises environment.
As a stand-in for the on-premises environment, we build a client machine and a proxy server in the Singapore region, and connect the VPCs of the Singapore region and the N. Virginia region via VPN.
- * If you are actually connecting from an on-premises environment, replace the Singapore region below with your on-premises environment.
3. HA Cluster Building Procedure
Build an "HA cluster based on DNS name control".
3.1 Preparation for HA Cluster Building
Create a VPC and EC2 instances in advance. The VPC configuration is as follows:
- N. Virginia Region
  - VPC (VPC ID: vpc-1234abcd)
    - CIDR: 10.0.0.0/16
    - Subnets
      - Subnet-A2 (subnet ID: sub-2222aaaa): 10.0.110.0/24
      - Subnet-B2 (subnet ID: sub-2222bbbb): 10.0.120.0/24
    - Instances
      - Active EC2 (instance ID: i-2222aaaa): 10.0.110.100
      - Standby EC2 (instance ID: i-2222bbbb): 10.0.120.100
- Singapore Region
  - VPC (VPC ID: vpc-5678cdef)
    - CIDR: 11.0.0.0/16
    - Subnets
      - Subnet-A1 (subnet ID: sub-1111aaaa): 11.0.10.0/24
    - Instances
      - Client (instance ID: i-1111aaaa): 11.0.10.100
      - vyos (instance ID: i-1111bbbb): 11.0.10.150
      - proxy (instance ID: i-1111cccc): 11.0.10.200
Create the proxy server in the Singapore region. This time, we used Amazon Linux 2 and installed Squid.
After installing Squid, add the following settings to "squid.conf": define an ACL name and grant access permission to that ACL. Restart Squid after changing the settings.
Also, configure the security group to allow the port used by Squid.
- * These settings are kept simple for verification purposes; adjust them appropriately when you try this yourself.
  # vi /etc/squid/squid.conf
  acl myacl src 10.0.0.0/16    <-- Set this value according to the actual environment.
  http_access allow myacl
- * Add these lines before the "http_access deny all" line, so that the allow rule is evaluated first.
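The ordering note above is easy to get wrong by hand, because Squid evaluates http_access rules top to bottom and stops at the first match. The following shell script is an added example (not part of the article or of the EXPRESSCLUSTER documentation) that inserts the ACL and allow rule immediately before "http_access deny all" and then verifies the order before you restart Squid. The ACL name and CIDR are the ones used in the article; the function names, the temporary sample file and its contents are constructed for this example.

```shell
#!/bin/sh
# Added example: insert a Squid source ACL before "http_access deny all" and
# check the resulting order. Function names are this example's own.

# Print CONF with "acl NAME src CIDR" and "http_access allow NAME" inserted
# right before the first "http_access deny all" line. Other lines are copied.
# Usage: add_proxy_acl /etc/squid/squid.conf myacl 10.0.0.0/16 > squid.conf.new
add_proxy_acl() {
    conf="$1"; name="$2"; cidr="$3"
    awk -v name="$name" -v cidr="$cidr" '
        !done && $1 == "http_access" && $2 == "deny" && $3 == "all" {
            printf "acl %s src %s\n", name, cidr
            printf "http_access allow %s\n", name
            done = 1
        }
        { print }
    ' "$conf"
}

# Return 0 only when "http_access allow NAME" appears before
# "http_access deny all" in CONF; return 1 if either line is missing or the
# allow rule comes later (in which case the deny would win).
acl_allowed_before_deny() {
    conf="$1"; name="$2"
    allow_line=$(grep -n "^http_access allow $name\$" "$conf" | head -n1 | cut -d: -f1)
    deny_line=$(grep -n "^http_access deny all\$" "$conf" | head -n1 | cut -d: -f1)
    [ -n "$allow_line" ] && [ -n "$deny_line" ] && [ "$allow_line" -lt "$deny_line" ]
}

# Demonstration on a constructed sample (not a real squid.conf).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
acl localnet src 192.168.0.0/16
http_access allow localhost
http_access deny all
http_port 3128
EOF
add_proxy_acl "$SAMPLE" myacl 10.0.0.0/16 > "$SAMPLE.new"
if acl_allowed_before_deny "$SAMPLE.new" myacl; then
    echo "ACL order OK: allow myacl precedes deny all"
else
    echo "ACL order wrong: fix before restarting Squid" >&2
fi
rm -f "$SAMPLE" "$SAMPLE.new"
```

On the real server, review the generated file, then replace squid.conf with it and restart Squid; the check function can also be run against the live configuration after editing by hand.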
For more information on preparing the rest of the AWS environment, refer to the Configuration Guide.
Documentation - Setup Guides
- Windows > Cloud > Amazon Web Services > EXPRESSCLUSTER X 5.0 for Windows HA Cluster Configuration Guide for Amazon Web Services
- -> Constructing an HA cluster based on DNS name control
- -> Configuring the VPC Environment
- -> Configuring the instance
- Linux > Cloud > Amazon Web Services > EXPRESSCLUSTER X 5.0 for Linux HA Cluster Configuration Guide for Amazon Web Services
- -> Constructing an HA cluster based on DNS name control
- -> Configuring the VPC Environment
- -> Configuring the instance
3.2 Building an HA Cluster
3.2.1 Building an HA Cluster Based on DNS Name Control
Build an "HA cluster based on DNS name control". This time, we registered two resources, an "AWS DNS resource" and a "mirror disk resource".
For more information about how to build an HA cluster using AWS DNS resources, refer to the Configuration Guide.
Documentation - Setup Guides
- Windows > Cloud > Amazon Web Services > EXPRESSCLUSTER X 5.0 for Windows HA Cluster Configuration Guide for Amazon Web Services
- -> Constructing an HA cluster based on DNS name control
- -> Setting up EXPRESSCLUSTER
- Linux > Cloud > Amazon Web Services > EXPRESSCLUSTER X 5.0 for Linux HA Cluster Configuration Guide for Amazon Web Services
- -> Constructing an HA cluster based on DNS name control
- -> Setting up EXPRESSCLUSTER
3.2.2 Running the AWS CLI via a Proxy Server
To run the AWS CLI via a proxy server, you must set the HTTP_PROXY and HTTPS_PROXY environment variables.
Also, when using an IAM role assigned to the instance, set the NO_PROXY environment variable so that the proxy is not used for the address (169.254.169.254) used to access the instance metadata; otherwise the credential request would be sent to the proxy and fail.
In EXPRESSCLUSTER X, environment variables can be applied to the AWS CLI run from AWS-related resources by setting them in the specified environment variable configuration file. Environment variables set there are applied only to the AWS CLI run from AWS-related resources (in this case, the AWS DNS resource).
Add the following environment variables to the environment variable configuration file.
  HTTP_PROXY = http://11.0.10.200:3128    <-- Set this value according to the actual environment.
  HTTPS_PROXY = http://11.0.10.200:3128   <-- Set this value according to the actual environment.
  NO_PROXY = 169.254.169.254
Refer to the "Reference Guide" for details.
Documentation - Manuals
- EXPRESSCLUSTER X 5.0 > EXPRESSCLUSTER X 5.0 for Windows > Reference Guide
- -> Group resource details
- -> Understanding AWS DNS Resources
- -> Applying environment variables to AWS CLI run from the AWS DNS resource
- EXPRESSCLUSTER X 5.0 > EXPRESSCLUSTER X 5.0 for Linux > Reference Guide
- -> Group resource details
- -> Understanding AWS DNS Resources
- -> Applying environment variables to AWS CLI run from the AWS DNS resource
Note that these environment variables are not applied to the AWS CLI when it is run from scripts that are not AWS-related resources (e.g., scripts run from script resources or EXEC resources). Therefore, when running the AWS CLI from such scripts, the necessary environment variables must be set within the script itself.
In addition, although it is not required for this configuration, the environment variables can also be applied to the AWS CLI run from the OS by using the setx command (Windows) or the export command (Linux). When used together with the environment variable configuration file specified by EXPRESSCLUSTER X, the environment variables applied to the AWS CLI can be set separately for AWS-related resources in EXPRESSCLUSTER X and for the OS.
Refer to the following site for the setup procedure.
Using an HTTP proxy
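The precaution about script and EXEC resources is the one most often missed: the configuration file above covers only AWS-related resources, so a script that calls the AWS CLI has to export the proxy variables itself. The following shell script is an added example (not part of the article or of EXPRESSCLUSTER) of what such a script should do before calling the AWS CLI. It uses the proxy address and NO_PROXY value from the article; the function names are this example's own, and host_uses_proxy models only the exact-host form of NO_PROXY that the article needs (it does not implement domain suffix or CIDR entries).

```shell
#!/bin/sh
# Added example: proxy environment for a script/EXEC resource that calls the
# AWS CLI. Function names are this example's own.

# Export the variables the AWS CLI reads. NO_PROXY keeps the instance metadata
# service (169.254.169.254) direct so the IAM role credentials can still be
# fetched; sending that request to the proxy would fail.
set_aws_proxy_env() {
    proxy_url="$1"
    export HTTP_PROXY="$proxy_url"
    export HTTPS_PROXY="$proxy_url"
    export NO_PROXY="169.254.169.254"
}

# Return 0 if HOST would be sent through the proxy, 1 if it is listed in the
# comma-separated NO_PROXY (exact host match only, which is all we need here).
host_uses_proxy() {
    host="$1"
    old_ifs=$IFS; IFS=,
    for entry in $NO_PROXY; do
        if [ "$entry" = "$host" ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    return 0
}

# Print the effective settings so the resource log shows what the CLI will use.
show_proxy_env() {
    echo "HTTP_PROXY=$HTTP_PROXY"
    echo "HTTPS_PROXY=$HTTPS_PROXY"
    echo "NO_PROXY=$NO_PROXY"
}

# Demonstration: prepare the environment, then, if the AWS CLI is installed,
# run a harmless identity call to confirm that the proxy path and the role
# credentials both work. Proxy address taken from the article.
set_aws_proxy_env "http://11.0.10.200:3128"
show_proxy_env
if host_uses_proxy 169.254.169.254; then
    echo "metadata service would go via proxy: NO_PROXY is wrong" >&2
fi
if command -v aws >/dev/null 2>&1; then
    aws sts get-caller-identity || echo "AWS CLI call failed; check proxy and role" >&2
else
    echo "aws CLI not installed here; environment prepared only"
fi
```

Put the call to set_aws_proxy_env at the top of any script resource or EXEC resource script that uses the AWS CLI; the variables are then inherited by the aws process for that script only, leaving the OS-wide settings untouched.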
3.2.3 Creating a Transit Gateway
Create a Transit Gateway to connect the N. Virginia region and the Singapore region via VPN. Refer to "4.2 Creating Transit Gateway" in our previous blog for the setup procedure.
4. Checking the Operation
Check that communication is possible from the N. Virginia region to the Singapore region.
Next, start the HA cluster and check that the failover group starts successfully (the AWS DNS resource becomes active).
Also check that the failover group starts successfully (the AWS DNS resource becomes active) on the Standby EC2 after the group is moved there.
- 1. Start the failover group on the Active EC2.
     Check that the failover group starts successfully (the AWS DNS resource is active).
- 2. Run remote desktop from the Client (specify test.clusterpro.local as the connection destination).
     Check that you can connect to the Active EC2.
- 3. From the Cluster WebUI, manually move the failover group from the Active EC2 to the Standby EC2.
- 4. Check that the failover group starts successfully (the AWS DNS resource is active) on the Standby EC2.
- 5. Run remote desktop from the Client (specify test.clusterpro.local as the connection destination).
     Check that you can connect to the Standby EC2.
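Steps 2 and 5 implicitly verify that the name registered by the AWS DNS resource now resolves to the EC2 that owns the failover group. The following shell script is an added example (not part of the article or of EXPRESSCLUSTER) that makes that check explicit from the Client, which is useful when a remote desktop failure could equally be a DNS, security group or proxy problem. The DNS name and the two private addresses are the ones in the article; the function names are this example's own, and the resolver is the OS resolver via getent so the check sees what the Client sees.

```shell
#!/bin/sh
# Added example: confirm that the HA cluster's DNS name follows the failover
# group. Function names are this example's own.

# Resolve NAME to its first IPv4 address using the OS resolver, so any hosts
# file or private DNS settings on the Client are respected.
resolve_name() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Return 0 when NAME currently resolves to EXPECTED_IP; otherwise report the
# mismatch on stderr and return 1.
dns_points_to() {
    name="$1"; expected="$2"
    actual=$(resolve_name "$name")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "$name resolves to '${actual:-<none>}', expected $expected" >&2
    return 1
}

# Poll until the record points at EXPECTED_IP or TRIES attempts are exhausted.
# After a failover the old answer can remain cached on the Client until the
# record's TTL expires, so a single lookup right after step 3 may be stale.
wait_for_dns() {
    name="$1"; expected="$2"; tries="${3:-30}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if dns_points_to "$name" "$expected" 2>/dev/null; then
            return 0
        fi
        i=$((i + 1))
        sleep 2
    done
    echo "$name did not resolve to $expected after $tries attempts" >&2
    return 1
}

# Usage from the Client (addresses from the article):
#   after step 1:  dns_points_to test.clusterpro.local 10.0.110.100
#   after step 4:  wait_for_dns test.clusterpro.local 10.0.120.100
```

Run the first call after step 1 and the second after step 4; if wait_for_dns times out while the failover group is shown as active in the Cluster WebUI, look at the DNS record update made by the AWS DNS resource and at the Client's resolver cache before suspecting the remote desktop connection itself.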
Conclusion
This time, we introduced the procedure for building an HA cluster based on DNS name control using a proxy server. Using a proxy server makes it possible to restrict the connection destinations and provides a more secure access route, so please try it.
If you are considering introducing the configuration described in this article, you can validate it with the trial module of EXPRESSCLUSTER. Please do not hesitate to contact us if you have any questions.