
[docs] Firewall requirements clarification #10633

Closed
Oloremo opened this issue May 21, 2021 · 4 comments
Comments

@Oloremo
Contributor

Oloremo commented May 21, 2021

I'm trying to understand how the firewall has to be configured for the following setup:

  • Single DC Nomad Cluster
  • Nomad jobs in Docker with port mapping
  • Nomad jobs in Docker with Consul Connect

I was reading through the:

And can't get the full picture.

When tasks ask for dynamic ports, they are allocated out of the port range between 20,000 and 32,000.

That part is about port mapping, right? So if I want those services to be accessible I need to open that range?

Sidecar Proxy Min
Sidecar Proxy Max

And this is the port used by Envoy in Consul Connect? So they have to be open on all Nomad nodes as well, right?

If both statements are correct, I wonder how I can narrow that down?
For example, if I set the allocated port range to 20000 - 20100 and Sidecar Proxy Min/Max to 21000 - 21100, does that effectively mean that I will only be able to start 100 Envoy sidecars and map 100 ports on a single Nomad node?

@tgross
Member

tgross commented May 21, 2021

The Envoy sidecars are launched as Nomad tasks. So the required port range for sidecar proxies is controlled by Nomad, not by Consul (see also hashicorp/consul#9216). If you narrow the port range via reserved_ports, that range will be shared across both Envoy sidecars and "normal" tasks. So if you narrow it to 20000-20100 you would have room for at most 100 tasks (or in other words 50 allocations with sidecars) on each client.

(Also, for what it's worth when I've run Nomad production clusters, typically what I'd do is create a perimeter rule that only allowed HTTPS and my VPN traffic, and then allow a wide range of ports between hosts within the network.)
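The following is an added example (not code from the issue or from the Nomad project) that models the port budget described in the comment above: the Envoy sidecar is a Nomad task, so it draws from the same per-client dynamic pool as every other task, and any ports you carve out via reserved_ports shrink that pool for both. It assumes the reserved_ports value uses Nomad's comma-separated "port or lo-hi range" syntax, and renders the resulting allow-list as an nftables-style rule so the firewall opens exactly the pool the client can hand out. The 20000-20100 figures are the ones from the discussion; the reserved port is a constructed sample. Counts are inclusive of both ends of a range.

```python
"""Model a Nomad client's dynamic port pool and derive the firewall allow-list.

Added example: the capacity math here is the reasoning in the comment above
(sidecars and ordinary tasks share one dynamic pool); the reserved_ports
syntax is assumed to be "22,80,21000-21100" style.
"""
from typing import Iterable, List, Set, Tuple

# Nomad's documented default dynamic range (quoted from the docs in this issue).
DEFAULT_DYNAMIC_MIN = 20000
DEFAULT_DYNAMIC_MAX = 32000


def parse_port_spec(spec: str) -> Set[int]:
    """Parse a reserved_ports string into the set of individual ports.

    Items are comma separated; each is a single port or an inclusive lo-hi range.
    """
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"inverted range: {item}")
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def available_dynamic_ports(dyn_min: int, dyn_max: int, reserved_spec: str = "") -> Set[int]:
    """Ports the client can still hand out: the dynamic range minus reserved ports."""
    if dyn_min > dyn_max:
        raise ValueError("dynamic port range is inverted")
    return set(range(dyn_min, dyn_max + 1)) - parse_port_spec(reserved_spec)


def capacity(pool: Set[int], ports_per_alloc: int = 2) -> Tuple[int, int]:
    """Return (max single-port tasks, max allocations needing ports_per_alloc).

    An allocation with one service port plus one Envoy sidecar needs two ports,
    which is why a 100-port pool holds 100 tasks but only 50 such allocations.
    """
    return len(pool), len(pool) // ports_per_alloc


def to_ranges(ports: Iterable[int]) -> List[Tuple[int, int]]:
    """Collapse a set of ports into sorted, contiguous, inclusive ranges."""
    ranges: List[Tuple[int, int]] = []
    for p in sorted(set(ports)):
        if ranges and ranges[-1][1] == p - 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def nft_rule(ranges: List[Tuple[int, int]], proto: str = "tcp") -> str:
    """Render an nftables allow rule covering exactly the given ranges."""
    parts = [f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in ranges]
    return f"{proto} dport {{ {', '.join(parts)} }} accept"


if __name__ == "__main__":
    # Narrowed range from the discussion, with one constructed reserved port.
    pool = available_dynamic_ports(20000, 20100, reserved_spec="20050")
    tasks, allocs = capacity(pool)
    print(f"{tasks} single-port tasks, {allocs} allocations with sidecars")
    print(nft_rule(to_ranges(pool)))
```

Run it to see how many tasks and sidecar-bearing allocations fit on one client and the single host-to-host rule that needs to exist between Nomad clients for that pool; widening the rule beyond the computed ranges opens ports the client will never allocate.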

@tgross tgross self-assigned this May 21, 2021
@tgross
Member

tgross commented Jun 3, 2021

Looks like we've answered this one so I'm going to close it out. Feel free to open a new issue or post on Discuss if you have more questions.

@tgross tgross closed this as completed Jun 3, 2021
@tgross tgross removed their assignment Jun 3, 2021
@Oloremo
Contributor Author

Oloremo commented Sep 30, 2021

Btw, seems like that won't work before #8186 is merged.

@github-actions

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 16, 2022