Network Requirements and Segmentation Guidelines
This section describes the general network requirements for installing and deploying Apcera. See also the installation documentation for your chosen platform provider for additional details.
For supported provisioners, during installation Apcera will create the required network rules and security groups for cluster host connectivity and component communcations. The exception is vSphere where we only create the virtual machines, not the networks or security groups. For vSphere you will need to set up your own firewall rules using the information provided here. See also Required ports.
This section defines the network requirements for installing Apcera.
To install the Apcera Platform, we require IPv4 addressing between machine hosts (IPv6 is not supported at this time). All hosts must have direct IPv4 connectivity to each other, with no NATing in between. Any connectivity solution that satisfies that requirement should be acceptable.
External connectivity requirements
Installing Apcera requires the following external access:
- Deployment requires direct (no proxy) access to the internet required for most components (see table below).
- If you are doing a connected install, each VM needs external access to the internet (Google for authentication, Docker, GitHub, and other miscellaneous repositories such as packages pulled by
apt-get). If you are doing an air-gapped install, see below.
- For most components it is not possible to use a HTTP proxy at this time.
- Each VM needs an IP address (DHCP or static IP which is handled by the Orchestrator).
Inbound connectivity requirements
To install Apcera the installation program needs the following inbound connectivity.
- Each HTTP Router (
Router) will require the port defined as
http_port(default 80) and, optionally,
https_port(default 443) opened for inbound connectivity from desired clients. These IPs are published in DNS to add an application in Apcera.
- Larger clusters utilizing the S3 compatible object storage (Riak) for package manager must provision DNS records for the router components prior to deploy
- Each TCP Router requires the desired inbound connectivity opened.
Orchestrator connectivity requirements
To install a cluster the current version of Orchestrator needs the following outbound connectivity.
|Outbound connectivity||Proxy OK|
Assuming that local NTP server is configured in cluster.conf, the NTP servers listed may be ignored. Refer to the vSphere installation instructions.
If you don't want to download the installation software from the internet, you can perform an air-gapped installation using the release bundle tarball file.
This section provides network segmentation guidelines and recommendations for running Apcera in production.
To isolate each Apcera machine role and help ensure the security of the system, Apcera recommends deploying each type of host in a specific network segment.
|Host Role||Network Segmentation|
|Routing Plane||Deploy machines within a DMZ to handle untrusted network traffic coming into the system. If you are using multiple HTTP routers, they will be fronted by a load balancer in the DMZ, with routing hosts behind the firewall. Typically the TCP Router is installed on a dedicated host so that it has its own dedicated public IP. IP Manager is also typically deployed to its own host for a dedicated IP.|
|Central, Singleton, Logs-Metrics, other (Management Plane)||Deploy the Management machines ("Brain") within a trusted network perimeter.|
|Monitoring||Deploy the Monitoring machine within a mixed trust network segment. The Monitoring host may be receiving external traffic, but only from prescribed addresses or to certain ports. This may vary per deployment, but connecting always requires authentication. The Monitoring host needs also access to all components over prescribed ports to communicate with local agents.|
|Runtime Plane (IM hosts)||Deploy the Runtime machines within a "hostile" network zone. The Runtime machines execute user workloads that the system cannot fully trust. Network communication is allowed over prescribed ports controlled through policy.|
A DNS server that can be accessed and updated to be able to run APC commands. For example, when executing
apc target <URL> the URL must be resolved. (A temporary solution is to either manually update the DNS server or update /etc/hosts.)
In addition, at least two records need to be created:
- An 'A' record which points the
base_domainof the cluster to one or more (HTTP) Routers IPs.
- A wildcard record for
*.base_domainwhich to route one or more Routers IPs.
NOTE: Additional DNS names for services which are to run within the system must to point one or more Routers IPs.