Network Requirements and Segmentation Guidelines

This section describes the general network requirements for installing and deploying Apcera. See also the installation documentation for your chosen platform provider for additional details.

For supported provisioners, Apcera creates the required network rules and security groups for cluster host connectivity and component communications during installation. The exception is vSphere, where we only create the virtual machines, not the networks or security groups. For vSphere you will need to set up your own firewall rules using the information provided here. See also Required ports.

Installation

This section defines the network requirements for installing Apcera.

IPv4 required

To install the Apcera Platform, we require IPv4 addressing between machine hosts (IPv6 is not supported at this time). All hosts must have direct IPv4 connectivity to each other, with no NATing in between. Any connectivity solution that satisfies that requirement should be acceptable.

External connectivity requirements

Installing Apcera requires the following external access:

  • Deployment requires direct (no proxy) access to the internet for most components (see the table below).
  • If you are doing a connected install, each VM needs external access to the internet (Google for authentication, Docker, GitHub, and other miscellaneous repositories, such as packages pulled by apt-get). If you are doing an air-gapped install, see below.
  • For most components it is not possible to use an HTTP proxy at this time.
  • Each VM needs an IP address (DHCP or a static IP, which is handled by the Orchestrator).

Inbound connectivity requirements

To install Apcera the installation program needs the following inbound connectivity.

  • Each HTTP Router (Router) requires the port defined as http_port (default 80) and, optionally, https_port (default 443) to be opened for inbound connectivity from the desired clients. These are the IPs published in DNS when an application is added in Apcera.
  • Larger clusters that use the S3-compatible object storage (Riak) for the package manager must provision DNS records for the router components prior to deployment.
  • Each TCP Router requires the desired inbound connectivity to be opened.

Orchestrator connectivity requirements

To install a cluster, the current version of the Orchestrator needs the following outbound connectivity.

Outbound connectivity                                Proxy OK
DNS                                                  no
ntp://0.ubuntu.pool.ntp.org                          no
ntp://1.ubuntu.pool.ntp.org                          no
ntp://2.ubuntu.pool.ntp.org                          no
ntp://3.ubuntu.pool.ntp.org                          no
hkp://keyserver.ubuntu.com                           no
s3://s3-us-west-2.amazonaws.com/continuum-builds     no
http://apcera-apt.s3.amazonaws.com                   no
http://us.archive.ubuntu.com/ubuntu/                 no
http://security.ubuntu.com/ubuntu                    no
http://community.opscode.com/api/v1                  no
http://apt.postgresql.org/pub/repos/apt              no
https://rubygems.org                                 no
https://github.com                                   no
git://github.com                                     no

If a local NTP server is configured in cluster.conf, the public NTP servers listed above may be ignored. Refer to the vSphere installation instructions.
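For vSphere deployments, where you write the firewall rules yourself, the table above has to be turned into an explicit allow list. The following is an added example (not Apcera's own tooling) that derives the unique host/port/transport tuples from the listed URLs and can probe the TCP ones directly, without a proxy. The scheme-to-port mapping is an assumption based on the standard registered ports (S3 over HTTPS); the DNS row is left out because resolver addresses are deployment-specific.

```python
import socket
from urllib.parse import urlsplit

# Orchestrator outbound endpoints copied from the table above. The DNS row is
# omitted because resolver addresses are deployment-specific.
ORCHESTRATOR_EGRESS = [
    "ntp://0.ubuntu.pool.ntp.org", "ntp://1.ubuntu.pool.ntp.org",
    "ntp://2.ubuntu.pool.ntp.org", "ntp://3.ubuntu.pool.ntp.org",
    "hkp://keyserver.ubuntu.com",
    "s3://s3-us-west-2.amazonaws.com/continuum-builds",
    "http://apcera-apt.s3.amazonaws.com",
    "http://us.archive.ubuntu.com/ubuntu/",
    "http://security.ubuntu.com/ubuntu",
    "http://community.opscode.com/api/v1",
    "http://apt.postgresql.org/pub/repos/apt",
    "https://rubygems.org",
    "https://github.com",
    "git://github.com",
]

# Assumed default port and transport per URL scheme (standard registered
# ports; S3 is reached over HTTPS). This mapping is not from the page.
SCHEME_PORTS = {
    "ntp": (123, "udp"), "hkp": (11371, "tcp"), "s3": (443, "tcp"),
    "http": (80, "tcp"), "https": (443, "tcp"), "git": (9418, "tcp"),
}


def egress_rules(urls, local_ntp=False):
    """Return sorted unique (host, port, proto) tuples the firewall must allow.
    With local_ntp=True the public NTP pool is dropped, which the page permits
    when cluster.conf points at a local NTP server."""
    rules = set()
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme == "ntp" and local_ntp:
            continue
        port, proto = SCHEME_PORTS[parts.scheme]
        rules.add((parts.hostname, parts.port or port, proto))
    return sorted(rules)


def check_tcp(host, port, timeout=3.0):
    """Direct (no proxy) TCP connect; True if the endpoint accepts the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Call egress_rules(ORCHESTRATOR_EGRESS) from an Orchestrator host to get the allow list, then check_tcp for each TCP tuple; NTP runs over UDP 123 and needs a separate check (for example with ntpdate -q).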

Air-gapped installation

If you don't want to download the installation software from the internet, you can perform an air-gapped installation using the release bundle tarball file.

Deployment

This section provides network segmentation guidelines and recommendations for running Apcera in production.

Network segmentation

To isolate each Apcera machine role and help ensure the security of the system, Apcera recommends deploying each type of host in a specific network segment.

Host Role: Network Segmentation
  • Routing Plane: Deploy machines within a DMZ to handle untrusted network traffic coming into the system. If you are using multiple HTTP Routers, they will be fronted by a load balancer in the DMZ, with the routing hosts behind the firewall. Typically the TCP Router is installed on a dedicated host so that it has its own dedicated public IP. The IP Manager is also typically deployed to its own host for a dedicated IP.
  • Central, Singleton, Logs-Metrics, other (Management Plane): Deploy the Management machines ("Brain") within a trusted network perimeter.
  • Monitoring: Deploy the Monitoring machine within a mixed-trust network segment. The Monitoring host may receive external traffic, but only from prescribed addresses or to certain ports. This may vary per deployment, but connecting always requires authentication. The Monitoring host also needs access to all components over prescribed ports to communicate with the local agents.
  • Runtime Plane (IM hosts): Deploy the Runtime machines within a "hostile" network zone. The Runtime machines execute user workloads that the system cannot fully trust. Network communication is allowed over prescribed ports controlled through policy.

DNS requirements

A DNS server that can be accessed and updated is required in order to run APC commands. For example, when executing apc target <URL>, the URL must be resolvable. (A temporary workaround is to manually update the DNS server or /etc/hosts.)

In addition, at least two records need to be created:

  • An 'A' record that points the base_domain of the cluster to one or more (HTTP) Router IPs.
  • A wildcard record for *.base_domain that also points to one or more Router IPs.

NOTE: Additional DNS names for services that are to run within the system must also point to one or more Router IPs.
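A quick way to confirm both required records before running apc target is shown below. This is an added example, not part of the Apcera documentation or tooling; it queries base_domain and a randomly named host under it (so a hit proves the wildcard rather than a static entry) and reports any address that is not one of the Router IPs you pass in. The example.test names and 203.0.113.x addresses used in comments are constructed placeholders.

```python
import secrets
import socket


def resolve_a(name):
    """Default resolver: IPv4 A records for name ([] if it does not resolve)."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except socket.gaierror:
        return []


def verify_cluster_dns(base_domain, router_ips, resolve=resolve_a):
    """Check the two records the cluster needs: base_domain and *.base_domain
    must both resolve, and only to Router IPs. Returns {check: problem}; an
    empty dict is a pass. A random label is queried so that a match proves the
    wildcard record rather than a static host entry.
    Example (constructed): verify_cluster_dns("example.test", ["203.0.113.10"])."""
    routers = set(router_ips)
    problems = {}
    probe = f"apcera-probe-{secrets.token_hex(4)}.{base_domain}"
    for check, name in (("A record", base_domain), ("wildcard", probe)):
        got = set(resolve(name))
        if not got:
            problems[check] = f"{name} does not resolve"
        elif not got <= routers:
            stray = sorted(got - routers)
            problems[check] = f"{name} points at non-Router IPs {stray}"
    return problems
```

Pass a custom resolve function (for example one wrapping a specific DNS server) to validate a zone before it is published to the resolvers the cluster hosts actually use.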