Hi Dojo,
I'm struggling to find documentation on which IP addresses to use when building firewall rules for a cluster composed of multiple failover pair DMAs. I know the ports necessary as documented in DM Help, but I'm unsure of which IPs need to be configured for the ports.
For ex., let's say I have the following config:
- DMA01 Active - 100.10.1.2 (VIP: 100.10.1.1)
- DMA01 Backup - 100.10.1.3
- DMA02 Active - 100.20.1.11 (VIP: 100.20.1.10)
- DMA02 Backup - 100.20.1.12
- DMA03 Active - 100.30.1.21 (VIP: 100.30.1.20)
- DMA03 Backup - 100.30.1.22
... how should the rules be configured? I can think of the following potentials:
- All IPs (including VIPs) to all other IPs (including VIPs).
- All non-VIP IPs to all other non-VIP IPs.
- All VIPs to all other IPs.
- All VIPs to all other VIPs.
When doing some port testing for an upcoming upgrade, we originally set up #2 but found that without having some rules for the VIPs, some connection tests failed. Option #1 seems the safest bet, but in a large cluster it can result in many rules, so I'm just wondering if Options #3 or #4 are suitable?
Thanks!
Hi Jamie,
Off the top of my head, here's how agents are reaching each other:
Every agent needs to be able to access:
- the virtual IP of other logical agents (failover pairs) in the cluster
- the local IP address of its partner/buddy agent (from main to backup and from backup to main)
As an example, DMA01A should be able to reach 100.20.1.10 (VIP DMA02), 100.30.1.20 (VIP DMA03) and 100.10.1.3 (local IP of DMA01B, the failover buddy).
As the source address between logical agents, I would expect the VIP to be used (based on the SkipAsSource configuration that has all outgoing communication originate from the VIP).
As the source address between active/backup failover agents, either the VIP or the local IP will be used, depending on whether or not the agent is online.
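To make the answer above concrete, here is an added example (not code from the thread or from DataMiner) that derives the allow-list for the three-pair cluster in the question: VIP to VIP between logical agents, and VIP or local IP to the partner's local IP inside each pair, then compares its size with the all-to-all option #1. The `port` value is a placeholder; the real ports are the ones documented in DM Help.

```python
from dataclasses import dataclass
from itertools import permutations

@dataclass(frozen=True)
class FailoverPair:
    name: str
    vip: str        # virtual IP of the logical agent
    main_ip: str    # local IP of the main (active) agent
    backup_ip: str  # local IP of the backup agent

# The three-pair cluster from the question (addresses taken from the post).
CLUSTER = [
    FailoverPair("DMA01", "100.10.1.1", "100.10.1.2", "100.10.1.3"),
    FailoverPair("DMA02", "100.20.1.10", "100.20.1.11", "100.20.1.12"),
    FailoverPair("DMA03", "100.30.1.20", "100.30.1.21", "100.30.1.22"),
]

def minimal_rules(cluster):
    """(src, dst) allow rules implied by the answer: VIP to VIP between logical
    agents, plus VIP-or-local to the partner's local IP inside each pair."""
    rules = set()
    # Between logical agents outbound traffic originates from the VIP
    # (SkipAsSource), so only VIP -> VIP is needed in each direction.
    for a, b in permutations(cluster, 2):
        rules.add((a.vip, b.vip))
    # Inside a pair the sender uses the VIP while it is the online agent and
    # its own local IP otherwise, so allow both sources toward the partner.
    for p in cluster:
        rules.add((p.vip, p.backup_ip))
        rules.add((p.main_ip, p.backup_ip))
        rules.add((p.vip, p.main_ip))
        rules.add((p.backup_ip, p.main_ip))
    return rules

def all_to_all_rules(cluster):
    """Option #1 from the question: every address to every other address."""
    addrs = [ip for p in cluster for ip in (p.vip, p.main_ip, p.backup_ip)]
    return {(s, d) for s, d in permutations(addrs, 2)}

def render(rules, port):
    """Sorted, human-readable allow lines; `port` is a hypothetical placeholder
    for the DataMiner ports documented in DM Help (not listed in the thread)."""
    return [f"allow {s} -> {d} tcp/{port}" for s, d in sorted(rules)]

if __name__ == "__main__":
    for line in render(minimal_rules(CLUSTER), "<DM-port>"):
        print(line)
    print(len(minimal_rules(CLUSTER)), "rules vs",
          len(all_to_all_rules(CLUSTER)), "for all-to-all")
```

For this cluster the derived list is 18 rules against 72 for all-to-all, and every derived rule is also present in the all-to-all set, which is the reduction Jamie was asking about.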
Thanks Wouter!