Question on networking for the following scenario.
- DMA failover pair with a virtual IP.
- Each DMA has two interfaces:
  ETH1 = data interface over which the devices to be polled are accessible
  ETH2 = management interface over which the databases are accessible and over which clients will connect to the DMA. The ETH2 interface of each DMA is in the same network, so a shared virtual IP can be assigned.
- The ETH1 interface on DMA1 and the ETH1 interface on DMA2 are in totally different networks (no shared IP address possible).
- Connections to Cassandra and OpenSearch/Elasticsearch happen over ETH2. A virtual IP address for the failover pair will be assigned to ETH2.
On the active agent, which source IP will be used to connect to the database? The normal IP address? Or the Virtual IP? Or both? Do we have any control over which source IP is used?
Strangely enough, when checking Wireshark on a similar setup, I saw database connection traffic from both the normal IP and the virtual IP. Can we prevent this, such that only the normal IP is used for the database connection?
This is important for the firewall configuration. Currently only the "normal" IP addresses are whitelisted and allowed to connect to the databases.
Thanks for the feedback!
Not the easiest topic you have here... And I'm not an expert either, but the 'SkipAsSource' flag might potentially help out here. This flag indicates to the Windows OS whether a NIC should or should not be used as source. We also have a tool to check the flag. More info here:
SLSkipAsSourceTool | DataMiner Docs
This may not be an immediate solution, but it might help you get there. Just be careful: if you flag all NICs with SkipAsSource, I believe Windows is no longer able to communicate with the outside world. So be careful with this flag! And I'm not sure whether existing connections remain active when changing the flag, or whether it only applies to new connections...
Bert
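For anyone experimenting with this, the following PowerShell session is an added example (not from the original posts, not from the SLSkipAsSourceTool, and not DataMiner code). It uses only the built-in NetTCPIP cmdlets. The interface alias ETH2, the node address 10.20.0.11, the VIP 10.20.0.10 and the Cassandra host 10.20.0.50:9042 are assumptions for illustration. Two points worth knowing before running it: SkipAsSource is a property of an individual IP address, not of the NIC, so it can be set on the VIP alone while the node's own address keeps being used; and it only steers Windows' automatic source-address selection, so a client that explicitly binds to the VIP still uses it, and an already-established TCP session keeps the source address it was opened with.

```powershell
# Added example (not from the original posts or the DataMiner docs).
# Assumed values, not taken from the thread:
$Alias  = 'ETH2'        # management interface alias
$NodeIp = '10.20.0.11'  # the node's own ("normal") address
$Vip    = '10.20.0.10'  # the failover pair's virtual IP
$DbHost = '10.20.0.50'  # Cassandra node reached over ETH2
$DbPort = 9042

# 1. Ask the stack which source address it would pick for the database host.
#    Find-NetRoute returns the selected NetIPAddress and the matching NetRoute.
$before = Find-NetRoute -RemoteIPAddress $DbHost |
    Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress
"Source selected before the change: $before"

# 2. Show SkipAsSource per address on ETH2 (it is an address property, not a NIC property).
Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength, SkipAsSource, PrefixOrigin |
    Format-Table -AutoSize

# 3. Mark only the VIP so Windows never chooses it as a source for outbound
#    connections unless an application binds to it explicitly.
#    The node's own address keeps SkipAsSource = $false. Needs an elevated prompt.
Set-NetIPAddress -InterfaceAlias $Alias -IPAddress $Vip -SkipAsSource $true

# 4. Re-check the selection. Only new connections are affected; an established
#    TCP session keeps whatever source address it was opened with.
$after = Find-NetRoute -RemoteIPAddress $DbHost |
    Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress
"Source selected after the change:  $after"

# 5. Confirm with a real TCP connect: Test-NetConnection reports the source
#    address actually used for the session, which is what the firewall will see.
$probe = Test-NetConnection -ComputerName $DbHost -Port $DbPort
"TCP to ${DbHost}:${DbPort} succeeded: $($probe.TcpTestSucceeded), source: $($probe.SourceAddress.IPAddress)"

# 6. The flag lives on the address object. If the failover mechanism removes and
#    re-adds the VIP on every switch-over, the flag is lost with it; in that case
#    the VIP has to be created with the flag already set, for example:
#    New-NetIPAddress -InterfaceAlias $Alias -IPAddress $Vip -PrefixLength 24 -SkipAsSource $true
```

Run step 1 and step 5 on the active node first: if the source reported is already the node's own address, the extra VIP-sourced flows seen in Wireshark are more likely coming from something that binds to the VIP deliberately, and the flag will not change those. Also note that an address flagged SkipAsSource is not registered in DNS by the Windows DNS client, which is usually what you want for a floating VIP but is worth checking if clients resolve the DMA by name. If the flag cannot be made to stick across failovers, whitelisting the VIP on the database firewall, as suggested later in this thread, is the more robust option.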
Thanks for the hint! I have played around with the SkipAsSourceTool, but I haven't got the expected results so far. Anyway, in my opinion the final and best solution is to also allow the VIP to communicate with the databases. But in the meantime this intermediate solution is worth experimenting with.