Hi All,
This is a continuation of https://github.com/deis/deis/issues/2311.
I think multi-location deployments are essential to the success story of Deis. You cannot really be HA if all your operations are in one datacenter, even under the assumption everything in the datacenter (power, cooling, network, ...) is redundant.
The ideal solution would be where I can run Deis on multiple datacenters totally independent of each other (e.g. offload between AWS and DigitalOcean; as we have seen in the past where AWS was down in more than one Availability Zone). This solution could also be used to have a few (relatively expensive) nodes running on AWS, and the bulk on the cheaper DigitalOcean (DO). If DO goes down everything can be offloaded to AWS immediately (assuming at least one copy of the data exists in AWS - this means some smart maintenance must be provided to choose where the data nodes are running).
As explained in the aforementioned bug report, the only thing you need is that your nodes can communicate with each other (hence in theory a combination of DO & AWS must already be possible).
Doing this over unencrypted / public internet is not great (read: it is very bad) from a security point of view as pointed out.
My questions:
* What can we do to protect ourselves from this? Is there a way to secure etcd/fleet with SSL encryption so no one can intercept the traffic?
I guess providing a VPN solution where the private network is basically going over a VPN connection. Obviously this would need a VPN server which would form a bottleneck...
* Would there be any latency issues to consider? Mostly network, but encryption / decryption speed might also have an impact.
* Are there any plans to provide this functionality in the base provisioning scripts?
* How will this be affected by "external" schedulers like Mesos?
Nathan