Routing of NATS cluster


Herbert Helmstreit

Mar 21, 2024, 9:30:27 AM
to nats
Hello Team,

We are working on a replacement for a TIBCO/Rendezvous Network.
NATS was seemingly perfect until it came to WAN routing.
The situation here is as follows: There are two sites (say A and B) with average-sized networks. We organized them in clusters (Cluster_A and Cluster_B).
Most of the traffic is of local interest regarding A and B only.
Nearly everything should be gated, except a small set of subjects that have to go from A to B and another different set should be allowed to pass from B to A.
For example, the subject "external.a.b" should be routed from Cluster_A to Cluster_B and "external.b.a" from Cluster_B to Cluster_A.
Every other subject should only be accessible in the clusters internally.
We tried it with Leaf Nodes, but without real success.
For this, we defined a Leaf Node connection, which makes the message traffic from Cluster_A flow to Cluster_B and vice versa.
We only found the configuration parameter deny_export/deny_import, which allows blocking certain subjects.
But if configured like this, we have to manually configure all the subjects we use internally in deny_export/deny_import except the ones we want to allow.
Furthermore, if we introduce new subjects in Cluster_A and Cluster_B we also have to reconfigure the Leaf Node.
We would be looking for a mechanism like in a TIBCO rvrd, where you can define "export" and "import" [forward only if our export and the import subjects of the neighbor match].
In short, we would like to have a whitelist instead of a blacklist. Until now we did not find a feasible solution.
Did we miss something?

Best Regards,

Herbert Helmstreit

Derek Collison

Mar 21, 2024, 12:16:35 PM
to nat...@googlegroups.com, Jean-Noel Moyne
Yes, you can do what you need. The credentials you use for the leafnodes can contain both allow and/or deny permissions and should fit the bill.


Jean-Noel Moyne

Mar 22, 2024, 5:13:43 PM
to nats
To expand on Derek's answer, you would:
- Make cluster B be a leaf node to cluster A.
- On cluster A, in the account, create a new user that the leaf node will use to connect.
- In that user you have both 'allow' and 'deny' functionality for subjects. Whatever subjects you allow/deny for that user is what the LN will be able to send/receive to/from cluster A.
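As an added illustration of the allow-list approach described in the two answers above (this is example configuration written for this thread, not from the NATS project or the posters), the two server config fragments below wire Cluster_B up as a leaf node of Cluster_A and restrict the leaf connection to exactly the two subjects from the original question. The listen port, hostname, user name and password placeholder are assumptions; the permission orientation assumed here is that `publish` limits what the leaf may send into the hub and `subscribe` limits what the hub will deliver to the leaf, so verify it against your server version before relying on it.

```conf
# ---- Cluster_A (hub side): accept the leaf connection from Cluster_B ----
leafnodes {
  port: 7422   # assumed listen port for leaf node connections

  authorization {
    users = [
      {
        user: "cluster_b_leaf"            # assumed user name for the leaf link
        password: "<REPLACE_WITH_SECRET>" # placeholder, not a real credential

        # Whitelist instead of blacklist: anything not listed here is
        # blocked on the leaf link, so new internal subjects on either
        # side need no extra deny rules.
        permissions {
          # Cluster_B may only send this subject into Cluster_A
          publish: { allow: ["external.b.a"] }
          # Cluster_B may only receive this subject from Cluster_A
          subscribe: { allow: ["external.a.b"] }
        }
      }
    ]
  }
}

# ---- Cluster_B (leaf side): connect to the hub with that user ----
leafnodes {
  remotes = [
    {
      # assumed hub hostname; credentials must match the user above
      url: "nats-leaf://cluster_b_leaf:<REPLACE_WITH_SECRET>@hub-a.example.internal:7422"
    }
  ]
}
```

With this in place, every other subject stays local to its own cluster; if a third subject must cross later, it is added to the allow list rather than every internal subject being enumerated in deny_export/deny_import.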
