Open Stack

Hi,

Now i understand , but agree with Danny Webb, this is unnecessary ...


Michal Arbet
Openstack Engineer

Ultimum Technologies a.s.
Na Poříčí 1047/26, 11000 Praha 1
Czech Republic

+420 604 228 897
michal.arbet at ultimum.io
*https://ultimum.io <https://ultimum.io/>*

LinkedIn <https://www.linkedin.com/company/ultimum-technologies> | Twitter
<https://twitter.com/ultimumtech> | Facebook
<https://www.facebook.com/ultimumtechnologies/timeline>


st 16. 11. 2022 v 20:02 odesílatel Danny Webb <Danny.Webb at thehutgroup.com>
napsal:

> In a way kolla already does this by separating certain things onto
> "internal" VIPs vs "external" VIPs.  So even though a single haproxy
> instance is running both internal and external, they are separated into
> their own connection paths that enforce segregation.   Ultimately running a
> separate haproxy won't really add much security as you'll essentially be
> doing what kolla is already doing.
> ------------------------------
> *From:* Mariusz Karpiarz <m.karpiarz at eschercloud.ai>
> *Sent:* 16 November 2022 17:23
> *To:* Michal Arbet <michal.arbet at ultimum.io>
> *Cc:* openstack-discuss <openstack-discuss at lists.openstack.org>
> *Subject:* Re: [Kolla][kolla-ansible][HAProxy] Splitting the load
> balancer into internal and external?
>
>
> * CAUTION: This email originates from outside THG *
> ------------------------------
>
> Michal,
> Thank you for your message.
>
>
> To explain what I mean a little better, let’s look at a use case of a
> web-based service running in a cloud but not using a Database-as-a-Service
> offering. In this setup (a sample diagram:
> https://www.cozumpark.com/wp-content/uploads/2020/02/image-5.png) a good
> security practice is to use a different (“internal”) load balancer for
> database servers and different (“public”) - for all the web servers serving
> user requests. The database doesn’t need to be accessible from the outside
> world, so this split provides a physical separation of traffic and this is
> exactly what I’m suggesting here.
>
>
>
> As for how to archive this, we can keep one HAProxy process in one
> container (and use regular Kolla images) but there will simply be two
> HAProxy containers (one “external” and one “public”) running either on the
> same controllers or on different ones.
>
>
>
> I hope this explanation helps but please do let me know if you want me to
> elaborate on any particular aspect of it.
>
> Danny Webb
> Principal OpenStack Engineer
> The Hut Group <http://www.thehutgroup.com/>
>
> Tel:
> Email: Danny.Webb at thehutgroup.com
>
>
> For the purposes of this email, the "company" means The Hut Group Limited,
> a company registered in England and Wales (company number 6539496) whose
> registered office is at Fifth Floor, Voyager House, Chicago Avenue,
> Manchester Airport, M90 3DQ and/or any of its respective subsidiaries.
>
> *Confidentiality Notice*
> This e-mail is confidential and intended for the use of the named
> recipient only. If you are not the intended recipient please notify us by
> telephone immediately on +44(0)1606 811888 or return it to us by e-mail.
> Please then delete it from your system and note that any use,
> dissemination, forwarding, printing or copying is strictly prohibited. Any
> views or opinions are solely those of the author and do not necessarily
> represent those of the company.
>
> *Encryptions and Viruses*
> Please note that this e-mail and any attachments have not been encrypted.
> They may therefore be liable to be compromised. Please also note that it is
> your responsibility to scan this e-mail and any attachments for viruses. We
> do not, to the extent permitted by law, accept any liability (whether in
> contract, negligence or otherwise) for any virus infection and/or external
> compromise of security and/or confidentiality in relation to transmissions
> sent by e-mail.
>
> *Monitoring*
> Activity and use of the company's systems is monitored to secure its
> effective use and operation and for other lawful business purposes.
> Communications using these systems will also be monitored and may be
> recorded to secure effective use and operation and for other lawful
> business purposes.
> hgvyjuv
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.openstack.org/pipermail/openstack-discuss/attachments/20221117/a0a6269d/attachment.htm>