This weekend a friend of mine asked me to help him deploy a high-availability environment with virtualization in the cloud. His scenario is two big servers hosted in different data centers, with virtualization on top to give him a high-availability system. The challenge here is the synchronization between the servers, and more precisely the routing.
Since this must satisfy availability, the design of this deployment must have as few points of failure as possible. You may think that the tunneling can be done with OpenVPN, and you are right, it could. But running OpenVPN adds an extra daemon to take care of. Don't take it wrong, OpenVPN is the software I use to do VPN, but in this case I think there is something better. After thinking it over, I decided to use GRE tunnels. GRE tunnels have been in Linux for years, and although they are not widely known you may be a user of them without knowing it: PPTP, the VPN protocol, uses GRE to transmit its data.
The GRE approach makes this very easy. As there are no plans to add a third server to this deployment, using GRE to set up a point-to-point interface is simple and reliable, and it makes all the internal networks within the servers routable to each other.
The GRE Configuration
The first thing is to define the IP addresses you will assign to your point-to-point interface. You must choose IPs that won't conflict with anything else. In this example, I will use 192.168.77.253 and 192.168.77.254.
Edit /etc/sysconfig/network-scripts/ifcfg-server1 and /etc/sysconfig/network-scripts/ifcfg-server2 on each server with the following content. Remember to put in your correct addressing.
- DEVICE is the name of the interface. Please note that the name of the file must match this value.
- PEER_OUTER_IPADDR is the public IP of the other physical server.
- PEER_INNER_IPADDR is the IP of the other end inside the tunnel; in this example it is 192.168.77.253 or 192.168.77.254.
- MY_INNER_IPADDR is the local IP inside the tunnel; it must be different from PEER_INNER_IPADDR. The two configuration files must swap these values.
After that, do an ifup serverX on each server. You will see the new interface and you can do ping tests. Don't forget to open your iptables rules to allow GRE protocol traffic; something like iptables -I INPUT -i eth0 -p gre -j ACCEPT will do the magic. Keep in mind that GRE itself carries no authentication or encryption, so it is a good idea to restrict that rule to the peer's address with -s <peer public IP> rather than accepting GRE from anywhere.
Let's say you will put the networks 192.168.7.0/24 and 192.168.8.0/24 inside each server. All you need to do is add the file /etc/sysconfig/network-scripts/route-serverX on each server with the following content (change it to your needs):
192.168.7.0/24 via 192.168.77.253
Remember that routing must be done both ways. After that, you can run an ifdown and ifup to let the system add the proper routing records. Don't forget to put in the proper iptables rules.
After this, if everything is correctly configured you will be able to reach the virtual machines inside the other physical server without public IP addressing.
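As an added example (not the post's own configuration), here is a small POSIX shell script that generates the mirrored ifcfg-serverX and route-serverX files for both servers described above and checks that the two sides agree before writing anything. It assumes the RHEL/CentOS network-scripts keys listed above plus TYPE=GRE, MY_OUTER_IPADDR and ONBOOT, names each tunnel interface after the remote peer, and uses constructed public addresses.

```shell
#!/bin/sh
# Added example, not from the original post: generate the mirrored ifcfg-/route-
# files for both servers and check that they agree. Assumes the RHEL/CentOS
# network-scripts keys named above plus TYPE=GRE, MY_OUTER_IPADDR and ONBOOT,
# and names each tunnel interface after the remote peer (an assumption).

# Constructed sample public addresses (RFC 5737 ranges); replace with real ones.
SERVER1_PUBLIC=203.0.113.10
SERVER2_PUBLIC=198.51.100.20

# gre_ifcfg NAME MY_OUTER MY_INNER PEER_OUTER PEER_INNER -> ifcfg-NAME content
gre_ifcfg() {
    printf 'DEVICE=%s\nTYPE=GRE\nONBOOT=yes\n' "$1"
    printf 'MY_OUTER_IPADDR=%s\nMY_INNER_IPADDR=%s\n' "$2" "$3"
    printf 'PEER_OUTER_IPADDR=%s\nPEER_INNER_IPADDR=%s\n' "$4" "$5"
}

# gre_route GUEST_NET PEER_INNER -> the single line of route-NAME
gre_route() { printf '%s via %s\n' "$1" "$2"; }

# gre_firewall PEER_OUTER -> accept GRE only from the peer (GRE has no auth/crypto)
gre_firewall() { printf 'iptables -I INPUT -i eth0 -p gre -s %s -j ACCEPT\n' "$1"; }

# server1 hosts 192.168.7.0/24 and uses 192.168.77.253 inside the tunnel;
# server2 hosts 192.168.8.0/24 and uses 192.168.77.254.
server1_ifcfg() { gre_ifcfg server2 "$SERVER1_PUBLIC" 192.168.77.253 "$SERVER2_PUBLIC" 192.168.77.254; }
server2_ifcfg() { gre_ifcfg server1 "$SERVER2_PUBLIC" 192.168.77.254 "$SERVER1_PUBLIC" 192.168.77.253; }
server1_route() { gre_route 192.168.8.0/24 192.168.77.254; }
server2_route() { gre_route 192.168.7.0/24 192.168.77.253; }

# field KEY : print the value of the KEY=value line read from stdin
field() { sed -n "s/^$1=//p"; }

# Succeeds only if every MY_* value on one side is the PEER_* value on the other.
check_mirrored() {
    a=$(server1_ifcfg); b=$(server2_ifcfg)
    for k in INNER OUTER; do
        [ "$(printf '%s\n' "$a" | field MY_${k}_IPADDR)" = "$(printf '%s\n' "$b" | field PEER_${k}_IPADDR)" ] || return 1
        [ "$(printf '%s\n' "$b" | field MY_${k}_IPADDR)" = "$(printf '%s\n' "$a" | field PEER_${k}_IPADDR)" ] || return 1
    done
}

# write_files DIR : write the four files into DIR (a scratch dir, not /etc/...)
write_files() {
    mkdir -p "$1/server1" "$1/server2"
    server1_ifcfg > "$1/server1/ifcfg-server2"; server1_route > "$1/server1/route-server2"
    server2_ifcfg > "$1/server2/ifcfg-server1"; server2_route > "$1/server2/route-server1"
}

if [ $# -gt 0 ]; then check_mirrored && write_files "$1"; fi
```

Run it with a scratch directory as the only argument, then copy each server's files into its own /etc/sysconfig/network-scripts/ before running ifup.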
Good Luck!