This weekend a friend of mine asked me to help deploy a high-availability environment with virtualization in the cloud. His scenario is two big servers hosted in different data centers, each running virtualization, so that the service stays up if one of them goes down. The challenge is synchronizing the servers, or more precisely, routing between them.
Since the goal is availability, the design must have as few points of failure as possible. You may think that the tunnelling can be done with OpenVPN, and you are right, it could. But OpenVPN adds an extra daemon to take care of. Don't take it wrong, OpenVPN is the software I use for VPNs, but in this case I think there is something better. After some thought, I decided to use GRE tunnels. GRE tunnels have been in the Linux kernel for years, and although they are not widely known you may already be using them without realizing it: PPTP, the VPN protocol, carries its data over GRE. One difference matters here: OpenVPN encrypts and authenticates the tunnel, while GRE is plain encapsulation. Whatever crosses the tunnel between the two data centers travels in cleartext over the public network, so this approach only fits if that is acceptable for the traffic involved, and the firewall should accept GRE only from the peer's address.
The GRE approach makes this very easy. As there are no plans to add a third server to this deployment, a single GRE point-to-point interface is simple and reliable, and it makes the internal networks on each server routable to the other.
The GRE Configuration
The first thing is to define the IP addresses for your point-to-point interface. You must choose IPs that don't conflict with anything else on either side. In this example, I will use 192.168.77.253 and 192.168.77.254.
Edit /etc/sysconfig/network-scripts/ifcfg-server1 on the first server and /etc/sysconfig/network-scripts/ifcfg-server2 on the second with the following content. Remember to put in your own addresses.
DEVICE=serverX
BOOTPROTO=none
ONBOOT=yes
TYPE=GRE
PEER_OUTER_IPADDR=OTHER_PEER_PUBLIC_IP
PEER_INNER_IPADDR=OTHER_LOCAL_PTP_IP
MY_INNER_IPADDR=MY_LOCAL_PTP_IP
Where:
- DEVICE is the name of the interface. Please note that the name of the file (ifcfg-serverX) must match this value.
- PEER_OUTER_IPADDR is the public IP of the other physical server.
- PEER_INNER_IPADDR is the peer's IP inside the tunnel; in this example 192.168.77.253 or 192.168.77.254.
- MY_INNER_IPADDR is the local IP inside the tunnel; it must be different from PEER_INNER_IPADDR. The two servers' files swap these two values.
After that, run ifup serverX on each server. You will see the new interface and can run ping tests across it. Don't forget to open your iptables rules to allow GRE protocol traffic; something like iptables -I INPUT -i eth0 -p gre -j ACCEPT will do the magic. Since GRE has no authentication of its own, restrict that rule to the peer's public address with -s rather than accepting GRE from anywhere.
Routing Configuration
Let's say the virtual machines on server1 use 192.168.7.0/24 and those on server2 use 192.168.8.0/24. All you need to do is add a file /etc/sysconfig/network-scripts/route-serverX on each server with the remote network and the peer's tunnel address (change it to your needs); on server2, whose peer is server1 at 192.168.77.253, it would be:
192.168.7.0/24 via 192.168.77.253
Remember routing must be configured both ways: server1 needs the mirror route, 192.168.8.0/24 via 192.168.77.254. After that, run ifdown and ifup on the interface so the system installs the routes. Don't forget the iptables rules: the servers now forward packets between the tunnel and their VM networks, so IP forwarding must be enabled (net.ipv4.ip_forward) and the FORWARD chain must allow that traffic.
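The whole procedure, as an added example that is not part of the original post: a small POSIX sh script that renders the ifcfg-serverX and route-serverX files and the firewall commands for both servers, after checking that the two tunnel addresses differ and the two guest networks do not overlap (the two mistakes that produce a tunnel which pings but routes nothing). The server names, interface name eth0, the guest networks and the public addresses 203.0.113.10 and 203.0.113.20 are assumed placeholders; the GRE rule is restricted to the peer's address because GRE itself authenticates nothing.

```shell
#!/bin/sh
# Added example, not from the original post: plan a two-node GRE tunnel
# as described above, validating the addressing before anything is written
# to /etc/sysconfig/network-scripts. All addresses are assumed placeholders.

# Dotted quad -> integer, so prefixes can be compared arithmetically.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds (exit 0) when the two CIDR blocks overlap, i.e. they agree on
# the shorter of the two prefix lengths.
cidr_overlap() {
    a=$(ip2int "${1%/*}"); alen=${1#*/}
    b=$(ip2int "${2%/*}"); blen=${2#*/}
    if [ "$blen" -lt "$alen" ]; then alen=$blen; fi
    mask=$(( (0xffffffff << (32 - alen)) & 0xffffffff ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# validate_plan MY_INNER PEER_INNER LOCAL_NET REMOTE_NET
validate_plan() {
    if [ "$1" = "$2" ]; then
        echo "error: both ends use $1 as the tunnel address" >&2; return 1
    fi
    if cidr_overlap "$3" "$4"; then
        echo "error: guest networks $3 and $4 overlap" >&2; return 1
    fi
    return 0
}

# render_ifcfg DEVICE MY_INNER PEER_INNER PEER_OUTER -> contents of ifcfg-DEVICE
render_ifcfg() {
    printf 'DEVICE=%s\nBOOTPROTO=none\nONBOOT=yes\nTYPE=GRE\n' "$1"
    printf 'PEER_OUTER_IPADDR=%s\nPEER_INNER_IPADDR=%s\nMY_INNER_IPADDR=%s\n' "$4" "$3" "$2"
}

# render_route DEVICE REMOTE_NET PEER_INNER -> contents of route-DEVICE
render_route() {
    printf '%s via %s dev %s\n' "$2" "$3" "$1"
}

# render_firewall PUBLIC_IF PEER_OUTER DEVICE -> commands to run on the host.
# GRE carries no authentication, so accept it only from the peer's address;
# a bare "-p gre -j ACCEPT" lets any host on the internet inject packets into
# the tunnel interface. Forwarding between the tunnel and the guest networks
# needs FORWARD rules and net.ipv4.ip_forward=1 as well.
render_firewall() {
    printf 'iptables -I INPUT -i %s -s %s -p gre -j ACCEPT\n' "$1" "$2"
    printf 'iptables -I FORWARD -i %s -j ACCEPT\n' "$3"
    printf 'iptables -I FORWARD -o %s -j ACCEPT\n' "$3"
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
}

# plan_node DEVICE MY_INNER PEER_INNER PEER_OUTER LOCAL_NET REMOTE_NET PUBLIC_IF
# Prints everything one server needs; fails without output if the plan is wrong.
plan_node() {
    validate_plan "$2" "$3" "$5" "$6" || return 1
    echo "# /etc/sysconfig/network-scripts/ifcfg-$1"
    render_ifcfg "$1" "$2" "$3" "$4"
    echo "# /etc/sysconfig/network-scripts/route-$1"
    render_route "$1" "$6" "$3"
    echo "# firewall and forwarding"
    render_firewall "$7" "$4" "$1"
}

# Assumed layout (placeholders): server1 hosts 192.168.7.0/24 behind
# 203.0.113.10, server2 hosts 192.168.8.0/24 behind 203.0.113.20, and the
# tunnel uses 192.168.77.253 / 192.168.77.254. Each call is run on its own host.
plan_node server1 192.168.77.253 192.168.77.254 203.0.113.20 192.168.7.0/24 192.168.8.0/24 eth0
plan_node server2 192.168.77.254 192.168.77.253 203.0.113.10 192.168.8.0/24 192.168.7.0/24 eth0
```

The two plan_node calls are mirror images of each other, which is exactly the symmetry the post asks for: each side's MY_INNER_IPADDR is the other side's PEER_INNER_IPADDR, and each side's route points at the other side's tunnel address. Run it once per server, review the output, and then copy the ifcfg and route blocks into place before the ifup.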
After this, if everything is configured correctly, you will be able to reach the virtual machines on the other physical server without using public IP addresses.
Good Luck!