...
Network Address Allocation - this will need to be defined end-to-end and will involve allocations for public and private address space, including such areas as:
Service front end (public IP address space)
Load balancer / firewall public address allocation and DMZ subnet(s), including Gateway address assignments and Swarm management server front end (SCS)
Note that a route to your authentication store (LDAP, Active Directory, etc.) will also need to be made available to the Gateway systems
Storage subnet assignment - this includes the IP address allocation for the Swarm management system back end (SCS) and the address pool to be used by both Swarm storage and Elasticsearch nodes
Name Service / Naming Conventions (DNS) - As a best practice, you will want to have an appropriate DNS zone in place to support the proposed deployment. This is required so that outside clients can resolve your service and, more importantly, be routed to the storage domain that has been provisioned for them. The end-to-end naming convention to employ is as follows:
Fully qualified domain name (FQDN) resolution in public DNS for the customer’s provisioned storage domain (e.g., “customer01.myservice.net”)
FQDN formatted name for the customer’s provisioned storage domain in Swarm that maps with the external DNS record (i.e., create a storage domain for the customer named “customer01.myservice.net”)
This approach allows for correct host header mapping via Gateway access and ensures that the customer properly references the stored data associated with their account
Note that a wildcard DNS record (e.g., “*.myservice.net”) can be employed to accommodate provisioning for a group of customers; use of this approach is encouraged for onboarding customers at scale, as this has ramifications for SSL/TLS certificate management for the service
SSL/TLS Certificate Management - as mentioned previously, “HTTPS” will likely be the access protocol used by your customers’ client software. Wildcard certificates are usually employed for this purpose, as managing individual certificates for each customer’s domain can prove cumbersome. As with DNS, the choice of supporting “vanity domains” is left as a business decision to the reader.
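As an added example (not part of the Swarm documentation), the following Python preflight check applies the naming convention above to a proposed customer storage domain: it confirms the name is a valid FQDN, that the public zone (a constructed stand-in dictionary) resolves it, and that the Gateway certificate's SAN entries actually cover it. It also shows a caveat implied by the wildcard advice: a DNS wildcard matches nested names, but a certificate wildcard matches exactly one label.

```python
"""Onboarding preflight for a Swarm storage domain name that doubles as the
public FQDN (example code; zone records, SAN list and names are constructed)."""
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_fqdn(name: str) -> bool:
    """Syntax check only: at least two labels, total length <= 253."""
    if not name or len(name) > 253:
        return False
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(lbl) for lbl in labels)


def dns_resolves(name: str, zone_records: dict) -> bool:
    """Stand-in for a public lookup. A DNS wildcard (RFC 4592) matches a name
    with one OR MORE labels beneath it (closer-match rules ignored here)."""
    if name in zone_records:
        return True
    labels = name.split(".")
    return any("*." + ".".join(labels[i:]) in zone_records for i in range(1, len(labels)))


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """Certificate name matching as TLS clients apply it (RFC 6125 s6.4.3):
    '*' must be the whole left-most label and matches exactly one label, so
    '*.myservice.net' covers 'customer01.myservice.net' but neither
    'myservice.net' nor 'eu.customer01.myservice.net'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def check_onboarding(storage_domain: str, zone_records: dict, cert_sans: list) -> list:
    """Return findings for a proposed storage domain (empty list == ready).
    The same string is used for the Swarm storage domain and the public FQDN."""
    findings = []
    if not is_valid_fqdn(storage_domain):
        return [f"{storage_domain}: not a valid FQDN; Host header mapping will fail"]
    name = storage_domain.lower().rstrip(".")
    if not dns_resolves(name, zone_records):
        findings.append(f"{name}: no public DNS record (exact or wildcard)")
    if not any(wildcard_covers(san, name) for san in cert_sans):
        findings.append(f"{name}: not covered by any certificate SAN; TLS clients will reject")
    return findings
```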
Network Port & Protocol Mapping
Swarm’s port & protocol requirements are documented here: https://perifery.atlassian.net/wiki/spaces/public/pages/2443808571/Setting+Up+the+Swarm+Network#Network-Communications
It is strongly recommended that a logical network diagram be produced that incorporates these port & protocol requirements. This will help later when determining network-level workflow, the address / port / protocol exposure needed for firewall and load balancer rules, audit materials, etc.
Installation Approach
With the planning exercise from the previous section in hand, we can now focus on executing the installation of the deployment. This is typically done in the following order:
...