Bastion+ Multi Provision with Dedicated Portals and APIs

Example of a Bastion+ WebSocket deployment with three provision zones, each with its own relayws zone, a DMZ with the portal, and an API cluster with NDBCluster.

Prerequisites

Retrieve the following Ansible roles:

reemo-infra
reemo-provision
reemo-relayws

Have a valid license key.

Architecture

../../_static/images/infra/bastion_ws_apimultipro.png

Example architecture of an advanced Bastion+ installation

Flow Matrix

DESCRIPTION

TRANSPORT

SOURCE IP

SOURCE PORT

DESTINATION IP

DESTINATION PORT

SERVICES

PORTAL -> API

TCP

10.1.1.1

1024:65535

10.9.1.1,10.9.1.2,10.9.1.3

443

HTTPS

API -> PROVISION1

TCP

10.9.1.1,10.9.1.2,10.9.1.3

1024:65535

10.4.1.1

8443

HTTPS

API -> PROVISION2

TCP

10.9.1.1,10.9.1.2,10.9.1.3

1024:65535

10.7.1.1

8443

HTTPS

API -> PROVISION3

TCP

10.9.1.1,10.9.1.2,10.9.1.3

1024:65535

10.8.1.1

8443

HTTPS

API -> RELAY1

TCP

10.9.1.1,10.9.1.2,10.9.1.3

1024:65535

10.2.1.1

443,8443

HTTPS

API -> RELAY2

TCP

10.9.1.1,10.9.1.2,10.9.1.3

1024:65535

10.5.1.1

443,8443

HTTPS

API -> RELAY3

TCP

10.9.1.1,10.9.1.2,10.9.1.3

1024:65535

10.6.1.1

443,8443

HTTPS

PROVISION1 -> PORTAL

TCP

10.4.1.0/24

1024:65535

10.1.1.1

8443

HTTPS

PROVISION1 -> RELAY1

TCP

10.4.1.0/24

1024:65535

10.2.1.1

443

HTTPS

PROVISION2 -> PORTAL

TCP

10.7.1.0/24

1024:65535

10.1.1.1

8443

HTTPS

PROVISION2 -> RELAY2

TCP

10.7.1.0/24

1024:65535

10.5.1.1

443

HTTPS

PROVISION3 -> PORTAL

TCP

10.8.1.0/24

1024:65535

10.1.1.1

8443

HTTPS

PROVISION3 -> RELAY3

TCP

10.8.1.0/24

1024:65535

10.6.1.1

443

HTTPS

USER -> RELAY1

TCP

WAN

1024:65535

10.2.1.1

443

HTTPS

USER -> RELAY2

TCP

WAN

1024:65535

10.5.1.1

443

HTTPS

USER -> RELAY3

TCP

WAN

1024:65535

10.6.1.1

443

HTTPS

USER -> PORTAL

TCP

WAN

1024:65535

10.1.1.1

443

HTTPS

Ansible Inventory File

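---
# inventory.yml — control inventory for the portal (DMZ), the API cluster and
# the three relayws zones. Each provision zone has its own inventory file.
all:
    vars:
        INIT_TYPE: "bastion"
        # API_LICENSE, REGISTRY_PASSWORD and HMACSECRET are secrets: do not commit
        # them in plaintext; encrypt them with ansible-vault (for example
        # `ansible-vault encrypt_string`) or inject them at run time.
        API_LICENSE: "ewogICAg ... Uw5NXhGVDF0NFU2TkxOdjQvZU53PT0iCiAgICC9Cn0="
        REGISTRY_URL: "registry.reemo.io"
        REGISTRY_ENV: "reemoinfra"
        REGISTRY_USERNAME: "< login >"
        REGISTRY_PASSWORD: "< password >"
        # Shared secret between the API and the portal; use a long random value.
        HMACSECRET: "< HMAC between API and PORTAL >"

portal_manager:
    children:
        portaluser_manager:
            vars:
                PORTAL_URL: "url.domain.tld"
                # TLS certificate for the portal (USER -> PORTAL is HTTPS/443 in the flow matrix).
                TRAEFIK_SSL_CERTS:
                    - cert_file: "/localpath/to/cert_domain.tld.crt"
                      key_file: "/localpath/to/key_domain.tld.key"
                # API cluster nodes the portal calls on 443 (flow matrix: PORTAL -> API).
                API_IP:
                    - ip: "10.9.1.1"
                    - ip: "10.9.1.2"
                    - ip: "10.9.1.3"
            hosts:
                portaluser1:
                    ansible_host: "10.1.1.1"

api_manager:
    vars:
        DB_DIALECT: "NDBCLUSTER"
        MYSQL_NODE_HOSTNAME_DB1: "< hostname api1 >"
        MYSQL_NODE_HOSTNAME_DB2: "< hostname api2 >"
        MYSQL_NODE_HOSTNAME_DB3: "< hostname api3 >"
        # Portal address the provision zones signal to on 8443 (flow matrix: PROVISIONx -> PORTAL).
        PROVISION_SIGNAL_IP:
            - ip: "10.1.1.1"
        # One entry per provision zone; `relayws` names the relayws zone it is paired with
        # (same keys as INIT_RELAYWS below). IPs are quoted to keep them plain strings.
        INIT_PROVISION:
            provision1:
                relayws: "relayws1"
                type: "SWARM"
                ip:
                    - "10.4.1.1"
            provision2:
                relayws: "relayws2"
                type: "SWARM"
                ip:
                    - "10.7.1.1"
            provision3:
                relayws: "relayws3"
                type: "SWARM"
                ip:
                    - "10.8.1.1"
        # Relayws zones; the keys are reused as group names under relayws_manager.
        INIT_RELAYWS:
            relayws1:
                type: "WS_SWARM"
                url: "val8-relayws1.reemo.io"
                ip:
                    - "10.2.1.1"
            relayws2:
                type: "WS_SWARM"
                url: "val8-relayws2.reemo.io"
                ip:
                    - "10.5.1.1"
            relayws3:
                type: "WS_SWARM"
                url: "val8-relayws3.reemo.io"
                ip:
                    - "10.6.1.1"
    hosts:
        api1:
            ansible_host: "10.9.1.1"
        api2:
            ansible_host: "10.9.1.2"
        api3:
            ansible_host: "10.9.1.3"

relayws_manager:
    vars:
        # TLS certificate served by the relays on 443 (flow matrix: USER -> RELAYx).
        TRAEFIK_SSL_CERTS:
            - cert_file: "/localpath/to/relay.domain.tld.crt"
              key_file: "/localpath/to/relay_domain.tld.key"

    # Group names match the INIT_RELAYWS keys and are the --limit targets
    # used by the reemo-relayws installation commands.
    children:
        relayws1:
            hosts:
                relayws1_manager1:
                    ansible_host: "10.2.1.1"

        relayws2:
            hosts:
                relayws2_manager1:
                    ansible_host: "10.5.1.1"

        relayws3:
            hosts:
                relayws3_manager1:
                    ansible_host: "10.6.1.1"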

Provision Environment Inventory Files (one file per provision zone: inv_provision1.yml, inv_provision2.yml and inv_provision3.yml)

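---
# inv_provision1.yml — inventory for provision zone 1 (used with reemo-provision.yml).
all:
    vars:
        PROVISION_REGISTRY_URL: "registry.reemo.io"
        # Registry credentials are secrets: encrypt with ansible-vault or inject at run time.
        PROVISION_REGISTRY_USERNAME: "< login >"
        PROVISION_REGISTRY_PASSWORD: "< password >"

provision:
    children:
        provision_manager:
            hosts:
                provision1_manager1:
                    ansible_host: "10.4.1.1"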
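---
# inv_provision2.yml — inventory for provision zone 2 (used with reemo-provision.yml).
all:
    vars:
        PROVISION_REGISTRY_URL: "registry.reemo.io"
        # Registry credentials are secrets: encrypt with ansible-vault or inject at run time.
        PROVISION_REGISTRY_USERNAME: "< login >"
        PROVISION_REGISTRY_PASSWORD: "< password >"

provision:
    children:
        provision_manager:
            hosts:
                provision2_manager1:
                    ansible_host: "10.7.1.1"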
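---
# inv_provision3.yml — inventory for provision zone 3 (used with reemo-provision.yml).
all:
    vars:
        PROVISION_REGISTRY_URL: "registry.reemo.io"
        # Registry credentials are secrets: encrypt with ansible-vault or inject at run time.
        PROVISION_REGISTRY_USERNAME: "< login >"
        PROVISION_REGISTRY_PASSWORD: "< password >"

provision:
    children:
        provision_manager:
            hosts:
                provision3_manager1:
                    ansible_host: "10.8.1.1"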

Playbook Files

reemo-infra.yml

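---
# reemo-infra.yml — installs the portal and the API cluster; the installation
# commands run it twice with --limit (api_manager, then portaluser_manager).
- name: Reemo Infra
  hosts: portal_manager,api_manager
  # Canonical booleans (true/false) instead of the YAML 1.1-only "yes".
  gather_facts: true

  roles:
    - role: reemo-infra
      become: true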

reemo-provision.yml

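---
# reemo-provision.yml — installs one provision zone; run once per zone with
# that zone's inventory file (inv_provision1.yml, inv_provision2.yml, inv_provision3.yml).
- name: Reemo Provision
  hosts: provision,provision_manager
  # Canonical booleans (true/false) instead of the YAML 1.1-only "yes".
  gather_facts: true

  roles:
    - role: reemo-provision
      become: true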

reemo-relayws.yml

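---
# reemo-relayws.yml — installs the relayws zones; the installation commands
# run it once per zone with --limit relayws1/relayws2/relayws3.
- name: Reemo Relayws
  hosts: relayws_manager
  # Canonical booleans (true/false) instead of the YAML 1.1-only "yes".
  gather_facts: true

  roles:
    - role: reemo-relayws
      become: true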

Installation Commands

# Run in this order. The API cluster goes first and is the only run that passes
# INIT_DB=true (presumably initialising the NDBCluster database — confirm against
# the reemo-infra role); the portal is installed from the same inventory with a
# separate --limit. Each provision zone uses its own inventory file, and each
# relayws zone is selected with --limit on the shared inventory. If the secrets in
# the inventories are vault-encrypted, add --ask-vault-pass (or a vault password file).
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --limit api_manager --extra-vars "INIT_DB=true" --extra-vars "INSTALL_DOCKER=true"
ansible-playbook -i inventory.yml playbooks/reemo-infra.yml --limit portaluser_manager --extra-vars "INSTALL_DOCKER=true"
# One run per provision zone, each with its own inventory file.
ansible-playbook -i inv_provision1.yml playbooks/reemo-provision.yml --extra-vars "PROVISION_INSTALL_DOCKER=true"
ansible-playbook -i inv_provision2.yml playbooks/reemo-provision.yml --extra-vars "PROVISION_INSTALL_DOCKER=true"
ansible-playbook -i inv_provision3.yml playbooks/reemo-provision.yml --extra-vars "PROVISION_INSTALL_DOCKER=true"
# One run per relayws zone; the --limit value is the group name under relayws_manager.
ansible-playbook -i inventory.yml playbooks/reemo-relayws.yml --extra-vars "RELAYWS_INSTALL_DOCKER=true" --limit relayws1
ansible-playbook -i inventory.yml playbooks/reemo-relayws.yml --extra-vars "RELAYWS_INSTALL_DOCKER=true" --limit relayws2
ansible-playbook -i inventory.yml playbooks/reemo-relayws.yml --extra-vars "RELAYWS_INSTALL_DOCKER=true" --limit relayws3