How do I connect from the cloud to a local device?
The network topology
Here, the local device is outside of Bright Cluster Manager control, and just sitting connected to the local office LAN. The head node is assumed to be connected to the LAN too, and able to reach the local device.
If a cloud node in Amazon needs to communicate with the local device in the office network, the administrator can configure this by modifying the netmap section of the shorewall firewall on the head node of the Bright cluster. Netmap and the cloud networking structure are described in the section on Address Resolution In Cluster Extension Networks in the Cloudbursting chapter of the Bright Administrator manual.
This method does not make it possible for the local device to initiate the connection to the cloud node. This is the same limitation as for the regular nodes of the cluster, and is caused by the nodes being behind NAT.
The modification to be made is in /etc/shorewall/netmap. The following lines are appended to the file:
SNAT <local-ip-of-device> tun0 <cloud-ip-of-device>
DNAT <cloud-ip-of-device> tun0 <local-ip-of-device>
and shorewall is restarted (service shorewall restart) to read the new configuration. In the appended lines:
- <local-ip-of-device> is replaced with the IP address of the device as it is known on the office network. In other words, this is the IP address that is used to reach the device from the head node of the cluster.
- <cloud-ip-of-device> is replaced with an IP address in the range of the netmap network. The range is by default 172.31.x.x (172.31.0.0/16, or 172.31.0.0–172.31.255.255).
The modification: IP Address Restrictions
For the <cloud-ip-of-device>, to check the actual netmap range settings in case they differ from the default, the following command can be typed in cmsh:
[root@bright60 ~]# cmsh
[bright60]% network get netmap baseaddress
The <cloud-ip-of-device> address chosen has these restrictions:
- It must fall in the address range of the actual netmap network.
- It must not conflict with other IP addresses in /etc/shorewall/netmap.
As a rule of thumb, the lower range of addresses (172.31.0.x by default) is used for compute nodes, the higher range for cloud directors and head nodes (172.31.255.x by default). The file /etc/shorewall/netmap always shows if the chosen IP address is already taken.
For example, assume that the device is reachable locally (from the head node) at <local-ip-of-device>=192.168.1.14, that the netmap network is configured with the default range, and that the non-conflicting address <cloud-ip-of-device>=172.31.200.1 is chosen. The entries to add to /etc/shorewall/netmap are then:
SNAT 192.168.1.14 tun0 172.31.200.1
DNAT 172.31.200.1 tun0 192.168.1.14
After this, shorewall is restarted. The device can then be reached from a cloud node by using its cloud IP address:
[root@cloudnode001 ~]# ssh 172.31.200.1 hostname
Here, ssh logs into the device at its cloud IP address, runs the hostname command after login, and prints the name of the device (assumed to be 'localdevice') as output.
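As an added example (not Bright's or Shorewall's code), the following POSIX shell script applies the two restrictions above before appending the SNAT/DNAT pair: it verifies that the chosen <cloud-ip-of-device> lies inside the netmap network and that neither address already appears as a NET1 or NET2 column in /etc/shorewall/netmap. The sample netmap file, the mappings in it and the function names are constructed for illustration; the netmap base address and prefix length are passed in as arguments (16 for the default 172.31.0.0/16 range), and restarting shorewall afterwards is left to the administrator.

```shell
#!/bin/sh
# Added example: check a candidate <cloud-ip-of-device> before appending the
# SNAT/DNAT pair. Assumes the netmap file columns are TYPE NET1 INTERFACE NET2,
# as in the lines shown in the article. Not part of Bright or Shorewall.

# Dotted quad -> 32-bit integer (the quad itself is not validated).
ip_to_int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# netmap_ip_in_range BASE PREFIXLEN CANDIDATE
# Returns 0 when CANDIDATE falls inside BASE/PREFIXLEN (e.g. 172.31.0.0 16).
netmap_ip_in_range() {
    _mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & $_mask )) -eq $(( $(ip_to_int "$3") & $_mask )) ]
}

# netmap_ip_taken IP FILE
# Returns 0 when IP is already used as NET1 or NET2 on a non-comment line.
netmap_ip_taken() {
    awk -v ip="$1" '/^#/ { next } $2 == ip || $4 == ip { found = 1 }
                    END { exit found ? 0 : 1 }' "$2"
}

# add_device_mapping LOCAL_IP CLOUD_IP BASE PREFIXLEN FILE
# Appends the SNAT/DNAT pair only when both checks pass; otherwise explains
# the refusal on stderr and returns 1. Shorewall still has to be restarted.
add_device_mapping() {
    if ! netmap_ip_in_range "$3" "$4" "$2"; then
        echo "refused: $2 is outside the netmap range $3/$4" >&2; return 1
    fi
    if netmap_ip_taken "$2" "$5"; then
        echo "refused: cloud address $2 is already used in $5" >&2; return 1
    fi
    if netmap_ip_taken "$1" "$5"; then
        echo "refused: local address $1 is already mapped in $5" >&2; return 1
    fi
    printf 'SNAT %s tun0 %s\nDNAT %s tun0 %s\n' "$1" "$2" "$2" "$1" >> "$5"
}

# Constructed sample netmap file (not a real cluster's /etc/shorewall/netmap):
# one compute node in the low range and the head node in the high range, the
# layout the article describes as the rule of thumb.
NETMAP_SAMPLE=$(mktemp)
cat > "$NETMAP_SAMPLE" <<'EOF'
# TYPE NET1 INTERFACE NET2
SNAT 10.141.0.1 tun0 172.31.0.1
DNAT 172.31.0.1 tun0 10.141.0.1
SNAT 10.141.255.254 tun0 172.31.255.254
DNAT 172.31.255.254 tun0 10.141.255.254
EOF

# The article's own example values against the default 172.31.0.0/16 range.
if add_device_mapping 192.168.1.14 172.31.200.1 172.31.0.0 16 "$NETMAP_SAMPLE"; then
    echo "appended to $NETMAP_SAMPLE (restart shorewall to apply):"
    tail -n 2 "$NETMAP_SAMPLE"
fi
```

To use it against the real file, pass /etc/shorewall/netmap as the last argument and the base address reported by `network get netmap baseaddress` in cmsh; a second run with the same cloud address, or an address such as 10.0.0.5 outside the range, is refused and the file is left untouched.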