Murat ÖZDEMİR
b115a4cbdf
- Add `hetzner-sizing-report.md` defining data-driven server type recommendations for test and prod environments.
- Update Terraform configurations to align with the recommended `CPX` server types and refine firewall rules for Docker Swarm and database interactions.
- Introduce comprehensive documentation and stack files for:
- Single-node PostgreSQL/MongoDB deployment on a test DB worker node.
- High-availability 3-node MongoDB replica set and Patroni+etcd PostgreSQL cluster for production.
- Enhance Ansible bootstrap roles with SELinux disabling, fail2ban configuration, and StorageBox SSH key management for CI/CD.
- Reorganize and rename setup documentation files for improved structure and clarity.
164 lines
7.4 KiB
Markdown
164 lines
7.4 KiB
Markdown
# 07 - Private Network Port Matrisi
|
|
|
|
Bu dosya test ve prod ortamlarinda Hetzner private network icinde acilmasi gereken portlari tanimlar. Public internete acik portlar sadece `22/tcp`, `80/tcp`, `443/tcp` olacaktir. Vault `8200/tcp` public acilmayacak.
|
|
|
|
Bu matris Terraform Hetzner firewall ve Ansible UFW kurallari icin kaynak kabul edilmelidir.
|
|
|
|
## Network PlanI
|
|
|
|
### Test
|
|
|
|
| Subnet | CIDR | Amac |
|
|
| --- | --- | --- |
|
|
| App/Swarm | `10.10.10.0/24` | `iklim-app-01` |
|
|
| DB | `10.10.20.0/24` | `test-db-01` |
|
|
|
|
### Prod
|
|
|
|
| Subnet | CIDR | Amac |
|
|
| --- | --- | --- |
|
|
| App/Swarm | `10.20.10.0/24` | `iklim-app-01/02/03` |
|
|
| DB | `10.20.20.0/24` | `prod-db-01/02/03` |
|
|
|
|
## Public Ingress Standardi
|
|
|
|
Tum ortamlar icin public ingress:
|
|
|
|
| Port | Protocol | Kaynak | Hedef | Zorunluluk |
|
|
| --- | --- | --- | --- | --- |
|
|
| `22` | TCP | Admin IP/CIDR | Tum node'lar | SSH yonetim |
|
|
| `80` | TCP | Internet | Gateway entrypoint | HTTP / ACME redirect |
|
|
| `443` | TCP | Internet | Gateway entrypoint | HTTPS |
|
|
|
|
Public olarak acilmayacak kritik portlar:
|
|
|
|
| Port | Servis |
|
|
| --- | --- |
|
|
| `8200/tcp` | Vault |
|
|
| `5432/tcp` | PostgreSQL |
|
|
| `27017/tcp` | MongoDB |
|
|
| `6379/tcp` | Redis |
|
|
| `5672/tcp`, `15672/tcp`, `61613/tcp`, `15674/tcp` | RabbitMQ |
|
|
| `2377/tcp`, `7946/tcp`, `7946/udp`, `4789/udp` | Docker Swarm |
|
|
| `9180/tcp` | APISIX Admin API |
|
|
| `9090/tcp` | Prometheus |
|
|
| `3000/tcp` | Grafana |
|
|
|
|
## Docker Swarm Private Portlari
|
|
|
|
Docker Swarm node'lari arasinda zorunlu portlar:
|
|
|
|
| Port | Protocol | Kaynak | Hedef | Aciklama |
|
|
| --- | --- | --- | --- | --- |
|
|
| `2377` | TCP | Swarm node'lari | Swarm manager node'lari | Swarm control plane / join |
|
|
| `7946` | TCP | Tum Swarm node'lari | Tum Swarm node'lari | Node discovery / gossip |
|
|
| `7946` | UDP | Tum Swarm node'lari | Tum Swarm node'lari | Node discovery / gossip |
|
|
| `4789` | UDP | Tum Swarm node'lari | Tum Swarm node'lari | Overlay VXLAN data path |
|
|
|
|
Testte bu portlar fiilen tek Swarm node icin gerekli olsa da ileride worker eklemeyi kolaylastirmak icin app subnet icinde tanimlanabilir.
|
|
|
|
Prod'da `10.20.10.0/24` app/swarm subnet icinde bu portlar tum `iklim-app-*` node'lari arasinda acik olmalidir.
|
|
|
|
Kaynak: Docker overlay network dokumani, https://docs.docker.com/engine/network/drivers/overlay/
|
|
|
|
## Uygulama ve Infra Servis Private Portlari
|
|
|
|
Bu portlar public acilmayacak. Sadece private network veya Docker overlay icinde gerekli kaynaklardan erisime izin verilecek.
|
|
|
|
| Port | Protocol | Servis | Kaynak | Hedef | Not |
|
|
| --- | --- | --- | --- | --- | --- |
|
|
| `8200` | TCP | Vault API/UI | Swarm app node'lari / runner | Vault service/node | Public kapali. Runtime servisleri Vault'a private/overlay uzerinden erismeli |
|
|
| `6379` | TCP | Redis | Swarm app node'lari | Redis service/node | Public kapali |
|
|
| `5672` | TCP | RabbitMQ AMQP | Swarm app node'lari | RabbitMQ service/node | Public kapali |
|
|
| `15672` | TCP | RabbitMQ Management | Admin CIDR veya private ops | RabbitMQ service/node | Public kapali; tercihen VPN/bastion |
|
|
| `61613` | TCP | RabbitMQ STOMP | Gerekli app node'lari | RabbitMQ service/node | Public kapali |
|
|
| `15674` | TCP | RabbitMQ Web STOMP | Gerekli app/gateway node'lari | RabbitMQ service/node | Public kapali |
|
|
| `2379` | TCP | etcd client | APISIX service/node | etcd service/node | Public kapali |
|
|
| `2380` | TCP | etcd peer | etcd cluster node'lari | etcd cluster node'lari | Tek replica ise gerekmeyebilir; cluster olursa gerekli |
|
|
| `9180` | TCP | APISIX Admin API | Admin CIDR veya private ops | APISIX service/node | Public kapali |
|
|
| `9090` | TCP | Prometheus UI/API | Admin CIDR veya private ops | Prometheus service/node | Public kapali |
|
|
| `3000` | TCP | Grafana UI | Admin CIDR veya private ops | Grafana service/node | Public kapali |
|
|
|
|
Mevcut `docker-stack-infra.yml` bazi servisleri host mode ile publish ediyor olabilir. Hetzner firewall public ingress'i kapatsa bile private ingress kararini bu tablo belirler.
|
|
|
|
## DB Node Portlari
|
|
|
|
DB altyapisi manuel kurulacagi icin kesin cluster teknolojisi bu dokumanin disindadir. Yine de firewall icin varsayilan portlar asagidadir.
|
|
|
|
### PostgreSQL / PostGIS (Patroni + etcd)
|
|
|
|
Prod ortami Patroni + etcd ile yonetilen PostgreSQL kullanir. Test ortaminda tek node oldugu icin replication ve HA portlari gerekmez.
|
|
|
|
| Port | Protocol | Kaynak | Hedef | Not |
|
|
| --- | --- | --- | --- | --- |
|
|
| `5432` | TCP | App/Swarm subnet | PostgreSQL node'lari (Patroni yonetimli) | Uygulama JDBC — tum node'lara baglanir, driver primary'i bulur |
|
|
| `5432` | TCP | DB subnet | PostgreSQL node'lari | Patroni replication (pg_basebackup ve wal streaming) |
|
|
| `8008` | TCP | DB subnet | PostgreSQL node'lari | Patroni REST API — leader election, saglik kontrolu |
|
|
| `2379` | TCP | DB subnet | etcd node'lari | etcd client — Patroni → etcd erisimi |
|
|
| `2380` | TCP | DB subnet | etcd node'lari | etcd peer — etcd cluster icindeki raft protokolu |
|
|
|
|
### MongoDB
|
|
|
|
| Port | Protocol | Kaynak | Hedef | Not |
|
|
| --- | --- | --- | --- | --- |
|
|
| `27017` | TCP | App/Swarm subnet | MongoDB node/replica set endpoint | Uygulama DB baglantisi |
|
|
| `27017` | TCP | DB subnet | MongoDB replica set node'lari | Replica set internal trafik |
|
|
|
|
Ileride sharding yapilirsa `27018/27019` gibi ek MongoDB rolleri gundeme gelebilir; bu asamada acilmayacak.
|
|
|
|
## Test Private Kurallari
|
|
|
|
Test ortaminda minimum:
|
|
|
|
| Kaynak | Hedef | Portlar |
|
|
| --- | --- | --- |
|
|
| `10.10.10.0/24` | `10.10.10.0/24` | `2377/tcp`, `7946/tcp`, `7946/udp`, `4789/udp` |
|
|
| `10.10.10.0/24` | `10.10.20.0/24` | `5432/tcp`, `27017/tcp` |
|
|
| `10.10.10.0/24` | `10.10.10.0/24` | `8200/tcp`, `6379/tcp`, `5672/tcp`, `61613/tcp`, `15674/tcp` |
|
|
| Admin CIDR veya VPN | `10.10.10.0/24` | `15672/tcp`, `9180/tcp`, `9090/tcp`, `3000/tcp` |
|
|
|
|
Testte DB node tek oldugu icin DB subnet icindeki PostgreSQL/MongoDB replication portlari aktif kullanilmayabilir.
|
|
|
|
## Prod Private Kurallari
|
|
|
|
Prod ortaminda minimum (Patroni + etcd dahil):
|
|
|
|
App subnet (swarm firewall) — kendi icindeki trafik:
|
|
|
|
| Kaynak | Hedef | Portlar |
|
|
| --- | --- | --- |
|
|
| `10.20.10.0/24` | `10.20.10.0/24` | `2377/tcp`, `7946/tcp`, `7946/udp`, `4789/udp` (Swarm) |
|
|
| `10.20.10.0/24` | `10.20.10.0/24` | `8200/tcp`, `6379/tcp`, `5672/tcp`, `61613/tcp`, `15674/tcp`, `2379/tcp` (uygulama servisleri) |
|
|
| Admin CIDR veya VPN | `10.20.10.0/24` | `15672/tcp`, `9180/tcp`, `9090/tcp`, `3000/tcp` |
|
|
|
|
App → DB trafigi (swarm firewall'da ilgili kural bulunmaz; db firewall'da izin verilir):
|
|
|
|
| Kaynak | Hedef | Portlar |
|
|
| --- | --- | --- |
|
|
| `10.20.10.0/24` | `10.20.20.0/24` | `5432/tcp`, `27017/tcp` (DB erisimi) |
|
|
| `10.20.10.0/24` | `10.20.20.0/24` | `2377/tcp`, `7946/tcp`, `7946/udp`, `4789/udp` (Swarm — DB worker join) |
|
|
|
|
DB subnet (db firewall) — DB node'lari arasi trafik:
|
|
|
|
| Kaynak | Hedef | Portlar |
|
|
| --- | --- | --- |
|
|
| `10.20.20.0/24` | `10.20.20.0/24` | `5432/tcp`, `27017/tcp` (DB replication) |
|
|
| `10.20.20.0/24` | `10.20.20.0/24` | `2379/tcp`, `2380/tcp` (etcd client/peer) |
|
|
| `10.20.20.0/24` | `10.20.20.0/24` | `8008/tcp` (Patroni REST API) |
|
|
|
|
DB → App trafigi (swarm firewall'da izin verilir):
|
|
|
|
| Kaynak | Hedef | Portlar |
|
|
| --- | --- | --- |
|
|
| `10.20.20.0/24` | `10.20.10.0/24` | `2377/tcp`, `7946/tcp`, `7946/udp`, `4789/udp` (Swarm — manager portlari) |
|
|
|
|
## Kabul Kriterleri
|
|
|
|
- Public firewall `8200/tcp` acmaz.
|
|
- DB portlari public acik degildir.
|
|
- Swarm portlari sadece private app/swarm subnet icinde aciktir.
|
|
- App/Swarm subnet DB subnet'e sadece gerekli DB portlarindan erisir.
|
|
- DB subnet app subnet'e genis yetkiyle acilmaz.
|
|
- Admin UI portlari public yerine admin CIDR/VPN/private ops ile sinirlandirilir.
|
|
|