- This commit introduces the Terraform configuration to provision a production environment on Hetzner Cloud, building on the existing test setup.
- Key improvements and new features include:
  * **Multi-node clusters:** Scaling to 3-node Swarm application and database clusters for improved resilience.
  * **High availability:** Utilizing a Hetzner Floating IP for the application entry point and `spread` placement groups for fault tolerance across physical hosts.
  * **Enhanced network security:** Internal management services (RabbitMQ, APISIX, Prometheus, Grafana) are restricted to the application subnet, expected to be accessed via an internal reverse proxy (SWAG).
  * **Internal database replication:** New firewall rules enable PostgreSQL replication and MongoDB replica set traffic within the database subnet.
  * **Refined test environment:** Updates to align `test` configuration with the new `prod` structure, including a dedicated floating IP and adjusted firewall rules.
  * **Configuration standardization:** Environment-specific details moved to `locals.tf` for clarity, with upgraded server types and migration to Rocky Linux as the base image.
- Updates were also made to the latest version of Terraform to ensure consistency in the documentation
# 07 - Private Network Port Matrix

This file defines the ports that must be opened inside the Hetzner private network in the test and prod environments. The only ports open to the public internet will be 22/tcp, 80/tcp and 443/tcp. Vault 8200/tcp will not be exposed publicly.

This matrix should be treated as the source of truth for the Terraform Hetzner firewall rules and the Ansible UFW rules.
## Network Plan

### Test

| Subnet | CIDR | Purpose |
|---|---|---|
| App/Swarm | 10.10.10.0/24 | iklim-app-01 |
| DB | 10.10.20.0/24 | test-db-01 |

### Prod

| Subnet | CIDR | Purpose |
|---|---|---|
| App/Swarm | 10.20.10.0/24 | iklim-app-01/02/03 |
| DB | 10.20.20.0/24 | prod-db-01/02/03 |
## Public Ingress Standard

Public ingress for all environments:

| Port | Protocol | Source | Destination | Requirement |
|---|---|---|---|---|
| 22 | TCP | Admin IP/CIDR | All nodes | SSH management |
| 80 | TCP | Internet | Gateway entrypoint | HTTP / ACME redirect |
| 443 | TCP | Internet | Gateway entrypoint | HTTPS |

Critical ports that will not be exposed publicly:

| Port | Service |
|---|---|
| 8200/tcp | Vault |
| 5432/tcp | PostgreSQL |
| 27017/tcp | MongoDB |
| 6379/tcp | Redis |
| 5672/tcp, 15672/tcp, 61613/tcp, 15674/tcp | RabbitMQ |
| 2377/tcp, 7946/tcp, 7946/udp, 4789/udp | Docker Swarm |
| 9180/tcp | APISIX Admin API |
| 9090/tcp | Prometheus |
| 3000/tcp | Grafana |
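A check of a public rule set against the standard above, written here as an added example rather than code from the repository: the rule dicts mirror the fields of an `hcloud_firewall` `rule` block (`direction`, `protocol`, `port`, `source_ips`, `description`) as Terraform would hold them, the sample rule sets are constructed, and the admin CIDR is a placeholder. It goes slightly beyond the tables by treating port ranges (`5000-5001`) and the wildcard port, both of which the hcloud provider accepts, as ways a critical port can slip into the public firewall.

```python
"""Validate a public (internet-facing) firewall rule set against the public
ingress standard: only 22/80/443 may be open, and 22 and the admin UIs only
from the admin CIDR.  Added example; not the repository's Terraform."""

WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_CIDR = "203.0.113.0/24"  # constructed placeholder for "Admin IP/CIDR"

# Ports from the "not exposed publicly" table: never in a public rule, whatever the source.
STRICTLY_PRIVATE = {
    "tcp": {8200, 5432, 27017, 6379, 5672, 61613, 15674, 2377, 7946, 2379, 2380},
    "udp": {7946, 4789},
}
# SSH and the admin UIs: acceptable only when the source is exactly the admin CIDR.
ADMIN_ONLY = {"tcp": {22, 15672, 9180, 9090, 3000}, "udp": set()}
# The only ports the standard allows from the whole internet.
WORLD_OK = {"tcp": {80, 443}, "udp": set()}


def port_range(spec):
    """hcloud writes ports as '80' or '5000-5001'; return the inclusive range."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def check_public_ingress(rules, admin_cidr=ADMIN_CIDR):
    """Return one violation string per offending port; an empty list means compliant."""
    violations = []
    for rule in rules:
        if rule.get("direction", "in") != "in":
            continue  # outbound rules are outside this matrix
        proto = rule["protocol"]
        if proto not in ("tcp", "udp"):
            continue  # icmp/esp/gre are not covered by the matrix
        sources = set(rule["source_ips"])
        label = f"from {','.join(sorted(sources))}"
        if rule["port"] == "any":
            violations.append(f"any/{proto} {label}: wildcard port is never acceptable")
            continue
        # Too open if any source is the whole internet or a CIDR other than the admin one.
        too_open = bool(sources & WORLD) or bool(sources - WORLD - {admin_cidr})
        for port in port_range(rule["port"]):
            tag = f"{port}/{proto} {label}"
            if port in STRICTLY_PRIVATE[proto]:
                violations.append(f"{tag}: must never be opened on the public firewall")
            elif port in ADMIN_ONLY[proto]:
                if too_open:
                    violations.append(f"{tag}: admin-only port must be limited to {admin_cidr}")
            elif port not in WORLD_OK[proto]:
                violations.append(f"{tag}: not part of the public ingress standard")
    return violations


# Constructed rule sets.  PUBLIC_RULES is what the standard permits; BAD_RULES
# adds three mistakes a reviewer should catch in a Terraform plan.
PUBLIC_RULES = [
    {"direction": "in", "protocol": "tcp", "port": "22",
     "source_ips": [ADMIN_CIDR], "description": "SSH management"},
    {"direction": "in", "protocol": "tcp", "port": "80",
     "source_ips": ["0.0.0.0/0", "::/0"], "description": "HTTP / ACME redirect"},
    {"direction": "in", "protocol": "tcp", "port": "443",
     "source_ips": ["0.0.0.0/0", "::/0"], "description": "HTTPS"},
]
BAD_RULES = PUBLIC_RULES + [
    {"direction": "in", "protocol": "tcp", "port": "8200",
     "source_ips": [ADMIN_CIDR], "description": "Vault UI (must stay private)"},
    {"direction": "in", "protocol": "tcp", "port": "9090",
     "source_ips": ["0.0.0.0/0"], "description": "Prometheus (admin CIDR only)"},
    {"direction": "in", "protocol": "tcp", "port": "5000-5001",
     "source_ips": ["0.0.0.0/0"], "description": "HAProxy DB endpoint (not in standard)"},
]

if __name__ == "__main__":
    print("compliant set:", check_public_ingress(PUBLIC_RULES))
    for v in check_public_ingress(BAD_RULES):
        print("VIOLATION", v)
```

Running it lists nothing for the compliant set and four violations for the bad one (the 5000-5001 range counts once per port), which is the granularity you want when the same check runs against a rendered `terraform plan`.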
## Docker Swarm Private Ports

Ports required between Docker Swarm nodes:

| Port | Protocol | Source | Destination | Description |
|---|---|---|---|---|
| 2377 | TCP | Swarm nodes | Swarm manager nodes | Swarm control plane / join |
| 7946 | TCP | All Swarm nodes | All Swarm nodes | Node discovery / gossip |
| 7946 | UDP | All Swarm nodes | All Swarm nodes | Node discovery / gossip |
| 4789 | UDP | All Swarm nodes | All Swarm nodes | Overlay VXLAN data path |

In test these ports are effectively needed for only a single Swarm node, but they can be defined within the app subnet so that adding workers later is easier.

In prod these ports must be open between all iklim-app-* nodes within the 10.20.10.0/24 app/swarm subnet.

Source: Docker overlay network documentation, https://docs.docker.com/engine/network/drivers/overlay/
## Application and Infra Service Private Ports

These ports will not be exposed publicly. Access is allowed only from the required sources within the private network or the Docker overlay.

| Port | Protocol | Service | Source | Destination | Note |
|---|---|---|---|---|---|
| 8200 | TCP | Vault API/UI | Swarm app nodes / runner | Vault service/node | Public closed. Runtime services must reach Vault over private/overlay |
| 6379 | TCP | Redis | Swarm app nodes | Redis service/node | Public closed |
| 5672 | TCP | RabbitMQ AMQP | Swarm app nodes | RabbitMQ service/node | Public closed |
| 15672 | TCP | RabbitMQ Management | Admin CIDR or private ops | RabbitMQ service/node | Public closed; preferably VPN/bastion |
| 61613 | TCP | RabbitMQ STOMP | Required app nodes | RabbitMQ service/node | Public closed |
| 15674 | TCP | RabbitMQ Web STOMP | Required app/gateway nodes | RabbitMQ service/node | Public closed |
| 2379 | TCP | etcd client | APISIX service/node | etcd service/node | Public closed |
| 2380 | TCP | etcd peer | etcd cluster nodes | etcd cluster nodes | May not be needed with a single replica; required if clustered |
| 9180 | TCP | APISIX Admin API | Admin CIDR or private ops | APISIX service/node | Public closed |
| 9090 | TCP | Prometheus UI/API | Admin CIDR or private ops | Prometheus service/node | Public closed |
| 3000 | TCP | Grafana UI | Admin CIDR or private ops | Grafana service/node | Public closed |

The current docker-stack-infra.yml may publish some services in host mode. Even when the Hetzner firewall blocks public ingress, this table is what decides the private ingress policy.
## DB Node Ports

Since the DB infrastructure will be set up manually, the exact cluster technology is outside the scope of this document. The default ports needed for the firewall are nevertheless given below.

### PostgreSQL / PostGIS

| Port | Protocol | Source | Destination | Note |
|---|---|---|---|---|
| 5432 | TCP | App/Swarm subnet | PostgreSQL node/cluster endpoint | Application DB connection |
| 5432 | TCP | DB subnet | PostgreSQL nodes | Streaming replication can use the same port |

If Patroni is used, the additional ports must be clarified later in the DB runbook:

| Port | Protocol | Purpose |
|---|---|---|
| 8008 | TCP | Patroni REST API |
| 2379-2380 | TCP | etcd client/peer, if etcd is used for Patroni |
| 5000-5001 | TCP | If HAProxy or a similar DB endpoint is used |

These additional ports should be opened only once the relevant technology has been chosen.

### MongoDB

| Port | Protocol | Source | Destination | Note |
|---|---|---|---|---|
| 27017 | TCP | App/Swarm subnet | MongoDB node/replica set endpoint | Application DB connection |
| 27017 | TCP | DB subnet | MongoDB replica set nodes | Replica set internal traffic |

If sharding is introduced later, additional MongoDB roles such as 27018/27019 may come up; they will not be opened at this stage.
## Test Private Rules

Minimum for the test environment:

| Source | Destination | Ports |
|---|---|---|
| 10.10.10.0/24 | 10.10.10.0/24 | 2377/tcp, 7946/tcp, 7946/udp, 4789/udp |
| 10.10.10.0/24 | 10.10.20.0/24 | 5432/tcp, 27017/tcp |
| 10.10.10.0/24 | 10.10.10.0/24 | 8200/tcp, 6379/tcp, 5672/tcp, 61613/tcp, 15674/tcp |
| Admin CIDR or VPN | 10.10.10.0/24 | 15672/tcp, 9180/tcp, 9090/tcp, 3000/tcp |

Since there is a single DB node in test, the PostgreSQL/MongoDB replication ports within the DB subnet may not be actively used.
## Prod Private Rules

Minimum for the prod environment:

| Source | Destination | Ports |
|---|---|---|
| 10.20.10.0/24 | 10.20.10.0/24 | 2377/tcp, 7946/tcp, 7946/udp, 4789/udp |
| 10.20.10.0/24 | 10.20.20.0/24 | 5432/tcp, 27017/tcp |
| 10.20.20.0/24 | 10.20.20.0/24 | 5432/tcp, 27017/tcp |
| 10.20.10.0/24 | 10.20.10.0/24 | 8200/tcp, 6379/tcp, 5672/tcp, 61613/tcp, 15674/tcp, 2379/tcp |
| Admin CIDR or VPN | 10.20.10.0/24 | 15672/tcp, 9180/tcp, 9090/tcp, 3000/tcp |

If Patroni, HAProxy, Mongo sharding or a separate monitoring agent architecture is chosen, the additional ports must be added to this matrix in a controlled manner.
## Acceptance Criteria

- The public firewall does not open 8200/tcp.
- DB ports are not publicly open.
- Swarm ports are open only within the private app/swarm subnet.
- The App/Swarm subnet reaches the DB subnet only on the required DB ports.
- The DB subnet is not opened to the app subnet with broad permissions.
- Admin UI ports are restricted to the admin CIDR/VPN/private ops instead of being public.
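The prod private rules and the acceptance criteria together, as an added example that is not the repository's Ansible or Terraform: the rows are copied from the Prod Private Rules table, the admin CIDR stands in for "Admin CIDR or VPN" as a constructed placeholder, and the helper names are ours. A Hetzner Cloud Firewall filters the server's public interface, so the private rows are what the host firewall (the UFW side named at the top of this document) has to enforce; the block therefore renders the matrix as per-subnet UFW allow commands and then checks the criteria that can be decided from the matrix alone.

```python
"""Render the prod private-rule matrix as host-level UFW allow rules and check
it against the acceptance criteria.  Added example; not the repository's code."""

APP_SUBNET = "10.20.10.0/24"
DB_SUBNET = "10.20.20.0/24"
ADMIN_CIDR = "203.0.113.0/24"  # constructed placeholder for "Admin CIDR or VPN"

SWARM_PORTS = ["2377/tcp", "7946/tcp", "7946/udp", "4789/udp"]
DB_PORTS = ["5432/tcp", "27017/tcp"]
INFRA_PORTS = ["8200/tcp", "6379/tcp", "5672/tcp", "61613/tcp", "15674/tcp", "2379/tcp"]
ADMIN_UI_PORTS = ["15672/tcp", "9180/tcp", "9090/tcp", "3000/tcp"]

# (source, destination, ports) rows, in the order of the Prod Private Rules table.
PROD_PRIVATE = [
    (APP_SUBNET, APP_SUBNET, SWARM_PORTS),
    (APP_SUBNET, DB_SUBNET, DB_PORTS),
    (DB_SUBNET, DB_SUBNET, DB_PORTS),
    (APP_SUBNET, APP_SUBNET, INFRA_PORTS),
    (ADMIN_CIDR, APP_SUBNET, ADMIN_UI_PORTS),
]


def ufw_rules(matrix, node_subnet):
    """UFW allow commands for a host living in `node_subnet`.  Rows whose
    destination is another subnet are not this host's concern and are skipped;
    `ufw default deny incoming` is assumed to be set before these are applied."""
    cmds = []
    for src, dst, ports in matrix:
        if dst != node_subnet:
            continue
        for spec in ports:
            port, proto = spec.split("/")
            cmds.append(f"ufw allow from {src} to any port {port} proto {proto}")
    return cmds


def allowed_ports(matrix, src, dst):
    """Every port the matrix lets `src` reach on `dst`."""
    return {p for s, d, ports in matrix if s == src and d == dst for p in ports}


def check_acceptance(matrix):
    """Acceptance criteria that the private matrix alone can decide."""
    problems = []
    # App/Swarm subnet reaches the DB subnet only on the required DB ports.
    extra = allowed_ports(matrix, APP_SUBNET, DB_SUBNET) - set(DB_PORTS)
    if extra:
        problems.append(f"app->db opens non-DB ports: {sorted(extra)}")
    # DB subnet is not opened to the app subnet at all, let alone broadly.
    if allowed_ports(matrix, DB_SUBNET, APP_SUBNET):
        problems.append("db->app has allow rules; DB subnet must not reach app subnet")
    for src, dst, ports in matrix:
        # Swarm ports only inside the app/swarm subnet.
        if set(ports) & set(SWARM_PORTS) and (src, dst) != (APP_SUBNET, APP_SUBNET):
            problems.append(f"swarm ports allowed outside app subnet: {src} -> {dst}")
        # Admin UI ports only from the admin CIDR/VPN, never from a whole subnet.
        if set(ports) & set(ADMIN_UI_PORTS) and src != ADMIN_CIDR:
            problems.append(f"admin UI ports reachable from {src}")
    return problems


if __name__ == "__main__":
    for subnet in (APP_SUBNET, DB_SUBNET):
        print(f"# hosts in {subnet}")
        print("\n".join(ufw_rules(PROD_PRIVATE, subnet)))
    print("acceptance problems:", check_acceptance(PROD_PRIVATE))
```

The DB hosts end up with exactly four allow rules (5432 and 27017 from the app subnet and from their own subnet), which is the concrete form of "the DB subnet reaches nothing and is reached only on DB ports"; appending a reverse DB-to-app row to the matrix makes `check_acceptance` report it, so the same function can gate a pull request that edits the matrix.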