150 lines
6.6 KiB
Markdown
150 lines
6.6 KiB
Markdown
# 07 - Private Network Port Matrisi
|
|
|
|
Bu dosya test ve prod ortamlarinda Hetzner private network icinde acilmasi gereken portlari tanimlar. Public internete acik portlar sadece `22/tcp`, `80/tcp`, `443/tcp` olacaktir. Vault `8200/tcp` public acilmayacak.
|
|
|
|
Bu matris Terraform Hetzner firewall ve Ansible UFW kurallari icin kaynak kabul edilmelidir.
|
|
|
|
## Network PlanI
|
|
|
|
### Test
|
|
|
|
| Subnet | CIDR | Amac |
|
|
| --- | --- | --- |
|
|
| App/Swarm | `10.10.10.0/24` | `test-swarm-01` |
|
|
| DB | `10.10.20.0/24` | `test-db-01` |
|
|
|
|
### Prod
|
|
|
|
| Subnet | CIDR | Amac |
|
|
| --- | --- | --- |
|
|
| App/Swarm | `10.20.10.0/24` | `prod-swarm-01/02/03` |
|
|
| DB | `10.20.20.0/24` | `prod-db-01/02/03` |
|
|
|
|
## Public Ingress Standardi
|
|
|
|
Tum ortamlar icin public ingress:
|
|
|
|
| Port | Protocol | Kaynak | Hedef | Zorunluluk |
|
|
| --- | --- | --- | --- | --- |
|
|
| `22` | TCP | Admin IP/CIDR | Tum node'lar | SSH yonetim |
|
|
| `80` | TCP | Internet | Gateway entrypoint | HTTP / ACME redirect |
|
|
| `443` | TCP | Internet | Gateway entrypoint | HTTPS |
|
|
|
|
Public olarak acilmayacak kritik portlar:
|
|
|
|
| Port | Servis |
|
|
| --- | --- |
|
|
| `8200/tcp` | Vault |
|
|
| `5432/tcp` | PostgreSQL |
|
|
| `27017/tcp` | MongoDB |
|
|
| `6379/tcp` | Redis |
|
|
| `5672/tcp`, `15672/tcp`, `61613/tcp`, `15674/tcp` | RabbitMQ |
|
|
| `2377/tcp`, `7946/tcp`, `7946/udp`, `4789/udp` | Docker Swarm |
|
|
| `9180/tcp` | APISIX Admin API |
|
|
| `9090/tcp` | Prometheus |
|
|
| `3000/tcp` | Grafana |
|
|
|
|
## Docker Swarm Private Portlari
|
|
|
|
Docker Swarm node'lari arasinda zorunlu portlar:
|
|
|
|
| Port | Protocol | Kaynak | Hedef | Aciklama |
|
|
| --- | --- | --- | --- | --- |
|
|
| `2377` | TCP | Swarm node'lari | Swarm manager node'lari | Swarm control plane / join |
|
|
| `7946` | TCP | Tum Swarm node'lari | Tum Swarm node'lari | Node discovery / gossip |
|
|
| `7946` | UDP | Tum Swarm node'lari | Tum Swarm node'lari | Node discovery / gossip |
|
|
| `4789` | UDP | Tum Swarm node'lari | Tum Swarm node'lari | Overlay VXLAN data path |
|
|
|
|
Testte bu portlar fiilen tek Swarm node icin gerekli olsa da ileride worker eklemeyi kolaylastirmak icin app subnet icinde tanimlanabilir.
|
|
|
|
Prod'da `10.20.10.0/24` app/swarm subnet icinde bu portlar tum `prod-swarm-*` node'lari arasinda acik olmalidir.
|
|
|
|
Kaynak: Docker overlay network dokumani, https://docs.docker.com/engine/network/drivers/overlay/
|
|
|
|
## Uygulama ve Infra Servis Private Portlari
|
|
|
|
Bu portlar public acilmayacak. Sadece private network veya Docker overlay icinde gerekli kaynaklardan erisime izin verilecek.
|
|
|
|
| Port | Protocol | Servis | Kaynak | Hedef | Not |
|
|
| --- | --- | --- | --- | --- | --- |
|
|
| `8200` | TCP | Vault API/UI | Swarm app node'lari / runner | Vault service/node | Public kapali. Runtime servisleri Vault'a private/overlay uzerinden erismeli |
|
|
| `6379` | TCP | Redis | Swarm app node'lari | Redis service/node | Public kapali |
|
|
| `5672` | TCP | RabbitMQ AMQP | Swarm app node'lari | RabbitMQ service/node | Public kapali |
|
|
| `15672` | TCP | RabbitMQ Management | Admin CIDR veya private ops | RabbitMQ service/node | Public kapali; tercihen VPN/bastion |
|
|
| `61613` | TCP | RabbitMQ STOMP | Gerekli app node'lari | RabbitMQ service/node | Public kapali |
|
|
| `15674` | TCP | RabbitMQ Web STOMP | Gerekli app/gateway node'lari | RabbitMQ service/node | Public kapali |
|
|
| `2379` | TCP | etcd client | APISIX service/node | etcd service/node | Public kapali |
|
|
| `2380` | TCP | etcd peer | etcd cluster node'lari | etcd cluster node'lari | Tek replica ise gerekmeyebilir; cluster olursa gerekli |
|
|
| `9180` | TCP | APISIX Admin API | Admin CIDR veya private ops | APISIX service/node | Public kapali |
|
|
| `9090` | TCP | Prometheus UI/API | Admin CIDR veya private ops | Prometheus service/node | Public kapali |
|
|
| `3000` | TCP | Grafana UI | Admin CIDR veya private ops | Grafana service/node | Public kapali |
|
|
|
|
Mevcut `docker-stack-infra.yml` bazi servisleri host mode ile publish ediyor olabilir. Hetzner firewall public ingress'i kapatsa bile private ingress kararini bu tablo belirler.
|
|
|
|
## DB Node Portlari
|
|
|
|
DB altyapisi manuel kurulacagi icin kesin cluster teknolojisi bu dokumanin disindadir. Yine de firewall icin varsayilan portlar asagidadir.
|
|
|
|
### PostgreSQL / PostGIS
|
|
|
|
| Port | Protocol | Kaynak | Hedef | Not |
|
|
| --- | --- | --- | --- | --- |
|
|
| `5432` | TCP | App/Swarm subnet | PostgreSQL node/cluster endpoint | Uygulama DB baglantisi |
|
|
| `5432` | TCP | DB subnet | PostgreSQL node'lari | Streaming replication ayni portu kullanabilir |
|
|
|
|
Eger Patroni kullanilirsa ek portlar daha sonra DB runbook'unda netlestirilmelidir:
|
|
|
|
| Port | Protocol | Amac |
|
|
| --- | --- | --- |
|
|
| `8008` | TCP | Patroni REST API |
|
|
| `2379-2380` | TCP | Patroni icin etcd kullanilirsa etcd client/peer |
|
|
| `5000-5001` | TCP | HAProxy veya benzeri DB endpoint kullanilirsa |
|
|
|
|
Bu ek portlar ancak ilgili teknoloji secildiginde acilmalidir.
|
|
|
|
### MongoDB
|
|
|
|
| Port | Protocol | Kaynak | Hedef | Not |
|
|
| --- | --- | --- | --- | --- |
|
|
| `27017` | TCP | App/Swarm subnet | MongoDB node/replica set endpoint | Uygulama DB baglantisi |
|
|
| `27017` | TCP | DB subnet | MongoDB replica set node'lari | Replica set internal trafik |
|
|
|
|
Ileride sharding yapilirsa `27018/27019` gibi ek MongoDB rolleri gundeme gelebilir; bu asamada acilmayacak.
|
|
|
|
## Test Private Kurallari
|
|
|
|
Test ortaminda minimum:
|
|
|
|
| Kaynak | Hedef | Portlar |
|
|
| --- | --- | --- |
|
|
| `10.10.10.0/24` | `10.10.10.0/24` | `2377/tcp`, `7946/tcp`, `7946/udp`, `4789/udp` |
|
|
| `10.10.10.0/24` | `10.10.20.0/24` | `5432/tcp`, `27017/tcp` |
|
|
| `10.10.10.0/24` | `10.10.10.0/24` | `8200/tcp`, `6379/tcp`, `5672/tcp`, `61613/tcp`, `15674/tcp` |
|
|
| Admin CIDR veya VPN | `10.10.10.0/24` | `15672/tcp`, `9180/tcp`, `9090/tcp`, `3000/tcp` |
|
|
|
|
Testte DB node tek oldugu icin DB subnet icindeki PostgreSQL/MongoDB replication portlari aktif kullanilmayabilir.
|
|
|
|
## Prod Private Kurallari
|
|
|
|
Prod ortaminda minimum:
|
|
|
|
| Kaynak | Hedef | Portlar |
|
|
| --- | --- | --- |
|
|
| `10.20.10.0/24` | `10.20.10.0/24` | `2377/tcp`, `7946/tcp`, `7946/udp`, `4789/udp` |
|
|
| `10.20.10.0/24` | `10.20.20.0/24` | `5432/tcp`, `27017/tcp` |
|
|
| `10.20.20.0/24` | `10.20.20.0/24` | `5432/tcp`, `27017/tcp` |
|
|
| `10.20.10.0/24` | `10.20.10.0/24` | `8200/tcp`, `6379/tcp`, `5672/tcp`, `61613/tcp`, `15674/tcp`, `2379/tcp` |
|
|
| Admin CIDR veya VPN | `10.20.10.0/24` | `15672/tcp`, `9180/tcp`, `9090/tcp`, `3000/tcp` |
|
|
|
|
Patroni, HAProxy, Mongo sharding veya ayri monitoring agent mimarisi secilirse bu matrise ek portlar kontrollu sekilde eklenmelidir.
|
|
|
|
## Kabul Kriterleri
|
|
|
|
- Public firewall `8200/tcp` acmaz.
|
|
- DB portlari public acik degildir.
|
|
- Swarm portlari sadece private app/swarm subnet icinde aciktir.
|
|
- App/Swarm subnet DB subnet'e sadece gerekli DB portlarindan erisir.
|
|
- DB subnet app subnet'e genis yetkiyle acilmaz.
|
|
- Admin UI portlari public yerine admin CIDR/VPN/private ops ile sinirlandirilir.
|
|
|