Murat ÖZDEMİR
b115a4cbdf
- Add `hetzner-sizing-report.md` defining data-driven server type recommendations for test and prod environments.
- Update Terraform configurations to align with the recommended `CPX` server types and refine firewall rules for Docker Swarm and database interactions.
- Introduce comprehensive documentation and stack files for:
- Single-node PostgreSQL/MongoDB deployment on a test DB worker node.
- High-availability 3-node MongoDB replica set and Patroni+etcd PostgreSQL cluster for production.
- Enhance Ansible bootstrap roles with SELinux disabling, fail2ban configuration, and StorageBox SSH key management for CI/CD.
- Reorganize and rename setup documentation files for improved structure and clarity.
7.4 KiB
07 - Private Network Port Matrisi
Bu dosya test ve prod ortamlarinda Hetzner private network icinde acilmasi gereken portlari tanimlar. Public internete acik portlar sadece 22/tcp, 80/tcp, 443/tcp olacaktir. Vault 8200/tcp public acilmayacak.
Bu matris Terraform Hetzner firewall ve Ansible UFW kurallari icin kaynak kabul edilmelidir.
Network PlanI
Test
| Subnet | CIDR | Amac |
|---|---|---|
| App/Swarm | 10.10.10.0/24 |
iklim-app-01 |
| DB | 10.10.20.0/24 |
test-db-01 |
Prod
| Subnet | CIDR | Amac |
|---|---|---|
| App/Swarm | 10.20.10.0/24 |
iklim-app-01/02/03 |
| DB | 10.20.20.0/24 |
prod-db-01/02/03 |
Public Ingress Standardi
Tum ortamlar icin public ingress:
| Port | Protocol | Kaynak | Hedef | Zorunluluk |
|---|---|---|---|---|
22 |
TCP | Admin IP/CIDR | Tum node'lar | SSH yonetim |
80 |
TCP | Internet | Gateway entrypoint | HTTP / ACME redirect |
443 |
TCP | Internet | Gateway entrypoint | HTTPS |
Public olarak acilmayacak kritik portlar:
| Port | Servis |
|---|---|
8200/tcp |
Vault |
5432/tcp |
PostgreSQL |
27017/tcp |
MongoDB |
6379/tcp |
Redis |
5672/tcp, 15672/tcp, 61613/tcp, 15674/tcp |
RabbitMQ |
2377/tcp, 7946/tcp, 7946/udp, 4789/udp |
Docker Swarm |
9180/tcp |
APISIX Admin API |
9090/tcp |
Prometheus |
3000/tcp |
Grafana |
Docker Swarm Private Portlari
Docker Swarm node'lari arasinda zorunlu portlar:
| Port | Protocol | Kaynak | Hedef | Aciklama |
|---|---|---|---|---|
2377 |
TCP | Swarm node'lari | Swarm manager node'lari | Swarm control plane / join |
7946 |
TCP | Tum Swarm node'lari | Tum Swarm node'lari | Node discovery / gossip |
7946 |
UDP | Tum Swarm node'lari | Tum Swarm node'lari | Node discovery / gossip |
4789 |
UDP | Tum Swarm node'lari | Tum Swarm node'lari | Overlay VXLAN data path |
Testte bu portlar fiilen tek Swarm node icin gerekli olsa da ileride worker eklemeyi kolaylastirmak icin app subnet icinde tanimlanabilir.
Prod'da 10.20.10.0/24 app/swarm subnet icinde bu portlar tum iklim-app-* node'lari arasinda acik olmalidir.
Kaynak: Docker overlay network dokumani, https://docs.docker.com/engine/network/drivers/overlay/
Uygulama ve Infra Servis Private Portlari
Bu portlar public acilmayacak. Sadece private network veya Docker overlay icinde gerekli kaynaklardan erisime izin verilecek.
| Port | Protocol | Servis | Kaynak | Hedef | Not |
|---|---|---|---|---|---|
8200 |
TCP | Vault API/UI | Swarm app node'lari / runner | Vault service/node | Public kapali. Runtime servisleri Vault'a private/overlay uzerinden erismeli |
6379 |
TCP | Redis | Swarm app node'lari | Redis service/node | Public kapali |
5672 |
TCP | RabbitMQ AMQP | Swarm app node'lari | RabbitMQ service/node | Public kapali |
15672 |
TCP | RabbitMQ Management | Admin CIDR veya private ops | RabbitMQ service/node | Public kapali; tercihen VPN/bastion |
61613 |
TCP | RabbitMQ STOMP | Gerekli app node'lari | RabbitMQ service/node | Public kapali |
15674 |
TCP | RabbitMQ Web STOMP | Gerekli app/gateway node'lari | RabbitMQ service/node | Public kapali |
2379 |
TCP | etcd client | APISIX service/node | etcd service/node | Public kapali |
2380 |
TCP | etcd peer | etcd cluster node'lari | etcd cluster node'lari | Tek replica ise gerekmeyebilir; cluster olursa gerekli |
9180 |
TCP | APISIX Admin API | Admin CIDR veya private ops | APISIX service/node | Public kapali |
9090 |
TCP | Prometheus UI/API | Admin CIDR veya private ops | Prometheus service/node | Public kapali |
3000 |
TCP | Grafana UI | Admin CIDR veya private ops | Grafana service/node | Public kapali |
Mevcut docker-stack-infra.yml bazi servisleri host mode ile publish ediyor olabilir. Hetzner firewall public ingress'i kapatsa bile private ingress kararini bu tablo belirler.
DB Node Portlari
DB altyapisi manuel kurulacagi icin kesin cluster teknolojisi bu dokumanin disindadir. Yine de firewall icin varsayilan portlar asagidadir.
PostgreSQL / PostGIS (Patroni + etcd)
Prod ortami Patroni + etcd ile yonetilen PostgreSQL kullanir. Test ortaminda tek node oldugu icin replication ve HA portlari gerekmez.
| Port | Protocol | Kaynak | Hedef | Not |
|---|---|---|---|---|
5432 |
TCP | App/Swarm subnet | PostgreSQL node'lari (Patroni yonetimli) | Uygulama JDBC — tum node'lara baglanir, driver primary'i bulur |
5432 |
TCP | DB subnet | PostgreSQL node'lari | Patroni replication (pg_basebackup ve wal streaming) |
8008 |
TCP | DB subnet | PostgreSQL node'lari | Patroni REST API — leader election, saglik kontrolu |
2379 |
TCP | DB subnet | etcd node'lari | etcd client — Patroni → etcd erisimi |
2380 |
TCP | DB subnet | etcd node'lari | etcd peer — etcd cluster icindeki raft protokolu |
MongoDB
| Port | Protocol | Kaynak | Hedef | Not |
|---|---|---|---|---|
27017 |
TCP | App/Swarm subnet | MongoDB node/replica set endpoint | Uygulama DB baglantisi |
27017 |
TCP | DB subnet | MongoDB replica set node'lari | Replica set internal trafik |
Ileride sharding yapilirsa 27018/27019 gibi ek MongoDB rolleri gundeme gelebilir; bu asamada acilmayacak.
Test Private Kurallari
Test ortaminda minimum:
| Kaynak | Hedef | Portlar |
|---|---|---|
10.10.10.0/24 |
10.10.10.0/24 |
2377/tcp, 7946/tcp, 7946/udp, 4789/udp |
10.10.10.0/24 |
10.10.20.0/24 |
5432/tcp, 27017/tcp |
10.10.10.0/24 |
10.10.10.0/24 |
8200/tcp, 6379/tcp, 5672/tcp, 61613/tcp, 15674/tcp |
| Admin CIDR veya VPN | 10.10.10.0/24 |
15672/tcp, 9180/tcp, 9090/tcp, 3000/tcp |
Testte DB node tek oldugu icin DB subnet icindeki PostgreSQL/MongoDB replication portlari aktif kullanilmayabilir.
Prod Private Kurallari
Prod ortaminda minimum (Patroni + etcd dahil):
App subnet (swarm firewall) — kendi icindeki trafik:
| Kaynak | Hedef | Portlar |
|---|---|---|
10.20.10.0/24 |
10.20.10.0/24 |
2377/tcp, 7946/tcp, 7946/udp, 4789/udp (Swarm) |
10.20.10.0/24 |
10.20.10.0/24 |
8200/tcp, 6379/tcp, 5672/tcp, 61613/tcp, 15674/tcp, 2379/tcp (uygulama servisleri) |
| Admin CIDR veya VPN | 10.20.10.0/24 |
15672/tcp, 9180/tcp, 9090/tcp, 3000/tcp |
App → DB trafigi (swarm firewall'da ilgili kural bulunmaz; db firewall'da izin verilir):
| Kaynak | Hedef | Portlar |
|---|---|---|
10.20.10.0/24 |
10.20.20.0/24 |
5432/tcp, 27017/tcp (DB erisimi) |
10.20.10.0/24 |
10.20.20.0/24 |
2377/tcp, 7946/tcp, 7946/udp, 4789/udp (Swarm — DB worker join) |
DB subnet (db firewall) — DB node'lari arasi trafik:
| Kaynak | Hedef | Portlar |
|---|---|---|
10.20.20.0/24 |
10.20.20.0/24 |
5432/tcp, 27017/tcp (DB replication) |
10.20.20.0/24 |
10.20.20.0/24 |
2379/tcp, 2380/tcp (etcd client/peer) |
10.20.20.0/24 |
10.20.20.0/24 |
8008/tcp (Patroni REST API) |
DB → App trafigi (swarm firewall'da izin verilir):
| Kaynak | Hedef | Portlar |
|---|---|---|
10.20.20.0/24 |
10.20.10.0/24 |
2377/tcp, 7946/tcp, 7946/udp, 4789/udp (Swarm — manager portlari) |
Kabul Kriterleri
- Public firewall
8200/tcpacmaz. - DB portlari public acik degildir.
- Swarm portlari sadece private app/swarm subnet icinde aciktir.
- App/Swarm subnet DB subnet'e sadece gerekli DB portlarindan erisir.
- DB subnet app subnet'e genis yetkiyle acilmaz.
- Admin UI portlari public yerine admin CIDR/VPN/private ops ile sinirlandirilir.