Creating Red Hat CoreOS enabled Locations with reduced firewall footprint
Configure a Red Hat CoreOS enabled Location to connect to a single network destination instead of multiple destinations to reduce the number of outbound IP addresses to allow on your firewall.
To connect to a single network destination, use a host link agent. A host link agent is a binary Link client that runs as a systemd service on your hosts. The agent connects to the tunnel server and rewrites your hosts' DNS configuration so that all Location bootstrap traffic is redirected through the Link that the agent establishes to reach IBM back-end services. As a result, all outbound traffic from the Location connects to a single destination, the Tunnel server public endpoint on port 443. Therefore, you do not need to allow all of the outbound IP addresses that are listed in Required outbound connectivity for hosts in all regions.
Follow these steps to set up a Red Hat CoreOS enabled Location with reduced firewall footprint.
- Create a Red Hat CoreOS enabled Satellite Location. For more information, see Creating a Satellite location.
- Get the `healthcheckLocation` endpoint by running the `ibmcloud sat endpoint ls --location LOCATION_NAME` command.

  Example command:

  ```
  ibmcloud sat endpoint ls --location my-sat-link
  ```

  Example output:

  ```
  ID                           Name                                         Destination   Type   Address
  cdn1e2dw0vmieu3g98p0_drock   satellite-healthcheck-cdn1e2dw0vmieu3g98p0   location      HTTP   c-01.private.us-south.link.satellite.cloud.ibm.com:32877
  ```

  From the output, take note of the Location endpoint address, for example `c-01.private.us-south.link.satellite.cloud.ibm.com:32877`. Replace `.private` with `-ws` and remove the port. For example, `c-01.private.us-south.link.satellite.cloud.ibm.com:32877` becomes `c-01-ws.us-south.link.satellite.cloud.ibm.com`. This value is used as the value for `ENDPOINT_TO_POINT_TO` in the `sat host attach` command in the next step.
- Download the host attachment script for your Location by running the `ibmcloud sat host attach --location LOCATION_NAME --operating-system RHCOS --host-link-agent-endpoint ENDPOINT_TO_POINT_TO` command in the CLI.

  Example command:

  ```
  ibmcloud sat host attach --location my-sat-link --operating-system RHCOS --host-link-agent-endpoint c-01-ws.region.link.satellite.cloud.ibm.com
  ```

  Example output:

  ```
  Creating host registration script... OK
  The script to attach hosts to Satellite location 'my-sat-link' was downloaded to the following location: /var/folders/7y/90mtvpqj1jx05gvgk1jyk7b80000gn/T/register-host_my-sat-link_1782841498.ign
  ```
- Attach your hosts to your Location by running the downloaded script.
  - If your hosts are in another cloud provider, follow the provider-specific steps to run the script and attach your hosts.
  - If your hosts are in an on-premises data center, see Attaching on-premises RHCOS hosts.
- Find the IP addresses of the tunnel endpoint by running the `dig c-01-ws.REGION.link.satellite.cloud.ibm.com +short` command.

  Example command:

  ```
  dig c-01-ws.us-south.link.satellite.cloud.ibm.com +short
  ```

  Example output:

  ```
  prod-us-south-sl-935783-6b64a6ccc9c596bf59a86625d8fa2202-0000.us-south.containers.appdomain.cloud.
  prod-us-south-sl-935783-6b64a6ccc9c596bf59a86625d8fa2202-0000.c303u02d04o7tl16uqm0.akadns.net.
  169.61.156.226
  169.61.31.178
  169.46.88.106
  ```

  In this example, the IP addresses of the tunnel endpoint are `169.61.156.226`, `169.61.31.178`, and `169.46.88.106` on port 443.
- Configure your firewall to allow outgoing traffic to the IP addresses of the tunnel endpoint on port 443. The IP addresses are in the output of the previous step.

  NTP must also be allowed. You can either allow access to the Red Hat network time protocol (NTP) servers that are listed in Required outbound connectivity for hosts overview, or configure access to a custom NTP server. See Specifying a custom Network Time Protocol (NTP) server if you want to configure a local NTP server.
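The endpoint rewrite and the allowlist derivation from the steps above, as an added POSIX shell example (not IBM's code): it turns the `Address` column from `ibmcloud sat endpoint ls` into the `-ws` host link agent endpoint, then keeps only the IPv4 answers from `dig +short` output (dropping the CNAME chain) and emits one port-443 rule description per tunnel IP. The sample `Address` and `dig` output are constructed from this page's example so the script runs offline; the rule text is a generic description, not any particular firewall's syntax.

```shell
#!/bin/sh
# Added example, not IBM's code. Sample values below are constructed from the
# docs' example output so that the script runs without network access.

# Convert the Address from `ibmcloud sat endpoint ls` (host.private...:PORT)
# into the -ws hostname that --host-link-agent-endpoint expects.
to_link_agent_endpoint() {
  # $1: for example c-01.private.us-south.link.satellite.cloud.ibm.com:32877
  printf '%s\n' "$1" | sed -e 's/:[0-9]*$//' -e 's/\.private\./-ws./'
}

# Keep only IPv4 answers from `dig +short` output (CNAME lines end in a dot).
extract_ipv4() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Emit one outbound allow-rule description per tunnel IP, destination port 443.
allowlist_rules() {
  extract_ipv4 | while read -r ip; do
    printf 'allow out tcp to %s port 443\n' "$ip"
  done
}

# Constructed sample: the Address column from the docs' `endpoint ls` output.
SAMPLE_ADDRESS='c-01.private.us-south.link.satellite.cloud.ibm.com:32877'

# Constructed sample: the docs' `dig ... +short` output (CNAME chain, then A records).
SAMPLE_DIG='prod-us-south-sl-935783-6b64a6ccc9c596bf59a86625d8fa2202-0000.us-south.containers.appdomain.cloud.
prod-us-south-sl-935783-6b64a6ccc9c596bf59a86625d8fa2202-0000.c303u02d04o7tl16uqm0.akadns.net.
169.61.156.226
169.61.31.178
169.46.88.106'

# In a real run, replace SAMPLE_DIG with the output of:
#   dig "$(to_link_agent_endpoint "$SAMPLE_ADDRESS")" +short
main() {
  endpoint=$(to_link_agent_endpoint "$SAMPLE_ADDRESS")
  echo "host-link-agent endpoint: $endpoint"
  printf '%s\n' "$SAMPLE_DIG" | allowlist_rules
}

main "$@"
```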