FAQ
How can I see a short list of ASGs, ELBs, instances, security groups, or clusters, filtered by a single application name?
On the application list screen, click the icon for the ASGs or instances associated with your application.
Notice that if your application is called "helloworld", the URLs are:
- http://asgard/us-east-1/autoScaling/list/helloworld
- http://asgard/us-east-1/instance/list/helloworld
The same URL pattern can be applied to other list URLs, such as the following:
- http://asgard/us-east-1/loadBalancer/list/helloworld
- http://asgard/us-east-1/security/list/helloworld
- http://asgard/us-east-1/cluster/list/helloworld
Amazon Web Services does not currently allow adding ELBs to or removing ELBs from an existing ASG. If you already have an ASG and you wish to associate an ELB, you'll need to create a new ASG with all the relevant ELBs attached at ASG creation time.
How do I restrict access to my Eureka instances in the cloud so that Asgard can call them but outsiders cannot?
What options are there for securing the communication between Asgard and Eureka? Assuming HTTPS is already in place, are there options for authentication? The scenario I have is that, running Asgard from my desktop, for Asgard to communicate with Eureka it's communicating over an open public address. Do you set up a security group entry to only allow certain IP addresses through? If I am sitting behind a dynamic IP address, are there other options?
Don't allow global access to Eureka over a public IP address.
A security group entry is a good way to restrict access to Eureka instances running in the cloud. That's what Netflix does. There isn't currently any facility for authenticating with Eureka, so your network architecture is important for security.
For example, at Netflix, all our cloud instances, including Eureka, have a set of security groups that Asgard applies to all ASGs. You can configure Asgard to apply your own special "apply everywhere" security groups. On your Asgard machine, edit Config.groovy, which is located in your $ASGARD_HOME directory (~/.asgard by default).
Inside the "cloud" configuration section, add a defaultSecurityGroups entry like this:
    cloud {
        accountName="prod"
        publicResourceAccounts=[]
        // These are the names of the security groups that should automatically be
        // used for all instances in all regions we use.
        defaultSecurityGroups = ['dev-boxes', 'cloud-infrastructure']
    }
Asgard does not use the Amazon "default" security group because "default" has the undesirable characteristic of allowing all instances to call each other. From Netflix's point of view, that would be an unwise and unnecessary security risk. See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
Your dynamic IP address is a problem if its possible values have a broad range that could include people you don't trust. Arrange for your Asgard instances (including your laptop) to have IP addresses in restricted ranges where you trust those IPs to call Eureka responsibly.
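One way to check the advice above is to audit the ingress rules of your "apply everywhere" security groups for source ranges that are too wide on the Eureka port. The following is an added example, not part of Asgard or the original FAQ; it assumes Eureka listens on TCP 8080, treats IPv4 ranges wider than /24 as too broad, and runs over constructed rules shaped like the IpPermissions output of EC2 describe-security-groups.

```python
import ipaddress

# Assumption: Eureka listens on TCP 8080 in this deployment; change to match yours.
EUREKA_PORT = 8080
# Assumption: IPv4 sources wider than a /24 are treated as too broad to trust.
MIN_PREFIX_LEN = 24

def covers_port(perm, port):
    """True if an IpPermissions entry applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def broad_eureka_rules(groups, port=EUREKA_PORT, min_prefix=MIN_PREFIX_LEN):
    """Return (group name, CIDR) pairs that expose the port to a wide range."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not covers_port(perm, port):
                continue
            # Only IPv4 CIDR sources are checked; group-to-group rules are skipped.
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if net.prefixlen < min_prefix:
                    findings.append((group["GroupName"], str(net)))
    return findings

# Constructed sample rules (documentation address ranges, placeholder group id).
SAMPLE_GROUPS = [
    {"GroupName": "cloud-infrastructure", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "203.0.113.0/28"}],
         "UserIdGroupPairs": [{"GroupId": "sg-EXAMPLE"}]}]},
    {"GroupName": "dev-boxes", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "198.51.100.0/22"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.0.2.7/32"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for name, cidr in broad_eureka_rules(SAMPLE_GROUPS):
        print(f"{name}: port {EUREKA_PORT} reachable from {cidr}")
```

The port-range rule (8000-9000) is flagged because it silently includes the Eureka port, while the narrow /28 and the single-host all-protocol rule pass.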