Linode Community Forums

IP management

phy7tes



Joined: 10 Dec 2010
Posts: 6

Posted: Fri Dec 10, 2010 8:54 am    Post subject: IP management  

Hi,

I'm looking to deploy a 30 - 40 linode system which will consist of a pair of load balancers (linux virtual server) and multiple pairs|groups of servers for each software function that I need to deploy. The load balancers will sit in between everything, ideally communication between my own Linodes will be on a private network.

I have a few questions.

* Am I allocated a range of IP addresses for my own Linodes which will allow me to add a simple subnet to my iptables rules, thus restricting access from only my Linodes ? If not, how do people recommend managing their firewall rules when using a large number of hosts ?

* Am I able to keep these IP addresses for my account and switch between different Linodes ?

* How many 'physical' NICs does each Linode have ? Can I have a private network as well as a public network ? How does this affect charges for data ?

Apologies for my ignorance, I haven't signed up an account yet so maybe some of this stuff is obvious ....
JshWright



Joined: 27 Oct 2008
Posts: 173

Posted: Fri Dec 10, 2010 9:04 am    Post subject:  

Each Linode will get one public IP, and (optionally) one private IP. These are not generally guaranteed to be within any particular subnet, but given the size of your deployment, it's likely they could work something out for you (I'm just a community member, so don't take my word for it).

Additional public IPs are $1/mo, and can be configured so that multiple Linodes are allowed to bring them up (obviously only one Linode at a time, this is designed to provide "failover" capability).

Additional addresses (either public or private) are brought up as aliases. Private network traffic is free.

You may want to check out some of the Linode Library articles regarding networking and HA setups to get a feel for how some of this works with Linode.

For instance:
http://library.linode.com/networking/configuring-static-ip-interfaces/
http://library.linode.com/linux-ha/ip-failover-heartbeat-pacemaker-ubuntu-10.04
http://library.linode.com/linux-ha/highly-available-load-balancer-ubuntu-10.04

For an "official" answer re: ip allocation arrangements, your best bet would probably be sales@linode.com
phy7tes



Joined: 10 Dec 2010
Posts: 6

Posted: Fri Dec 10, 2010 5:45 pm    Post subject:  

Thanks for the reply, it's answered a few things and created some more questions !

* Is data only free when communicating between private IP addresses ? Does this not also include communication between public IP addresses in the same DC ?

* Can you perform the 'IP Failover Linkage' with private IP addresses as well as public ? Can I assign a failover IP to more than 1 additional host ?
mnordhoff



Joined: 03 May 2008
Posts: 451

Posted: Fri Dec 10, 2010 5:52 pm    Post subject:  

phy7tes wrote: * Is data only free when communicating between private IP addresses ? Does this not also include communication between public IP addresses in the same DC ?

Right, transfer is only free over your private IPs. Public traffic, even within the same data center, is not free.

Your other questions are interesting, but I do not know the answers!
hoopycat



Joined: 30 Aug 2008
Posts: 1294
Location: Rochester, New York

Posted: Fri Dec 10, 2010 9:57 pm    Post subject:  

I've had decent luck using APF's global trust files for syncing up allow lists across hosts. It isn't well-documented, and there's a lot of bells and whistles and hoopla with APF that may annoy people who prefer raw iptables, but it works.

Your configuration management/deployment system should probably be able to handle that kind of thing, too. Since it will know about new servers before anything else does, that might be the most effective way to go...

Also: the private network is, from a security standpoint, a public network. Don't try to save iptables space that way ;-)
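
An added example, not part of the original thread and not APF's trust-file format: one way a deployment system could render per-host allow rules from its inventory, so that peers are listed one /32 at a time and no subnet of the shared private network is ever trusted. The inventory, roles, ports, chain name and the `peer_rules` helper are all assumptions made for illustration; IPv4 only.

```python
import ipaddress

# Constructed inventory: names, roles and addresses are illustrative only.
INVENTORY = [
    {"name": "lb1", "role": "lb", "private_ip": "192.168.130.10"},
    {"name": "lb2", "role": "lb", "private_ip": "192.168.130.11"},
    {"name": "app1", "role": "app", "private_ip": "192.168.140.20"},
    {"name": "db1", "role": "db", "private_ip": "192.168.150.30"},
]

# Assumed policy: local role -> {source role: [TCP ports it may reach]}.
POLICY = {"app": {"lb": [8080]}, "db": {"app": [5432]}}


def peer_rules(inventory, policy, local_role, chain="PEERS"):
    """Build iptables-restore input: one /32 ACCEPT per peer, then DROP per port."""
    accepts, protected = [], set()
    for src_role, ports in sorted(policy.get(local_role, {}).items()):
        protected.update(ports)
        for host in inventory:
            if host["role"] != src_role:
                continue
            # The name ends up in the rule file, so keep it to safe characters.
            if not host["name"].isalnum():
                raise ValueError(f"unsafe host name {host['name']!r}")
            # IPv4Address() raises ValueError on CIDR strings, so a whole
            # subnet of the shared private network can never be allowed.
            addr = ipaddress.IPv4Address(host["private_ip"])
            if not addr.is_private:
                raise ValueError(f"{host['name']}: {addr} is not private")
            for port in ports:
                accepts.append(
                    f"-A {chain} -s {addr}/32 -p tcp -m tcp --dport {port} "
                    f"-m comment --comment {host['name']} -j ACCEPT")
    # Any other source, on either network, is dropped for the protected ports.
    drops = [f"-A {chain} -p tcp -m tcp --dport {p} -j DROP"
             for p in sorted(protected)]
    return ["*filter", f":{chain} - [0:0]", *accepts, *drops, "COMMIT"]


if __name__ == "__main__":
    print("\n".join(peer_rules(INVENTORY, POLICY, "app")))
```

The output is meant to be fed to `iptables-restore --noflush`, with a jump to the `PEERS` chain added to `INPUT` separately; regenerating it on every host whenever the inventory changes keeps the allow lists in sync.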
BarkerJr



Joined: 02 Aug 2009
Posts: 220
Location: Connecticut, USA

Posted: Sat Dec 11, 2010 9:29 pm    Post subject:  

phy7tes wrote: * Can you perform the 'IP Failover Linkage' with private IP addresses as well as public ? Can I assign a failover IP to more than 1 additional host ?
Indeed. Failover works the same for public and private IPs.