Ports used by Consul and security group settings

This is still at the verification stage, but I am thinking of running it like this.

In this post, `consul agent -server` is called a Server,
`consul agent` is called a Client,
and the two together are called Agents.

Ports used by Consul

| Function | TCP/UDP | Port | Description |
|---|---|---|---|
| Server RPC | TCP | 8300 | Servers accept RPC requests from the other Agents (Clients forward their requests here; Servers also use it among themselves) |
| Serf LAN | TCP & UDP | 8301 | LAN gossip protocol; used among all Agents |
| Serf WAN | TCP & UDP | 8302 | WAN gossip protocol; used among Servers |
| CLI RPC | TCP | 8400 | Used by the consul command to talk to the local Agent |
| HTTP API | TCP | 8500 | Agents accept HTTP API requests (every Agent, Server or Client, serves it) |
| DNS | TCP & UDP | 8600 | Agents accept DNS queries |

The CLI RPC, HTTP API and DNS listeners bind to 127.0.0.1 by default (the agent's client_addr setting), which is why they get no inbound rule below. Note that the CLI RPC port (8400) was removed in Consul 1.0; the consul command now talks to the local Agent over the HTTP API.

https://www.consul.io/docs/install/ports.html

Security group settings

I prepared two security groups, one for Servers and one for Clients.
Only five security groups can be attached to an instance (network interface), so spending one on the Client role feels wasteful, but being able to scope rules to a security group makes it indispensable.
Ports 22 and 80 are omitted from the tables below.

Security group for Servers

Servers are allowed to talk to each other on all ports.
The HTTP API and DNS listeners only talk to localhost, so those ports do not need to be opened.
If you set up Serf WAN you also have to allow port 8302, and since the Servers in the other datacenter are not members of this VPC's security groups, you probably have no choice but to allow them by IP address.

| Type | Protocol | Port Range | Source |
|---|---|---|---|
| All Traffic | All | All | sg-xxxxxx (consul-server) |
| Custom TCP Rule | TCP | 8300 | sg-xxxxxx (consul-client) |
| Custom TCP Rule | TCP | 8301 | sg-xxxxxx (consul-client) |
| Custom UDP Rule | UDP | 8301 | sg-xxxxxx (consul-client) |

Security group for Clients

It should be enough for Agents to reach each other over Serf LAN.
These rules only decide which instances can reach the gossip port; any instance placed in one of these groups can join the cluster, so also set a gossip encryption key (the encrypt setting, or -encrypt on the command line) rather than relying on the network boundary alone.

| Type | Protocol | Port Range | Source |
|---|---|---|---|
| Custom TCP Rule | TCP | 8301 | sg-xxxxxx (consul-server) |
| Custom UDP Rule | UDP | 8301 | sg-xxxxxx (consul-server) |
| Custom TCP Rule | TCP | 8301 | sg-xxxxxx (consul-client) |
| Custom UDP Rule | UDP | 8301 | sg-xxxxxx (consul-client) |

CloudFormation template

Excerpt of the security-group part of the CloudFormation template.
Referencing a security group from inside its own AWS::EC2::SecurityGroup resource (with Ref or Fn::GetAtt) produces an error (a circular dependency), so the rules are defined as separate AWS::EC2::SecurityGroupIngress resources.

"Resources": {
  "ClientSecurityGroup": {
    "Type" : "AWS::EC2::SecurityGroup",
    "Properties" : {
      "GroupDescription" : "for consul-client",
      "VpcId" : {"Ref" : "VpcId"},
      "Tags" : [
        {"Key" : "Name", "Value" : "consul-client"}
      ]
    }
  },
  "ClientSecurityGroupIngressSerfLanTcpFromServer": {
    "Type": "AWS::EC2::SecurityGroupIngress",
    "Properties": {
      "IpProtocol" : "tcp",
      "FromPort" : "8301",
      "ToPort" : "8301",
      "SourceSecurityGroupId": {
        "Fn::GetAtt": ["ServerSecurityGroup", "GroupId"]
      },
      "GroupId": {
        "Fn::GetAtt": ["ClientSecurityGroup", "GroupId"]
      }
    }
  },
  "ClientSecurityGroupIngressSerfLanUdpFromServer": {
    "Type": "AWS::EC2::SecurityGroupIngress",
    "Properties": {
      "IpProtocol" : "udp",
      "FromPort" : "8301",
      "ToPort" : "8301",
      "SourceSecurityGroupId": {
        "Fn::GetAtt": ["ServerSecurityGroup", "GroupId"]
      },
      "GroupId": {
        "Fn::GetAtt": ["ClientSecurityGroup", "GroupId"]
      }
    }
  },
  "ServerSecurityGroupIngressSerfLanTcpFromClient": {
    "Type": "AWS::EC2::SecurityGroupIngress",
    "Properties": {
      "IpProtocol" : "tcp",
      "FromPort" : "8301",
      "ToPort" : "8301",
      "SourceSecurityGroupId": {
        "Fn::GetAtt": ["ClientSecurityGroup", "GroupId"]
      },
      "GroupId": {
        "Fn::GetAtt": ["ClientSecurityGroup", "GroupId"]
      }
    }
  },
  "ServerSecurityGroupIngressSerfLanUdpFromClient": {
    "Type": "AWS::EC2::SecurityGroupIngress",
    "Properties": {
      "IpProtocol" : "udp",
      "FromPort" : "8301",
      "ToPort" : "8301",
      "SourceSecurityGroupId": {
        "Fn::GetAtt": ["ClientSecurityGroup", "GroupId"]
      },
      "GroupId": {
        "Fn::GetAtt": ["ClientSecurityGroup", "GroupId"]
      }
    }
  },
  "ServerSecurityGroup": {
    "Type" : "AWS::EC2::SecurityGroup",
    "Properties" : {
      "GroupDescription" : "for consul-server",
      "VpcId" : {"Ref" : "VpcId"},
      "Tags" : [
        {"Key" : "Name", "Value" : "consul-server"}
      ]
    }
  },
  "ServerSecurityGroupIngressHttp": {
    "Type": "AWS::EC2::SecurityGroupIngress",
    "Properties": {
      "IpProtocol" : "tcp",
      "FromPort" : "80",
      "ToPort" : "80",
      "CidrIp" : "192.168.0.0/16",
      "GroupId": {
        "Fn::GetAtt": ["ServerSecurityGroup", "GroupId"]
      }
    }
  },
  "ServerSecurityGroupIngressServerRpc": {
    "Type": "AWS::EC2::SecurityGroupIngress",
    "Properties": {
      "IpProtocol" : "tcp",
      "FromPort" : "8300",
      "ToPort" : "8300",
      "SourceSecurityGroupId": {
        "Fn::GetAtt": ["ClientSecurityGroup", "GroupId"]
      },
      "GroupId": {
        "Fn::GetAtt": ["ServerSecurityGroup", "GroupId"]
      }
    }
  },
  "ServerSecurityGroupIngressSerfLanTcp": {
    "Type": "AWS::EC2::SecurityGroupIngress",
    "Properties": {
      "IpProtocol" : "tcp",
      "FromPort" : "8301",
      "ToPort" : "8301",
      "SourceSecurityGroupId": {
        "Fn::GetAtt": ["ClientSecurityGroup", "GroupId"]
      },
      "GroupId": {
        "Fn::GetAtt": ["ServerSecurityGroup", "GroupId"]
      }
    }
  },
  "ServerSecurityGroupIngressSerfLanUdp": {
    "Type": "AWS::EC2::SecurityGroupIngress",
    "Properties": {
      "IpProtocol" : "udp",
      "FromPort" : "8301",
      "ToPort" : "8301",
      "SourceSecurityGroupId": {
        "Fn::GetAtt": ["ClientSecurityGroup", "GroupId"]
      },
      "GroupId": {
        "Fn::GetAtt": ["ServerSecurityGroup", "GroupId"]
      }
    }
  },
  "ServerSecurityGroupIngressEachOther": {
    "Type": "AWS::EC2::SecurityGroupIngress",
    "Properties": {
      "IpProtocol" : "-1",
      "FromPort" : "0",
      "ToPort" : "65535",
      "SourceSecurityGroupId": {
        "Fn::GetAtt": ["ServerSecurityGroup", "GroupId"]
      },
      "GroupId": {
        "Fn::GetAtt": ["ServerSecurityGroup", "GroupId"]
      }
    }
  }
}
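As an added example (not code from the original post, nor from Consul or AWS), here is a Python check that derives the rule set each role needs from the port table above and audits a CloudFormation fragment of the kind shown above against it. It resolves the Fn::GetAtt references to the two groups, treats the all-traffic server-to-server rule as covering every port, and reports required rules that no resource grants as well as resources that grant something the port table does not ask for (such as the port 80 rule). The role names, the ingress() helper and the small template fragment embedded at the bottom are assumptions made for this example; the fragment deliberately leaves out the client-to-client UDP 8301 rule so the audit has something to find.

```python
"""Audit a CloudFormation security-group fragment against the Consul port table.

Added example for this article; not code from the original post, Consul or AWS.
Role names, helper names and the template fragment at the bottom are assumptions.
"""

# Port table from the article, expressed as who initiates and who accepts.
# (protocols, port, initiating roles, accepting roles)
CONSUL_PORTS = [
    (("tcp",), 8300, {"server", "client"}, {"server"}),                  # Server RPC
    (("tcp", "udp"), 8301, {"server", "client"}, {"server", "client"}),  # Serf LAN
    (("tcp", "udp"), 8302, {"server"}, {"server"}),                      # Serf WAN
    # 8400/8500/8600 listen on localhost by default, so they need no rule.
]

# Logical resource name -> role, matching the article's template (assumption).
ROLE_OF = {"ServerSecurityGroup": "server", "ClientSecurityGroup": "client"}


def required_rules():
    """Return the set of (target_role, proto, port, source_role) the table demands."""
    return {(dst, proto, port, src)
            for protos, port, talkers, listeners in CONSUL_PORTS
            for proto in protos for dst in listeners for src in talkers}


def _name(value):
    """Resolve {"Fn::GetAtt": [name, "GroupId"]} / {"Ref": name} to the logical name;
    a plain string (CIDR or literal group id) is returned unchanged."""
    if isinstance(value, dict):
        return value["Fn::GetAtt"][0] if "Fn::GetAtt" in value else value["Ref"]
    return value


def template_rules(template):
    """Flatten every ingress rule into (target, proto, from_port, to_port, source).
    Handles standalone AWS::EC2::SecurityGroupIngress resources and inline
    SecurityGroupIngress lists; an IpProtocol of "-1" means every port."""
    rules = []
    for name, res in template["Resources"].items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::EC2::SecurityGroupIngress":
            entries = [(_name(props["GroupId"]), props)]
        elif res["Type"] == "AWS::EC2::SecurityGroup":
            entries = [(name, p) for p in props.get("SecurityGroupIngress", [])]
        else:
            continue
        for target, p in entries:
            src = _name(p.get("SourceSecurityGroupId", p.get("CidrIp")))
            proto = str(p["IpProtocol"])
            lo, hi = (0, 65535) if proto == "-1" else (int(p["FromPort"]), int(p["ToPort"]))
            rules.append((ROLE_OF.get(target, target), proto, lo, hi, ROLE_OF.get(src, src)))
    return rules


def covers(rule, want):
    """True if a flattened template rule grants the required tuple."""
    target, proto, lo, hi, src = rule
    w_target, w_proto, w_port, w_src = want
    return target == w_target and src == w_src and proto in ("-1", w_proto) and lo <= w_port <= hi


def audit(template):
    """Return (missing, extra): required tuples no rule grants, and rules
    that grant nothing the port table asks for (worth a second look)."""
    have, want = template_rules(template), required_rules()
    missing = sorted(w for w in want if not any(covers(r, w) for r in have))
    extra = [r for r in have if not any(covers(r, w) for w in want)]
    return missing, extra


def ingress(target, proto, port, source):
    """Build a SecurityGroupIngress resource the way the article's template does."""
    src = ({"CidrIp": source} if "/" in source
           else {"SourceSecurityGroupId": {"Fn::GetAtt": [source, "GroupId"]}})
    return {"Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": dict(IpProtocol=proto, FromPort=str(port), ToPort=str(port),
                               GroupId={"Fn::GetAtt": [target, "GroupId"]}, **src)}


# Constructed fragment (VpcId etc. omitted): the article's rules, minus the
# client-to-client UDP 8301 rule, left out on purpose so the audit finds it.
SAMPLE_TEMPLATE = {"Resources": {
    "ServerSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {}},
    "ClientSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {}},
    "ServerEachOther": ingress("ServerSecurityGroup", "-1", 0, "ServerSecurityGroup"),
    "ServerRpcFromClient": ingress("ServerSecurityGroup", "tcp", 8300, "ClientSecurityGroup"),
    "ServerSerfTcpFromClient": ingress("ServerSecurityGroup", "tcp", 8301, "ClientSecurityGroup"),
    "ServerSerfUdpFromClient": ingress("ServerSecurityGroup", "udp", 8301, "ClientSecurityGroup"),
    "ClientSerfTcpFromServer": ingress("ClientSecurityGroup", "tcp", 8301, "ServerSecurityGroup"),
    "ClientSerfUdpFromServer": ingress("ClientSecurityGroup", "udp", 8301, "ServerSecurityGroup"),
    "ClientSerfTcpFromClient": ingress("ClientSecurityGroup", "tcp", 8301, "ClientSecurityGroup"),
    "ServerHttp": ingress("ServerSecurityGroup", "tcp", 80, "192.168.0.0/16"),
}}

if __name__ == "__main__":
    missing, extra = audit(SAMPLE_TEMPLATE)
    for dst, proto, port, src in missing:
        print("MISSING  %-6s <- %-6s %s/%d" % (dst, src, proto, port))
    for dst, proto, lo, hi, src in extra:
        print("EXTRA    %-6s <- %s %s %d-%d" % (dst, src, proto, lo, hi))
```

To run it against a real template, load the JSON file with json.load and pass the resulting dict to audit(); "extra" findings are not necessarily wrong (port 80 and 22 are legitimately outside the Consul table), but each one deserves a reason.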
ryo0301 (lifull)