
Apologies for sounding naive in advance, I am a newbie in servers/networking and have a generic question around Load Balancers, DNS and NATting.

We have an app deployed on our private data center. The DNS/endpoint points to our load balancer (HAProxy). We have a new client who wants to access our endpoint, but it is not possible to establish direct connectivity from their hosts to our endpoint (as they are outside our network). So, we thought of implementing NATting. Now the client has established some sort of NATting where they connect to the NAT host and it routes traffic to our load balancer.

However, this is not enough, as traffic is served over HTTPS on our load balancer and the DNS has to resolve along with the certificates (SSL). Their network does not have direct access to our network and thus their hosts do not understand what our endpoint is.

So, how do we make this to work? How can we make our DNS accessible to them securely so that the requests flow from their network into NAT servers and then onto our load balancer?

Koshur
    It's not clear (to me) from your description: Does the load balancer have a public IP reachable from the client? Also, read about "split-brain DNS" – Ron Trunk Feb 17 '21 at 14:53
  • Yeah, I wonder too if the LB has a public IP. Because it says that there is a "dns/endpoint" pointing at the LB. So there is a hostname pointing at it? So it must have a public IP? :) And if it does, it should probably terminate the SSL too, right? – Alexander Kolodziej Feb 17 '21 at 14:56
  • Yes, the load balancer IP is reachable from the client. After the configuration done by NAT folks, a nslookup on our endpoint from the client side shows our load balancer IP. It should have been mapped to the NAT IP instead to make it work, right? – Koshur Feb 17 '21 at 15:08
  • An important (to me at least) question that seems to be missing is: Exactly why can't the client connect to your network? Some sort of outgoing restrictions on THEIR end? Or YOUR network is not allowing them to connect? Where exactly is this NAT host located? Has a proxy server (which solves the DNS/certificate problem) been considered? – Brandon Xavier Feb 17 '21 at 15:56
  • @BrandonXavier Yes, there is a restriction on our side (organization level). Any incoming and outgoing traffic from external network has to flow via NAT hosts as per the internal security policies. I am not sure where NAT hosts are located but client must connect to NAT only and not our load balancer. – Koshur Feb 17 '21 at 16:16
  • Assuming in your company's terminology "NAT hosts" is similar to what many people would refer to as "firewalls", that makes sense. Just wanted to make sure the client wasn't cobbling together some kind of NAT solution to bypass egress restrictions. If the DNS can be pointed to the NAT host's external IP, it should "just work" for the new client. If you have internal clients that require the address be pointed directly to HAProxy, you may have to look at a split-view DNS solution as @Ron Trunk suggested. – Brandon Xavier Feb 17 '21 at 16:30

0 Answers
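As an added example (not from the thread or from any of the commenters), here is the split-view BIND9 layout the comments point at: the same name `app.example.com` resolves to HAProxy's private address for internal clients and to the NAT host's external address for everyone else, so the new client's nslookup returns the NAT IP instead of the load balancer IP. All zone names, addresses and file paths are assumed placeholders.

```conf
// named.conf (assumed paths and addresses, placeholders only)

// Internal clients resolve the name straight to HAProxy.
view "internal" {
    match-clients { 10.0.0.0/8; localhost; };
    recursion yes;
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.internal";
    };
};

// Everyone else, including the new client, gets the NAT host's external address.
// Views are matched in order, so the catch-all view must come last.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.external";
    };
};

; ---- /etc/bind/zones/db.example.com.internal ----
$TTL 300
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2021021701 3600 900 1209600 300 )
     IN NS  ns1.example.com.
ns1  IN A   10.0.0.53
app  IN A   10.0.10.20      ; HAProxy, private address (assumed)

; ---- /etc/bind/zones/db.example.com.external ----
$TTL 300
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2021021701 3600 900 1209600 300 )
     IN NS  ns1.example.com.
ns1  IN A   203.0.113.53
app  IN A   203.0.113.10    ; NAT host external address (assumed), forwarding TCP/443 to 10.0.10.20
```

Because the certificate is issued for the hostname rather than an IP address, the client validates the same HAProxy certificate on both paths as long as the NAT host forwards TCP 443 through unmodified and the client sends `app.example.com` as the SNI name; if the NAT host terminates TLS itself, it needs its own copy of the certificate and key.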