
Background info (pardon my lack of the correct lingo here): I'm going to be running a pair of physical servers, each hosting some simple sites with Nginx. The servers are in a colo and I will have some dedicated IP addresses (up to 16). The servers are connected via a switch. And their network sits behind a Cisco firewall.

My intention (correct me, if this is completely wrong) is to give each server a virtual IP. Then, traffic coming in through the firewall will be prepared to one of the virtual IP addresses (my primary server). This way, if I have a problem with the primary physical server, I can shut it down and use its VIP in the backup physical server (manual failover). My understanding is that if I change the Virtual IP of the failover server to the one that the primary server was using, requests to the public IP address will then be routed to the failover server.

I'm very confused, however, when it comes to understanding networks (as you can probably already tell).

1) If a TCP connection comes to my website's public IP, it'll hit the firewall. Then, it'll be directed to the primary server (based on the VIP). Is this correct?

2) If my servers both sit behind the same firewall, how can they both be accessed at the same IP address (so that I can point my A Record at a single IP)? Or, is this impossible to do with a firewall and only a router can handle that?

3) Would my use case be better suited to use a static IP address or DHCP? What are some downfalls of either?

4) Am I even understanding public IP addresses correctly? Do I assign a single public IP address to my firewall, then forward connections from there back to a single IP behind my firewall? Or, do each of my servers get an IP address and TCP connections simply come through my firewall and into one of the servers based on the IP being connected to?

orokusaki
  • You need to clarify first: are you trying to Load Balance across the 2 servers where both servers are serving pages at the same time to different clients, or have an Active/Backup where 1 server takes the load normally but the second is ready to take over when the first fails? – fukawi2 May 14 '13 at 03:13
  • @fukawi2 the latter is true (active / backup) and failover will be performed manually (for now, some day we'll set up automatic failover) – orokusaki May 14 '13 at 13:12

1 Answer


Your understanding is correct. Just to note, in networking terms, a virtual IP is essentially a public IP your router has control over and you can lease it out wherever, whenever you want...

There are two types of IP addresses, public IPs (which you usually assign to the router itself), and then you have private IPs, which you have 100% control over in your VLAN. In your case, you'd want to take all of your public IPs, put them in one VLAN, assign them all to your router (and have your router lease them out via static IP routing), and make sure the router is set up for NAT 1:1 redirection (which can take a public IP and essentially redirect it to an internal IP address). This way, on your server, you can assign it to, let's say, 10.0.0.101 and have your backup server on 10.0.0.102. If your main server goes down, you don't need to switch any public IP addresses; all you would need to do on the router side would be to have your public IP point to your other private IP.

But, there are other ways to do this. If you use something like Nginx's upstream back-end feature (http://wiki.nginx.org/HttpUpstreamModule), you can have a web server load balance between multiple servers as well (and if one back-end went down, Nginx would know that), but then if the main Nginx web server proxying your requests goes down, you'd have to do some other fancy routing to get that to fail over nicely as well. You might like to take a read at https://stackoverflow.com/questions/10971298/load-balancing-with-nginx :)

Taylor Jasko
  • Thanks Taylor, but I don't have a router - we only need to use one server at a time (the other is just for failover), so we don't need a router or load balancer, etc., right? How does me not having a router affect your suggestion? What should I do differently, having only a firewall? **Note, I do have 2 switches though.** – orokusaki May 14 '13 at 13:26
  • Hmm, that's a bit more of an advanced question (I only know a little bit of all of this). There might be a way you can do NAT 1:1 on the Cisco switch itself, but I'm honestly not very familiar with Cisco's software. Maybe take a read up on http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic7 and http://www.freeccnaworkbook.com/workbooks/ccna/configuring-network-address-translation-nat-one-to-one. From the looks of it, should be possible. – Taylor Jasko May 14 '13 at 17:13
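The Nginx upstream approach the answer mentions, written as an added example (not code from the answer or from the Nginx project) for the active/backup case the asker wants rather than load balancing: the firewall's 1:1 NAT points the public IP at a small Nginx front end, which sends traffic to the primary and only uses the backup while the primary is marked down. The addresses 10.0.0.101 (primary) and 10.0.0.102 (backup) are the private IPs from the answer; 203.0.113.10 and example.com are placeholders.

```nginx
# Constructed example: Nginx front end with automatic active/backup
# failover to the two web servers behind the firewall.
# Assumed layout: firewall NATs placeholder public IP 203.0.113.10
# to this proxy host; 10.0.0.101 is primary, 10.0.0.102 is backup.

upstream web_pool {
    # Primary: marked down after 3 failed attempts within 10s,
    # then retried once the 10s window has passed.
    server 10.0.0.101:80 max_fails=3 fail_timeout=10s;

    # Backup: receives requests only while the primary is down.
    server 10.0.0.102:80 backup;
}

server {
    listen 80;
    server_name example.com;   # placeholder hostname

    location / {
        proxy_pass http://web_pool;

        # Retry on the other upstream when the primary errors, times out
        # or answers 5xx, so the client gets a response instead of the failure.
        proxy_next_upstream error timeout http_502 http_503 http_504;
        proxy_connect_timeout 2s;

        # Pass the real client address and host through to the backend logs.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

As the answer points out, the proxy host itself is still a single point of failure; the firewall's NAT entry targets the proxy, not either web server, so a proxy outage takes both sites offline.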