
I created 2 VMs (CentOS 6.5) on Windows Azure for a PostgreSQL database and HA cluster; everything works fine except that when I turn the iptables service on, the load-balanced set endpoint goes down.

For security reasons, I blocked all input access except from the trust domain and the intranet.

:INPUT DROP [1:40] 
:FORWARD ACCEPT [0:0] 
:OUTPUT ACCEPT [1:152]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s myTrustDomain.cloudapp.net -j ACCEPT

I'm pretty sure the problem comes from the firewall, because once I turn the iptables service off, all clients are able to connect to port 5432. But I really need the load-balanced set endpoint to switch nodes when one of them goes down in the HA cluster.

Does anyone know how to configure firewall properly when I use load-balanced set endpoint?

1 Answer


The following is documented:

Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address.

It looks like you are trying to allow only traffic from another cloud service to access the VMs through the load-balanced endpoint. You can achieve this by implementing an ACL directly on the endpoint. This would prevent any disallowed traffic from even reaching your VM.

A more secure architecture may be to deploy your various cloud services in a VNET and configure an internal load balancer to balance traffic to these two VMs. Doing that would allow you to completely remove the external endpoint for PostgreSQL. You can still firewall other traffic not coming from the load balancer.

Asked by Dene; answered by Neil Mackenzie.
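The quoted man page warning is the practical core of the answer: `-s myTrustDomain.cloudapp.net` is resolved exactly once, when the rule is loaded, so the rule silently matches whatever address DNS returned at that moment and nothing else. The following POSIX shell script is an added example (not code from the question, the answer, or Azure) showing the defensive pattern: resolve the trusted name once in the script, refuse to emit a ruleset if resolution fails, and write every source as a literal IP or CIDR in `iptables-restore` format so the loaded rules never depend on DNS. `myTrustDomain.cloudapp.net` is the placeholder from the question; the intranet range `10.0.0.0/16` and the address `203.0.113.10` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Builds an iptables-restore
# "filter" table for the PostgreSQL nodes with every source written as an
# IP or CIDR, so nothing is resolved by DNS while the rules are loaded.

# validate_ipv4 ADDR: succeed if ADDR is a dotted quad, optionally with /mask.
validate_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# resolve_once NAME: print one IPv4 address for NAME. A literal address is
# returned as-is; a hostname is looked up once here, never inside a rule.
resolve_once() {
    if validate_ipv4 "$1"; then
        echo "$1"
    else
        getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
    fi
}

# gen_rules TRUST_IP INTRANET_CIDR [PGPORT]: emit the ruleset. INPUT policy
# is DROP as in the question; only loopback, established flows, the trusted
# address and the intranet range may reach PostgreSQL (default port 5432).
gen_rules() {
    trust_ip=$1; intranet=$2; pgport=${3:-5432}
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        "-A INPUT -s $trust_ip -p tcp --dport $pgport -j ACCEPT" \
        "-A INPUT -s $intranet -p tcp --dport $pgport -j ACCEPT" \
        'COMMIT'
}

# build_ruleset NAME INTRANET_CIDR [PGPORT]: resolve NAME once and emit the
# ruleset. If resolution fails, exit 2 and emit nothing, so a DNS outage can
# never produce a rule that matches the wrong host (or no host at all).
build_ruleset() {
    ip=$(resolve_once "$1") || true
    if [ -z "$ip" ] || ! validate_ipv4 "$ip"; then
        echo "cannot resolve '$1' to an IPv4 address; rules not generated" >&2
        return 2
    fi
    gen_rules "$ip" "$2" "$3"
}

# Usage on a node (not executed here; assumes iptables-restore is installed):
#   build_ruleset myTrustDomain.cloudapp.net 10.0.0.0/16 5432 > /tmp/rules.v4 \
#       && iptables-restore < /tmp/rules.v4
```

Because `build_ruleset` exits non-zero without output when the name does not resolve, the `&&` in the usage line keeps the previously loaded rules in place instead of replacing them with an incomplete set; re-running the script on a schedule is how the rules track a cloud service whose address can change.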