Overview
In this entry, we look in detail, from the viewpoint of an AWS infrastructure administrator, at the default settings of the security groups (hereafter SG) that are automatically created and attached when Nutanix Clusters on AWS (hereafter NCA) is built.
- Overview
- How should traffic control for NCA be done?
- List of NCA security groups
- List of SG rules created when building NCA
- Rough picture
- 1. SG: Internal Management (sg-06177da99a42251aa)
- 2. SG: User Management (sg-0d435f750d4503cd8)
- 3. SG: UVM (sg-0c74189b464692708)
- Summary
- Related entries
How should traffic control for NCA be done?
In an environment such as NCA, where a Nutanix Cluster is built on top of AWS infrastructure, both the AWS layer and the Nutanix layer offer similar traffic-control functions, so deciding where to implement control can be troublesome. Let's think it through while checking the documentation.
The following passage from the manual refers to network security for NCA UVMs.
Network security for UVM networks is managed by the cluster itself (networking service). This security covers all UVM traffic that is either entering the cluster or entering a subnet. All traffic between UVMs on the same subnet is allowed. You can achieve more granular network security by using the Flow product. See the Flow Microsegmentation Guide for more information.
From the AWS infrastructure viewpoint, this can be interpreted as follows.
Network security for the UVM network is managed by the cluster itself (the networking service); this security covers all UVM traffic entering the cluster or entering a subnet.
- -> NCA and the UVMs inside it are governed by the network control of the SGs that are automatically created at build time.
All traffic between UVMs on the UVM subnet is allowed.
- -> Inside the UVM subnet, all traffic is allowed.
More granular network security can be achieved with the Flow product.
- -> If fine-grained traffic control is wanted, it should be implemented with Nutanix's Flow product. (Because UVMs are associated as secondary IP addresses of a single ENI, per-UVM fine-grained control is not possible with SGs.)
There is also the following statement about the rules of the automatically created SGs.
If you want to modify these default rules, you must modify the user security group for management from the AWS console or APIs directly.
It does not say "do not edit them"; it says that if a change is necessary, it should be made through operations on the AWS side.
Conclusion
Therefore, roughly speaking, it seems good to keep the following two points in mind as principles for NCA traffic control.
- Communication between UVMs is all allowed by default, so if you want to control it, use Nutanix's feature (Flow) rather than AWS features (SGs or NACLs).
- The SGs that Nutanix creates automatically for NCA should be changed only when necessary, and then through operations on the AWS side.
Next, let's look at the details of the SGs that are automatically created from the Nutanix side so that NCA can run.
List of NCA security groups
After NCA is built, SGs are created for the following three purposes.
(Strictly speaking there are four, but the `default` SG is only used for convenience on Nutanix's reserved ENI, so it is omitted here.)
No | Name | Official description of purpose |
---|---|---|
1 | Internal Management | Allows all communication between AHV and CVM within the cluster |
2 | User Management | Allows specific ports for UVM-to-CVM communication |
3 | UVM | Enables communication between User VMs |
Since some rules allow traffic by SG ID, the IDs are noted explicitly as well.
```
[cloudshell-user@ip-10-0-121-89 tmp]$ echo "VpcId^GroupName^GroupId^Description" > /tmp/awscli.tmp;\
> aws ec2 describe-security-groups --query "SecurityGroups[].[VpcId,GroupName,GroupId,Description]" --output text | tr "\t" "^" >> /tmp/awscli.tmp ;\
> column -s^ -t /tmp/awscli.tmp;\
> rm /tmp/awscli.tmp
VpcId                  GroupName                                         GroupId               Description
vpc-06d2c707a03ca8651  default                                           sg-04f38705e55fdba86  default VPC security group
vpc-06d2c707a03ca8651  Nutanix Cluster CC229F2B7E01 Internal Management  sg-06177da99a42251aa  Internal management security group
vpc-06d2c707a03ca8651  Nutanix Cluster CC229F2B7E01 UVM                  sg-0c74189b464692708  UVM security group
vpc-06d2c707a03ca8651  Nutanix Cluster CC229F2B7E01 User Management      sg-0d435f750d4503cd8  Security group for management interfaces
[cloudshell-user@ip-10-0-121-89 tmp]$
```
List of SG rules created when building NCA
This time we look at only the minimum necessary columns, using the following command.
Command used (AWS CLI)
```sh
# IsEgress is included in both the header and the query so that the
# columns match the output shown below.
echo "GroupId^IsEgress^IpProtocol^FromPort^ToPort^CidrIpv4^SourceGroupId^Description" > /tmp/awscli.tmp ;\
aws ec2 describe-security-group-rules \
  --query "SecurityGroupRules[].\
[GroupId,\
IsEgress,\
IpProtocol,\
FromPort,\
ToPort,\
CidrIpv4,\
ReferencedGroupInfo.GroupId,\
Description]" \
  --output text | tr "\t" "^" >> /tmp/awscli.tmp ;\
column -s^ -t /tmp/awscli.tmp ;\
rm /tmp/awscli.tmp
```
Result
The rules of the security groups automatically created for an NCA built under the following conditions came out as below.
- Access from Public to Prism allowed
- Management Service startup on NCA enabled, with connections allowed only from 10.0.0.0/22
```
GroupId               IsEgress  IpProtocol  FromPort  ToPort  CidrIpv4       SourceGroupId         Description
sg-0c74189b464692708  False     tcp         9440      9440    None           sg-0d435f750d4503cd8  RESP API calls and Prism access
sg-0d435f750d4503cd8  False     tcp         2020      2020    10.0.0.0/22    None                  Disaster Recovery
sg-0c74189b464692708  False     tcp         2027      2027    None           sg-0d435f750d4503cd8  CVM to FSVM management
sg-0c74189b464692708  True      -1          -1        -1      0.0.0.0/0      None                  None
sg-0d435f750d4503cd8  False     tcp         3205      3205    10.0.0.0/22    None                  Stargate iscsi access for Files
sg-04f38705e55fdba86  False     -1          -1        -1      None           sg-04f38705e55fdba86  None
sg-06177da99a42251aa  False     -1          -1        -1      None           sg-06177da99a42251aa  Allow hosts and CVMs to communicate
sg-0d435f750d4503cd8  False     tcp         3205      3205    None           sg-0c74189b464692708  Stargate iscsi access for Files
sg-0d435f750d4503cd8  False     tcp         111       111     10.0.0.0/22    None                  Nutanix Move appliance
sg-0c74189b464692708  False     tcp         22        22      None           sg-0d435f750d4503cd8  SSH from CVM/PE to UVMs
sg-0d435f750d4503cd8  False     tcp         3260      3260    10.0.0.0/22    None                  Stargate iscsi access for Files
sg-0c74189b464692708  False     icmp        0         0       None           sg-0d435f750d4503cd8  eco reply (to ping)
sg-0d435f750d4503cd8  False     tcp         22        22      10.0.0.0/22    None                  SSH to both CVM and Hypervisor
sg-0d435f750d4503cd8  False     tcp         8443      8443    None           sg-0c74189b464692708  Cluster remote support
sg-0d435f750d4503cd8  False     tcp         2073      2073    None           sg-0c74189b464692708  NGT tools
sg-0c74189b464692708  False     icmp        8         0       None           sg-0d435f750d4503cd8  eco request
sg-0c74189b464692708  False     tcp         2100      2100    None           sg-0d435f750d4503cd8  Cluster configuration
sg-0d435f750d4503cd8  False     udp         111       111     None           sg-0c74189b464692708  Nutanix Move appliance
sg-0d435f750d4503cd8  False     udp         2049      2049    None           sg-0c74189b464692708  Nutanix Move appliance
sg-0c74189b464692708  False     tcp         3000      3000    None           sg-0d435f750d4503cd8  Analytics clients Analytics UI
sg-0d435f750d4503cd8  False     tcp         2020      2020    None           sg-0c74189b464692708  Disaster Recovery
sg-0d435f750d4503cd8  False     tcp         2090      2090    None           sg-0c74189b464692708  Ergon access
sg-0d435f750d4503cd8  False     icmp        0         0       None           sg-0c74189b464692708  eco reply (to ping)
sg-0d435f750d4503cd8  False     udp         123       123     None           sg-0c74189b464692708  NTP Service
sg-0d435f750d4503cd8  False     udp         111       111     10.0.0.0/22    None                  Nutanix Move appliance
sg-04f38705e55fdba86  True      -1          -1        -1      0.0.0.0/0      None                  None
sg-0c74189b464692708  False     tcp         7502      7502    None           sg-0d435f750d4503cd8  Access services running on Files
sg-0d435f750d4503cd8  False     tcp         2009      2009    None           sg-0c74189b464692708  Disaster Recovery
sg-0d435f750d4503cd8  False     tcp         9440      9440    None           sg-0c74189b464692708  Prism web console, Citrix MCS
sg-0d435f750d4503cd8  False     tcp         2036      2036    None           sg-0c74189b464692708  Anduril access
sg-0c74189b464692708  False     tcp         443       443     None           sg-0d435f750d4503cd8  Analytics clients Gateway API access
sg-0d435f750d4503cd8  False     tcp         2049      2049    None           sg-0c74189b464692708  Nutanix Move appliance
sg-0c74189b464692708  False     udp         123       123     None           sg-0d435f750d4503cd8  NTP Service
sg-0d435f750d4503cd8  False     tcp         80        80      10.0.0.0/22    None                  Cluster remote support
sg-0d435f750d4503cd8  False     tcp         8443      8443    10.0.0.0/22    None                  Cluster remote support
sg-06177da99a42251aa  True      -1          -1        -1      0.0.0.0/0      None                  None
sg-0d435f750d4503cd8  False     tcp         7501      7501    None           sg-0c74189b464692708  AFS services on CVM access for Files
sg-0c74189b464692708  False     tcp         7501      7501    None           sg-0d435f750d4503cd8  Access services running on Files
sg-0d435f750d4503cd8  False     tcp         2009      2009    10.0.0.0/22    None                  Disaster Recovery
sg-0d435f750d4503cd8  False     tcp         5000      5000    None           sg-0c74189b464692708  NTG user VM
sg-0d435f750d4503cd8  False     tcp         111       111     None           sg-0c74189b464692708  Nutanix Move appliance
sg-0d435f750d4503cd8  False     tcp         9440      9440    10.0.3.207/32  None                  Prism access for Load balancer nodes
sg-0d435f750d4503cd8  False     tcp         3260      3260    None           sg-0c74189b464692708  Stargate iscsi access for Files
sg-0d435f750d4503cd8  False     tcp         2030      2030    None           sg-0c74189b464692708  Acropolis access
sg-0d435f750d4503cd8  False     udp         2049      2049    10.0.0.0/22    None                  Nutanix Move appliance
sg-0d435f750d4503cd8  False     icmp        8         0       None           sg-0c74189b464692708  eco request
sg-0c74189b464692708  False     -1          -1        -1      None           sg-0c74189b464692708  Allow UVMs to communicate
sg-0c74189b464692708  False     tcp         29092     29092   None           sg-0d435f750d4503cd8  FSVM internal IPs Kafka broker access
sg-0d435f750d4503cd8  False     tcp         22        22      None           sg-0c74189b464692708  SSH to both CVM and Hypervisor
sg-0c74189b464692708  False     tcp         7         7       None           sg-0d435f750d4503cd8  TCP echo request from CVM/PE to UVMs
sg-0c74189b464692708  False     tcp         2090      2090    None           sg-0d435f750d4503cd8  CVM to file server management and task status
sg-0d435f750d4503cd8  False     tcp         2074      2074    None           sg-0c74189b464692708  NGT tools
sg-0d435f750d4503cd8  False     udp         123       123     10.0.0.0/22    None                  NTP Service
sg-0d435f750d4503cd8  False     tcp         2049      2049    10.0.0.0/22    None                  Nutanix Move appliance
sg-0d435f750d4503cd8  True      -1          -1        -1      0.0.0.0/0      None                  None
sg-0d435f750d4503cd8  False     tcp         7501      7501    10.0.0.0/22    None                  AFS services on CVM access for Files
sg-0d435f750d4503cd8  False     tcp         80        80      None           sg-0c74189b464692708  Cluster remote support
```
※ Rows where IsEgress is True are the outbound controls. As shown below, in this environment they are all left at the default of no outbound restriction (ALL allowed), so they are omitted from the checks that follow.
```
GroupId               IsEgress  IpProtocol  FromPort  ToPort  CidrIpv4       SourceGroupId         Description
sg-0c74189b464692708  True      -1          -1        -1      0.0.0.0/0      None                  None
sg-04f38705e55fdba86  True      -1          -1        -1      0.0.0.0/0      None                  None
sg-06177da99a42251aa  True      -1          -1        -1      0.0.0.0/0      None                  None
sg-0d435f750d4503cd8  True      -1          -1        -1      0.0.0.0/0      None                  None
```
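As an added example (not code from the original post or from Nutanix), the following Python parses the ^-delimited dump that the command above writes and builds the per-SG "who may talk to whom" view that the rest of the post walks through by hand, then flags any ingress from a CIDR other than the ones chosen at build time (10.0.0.0/22 and the NLB address 10.0.3.207/32) and any egress left wide open. The function names and the embedded sample rows (copied from the dump above) are this example's own choices.

```python
from collections import defaultdict

# Constructed sample: a handful of rows copied from the dump above.
# Columns: GroupId^IsEgress^IpProtocol^FromPort^ToPort^CidrIpv4^SourceGroupId^Description
SAMPLE_DUMP = """\
GroupId^IsEgress^IpProtocol^FromPort^ToPort^CidrIpv4^SourceGroupId^Description
sg-06177da99a42251aa^False^-1^-1^-1^None^sg-06177da99a42251aa^Allow hosts and CVMs to communicate
sg-06177da99a42251aa^True^-1^-1^-1^0.0.0.0/0^None^None
sg-0d435f750d4503cd8^False^tcp^9440^9440^None^sg-0c74189b464692708^Prism web console, Citrix MCS
sg-0d435f750d4503cd8^False^tcp^22^22^10.0.0.0/22^None^SSH to both CVM and Hypervisor
sg-0d435f750d4503cd8^False^tcp^9440^9440^10.0.3.207/32^None^Prism access for Load balancer nodes
sg-0c74189b464692708^False^-1^-1^-1^None^sg-0c74189b464692708^Allow UVMs to communicate
sg-0c74189b464692708^False^tcp^22^22^None^sg-0d435f750d4503cd8^SSH from CVM/PE to UVMs
"""

def parse_dump(text):
    """Turn the ^-separated text (header line first) into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("^")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("^")))
        rec["IsEgress"] = rec["IsEgress"] == "True"   # the CLI prints True/False as text
        rows.append(rec)
    return rows

def summarize(rows):
    """Per target SG, group ingress rules by source: 'self', another SG id, or a CIDR."""
    view = defaultdict(lambda: defaultdict(list))
    for r in rows:
        if r["IsEgress"]:
            continue
        if r["SourceGroupId"] != "None":           # SG-referencing rule
            src = "self" if r["SourceGroupId"] == r["GroupId"] else r["SourceGroupId"]
        else:                                      # CIDR rule
            src = r["CidrIpv4"]
        port = "all" if r["IpProtocol"] == "-1" else f'{r["IpProtocol"]}/{r["FromPort"]}'
        view[r["GroupId"]][src].append(port)
    return {sg: dict(srcs) for sg, srcs in view.items()}

def audit(rows, allowed_cidrs):
    """Flag ingress from CIDRs other than the ones chosen at build time, and open egress."""
    findings = []
    for r in rows:
        if r["IsEgress"] and r["CidrIpv4"] == "0.0.0.0/0":
            findings.append(f'{r["GroupId"]}: egress unrestricted (AWS default)')
        elif not r["IsEgress"] and r["CidrIpv4"] not in ("None", *allowed_cidrs):
            findings.append(f'{r["GroupId"]}: {r["IpProtocol"]}/{r["FromPort"]} '
                            f'from unexpected CIDR {r["CidrIpv4"]}')
    return findings
```

To run it against a live cluster, feed `parse_dump()` the contents of /tmp/awscli.tmp (before the `rm` step of the command above) instead of `SAMPLE_DUMP`.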
Rough picture
NCA uses EC2 bare metal instances and is a slightly unusual environment from the AWS infrastructure viewpoint, so let's organize it in a diagram.
For each SG, we split the rules by their source (From) and look at roughly what each one allows, in detail.
For details on the network resources in this diagram, please refer to the following blog post.
1. SG: Internal Management (sg-06177da99a42251aa)
The official description of its purpose is as follows.
internal_management: Allows all communication between AHV and CVM within a cluster
It allows all communication between AHV (Acropolis Hypervisor) and CVM (Controller VM) within the cluster.
① All traffic allowed from SG: Internal Management (itself)
Since this SG is attached to the ENI of the bare metal instance, it can be read as allowing all Nutanix communication that flows through that ENI.
```
GroupId               IsEgress  IpProtocol  FromPort  ToPort  CidrIpv4       SourceGroupId         Description
sg-06177da99a42251aa  False     -1          -1        -1      None           sg-06177da99a42251aa  Allow hosts and CVMs to communicate
```
2. SG: User Management (sg-0d435f750d4503cd8)
The official description of its purpose is as follows.
user_management: Allows specific ports for UVM to CVM communication
It states that specific ports are allowed for UVM-to-CVM communication.
② Nutanix-specific communication allowed from SG: UVM
Since the source is SG: UVM, the following communication, needed in the direction from machines running as UVMs -> the NCA running on the EC2 bare metal instance, is allowed.
The only general-purpose protocols here are ICMP and NTP; everything else is a Nutanix-specific port.
```
GroupId               IsEgress  IpProtocol  FromPort  ToPort  CidrIpv4       SourceGroupId         Description
sg-0d435f750d4503cd8  False     tcp         3205      3205    None           sg-0c74189b464692708  Stargate iscsi access for Files
sg-0d435f750d4503cd8  False     tcp         8443      8443    None           sg-0c74189b464692708  Cluster remote support
sg-0d435f750d4503cd8  False     tcp         2073      2073    None           sg-0c74189b464692708  NGT tools
sg-0d435f750d4503cd8  False     udp         111       111     None           sg-0c74189b464692708  Nutanix Move appliance
sg-0d435f750d4503cd8  False     udp         2049      2049    None           sg-0c74189b464692708  Nutanix Move appliance
sg-0d435f750d4503cd8  False     tcp         2020      2020    None           sg-0c74189b464692708  Disaster Recovery
sg-0d435f750d4503cd8  False     tcp         2090      2090    None           sg-0c74189b464692708  Ergon access
sg-0d435f750d4503cd8  False     icmp        0         0       None           sg-0c74189b464692708  eco reply (to ping)
sg-0d435f750d4503cd8  False     udp         123       123     None           sg-0c74189b464692708  NTP Service
sg-0d435f750d4503cd8  False     tcp         2009      2009    None           sg-0c74189b464692708  Disaster Recovery
sg-0d435f750d4503cd8  False     tcp         9440      9440    None           sg-0c74189b464692708  Prism web console, Citrix MCS
sg-0d435f750d4503cd8  False     tcp         2036      2036    None           sg-0c74189b464692708  Anduril access
sg-0d435f750d4503cd8  False     tcp         2049      2049    None           sg-0c74189b464692708  Nutanix Move appliance
sg-0d435f750d4503cd8  False     tcp         7501      7501    None           sg-0c74189b464692708  AFS services on CVM access for Files
sg-0d435f750d4503cd8  False     tcp         5000      5000    None           sg-0c74189b464692708  NTG user VM
sg-0d435f750d4503cd8  False     tcp         111       111     None           sg-0c74189b464692708  Nutanix Move appliance
sg-0d435f750d4503cd8  False     tcp         3260      3260    None           sg-0c74189b464692708  Stargate iscsi access for Files
sg-0d435f750d4503cd8  False     tcp         2030      2030    None           sg-0c74189b464692708  Acropolis access
sg-0d435f750d4503cd8  False     icmp        8         0       None           sg-0c74189b464692708  eco request
sg-0d435f750d4503cd8  False     tcp         22        22      None           sg-0c74189b464692708  SSH to both CVM and Hypervisor
sg-0d435f750d4503cd8  False     tcp         2074      2074    None           sg-0c74189b464692708  NGT tools
sg-0d435f750d4503cd8  False     tcp         80        80      None           sg-0c74189b464692708  Cluster remote support
```
⢠Core Nutanix Serviceã¸ã®éä¿¡è¨±å¯ (æå¹åããå ´åã®ã¿)
以ä¸ãMy Nutanixç»é¢ã®NCAæ§ç¯æã«æå®ããé ç®ã¨ãªãã¾ãã NCAå ã§Management Serviceã稼åããããå¦ããæå®åºæ¥ãé ç®ãããããã¡ãã®æå®å 容ã«ãã£ã¦SGã¸èªåçã«ã«ã¼ã«ã追å ããã¾ãã
Disableã§ããã°ä»¥ä¸è¨è¼ããã«ã¼ã«ã¯è¿½å ããããEnableã§ããã°æé»ã§Restrictedã¨ãªãæ¥ç¶åºæ¥ããããã¯ã¼ã¯CIDRã®æå®ãæ±ãããã¾ãã
VPCã®ãããã¯ã¼ã¯CIDRã®æå®ã¯å¿ é ã¨ãªããæ´ã«è¿½å ãããå ´åã¯ãã¡ãã«æå®ããäºã§VPCã®ãããã¯ã¼ã¯CIDRã¨ã¯å¥ã«ã«ã¼ã«ãèªåçã«ä½æããã¾ãã
GroupId IsEgress IpProtocol FromPort ToPort CidrIpv4 SourceGroupId Description sg-0d435f750d4503cd8 False tcp 2020 2020 10.0.0.0/22 None Disaster Recovery sg-0d435f750d4503cd8 False tcp 3205 3205 10.0.0.0/22 None Stargate iscsi access for Files sg-0d435f750d4503cd8 False tcp 111 111 10.0.0.0/22 None Nutanix Move appliance sg-0d435f750d4503cd8 False tcp 3260 3260 10.0.0.0/22 None Stargate iscsi access for Files sg-0d435f750d4503cd8 False tcp 22 22 10.0.0.0/22 None SSH to both CVM and Hypervisor sg-0d435f750d4503cd8 False udp 111 111 10.0.0.0/22 None Nutanix Move appliance sg-0d435f750d4503cd8 False tcp 80 80 10.0.0.0/22 None Cluster remote support sg-0d435f750d4503cd8 False tcp 8443 8443 10.0.0.0/22 None Cluster remote support sg-0d435f750d4503cd8 False tcp 2009 2009 10.0.0.0/22 None Disaster Recovery sg-0d435f750d4503cd8 False udp 2049 2049 10.0.0.0/22 None Nutanix Move appliance sg-0d435f750d4503cd8 False udp 123 123 10.0.0.0/22 None NTP Service sg-0d435f750d4503cd8 False tcp 2049 2049 10.0.0.0/22 None Nutanix Move appliance sg-0d435f750d4503cd8 False tcp 7501 7501 10.0.0.0/22 None AFS services on CVM access for Files
AWSã¤ã³ãã©è¦ç¹ã ã¨User Managementç¨ã®SGã¨Core Nutanix Serviceç¨ã®SGã¯å¥ç©ã¨ãã¦åããã¦ããæ¹ã å人çã«è¨è¨ã¨ãã¦ç¶ºéºãªããã«ãæããã®ã§ããä½ãNutanixå´ã§ä½ãäºæ ãããã®ããããã¾ããã
⣠Prismã¢ã¯ã»ã¹ç¨NLBããã®éä¿¡ã許å¯
ä»åã®ç°å¢ã§èªåä½æãããNLBã® Private IPã¢ãã¬ã¹ã 10.0.3.207/32
ã§ãã£ãçºããã®ããã«ã«ã¼ã«ã«åãè¾¼ã¾ãã¦ãã¾ãã
GroupId IsEgress IpProtocol FromPort ToPort CidrIpv4 SourceGroupId Description sg-0d435f750d4503cd8 False tcp 9440 9440 10.0.3.207/32 None Prism access for Load balancer nodes
ã¡ãªã¿ã«ãã©ã¦ã¶ããHTTPSç¸å½ã§å©ç¨ããPrismã¸ã®ã¢ã¯ã»ã¹ç¨ã®ãã¼ã㯠TCP: 9440
ãå©ç¨ãã¾ãã
NLBã¨ãé£åãã¦ããã®ã§Nutanixç¬èªãã¼ãã®ä¸ã§ãAWSã¤ã³ãã©æ å½ã¨ãã¦ææ¡ãã¦ãããããã¼ãçªå·ã«ãªãã¾ãã
3. SG: UVM (sg-0c74189b464692708)
The official description of its purpose is as follows.
UVM: Allows communication between user VMs
It states that communication between UVMs is allowed.
⑤ Communication from SG: User Management to UVMs allowed
This SG too is attached to the ENI of the EC2 bare metal instance, so the rules below are what is allowed in the direction NCA -> UVM.
```
GroupId               IsEgress  IpProtocol  FromPort  ToPort  CidrIpv4       SourceGroupId         Description
sg-0c74189b464692708  False     tcp         9440      9440    None           sg-0d435f750d4503cd8  RESP API calls and Prism access
sg-0c74189b464692708  False     tcp         2027      2027    None           sg-0d435f750d4503cd8  CVM to FSVM management
sg-0c74189b464692708  False     tcp         22        22      None           sg-0d435f750d4503cd8  SSH from CVM/PE to UVMs
sg-0c74189b464692708  False     icmp        0         0       None           sg-0d435f750d4503cd8  eco reply (to ping)
sg-0c74189b464692708  False     icmp        8         0       None           sg-0d435f750d4503cd8  eco request
sg-0c74189b464692708  False     tcp         2100      2100    None           sg-0d435f750d4503cd8  Cluster configuration
sg-0c74189b464692708  False     tcp         3000      3000    None           sg-0d435f750d4503cd8  Analytics clients Analytics UI
sg-0c74189b464692708  False     tcp         7502      7502    None           sg-0d435f750d4503cd8  Access services running on Files
sg-0c74189b464692708  False     tcp         443       443     None           sg-0d435f750d4503cd8  Analytics clients Gateway API access
sg-0c74189b464692708  False     udp         123       123     None           sg-0d435f750d4503cd8  NTP Service
sg-0c74189b464692708  False     tcp         7501      7501    None           sg-0d435f750d4503cd8  Access services running on Files
sg-0c74189b464692708  False     tcp         29092     29092   None           sg-0d435f750d4503cd8  FSVM internal IPs Kafka broker access
sg-0c74189b464692708  False     tcp         7         7       None           sg-0d435f750d4503cd8  TCP echo request from CVM/PE to UVMs
sg-0c74189b464692708  False     tcp         2090      2090    None           sg-0d435f750d4503cd8  CVM to file server management and task status
```
⥠SG:UVM (èªèº«) ããå ¨ã¦ã®ãã©ãã£ãã¯ã許å¯
ãã¡ãã®ã«ã¼ã«ãããäºã§ãUVMéãå ¨ã¦éä¿¡å¯è½ãªç¶æ ã¨ãªã£ã¦ãã¾ãã
ç°ãªãUVMãµããããããããã¯ã¼ã¯é¢é£ä»ãã¦æ¡å¼µããå ´åã§ãèªåä½æãããENIã«åãSGãã¢ã¿ãããããæ§æã¨ãªãçºãç°ãªãUVMãµããããéã§ãåæ§ã«éä¿¡ã¯å ¨ã¦è¨±å¯ããã¾ãã
GroupId IsEgress IpProtocol FromPort ToPort CidrIpv4 SourceGroupId Description sg-0c74189b464692708 False -1 -1 -1 None sg-0c74189b464692708 Allow UVMs to communicate
ã¾ã¨ã
ãNCAæ§ç¯æã«èªåä½æããã¢ã¿ãããããSGã®ããã©ã«ãã®ã«ã¼ã«ç¶æ ã«ã¤ãã¦ç¢ºèªãã¦ã¿ã¾ããã
NCAã¯ã1ã¤ã®ENIã§è¤æ°ã®å½¹å²ãæ ãæ§æã¨ãªã£ã¦ããäºãããããã«ã¢ã¿ãããããSGãå³ã¨ãã§æ´çãã¦ãããªãã¨ãããã©ãã«ã·ã¥ã¼ãã£ã³ã°ã®éã«æ··ä¹±ãã¦ãã¾ãå¯è½æ§ãããã®ã§åãã¦ãããããã®ã§ãã