Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks Effective: 30/11/2009
5.2.7.9. Connection of zones through an external load balancing router using exclusive IP instances
[dd/ug] A web server in zone1 is contacted from the internet and needs the application server in
zone2 to fulfill the requests.
Zone1 should be connected to the internet through a separate network.
The connection from zone1 to zone2 should take place through an external load
balancing router. For clarity, no additional web or application server instances are
shown here.
Direct communication between the local zones must not be possible; all traffic between
them goes through the external router instead.
Communication between the global zone and the local zones is not intended.
Implementation:
A separate GLDv3 interface (e.g. bge1, bge2) is provided for each zone. In addition,
bge3 is assigned to zone1 for direct communication with zone2. These interfaces must not
be used anywhere else, in particular not in the global zone.
zone1-zonecfg: add net physical=bge1
zone1-zonecfg: add net physical=bge3
zone2-zonecfg: add net physical=bge2
The zone configuration for zone1 and zone2 is converted for the use of exclusive IP
instances.
zonecfg: set ip-type=exclusive
In zone1, the IP addresses and the default router are specified in the usual way.
Zone2 does not require a default route, since the only communication intended is that with
zone1. bge3 and bge2 are connected through the load balancing router and configured
accordingly.
Zone 1: /etc/hostname.bge1
Zone 1: /etc/hostname.bge3
/etc/defaultrouter
Zone 2: /etc/hostname.bge2
To increase security, the communication between zone1 and zone2 can additionally be
filtered with a separate firewall. Through the use of exclusive IP instances, communication
between the zones, or between the zones and the global zone, only takes place if
corresponding routing entries exist in the zones and a physical network connection exists
between the interfaces of the zones.
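The following script is an added example and not part of the Container Guide: it stages the zonecfg(1M) command files and the per-zone network files for the zone1/zone2 layout described above, and then checks the two invariants the text relies on (each of bge1, bge2 and bge3 belongs to exactly one zone, and none of them is plumbed in the global zone). Only the address 192.168.102.1 for zone2 comes from the text; the zone1 addresses, the default router, the zonepaths and the staging directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the Solaris 10 Container Guide: stage the zonecfg
# command files and per-zone network files for the zone1/zone2 layout, then
# check that each NIC is claimed by exactly one zone and not by the global zone.
# All addresses except 192.168.102.1 (zone2, from the text) are assumptions.

STAGE="${STAGE:-/tmp/zone-stage}"   # staging root; the real files live under /zones/<zone>/root

# zone / NIC / address / netmask, one assignment per line (zone1 owns two NICs)
ASSIGNMENTS='zone1 bge1 192.168.101.10 255.255.255.0
zone1 bge3 192.168.102.10 255.255.255.0
zone2 bge2 192.168.102.1 255.255.255.0'

ZONE1_ROUTER=192.168.101.1          # assumed internet-side router for zone1

# Print the zonecfg script for one zone: exclusive IP plus one "add net" block
# per NIC. zonecfg's shorthand "add net physical=bgeN" expands to the
# add/set/end triple written here; with ip-type=exclusive no address is set in zonecfg.
zonecfg_script() {
  zone=$1
  echo "create -b"
  echo "set zonepath=/zones/$zone"   # assumed zonepath
  echo "set autoboot=true"
  echo "set ip-type=exclusive"
  echo "$ASSIGNMENTS" | while read z nic addr mask; do
    [ "$z" = "$zone" ] || continue
    echo "add net"
    echo "set physical=$nic"
    echo "end"
  done
  echo "verify"
  echo "commit"
}

# Write hostname.<nic> (and defaultrouter for zone1 only) into $STAGE/<zone>/etc.
# zone2 deliberately gets no defaultrouter: it may only reach zone1 via bge2.
stage_net_files() {
  zone=$1
  etc="$STAGE/$zone/etc"
  mkdir -p "$etc"
  echo "$ASSIGNMENTS" | while read z nic addr mask; do
    [ "$z" = "$zone" ] || continue
    echo "$addr netmask $mask" > "$etc/hostname.$nic"
  done
  if [ "$zone" = "zone1" ]; then
    echo "$ZONE1_ROUTER" > "$etc/defaultrouter"
  fi
  zonecfg_script "$zone" > "$STAGE/$zone.cfg"
}

# Invariant 1: no NIC appears under two zones (a shared NIC would bypass the router).
nics_unique() {
  dups=$(echo "$1" | awk '{print $2}' | sort | uniq -d)
  [ -z "$dups" ]
}

# Invariant 2: the global zone must not plumb any of the zone NICs.
# $1 = the global zone's /etc directory (staged here, /etc on a real system).
global_zone_clean() {
  for nic in $(echo "$ASSIGNMENTS" | awk '{print $2}'); do
    if [ -e "$1/hostname.$nic" ]; then
      echo "global zone plumbs $nic" >&2
      return 1
    fi
  done
  return 0
}

stage_net_files zone1
stage_net_files zone2
nics_unique "$ASSIGNMENTS" || echo "duplicate NIC assignment" >&2
# Apply with: zonecfg -z zone1 -f "$STAGE/zone1.cfg" and copy
# "$STAGE/zone1/etc/"* into /zones/zone1/root/etc/ (likewise for zone2).
```

The generated zone2 configuration contains a single `add net` block for bge2 and no defaultrouter file, which is what confines zone2 to the router-connected segment; run `global_zone_clean /etc` on the host to confirm that none of the three interfaces has a hostname file in the global zone.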
The procedure is as follows:
An HTTP request is made to zone1 from the outside.
Zone1 is able to process parts of the request by itself, but another part must come from the
application server, which can be reached via the address 192.168.102.1 in zone2.
This address is reached via the interface bge3.
Further cascading via additional zones, zone2.1, zone2.2, zone2.3, etc. is possible.