Solaris 10 Container Guide - Version 3.1-en - 5. Cookbooks

Effective: 30/11/2009

5.2.7.9. Connection of zones through an external load balancing router using exclusive IP instances

[dd/ug] A web server in zone1 is contacted from the internet and needs the application server in zone2 to fulfill the requests.

Zone1 should be connected to the internet through a separate network.

The connection from zone1 to zone2 should take place through an external load balancing router. For clarity, no additional web or application server instances are included here.

Direct communication between the local zones should not be possible; all traffic between them should pass through the external router instead.

Communication between the global zone and the local zones is not intended.

Implementation:

A separate GLDv3 interface (e.g. bge1, bge2) is provided for each zone. In addition, bge3 is assigned to zone1 for direct communication with zone2. These interfaces must not be used elsewhere in the global zone.

zone1-zonecfg: add net physical=bge1

zone1-zonecfg: add net physical=bge3

zone2-zonecfg: add net physical=bge2

The zone configuration for zone1 and zone2 is converted for the use of exclusive IP instances.

zonecfg: set ip-type=exclusive

In zone1, the IP addresses and the default router are specified in the usual way. Zone2 does not require a default route, since the only communication intended is that with zone1. bge3 and bge2 are connected through the load balancing router and configured accordingly.

Zone 1: /etc/hostname.bge1

Zone 1: /etc/hostname.bge3 /etc/defaultrouter

Zone 2: /etc/hostname.bge2

To increase security, the communication between zone1 and zone2 can additionally be filtered by a separate firewall. Because exclusive IP instances are used, communication between the zones, or between the zones and the global zone, only takes place if corresponding routing entries exist in the zones and a physical network connection exists between the interfaces of the zones.
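The isolation just described holds only while each interface really belongs to exactly one exclusive-IP zone and the global zone does not plumb it. The following POSIX sh script is an added example, not part of the Container Guide: it reads constructed text in the layout of `zonecfg -z <zone> export` for zone1 and zone2 and flags shared-IP zones, interfaces claimed twice, and global-zone /etc/hostname.<interface> files (pass the global zone's /etc as the directory; the sample exports and zone names are assumptions).

```shell
# Added example, not from the Container Guide: check the interface split the
# recipe relies on. Every exclusive-IP zone must own its interfaces (bge1 and
# bge3 for zone1, bge2 for zone2) and the global zone must not plumb them.
# Input is constructed text in the layout of `zonecfg -z <zone> export`.
ZONE1_EXPORT='create -b
set ip-type=exclusive
add net
set physical=bge1
end
add net
set physical=bge3
end'
ZONE2_EXPORT='create -b
set ip-type=exclusive
add net
set physical=bge2
end'
# Print "<zone> <interface> <ip-type>" for each net resource of the export on
# stdin; without an ip-type line the zone has the default type, shared.
zone_ifaces() {
    awk -v z="$1" '
        /^set ip-type=/  { ipt = substr($0, 13) }
        /^set physical=/ { n++; ifc[n] = substr($0, 14) }
        END { for (k = 1; k <= n; k++) print z, ifc[k], (ipt == "" ? "shared" : ipt) }'
}
all_ifaces() {
    printf '%s\n' "$ZONE1_EXPORT" | zone_ifaces zone1
    printf '%s\n' "$ZONE2_EXPORT" | zone_ifaces zone2
}
# Return 0 when each interface belongs to an exclusive-IP zone, is claimed by
# one zone only and has no hostname file in $1 (the global zone's /etc);
# otherwise print one FAIL line per violation and return 1.
check_iface_isolation() {
    etcdir=$1; rc=0; seen=" "
    while read -r zone ifc ipt; do
        [ -n "$ifc" ] || continue
        [ "$ipt" = exclusive ] || { echo "FAIL: $zone uses $ifc with ip-type=$ipt"; rc=1; }
        case $seen in *" $ifc "*) echo "FAIL: $ifc is claimed by more than one zone"; rc=1 ;; esac
        seen="$seen$ifc "
        [ ! -e "$etcdir/hostname.$ifc" ] || { echo "FAIL: global zone also plumbs $ifc"; rc=1; }
    done <<EOF
$(all_ifaces)
EOF
    return $rc
}
```

Run `check_iface_isolation /etc` on the global zone after replacing the constructed exports with the real `zonecfg export` output; a non-zero exit means the recipe's isolation assumption is violated.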

The procedure is as follows:

An HTTP request is made to zone1 from the outside.

Zone1 can process part of the request itself, but the rest must come from the application server in zone2, which is reachable at the address 192.168.102.1.

This address is reached via the interface bge3.

Further cascading via additional zones, zone2.1, zone2.2, zone2.3, etc. is possible.
