I have decided to write about inbound and outbound communication in a SQL Server cluster infrastructure because in the last few days several people have asked me about this topic, especially about the firewall rules they need to apply to enable communication from their server (a SQL Server or a web/application server) to a resource running in a cluster.
To apply the correct firewall rules we have to take into account the components we will find in a cluster:
- We have two (or more) physical servers (nodes) on which the cluster is implemented and the resources are running.
- We have several resources (or services), such as the SQL Engine, DTC, Analysis Services, a shared folder, etc., running on the cluster.
Each of these resources can have its own static IP and DNS alias assigned, and this is the source of the problem when we need to apply bidirectional firewall rules between our server and a resource running on a cluster.
In this case, we have to remember the following:
- Inbound communications: we apply a rule that allows packets from our server IP to the cluster resource IP.
- Outbound communications: the rule must allow packets from the IPs of the cluster's physical nodes to our server IP.
This is needed because the cluster resources don't have a physical network card of their own; they use the physical node's card, so from the firewall device's point of view the packet was sent from the physical node's IP. If the firewall doesn't have a rule allowing communication from that IP to the IP of the destination server, it will reject the packet.
As a graphical example: we need our SQL server to communicate with a resource named VRSQL running on a cluster, and in the same way this resource needs to access some information stored in our SQL server databases:
We would have to apply the following rules in our firewall:
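As an added illustration (not part of the original post), the following Python script builds the rule set the two statements above imply and audits an existing rule set against it, flagging the usual mistake of writing the cluster-to-server rule against the resource's virtual IP instead of the physical nodes. The IP addresses are a constructed sample topology and the port (1433, the SQL Server default) is an assumption, since the post names no port.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumption: the clustered resource is a SQL Server instance on the default
# port 1433. The post names no port, so change this for your environment.
SQL_PORT = 1433


@dataclass(frozen=True)
class Rule:
    """One allow rule as a firewall device sees it: source IP, destination IP, port."""
    source: str
    destination: str
    port: int


def required_rules(our_server_ip: str, resource_ip: str, node_ips: Iterable[str],
                   port: int = SQL_PORT) -> List[Rule]:
    """Rules needed for bidirectional traffic between our server and a clustered
    resource, following the two statements in the post:
      - inbound:  our server IP -> the resource's virtual IP
      - outbound: every physical node IP -> our server IP
    The resource IP never appears as a source, because packets leaving the
    cluster carry the physical node's address."""
    rules = [Rule(our_server_ip, resource_ip, port)]
    for node_ip in node_ips:
        rules.append(Rule(node_ip, our_server_ip, port))
    return rules


def audit_rules(existing: Iterable[Rule], our_server_ip: str, resource_ip: str,
                node_ips: Iterable[str], port: int = SQL_PORT) -> List[Tuple[Rule, str]]:
    """Compare an existing rule set against the required one.
    Returns (missing rule, explanation) pairs; the explanation calls out the
    classic mistake of allowing the return direction from the virtual IP."""
    node_ips = list(node_ips)
    present = set(existing)
    wrong_return_rule = Rule(resource_ip, our_server_ip, port)
    findings = []
    for rule in required_rules(our_server_ip, resource_ip, node_ips, port):
        if rule in present:
            continue
        if rule.source in node_ips and wrong_return_rule in present:
            findings.append((rule, f"rule {wrong_return_rule.source}->{wrong_return_rule.destination} "
                                   f"never matches: traffic from the resource leaves the cluster "
                                   f"with node IP {rule.source}"))
        else:
            findings.append((rule, "missing"))
    return findings


# Constructed sample topology (not from the post): our SQL server, the VRSQL
# virtual IP, and the two physical nodes hosting the cluster.
OUR_SERVER = "10.0.1.10"
VRSQL_IP = "10.0.2.50"
NODE_IPS = ["10.0.2.11", "10.0.2.12"]

# A rule set written the intuitive (wrong) way: both directions against the virtual IP.
MISTAKEN_RULES = [Rule(OUR_SERVER, VRSQL_IP, SQL_PORT), Rule(VRSQL_IP, OUR_SERVER, SQL_PORT)]


if __name__ == "__main__":
    print("Required rules:")
    for r in required_rules(OUR_SERVER, VRSQL_IP, NODE_IPS):
        print(f"  allow {r.source} -> {r.destination} tcp/{r.port}")
    print("Audit of the mistaken rule set:")
    for r, why in audit_rules(MISTAKEN_RULES, OUR_SERVER, VRSQL_IP, NODE_IPS):
        print(f"  missing {r.source} -> {r.destination} tcp/{r.port}: {why}")
```

Running the script lists three rules (one inbound to VRSQL, one outbound per physical node) and reports that the mistaken set is missing both node rules, because the rule sourced from the virtual IP will never see a packet. Keep the node list in sync with the cluster: adding a node without adding its outbound rule breaks the resource's access to your server after a failover to that node.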