User guide
corporate VPN gateway is acting in NAT mode, the JON server does not have direct visibility of agents.
Port forwarding needs to be configured so that, for each agent, one port on the gateway is forwarded to
the JON agent's address or port on the managed machine. The JON agent also needs to be configured
to tell the server the forwarded port number and IP address (see rhq.communications.connector.*
description in agent-configuration.xml for more information).
7.3. DNS
JON servers and JON agents need to be able to resolve each other's hostnames, but DNS resolution is
complicated in a VPN configuration. Connected servers can use the Amazon EC2 DNS servers, the
corporate network's DNS servers or use a split DNS configuration where the corporate DNS servers are
used for resolving names in particular domains and the Amazon EC2 DNS servers are used for
resolving all other names.
7.4. Routing in EC2
All EC2 servers have, by default, a "source/destination checking" routing feature activated. This feature
drops any packets to the server which have a destination different from the machine's IP address. If the
VPN solution selected for connecting agents to the JON Server includes a router, this feature needs to
be turned off for the server(s) acting as routers/VPN gateways. This configuration setting can be
accessed via the Amazon AWS console by right-clicking on the instance. Disabled source/destination
checking is also required in a Virtual Private Cloud (VPC).
Some VPN configurations, by default, route traffic intended for the Internet through the corporate VPN.
Avoid this for EC2 instances because it's generally much slower and less efficient.
While the use of a proper addressing schema is not a concern specific to JON, poor schemas can affect
it. Amazon EC2 assigns IP addresses from the 10.0.0.0/8 network. Instances usually have a public IP
address also but only network traffic on the internal IP address within the same availability zone is free.
To avoid using the 10.0.0.0/8 network in private addressing, there are a few things to consider:
When creating a VPC, avoid allocating addresses already in use in the private network to avoid
connectivity problems;
If an instance needs access to availability zone local resources, make sure EC2 private addresses
are used and traffic is not routed through the VPN;
If an EC2 instance will access a small subset of corporate private network addresses (for example
only JON servers), only these addresses should be routed through the VPN for increased security
and a lower chance of EC2/private network address space collisions.
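The address-plan checks described above (keeping a VPC CIDR clear of EC2's 10.0.0.0/8 and of addresses already used in the corporate network, and pushing only the JON server addresses through the VPN) as an added example; this is not code from the guide or from JON, and the corporate subnets and JON server addresses are constructed sample values.

```python
import ipaddress

# Constructed sample values, not from the guide: EC2's internal range as named in
# the text, plus a hypothetical corporate address plan and JON server addresses.
EC2_INTERNAL = ipaddress.ip_network("10.0.0.0/8")
CORPORATE_SUBNETS = ["10.1.0.0/16", "192.168.50.0/24"]
JON_SERVERS = ["192.168.50.10", "192.168.50.11"]


def check_vpc_cidr(candidate, corporate_subnets=CORPORATE_SUBNETS):
    """Return a list of problems with a proposed VPC CIDR (empty = no collision)."""
    cand = ipaddress.ip_network(candidate, strict=False)
    problems = []
    if cand.overlaps(EC2_INTERNAL):
        problems.append(f"{cand} overlaps EC2 internal range {EC2_INTERNAL}")
    for subnet in corporate_subnets:
        net = ipaddress.ip_network(subnet)
        if cand.overlaps(net):
            problems.append(f"{cand} overlaps corporate subnet {net}")
    return problems


def vpn_host_routes(hosts=JON_SERVERS):
    """Host (/32) routes for the only corporate addresses an instance needs,
    so that the rest of the corporate range is never sent through the VPN."""
    return sorted(
        (str(ipaddress.ip_network(f"{h}/32")) for h in hosts),
        key=lambda r: ipaddress.ip_network(r),
    )


def route_via_vpn(destination, routes):
    """True if a destination matches a VPN route; anything else (including
    EC2 internal 10.0.0.0/8 traffic) uses the instance's normal route."""
    dst = ipaddress.ip_address(destination)
    return any(dst in ipaddress.ip_network(r) for r in routes)


if __name__ == "__main__":
    for cidr in ("10.1.0.0/16", "172.16.0.0/16"):
        print(cidr, "->", check_vpc_cidr(cidr) or "ok")
    routes = vpn_host_routes()
    print("VPN routes:", routes)
    for dst in ("192.168.50.10", "192.168.50.99", "10.20.30.40"):
        print(dst, "via VPN" if route_via_vpn(dst, routes) else "direct")
```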
7.5. Terminating and restarting instances
In a cloud environment it is very easy to terminate a machine instance and, if required, launch a new
instance identical to the initial one.
There is, however, a potential problem if a new instance tries to register with JON servers using the
same agent name as a previously running agent. If this happens the JON server will not allow an agent
to reconnect with a missing or non-matching identification token.
To avoid this, ensure that terminated agents are removed from the JON inventory before trying to
connect an agent with the same name, or specify the correct identification token when starting the new agent.
Another problem is when an agent machine is assigned a new VPN IP address (i.e. the machine is restarted
or the VPN connection is terminated). Refer to the Configuring JON Servers and Agents Guide document
JBoss Enterprise Application Platform 5 Getting Started on Amazon EC2