This week on the podcast, Dwayne chats with Marc Trouard-Riolle, about Nutanix Cloud Clusters (NC2) on Azure and how to get started. Nutanix Cloud Clusters (NC2) on Microsoft Azure enables your applications to be run where you want them, on-premises or in the public cloud, all operated as a single cloud.<\/p>

<\/oembed><\/p>

棱镜元素,棱镜中央和HTTP代理白名单。

  • 2020年4月8日
  • 0答复
  • 3345意见
杰里米
秩
UserLevel 3
徽章 +4

如果您的Nutanix基础架构位于包括HTTP代理的环境中,则需要了解Prism中的HTTP代理和代理白名单配置。如果您的集群已注册到Prism Central,这一点尤其重要。如果将代理设置和代理白名单配置不正确,则PE和PC之间的通信可能是不可靠的或完全无法使用的。

澄清说明:在本文中,我们讨论了环境内部和外部的网络通信。为了防止任何混乱,“环境”是指内部网络,即物理本地LAN,VLAN或VPN,这些网络与其他系统分开,并由防火墙和代理分开。环境中的任何东西都是“本地”,而防火墙过去的任何东西都是“外部”。

那么,为什么这很重要?

如果您的环境具有HTTP代理,则可能还有一条防火墙规则阻止任何未通过代理的HTTP流量。在这种环境中,没有代理配置,外部HTTP通信将被阻止。1键升级UI无法显示或下载新的AOS,Foundation和NCC版本。生命周期经理(LCM)可以运行库存,但是固件和软件更新将需要使用深色站点捆绑包托管环境中。通常通过HTTPS发送的脉冲高清数据将被防火墙阻止。为了获得这些功能,需要在Prism中添加代理配置。

设置代理配置后,Prism发起的所有HTTP通信将通过代理服务器发送。这不会影响CVM到CVM通信,但是PRISM的任何HTTP连接都将通过代理路由,直到白名单入口表示否则,即使目标IP在本地子网中,这可能导致PE/PC通信失败,因此为此,我们需要白名单配置。

首先,让我们回顾一下HTTP代理设置。

此设置仅影响Nutanix群集或Prism Central实例上的棱镜服务。此设置的更改不会影响Nutanix集群上托管的VM,数据服务或其他服务。

要在Prism元素或Prism Central上配置HTTP代理,请转到设置,然后单击左侧栏中的网络标题下方的HTTP代理,然后单击“+ New Proxy”。出现创建HTTP代理UI。

填写所提供的字段中的信息。除非您的代理需要身份验证,否则可以跳过用户名和密码。单击保存以完成此步骤。

现在进入白名单的设置。

如果您的Prism元素群集未在Prism Central注册,则可能不需要添加任何白名单。对于Prism元素,为任何主机Prism添加白名单条目都需要使用HTTP(S)内部到达。

如果我们正在研究Prism Central或注册到Prism Central的集群,那么我们几乎肯定需要添加白名单。一个例外是,如果只能通过代理副主义来达到棱镜中心。

白名单条目是由IP地址标识的单个主机或网络地址和子网掩码标识的网络。添加白名单条目意味着“忽略此地址或网络的代理设置”。

我通常建议添加子网而不是主机记录。这样可以节省时间,提供可靠性,并且在功能上是防止的,以防您添加新节点,扩展Prism Central或以后添加另一个群集。

要添加Whitelist条目,请在您添加的代理条目旁边找到编辑图标。在更新的HTTP代理UI中,您将看到您最近输入的设置以及底部的新部分,即白名单。单击创建以添加第一个白名单条目。

如果您想白名单单个IP地址,只需输入该地址。例如,您可以输入“ 10.20.30.123”,然后单击“保存”,然后将任何HTTP(S)流量直接发送到该IP地址,而不是通过代理发送。

要白名单整个子网,请提供网络地址和子网掩码。您想要的格式就是这样:“ 10.20.30.0/255.255.255.0”。添加此条目并保存配置后,将直接发送到10.20.30.0/24子网的所有通信,而不是通过代理进行路由。

从棱镜元素添加了Prism Central拥有的所有IPS。从Prism Central添加了每个注册群集的群集虚拟IP的条目,以及集群中每个CVM的条目。同样,您可以将网络白名单节省时间,并确保以后添加到网络中的任何节点也将被列入白名单。

设置代理和白名单的步骤已记录在棱镜网络控制台指南棱镜中央指南

If your Nutanix infrastructure resides in an environment that includes an HTTP proxy, you\u2019ll need to understand the HTTP proxy and proxy whitelist configurations in Prism. This is especially important if your cluster is registered to Prism Central. If the proxy setting and proxy whitelist are configured incorrectly, communication between PE and PC could be unreliable or entirely unusable.<\/p>

A note of clarification: in this post we\u00a0discuss network communication inside and outside an environment. To prevent any confusion,\u00a0the \u201cenvironment\u201d refers to the internal\u00a0network, either physical local LAN, VLAN, or VPN, which is separated from other systems and the internet\u00a0by a firewall and proxy. Anything within the environment is \u201clocal\u201d and anything past the firewall is \u201cexternal\u201d.<\/p>

So, why does this matter?<\/p>

If your environment\u00a0has an HTTP proxy there is probably also a firewall rule blocking any HTTP(S) traffic that is\u00a0not\u00a0going through the proxy. Without proxy configuration\u00a0in this kind of environment, external HTTP communication is blocked. The 1-click upgrade UI is unable to display or download newer AOS, Foundation, and NCC versions. Life Cycle Manager (LCM) could run an inventory but firmware and software updates would need to be hosted inside the environment using the dark-site bundle. Pulse HD data used for identifying potential cluster issues, usually sent via HTTPS, would get blocked by the firewall. To get these features working the proxy configuration needs to be added in Prism.<\/p>

Once the proxy configuration is set, all HTTP communication initiated by Prism will be sent through the proxy server. This does not affect CVM to CVM communications, but any HTTP(S) connections from Prism will be routed through the proxy until a whitelist entry indicates otherwise, even if the destination IP is in the local subnet. This can cause PE\/PC communication to fail, so for this we need the whitelist configuration.<\/p>

First, let\u2019s review the HTTP proxy setting.\u00a0<\/p>

\"//www.jhbzcj.com/next/prism-infrastructure-management-26/\"<\/figure>

This setting affects Prism services on the Nutanix cluster or Prism Central instance only. Changes to this setting will not affect hosted VMs, data service, or other services on the Nutanix cluster.\u00a0<\/p>

To configure an HTTP Proxy on Prism Element or Prism Central, go to Settings and click HTTP Proxy under the Network heading in the left sidebar, then click \u201c+ New Proxy\u201d. The Create HTTP Proxy UI appears.<\/p>

\"//www.jhbzcj.com/next/prism-infrastructure-management-26/\"<\/figure>

Fill out the information in the fields provided. Username and Password can be skipped unless your proxy requires authentication. Click save to finish this step.\u00a0<\/p>

Now to the whitelist settings.<\/p>

You likely do not need to add any whitelist entries if your Prism Element cluster is not registered with Prism Central. For Prism Element on its own, add a whitelist entry for any hosts Prism will need to reach internally using HTTP(S).<\/p>

If we are working on Prism Central, or on a cluster registered to Prism Central we almost certainly\u00a0need to add whitelist entries. An exception would be if Prism Central can only be reached by Prism Element through the proxy\u00a0vice versa.<\/p>

A whitelist entry is a single host identified by IP address or a network identified by the network address and subnet mask. Adding a whitelist entry means \u201cignore proxy settings for this address or network\u201d.<\/p>

I would generally recommend adding subnets rather than host records. This saves time, provides reliability, and is functionally future-proofed in case you add new nodes, scale out Prism Central, or add another cluster later.<\/p>

To add a whitelist entry, find the edit icon next to the Proxy entry you just added. In the Update HTTP Proxy UI that appears you will see the settings you recently entered as well as a new section at the bottom, Whitelist. Click Create to add the first whitelist entry.<\/p>

\"//www.jhbzcj.com/next/prism-infrastructure-management-26/\"<\/figure>

If you want to whitelist a single IP address, just enter the address. For example, you could enter \u201c10.20.30.123\u201d and click save, and then any HTTP(S) traffic to that IP address would be sent directly rather than through the proxy.<\/p>

To whitelist an entire subnet, provide the network address and the subnet mask. The format you\u2019ll want is like this: \u201c10.20.30.0\/255.255.255.0\u201d. Once this entry is added and the configuration is saved, all communication to the 10.20.30.0\/24 subnet will be sent directly rather than routing through the proxy.<\/p>

From Prism Element add all the IPs owned by Prism Central. From Prism Central add an entry for the cluster virtual IP of each registered cluster, as well as an entry for every CVM in the cluster. Again, you can whitelist a network to save time and ensure that any nodes added into the network later are also whitelisted.<\/p>

Steps to set up the proxy and whitelist are documented in the\u00a0Prism Web Console Guide<\/a>\u00a0and the\u00a0Prism Central Guide<\/a>.\u00a0<\/p>","quoteUsername":"JeremyJ","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

该主题已关闭以供评论
条款和条件
Learn more about our cookies.<\/a>","cookiepolicy.button":"Accept cookies","cookiepolicy.button.deny":"Deny all","cookiepolicy.link":"Cookie settings","cookiepolicy.modal.title":"Cookie settings","cookiepolicy.modal.content":"We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.<\/a>","cookiepolicy.modal.level1":"Basic
Functional","cookiepolicy.modal.level2":"Normal
Functional + analytics","cookiepolicy.modal.level3":"Complete
Functional + analytics + social media + embedded videos"}}}">
Baidu