Configuring Elastifile FW Rules Manually

Introduction

Use this page if the service account that deploys the Elastifile system does not have the roles/compute.securityAdmin role.

If this is the case, you will see the following warning message as part of the validation phase: 


Elastifile requires 4 different FW rules, which are restricted to cluster operation only:

  1. elastifile-storage-management-<cluster_hash>
  2. elastifile-storage-service-<cluster_hash>
  3. elastifile-ra-service-<cluster_hash>
  4. elastifile-storage-client-<cluster_hash>



Solution

To work around this, configure the FW rules manually once.

Follow the 'Prerequisites' and 'Configuration' sections below.



Prerequisites

  1. The user who runs the commands should have the roles/compute.securityAdmin role in the required project.
  2. Note the cluster hash label by clicking the Elastifile management server instance in the GCP console.


* If you are using the Terraform procedure, the cluster hash will be the cluster name value you provided in the terraform.tfvars file.



Configuration

# The following are examples only. Please modify per your own environment.
$ HASH="abcd"
$ PROJECT="support-team-a"
$ VPC_NETWORK="snir-shared"


$ gcloud compute --project=$PROJECT firewall-rules create elastifile-storage-management-$HASH --description="Elastifile Storage Management firewall rules" --direction=INGRESS --priority=1000 --network=$VPC_NETWORK --action=ALLOW --rules=tcp:22,tcp:53,tcp:80,tcp:8080,tcp:443,tcp:10014-10017,udp:53,udp:123,udp:6667,icmp --source-tags=elastifile-storage-node-$HASH,elastifile-replication-node-$HASH,elastifile-clients-$HASH --target-tags=elastifile-management-node-$HASH

$ gcloud compute --project=$PROJECT firewall-rules create elastifile-storage-service-$HASH --description="Elastifile Storage Service firewall rules" --direction=INGRESS --priority=1000 --network=$VPC_NETWORK --action=ALLOW --rules=tcp:22,tcp:111,tcp:443,tcp:2049,tcp:644,tcp:4040,tcp:4045,tcp:12121,tcp:10015-10018,tcp:8000-9224,tcp:10028,tcp:32768-60999,udp:111,udp:2049,udp:644,udp:4040,udp:4045,udp:6667,udp:8000-9224,udp:32768-60999,icmp --source-tags=elastifile-management-node-$HASH,elastifile-clients-$HASH --target-tags=elastifile-storage-node-$HASH,elastifile-replication-node-$HASH

$ gcloud compute --project=$PROJECT firewall-rules create elastifile-ra-service-$HASH --description="Elastifile Replication Agent Service firewall rules" --direction=INGRESS --priority=1000 --network=$VPC_NETWORK --action=ALLOW --rules=udp:10018,udp:10028,icmp --source-tags=elastifile-storage-node-$HASH --target-tags=elastifile-replication-node-$HASH

$ gcloud compute --project=$PROJECT firewall-rules create elastifile-storage-client-$HASH --description="Elastifile Client firewall rules" --direction=INGRESS --priority=1000 --network=$VPC_NETWORK --action=ALLOW --rules=udp,icmp --source-tags=elastifile-storage-node-$HASH --target-tags=elastifile-clients-$HASH,elastifile-replication-node-$HASH




* Note that each Elastifile system requires its own set of FW rules, named with its own cluster hash.


Process Validation

At the end of the process, you should have 4 new FW rules containing the cluster hash, as illustrated in the image below:
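
The same validation can be scripted. The following is an added example, not part of the original article or of Elastifile's tooling: it reads a rule listing and reports any of the four rules that is missing, is not INGRESS, or has source IP ranges set (the commands above use source tags only). The function names, the tab-separated input layout and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): audit the four FW rules of one cluster.
# Assumed input on stdin, one rule per line: name<TAB>direction<TAB>sourceRanges
# e.g. gcloud compute firewall-rules list --project="$PROJECT" \
#        --format="value(name,direction,sourceRanges.list())"
# Prints one finding per line; no output means every check passed.
audit_elastifile_rules() {
  hash="$1"
  input="$(cat)"
  for kind in storage-management storage-service ra-service storage-client; do
    rule="elastifile-$kind-$hash"
    # "direction|sourceRanges" for an exact name match, empty if the rule is absent.
    found="$(printf '%s\n' "$input" |
      awk -F'\t' -v r="$rule" '$1 == r { print $2 "|" $3; exit }')"
    if [ -z "$found" ]; then
      echo "MISSING $rule"
      continue
    fi
    direction="${found%%|*}"
    ranges="${found#*|}"
    # The article creates every rule with --direction=INGRESS.
    [ "$direction" = "INGRESS" ] || echo "DIRECTION $rule is '$direction', expected INGRESS"
    # The article scopes sources with --source-tags only, so no IP ranges are expected.
    [ -z "$ranges" ] || echo "SOURCE_RANGES $rule allows $ranges, expected tag-only sources"
  done
  return 0
}

# Constructed sample listing for hash "abcd": one rule widened to 0.0.0.0/0,
# one rule missing, and one unrelated rule that must be ignored.
sample_rules() {
  printf 'elastifile-storage-management-abcd\tINGRESS\t\n'
  printf 'elastifile-storage-service-abcd\tINGRESS\t0.0.0.0/0\n'
  printf 'elastifile-ra-service-abcd\tINGRESS\t\n'
  printf 'default-allow-ssh\tINGRESS\t0.0.0.0/0\n'
}

sample_rules | audit_elastifile_rules abcd
```

To audit a real project, pipe the gcloud listing shown in the header comment into `audit_elastifile_rules "$HASH"` instead of the sample.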

Snir is the author of this solution article.
