Proposal: Internal and External Interfaces

We had some discussions internally about simplifying the current situation of having both internal and external network interfaces, and replacing them with a single interface. Is anyone actually using these in a manner which doesn’t bind them to the same network interface at the moment?



Is there any documentation on how this is meant to be used? I know there are examples, which use different ports for internal/external http/tcp comms, but there’s nothing that explains how that could be used. I.e. if the internal and external IP are the same, should the internal and external ports be the same?

Neil, it's basically just a segregation of traffic. Client traffic is on
external; replication traffic etc. is on internal. This allows you to:

a) use separate NICs
b) use separate interfaces (e.g. lock down internal traffic)
c) lock down public interfaces (certain messages are only accepted
over internal vs external)

"if the internal and external IP are the same, should the internal and
external ports be the same?"

No, even if the IPs are the same they should still be different ports.

And damn, Neil, that's twice in the last week or so I have seen you
respond to an email that was 6+ months old :)
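The segregation described in the reply above, as an added example that is not part of the original thread or of the Event Store documentation: a node configuration fragment with the two interfaces on separate NICs. The option names other than AdminOnExt and GossipOnExt, the port numbers, and the addresses are assumptions (the addresses are constructed).

```yaml
# Added example: not from the thread or the project's docs.
# Assumes the Event Store YAML option names IntIp/ExtIp/Int*Port/Ext*Port;
# all addresses below are constructed sample values.

# Internal interface: replication and other node-to-node traffic.
# Bind it to a NIC on a private segment and firewall these ports so that
# only the other cluster nodes can reach them.
IntIp: 10.0.10.11
IntTcpPort: 1112
IntHttpPort: 2112

# External interface: client traffic.
# These are the only ports a client-facing firewall or reverse proxy
# needs to forward.
ExtIp: 192.0.2.11
ExtTcpPort: 1113
ExtHttpPort: 2113

# Keep the admin UI and gossip requests off the external HTTP endpoint,
# so they are reachable only through the internal interface.
# Caveat: clients that discover nodes via gossip on the external HTTP
# endpoint need GossipOnExt left enabled.
AdminOnExt: false
GossipOnExt: false

# Single-NIC variant: both interfaces share one address, but, as the reply
# says, the internal and external ports must still differ.
# IntIp: 10.0.10.11
# ExtIp: 10.0.10.11
# IntTcpPort: 1112
# ExtTcpPort: 1113
# IntHttpPort: 2112
# ExtHttpPort: 2113
```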

I know, I know. Last time it was an accident, this time I thought it better to continue a thread rather than start a new one. Damn sure that if I’d started a new one the first three replies would be “see this old post over here”. This is the internet, after all. :)

Thank you for the reply, though. I think it might benefit from some docs, tbh. More for our sysadmins than anything. Otherwise we’re all just using the documentation “parrot-fashion” without any real understanding of how firewall rules, reverse proxies, etc might fit around GES.

I'll add something today.

In short, it's better for security, it's better for scalability, it's
better for isolation.

It's a pain in the ass. Today I would just use one port for everything
as that's what most everyone wants and the setup is way simpler.

How is this, @Neil?

Bloody excellent. Only one suggestion - you might want to link to the “AdminOnExt” and “GossipOnExt” arguments where relevant.

Great stuff.


Please let us know any other spots you think docs can improve.