Introduction
Use this page if the service account that deploys the Elastifile system does not have the roles/compute.securityAdmin role.
If this is the case, you will see the following warning message as part of the validation phase:
Elastifile requires four firewall (FW) rules, each restricted to what the cluster needs to operate:
- elastifile-storage-management-<cluster_hash>
- elastifile-storage-service-<cluster_hash>
- elastifile-ra-service-<cluster_hash>
- elastifile-storage-client-<cluster_hash>
Solution
To work around this, configure the FW rules manually once.
Follow the 'Prerequisites' and 'Configuration' sections below.
Prerequisites
- The user who runs the commands must have the roles/compute.securityAdmin role in the required project.
- Note the cluster hash label, shown when you click the Elastifile management server instance in the GCP console.
Configuration
# The following are examples only. Please modify per your own environment.
$ HASH="8b77e1d1"
$ PROJECT="support-team-a"
$ VPC_NETWORK="snir-network"
$ VPC_SUBNET_RANGE="10.164.0.0/20"

$ gcloud compute --project=$PROJECT firewall-rules create elastifile-storage-management-$HASH \
    --description="Elastifile Storage Management firewall rules" \
    --direction=INGRESS --priority=1000 --network=$VPC_NETWORK --action=ALLOW \
    --rules=tcp:22,tcp:53,tcp:80,tcp:443,tcp:10014-10017,udp:53,udp:123,udp:6667,icmp \
    --source-ranges=$VPC_SUBNET_RANGE \
    --source-tags=elastifile-storage-node-$HASH,elastifile-replication-node-$HASH,elastifile-management-node-$HASH \
    --target-tags=elastifile-management-node-$HASH

$ gcloud compute --project=$PROJECT firewall-rules create elastifile-storage-service-$HASH \
    --description="Elastifile Storage Service firewall rules" \
    --direction=INGRESS --priority=1000 --network=$VPC_NETWORK --action=ALLOW \
    --rules=tcp:22,tcp:12121,tcp:10015-10018,tcp:1112-1132,tcp:2221-2241,tcp:8000-9224,tcp:10028,tcp:32768-60999,udp:6667,udp:8000-9224,udp:32768-60999,icmp \
    --source-ranges=$VPC_SUBNET_RANGE \
    --source-tags=elastifile-management-node-$HASH,elastifile-storage-node-$HASH,elastifile-replication-node-$HASH \
    --target-tags=elastifile-storage-node-$HASH

$ gcloud compute --project=$PROJECT firewall-rules create elastifile-ra-service-$HASH \
    --description="Elastifile Replication Agent Service firewall rules" \
    --direction=INGRESS --priority=1000 --network=$VPC_NETWORK --action=ALLOW \
    --rules=tcp:22,tcp:80,tcp:443,tcp:10018,tcp:10015,tcp:10028,tcp:12121,icmp \
    --source-ranges=$VPC_SUBNET_RANGE \
    --source-tags=elastifile-storage-node-$HASH,elastifile-management-node-$HASH \
    --target-tags=elastifile-replication-node-$HASH

$ gcloud compute --project=$PROJECT firewall-rules create elastifile-storage-client-$HASH \
    --description="Elastifile Client firewall rules" \
    --direction=INGRESS --priority=1000 --network=$VPC_NETWORK --action=ALLOW \
    --rules=tcp:111,tcp:644,tcp:2049,tcp:4040,tcp:4045,udp:111,udp:644,udp:2049,udp:4040,udp:4045,icmp \
    --source-ranges=$VPC_SUBNET_RANGE \
    --source-tags=elastifile-clients-$HASH,elastifile-replication-node-$HASH \
    --target-tags=elastifile-storage-node-$HASH
* Note that each Elastifile system requires its own set of FW rules, named with its own cluster hash.
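To confirm the manual configuration, the output of `gcloud compute firewall-rules list --format=json` can be audited for the four rules of one cluster. The following is an added example, not Elastifile's own tooling: the function name audit_rules and the sample data are assumptions, and the hash and subnet are the example values used above.

```python
import ipaddress
import json

# Rule-name prefix -> target-tag prefix, as used in the commands on this page.
EXPECTED = {
    "elastifile-storage-management": "elastifile-management-node",
    "elastifile-storage-service": "elastifile-storage-node",
    "elastifile-ra-service": "elastifile-replication-node",
    "elastifile-storage-client": "elastifile-storage-node",
}

def audit_rules(rules_json, cluster_hash, subnet_range):
    """Return findings for one cluster; an empty list means nothing to fix."""
    subnet = ipaddress.ip_network(subnet_range)
    by_name = {r["name"]: r for r in json.loads(rules_json)}
    findings = []
    for prefix, tag_prefix in EXPECTED.items():
        name, tag = f"{prefix}-{cluster_hash}", f"{tag_prefix}-{cluster_hash}"
        rule = by_name.get(name)
        if rule is None:
            findings.append(f"{name}: missing")
            continue
        if rule.get("direction") != "INGRESS":
            findings.append(f"{name}: direction is not INGRESS")
        # Without a target tag the rule applies to every instance in the VPC.
        if tag not in rule.get("targetTags", []):
            findings.append(f"{name}: target tag {tag} not set")
        # Source ranges and source tags are ORed: a wide range admits untagged hosts.
        for cidr in rule.get("sourceRanges", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != subnet.version or not net.subnet_of(subnet):
                findings.append(f"{name}: source range {cidr} is outside {subnet}")
    return findings

# Constructed sample, shaped like `gcloud compute firewall-rules list --format=json`.
SAMPLE = json.dumps([
    {"name": "elastifile-storage-management-8b77e1d1", "direction": "INGRESS",
     "sourceRanges": ["10.164.0.0/20"],
     "targetTags": ["elastifile-management-node-8b77e1d1"]},
    {"name": "elastifile-storage-service-8b77e1d1", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["elastifile-storage-node-8b77e1d1"]},
    {"name": "elastifile-storage-client-8b77e1d1", "direction": "INGRESS",
     "sourceRanges": ["10.164.0.0/20"]},
])

if __name__ == "__main__":
    print("\n".join(audit_rules(SAMPLE, "8b77e1d1", "10.164.0.0/20")))
```

Against a real project, pass the JSON text printed by the gcloud list command in place of SAMPLE, together with that cluster's hash and subnet range.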