The High-Availability Front End (HFE) node is a public-facing node that allows sub-second switchover between the Active and Standby SBC instances of an HA pair, because it removes the need for any IP reassignment. GCP requires each interface of an instance to be in a separate Virtual Private Cloud (VPC) network. Create a minimum of six VPCs for a full HFE setup (assuming all management interfaces for the SBCs and the HFE nodes are in the same VPC).

HFE Node Network Setup

HFE 2.1 Network Setup

HFE 2.1 has two HFE nodes, each responsible for a different type of traffic: the PKT0 HFE node and the PKT1 HFE node. Both HFE nodes require three interfaces, as follows:

| Standard/Ubuntu Interface Name | NIC | PKT0 HFE node Function | PKT1 HFE node Function | Requires External IP? |
|---|---|---|---|---|
| eth0 / ens4 | nic0 | Public interface for SBC PKT0. | Private interface for SBC PKT1; only instances in the same subnet can connect. | Yes (only on the PKT0 HFE node) |
| eth1 / ens5 | nic1 | Management interface to the HFE. | Management interface to the HFE. | Optional |
| eth2 / ens6 | nic2 | Interface to SBC PKT0; ensure that the interface is in the same VPC and subnet as SBC pkt0. | Interface to SBC PKT1; ensure that the interface is in the same VPC and subnet as SBC pkt1. | No |

To use an HFE 2.1 environment, the startup-script for the SBCs requires the fields Pkt0HfeInstanceName and Pkt1HfeInstanceName. For more information, refer to the table in the section "User Data" on the page Instantiating SBC SWe in GCP.
For HFE nodes, Ribbon supports the following operating systems:
The mandatory requirements for a supported OS are as follows: the required packages must be installable from the OS package repository using apt or yum. If any required packages are not in the repository, the HFE script fails with the message "Required packages <Package Name> is missing" in HFE_conf.log.
For more information about startup scripts, see https://cloud.google.com/compute/docs/startupscript.
Ensure that the following are configured before creating the HFE node:
This section describes the manual creation of HFE nodes.
Set the Machine type as n1-standard-4. The value for Machine Type is for illustration purposes only. For recommended configurations, refer to Instance Types Supported for SBC SWe in GCP.
Set the Size as 10 (GB).
Add the SSH key in the form ssh-rsa ... <user-name>. Check Block project-wide SSH keys.
Set the External IP as Ephemeral (Automatic). Set IP forwarding to On.
Set the External IP as None. Set IP forwarding to On.
Set the External IP as Ephemeral (Automatic).
Set the External IP as None.
Set the External IP as None.
Since the SBCs are not yet configured, errors are logged in the file HFE.log. After the HFE node instance is created, stop the instance from running until the SBCs are created and configured.
The HFE_GCE.sh script fails, and SSH to the management interface does not work, until the SBCs are created (because the script cannot read the information from the SBCs); until then, the HFE node is accessed via NIC0.
The term "user-data" is deprecated; use the term "startup script" to refer to the code snippet below.
Refer to the following page for startup script examples:
To use the HFE, add specific extra rules at the Google Network level. Ensure that routes and firewall rules are configured on the VPC networks containing the subnets in which PKT0 and PKT1 interfaces on the SBC are located.
Refer to Firewall Rules Overview for complete firewall details.
Create routes so that traffic from the PKT0 and PKT1 interfaces returns through the HFE:
Set an Instance tag. This is used to specify which instances use this rule.
When creating an instance, set this tag as the Network Tag.
Specify an instance - Use an instance already created with an interface in this VPC. However, if the instance is deleted and another is created with the same name, traffic is routed to the new instance.
To use the "Specify Instance" method, create the HFE instance before specifying it.
Specify an IP address - Specify the private IP address of the nic3 / nic4 interface on the HFE (for the VPCs of PKT0 and PKT1 respectively).
You cannot edit VPC route rules on the Google Cloud Platform.
By default, the Google network drops all packets unless firewall rules are configured. Ensure that rules are set for the VPCs to allow traffic from specific locations to reach the instances.
Set Protocols and ports as "Allow all".
Repeat for the VPC used for the SBC PKT1 interface.
For specialized deployments, users may need to add specific custom static routes to the HFE at the OS level. The HFE script supports this through the HFE variable CUSTOM_ROUTES. It enables the HFE script to add these routes as part of its start-up process and to verify that the routes remain on the HFE throughout its uptime.
CUSTOM_ROUTES is a comma-separated list of values in the form <DESTINATION_IP_CIDR>_<INTERFACE_NAME>. For example: 1.1.1.0/26_eth1, 2.2.2.0/28_eth2, 3.3.3.4/32_eth3.
To add CUSTOM_ROUTES to the HFE startup-script, add the following line below /bin/echo "SBC_PKT_PORT_NAME=\"<SBC_PKT_PORT_NAME>\"" >> $NAT_VAR. For example:
/bin/echo "SBC_PKT_PORT_NAME=\"<SBC_PKT_PORT_NAME>\"" >> $NAT_VAR
/bin/echo "CUSTOM_ROUTES=\"<DESTINATION_IP_CIDR>_<INTERFACE_NAME>, <DESTINATION_IP_CIDR>_<INTERFACE_NAME>\"" >> $NAT_VAR
/bin/echo $(timestamp) "Copied natVars.input" >> $LOG_FILE
For <INTERFACE_NAME>, always use the standard names eth0, eth1, and so on, even if the Linux distribution does not use this naming convention. The HFE_GCE.sh script determines the actual interface on which to add the route.
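The following shell helper is an added example, not part of HFE_GCE.sh or the Ribbon templates: it checks a CUSTOM_ROUTES value against the format described above (an IPv4 CIDR, an underscore, and an ethN interface name, comma separated) before the value is written into the startup-script, and prints the route command each entry corresponds to. The function names and the requirement that the interface be named ethN are assumptions taken from this page's description.

```shell
#!/bin/sh
# Added example (not part of HFE_GCE.sh): validate a CUSTOM_ROUTES value of the
# form "<DESTINATION_IP_CIDR>_<INTERFACE_NAME>, ..." before it is written to
# natVars.input, and print the "ip route" command each entry translates to.
# Constructed helper names; the real HFE script maps ethN to the OS interface.

# Accept only an IPv4 CIDR: dotted quad with octets 0-255 and prefix 0-32.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; plen=${1#*/}
    printf '%s' "$plen" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        printf '%s' "$o" | grep -Eq '^[0-9]{1,3}$' || return 1
        [ "$o" -le 255 ] || return 1
    done
}

# Split the comma-separated list, check each CIDR and interface name (eth0,
# eth1, ... as the page requires), and print one "ip route replace" per entry.
# Returns 1 if any entry is malformed so a bad value is caught before start-up.
parse_custom_routes() {
    rc=0
    old_ifs=$IFS; IFS=,
    for entry in $1; do
        IFS=$old_ifs
        entry=$(printf '%s' "$entry" | tr -d ' ')   # tolerate ", " separators
        cidr=${entry%_*}; iface=${entry##*_}
        if [ "$cidr" = "$entry" ] || ! valid_cidr "$cidr" \
           || ! printf '%s' "$iface" | grep -Eq '^eth[0-9]+$'; then
            printf 'invalid CUSTOM_ROUTES entry: %s\n' "$entry" >&2
            rc=1
            continue
        fi
        printf 'ip route replace %s dev %s\n' "$cidr" "$iface"
    done
    IFS=$old_ifs
    return $rc
}

# Run on the page's own example value (constructed run; nothing is applied).
parse_custom_routes "1.1.1.0/26_eth1, 2.2.2.0/28_eth2, 3.3.3.4/32_eth3"
```

Run it against the value you intend to place in the CUSTOM_ROUTES line; a non-zero exit means an entry would not parse as <DESTINATION_IP_CIDR>_<INTERFACE_NAME>.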
The HFE_GCE.sh script (part of cloudTemplates.tar.gz) can create an archive of useful logs to help with debugging (similar to the SBC sysdump). Run the following command to collect the logs:
sudo /opt/HFE/HFE_GCE.sh sysdump
The following details are collected:
/opt/HFE/* (without previous sysdumps)
The sysdump archives are stored in .tar.gz format under /opt/HFE/sysdump/.
DNS queries on the SBC PKT port are sent using the primary IP. The HFE variable ENABLE_PKT_DNS_QUERY enables support for the HFE to forward these requests.
To enable it on a new HFE setup, add "ENABLE_PKT_DNS_QUERY=1" to the startup-script, below the SBC_PKT_PORT_NAME line. For example:
/bin/echo "SBC_PKT_PORT_NAME=\"<SBC_PKT_PORT_NAME>\"" >> $NAT_VAR
/bin/echo "ENABLE_PKT_DNS_QUERY=1" >> $NAT_VAR
/bin/echo $(timestamp) "Copied natVars.input" >> $LOG_FILE
The HFE generates the following logs under /opt/HFE/log/:
HFE_conf.log
Ribbon tested the following upgrade scenarios on the HFE node, using ICMP packets to contact the PKT0/PKT1 ports on the SBC:
Ubuntu 19.04 > 19.10
While updating Google-specific packages, the routes are removed. To restore them, reboot the instance after update.
Ribbon recommends rebooting the HFE instance after installation or update of any package that affects networking.
Installation of all updates available on CentOS 8.
Ribbon does not support full OS upgrades on CentOS.
Create a Cloud NAT gateway for the VPC used by nic0 on the PKT1 HFE node. This allows the PKT1 HFE node to reach the Google servers to retrieve the script and query instance information, without exposing the instance to the public Internet.
To create a cloud NAT gateway, perform the following steps:
Click Create.
Click Create.