Continuous replication over WAN?
-
Hello everyone,
I'm thinking about my future architecture. Is it possible to do continuous replication between two clusters across a WAN? And if so, how is this possible?
Thank you!
-
Hi!
It's now called "Incremental replication", and yes, you can use it regardless of the link type.
-
You can do this. First things first, though: I'd highly recommend using a VPN instead of just letting it do it over the public internet. WireGuard is pretty easy to get going and very fast.
-
If you have XO proxies on the other end, it's pretty secure. Also, the traffic itself is encrypted. I would simply avoid exposing host APIs on the internet (therefore using XO proxies or a VPN or any tunneling solution).
-
@olivierlambert True, proxies help a lot. I personally still just prefer to avoid things on the WAN as much as I can, and IMO VPNs aren't too hard nowadays.
But either is fine for sure.
-
So, if I understand correctly, we can, from site A, replicate on site B with incremental replication using an XOProxy present on site B?
This proxy is exposed on the internet, is that right? Can the proxy manage an IP address whitelist?
-
Either way, you should have a firewall on both sides, right? So you could just use the firewall to whitelist things with rules to the proxy.
I think personally I'd take the VPN route here, but @olivierlambert may disagree and if I'm honest I haven't used XO Proxy much so maybe I'm way off here lol.
-
If you use a proxy, you don't need to whitelist anything, because there's a secret token to allow connecting to the proxy from the main XOA. That's the great thing about the proxy: it's pretty small (reducing the attack surface) and only communicates with a valid token over HTTPS. So it's pretty safe to expose the Proxy (and nothing else on the remote site).
-
@olivierlambert That's actually something I didn't know about XO Proxy, learn something new every day haha!
-
Again, both solutions are valid: tunnels or XO proxies. XO Proxies are meant to simplify the case where you can't extend your current network with tunnels and/or VPNs. So you can build your XCP-ng infrastructure across different places and different networks while still enjoying a central XO console to manage AND back them all up.
-
Thank you Olivier,
I still need to clarify two points:
How can we manage an XCP-ng infrastructure present on a site B, from an XOA present on a site A?
How do we deploy XO Proxy on site B infrastructure from site A?
-
See https://xen-orchestra.com/blog/xo-proxy-a-concrete-guide/
We use that setup for our own remote site, which is only reachable via the internet, so the proxy on site B allows us to manage everything from the main site.
-
Thank you very much Olivier, this is exactly what I want to do!