XCP-ng

    Continuous replication over WAN ?

    13 Posts 3 Posters 2.5k Views 4 Watching
    • olivierlambert Vates 🪐 Co-Founder CEO

      If you have XO proxies on the other end, it's pretty secure. Also, the traffic itself is encrypted. I would simply avoid exposing host APIs on the internet (therefore using XO proxies or a VPN or any tunneling solution).

      • planedrop Top contributor @olivierlambert

        @olivierlambert true, proxies help a lot, I personally still just prefer to avoid things on the WAN as much as I can and IMO VPNs aren't too hard nowadays.

        But either is fine for sure.

        • SylvainB @olivierlambert

          @olivierlambert

          So, if I understand correctly, we can, from site A, replicate on site B with incremental replication using an XOProxy present on site B?

          This proxy is exposed on the internet, is that right? Can the proxy manage an IP address whitelist?

          • planedrop Top contributor

            Either way you should have a firewall on both sides right? So you could just use the firewall to whitelist things with rules to the proxy.

            I think personally I'd take the VPN route here, but @olivierlambert may disagree and if I'm honest I haven't used XO Proxy much so maybe I'm way off here lol.

            • olivierlambert Vates 🪐 Co-Founder CEO

              If you use a proxy, you don't need to whitelist anything, because there's a secret token that allows connecting to the proxy from the main XOA. That's the great thing about the proxy: it's pretty small (reducing the attack surface) and only communicates with a valid token over HTTPS. So it's pretty safe to expose the Proxy (and nothing else on the remote site).

              • planedrop Top contributor @olivierlambert

                @olivierlambert That's actually something I didn't know about XO Proxy, learn something new every day haha!

                • olivierlambert Vates 🪐 Co-Founder CEO

                  Again, both solutions are valid: tunnels or XO proxies. XO Proxies are meant to simplify the case where you can't extend your current network with tunnels and/or VPNs. So you can build your XCP-ng infrastructure across different places and different networks while still enjoying a central XO console to manage AND back them all up 🙂

                  • SylvainB @olivierlambert

                    @olivierlambert

                    Thank you Olivier,

                    I still need to clarify two points:

                    How can we manage an XCP-ng infrastructure present on a site B, from an XOA present on a site A?

                    How to deploy XOProxy on site B infrastructure from site A?

                    • olivierlambert Vates 🪐 Co-Founder CEO

                      See https://xen-orchestra.com/blog/xo-proxy-a-concrete-guide/ 🙂

                      We use that setup for our own remote site which is only reachable via internet, so the proxy on site B allows us to manage everything from the main site.

                      • SylvainB @olivierlambert

                        @olivierlambert

                        Thank you very much Olivier, this is exactly what I want to do!
