# i2c-proxy-infra

## I2c proxy infra to communicate between i2c and AKS

This document explains the i2c proxy set up in Azure to relay data between i2c and the AKS cluster.
1. Create a VM scale set with a load balancer using a template.
2. Create a load balancer with a private frontend IP.
3. Create a scale set extension for Custom Script to run the iptables commands.
## 1. Create a VM scale set with no load balancer using template

Start creating the scale set with a load balancer from the Azure portal and export it as a template.

Use the command `az group deployment create`.

Provide the resource group as "rebtel-bank-be".
## 2. Create a load balancer with private frontend IP

We do not want the load balancer to have a public IP. We can assign this load balancer a private IP from the subnet which i2c uses to communicate. From the Azure portal it is not possible to create the scale set load balancer with a private IP. This is the reason we use a template to create the scale set and load balancer. In the downloaded template we have to replace the JSON that creates the public IP for the LB with the code that creates a private IP. Use this code:
```json
"frontendIPConfigurations": [
    {
        "name": "LoadBalancerFrontEnd",
        "properties": {
            "privateIPAllocationMethod": "Static",
            "subnet": {
                "id": "/subscriptions/4b8057b9-0709-426c-80a9-e4021f48b462/resourceGroups/rebtel-bank-be/providers/Microsoft.Network/virtualNetworks/rebtel-bank-be-vnet/subnets/rebtel-bank-be-subnet-1"
            },
            "privateIPAddress": "10.200.64.7"
        }
    }
],
```
Here we define the private IP we want the load balancer to be assigned. i2c will use this IP to send the callbacks.

Now deploy the template.

Use the command `az group deployment create`.

Provide the resource group as "rebtel-bank-be".
## 3. Create a scale set extension for Custom Script to run the iptables commands

Use this command to create a VM CustomScript extension:

```sh
az vmss extension set --resource-group rebtel-bank-be --vmss-name I2cPrxyscaleSet --name CustomScript --publisher Microsoft.Azure.Extensions --settings ./iptableRules.json
```
The file `iptableRules.json` contains all the commands that we need to run when a new instance of the VM scale set is created. We need to run all the commands to set up the iptables rules. The `iptableRules.json` for dev looks like this:

```json
{"commandToExecute": "sudo su && sysctl -w net.ipv4.ip_forward=1 && proxyHostIp=$(hostname -I) && iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 199.96.220.18:6443 && iptables -t nat -A PREROUTING -p tcp --dport 8085 -j DNAT --to-destination 192.168.101.250:80 && iptables -t nat -A POSTROUTING -p tcp -d 199.96.220.18 --dport 6443 -j SNAT --to-source $proxyHostIp && iptables -t nat -A POSTROUTING -p tcp -d 192.168.101.250 --dport 80 -j SNAT --to-source $proxyHostIp"}
```
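The following script is an added example, not the project's own `iptableRules.json`: it generates the `commandToExecute` settings document for step 3 from a list of `listen_port:dest_ip:dest_port` mappings instead of hand-editing the string. It differs from the dev file above in three ways a practitioner would want: each DNAT rule carries `-s <cidr>` so only the i2c subnet can reach the forwarded ports (the CIDR `10.200.64.0/24` is an assumption, derived from the frontend IP on this page; substitute the real one), the proxy address is taken as the first token of `hostname -I` (that command prints every address on the host with a trailing space, so the unfiltered value breaks `--to-source` on a VM with more than one interface), and every rule is guarded by `iptables -C` so re-running the extension does not append duplicates. The `sudo su &&` prefix is dropped because the CustomScript extension already runs as root. The rules are still not persisted across reboot; that part is left to the image.

```sh
#!/bin/sh
# Added example for the i2c proxy page; not the project's own configuration.
# Generates the CustomScript settings JSON that sets up the NAT rules on each
# new scale-set instance. Mappings are "listen_port:dest_ip:dest_port".

# Build the shell command string the extension will run on the VM.
#   $1      CIDR allowed to use the proxy (assumption: the i2c subnet)
#   $2...   one or more listen_port:dest_ip:dest_port mappings
# The proxy's own address is resolved on the VM at run time, so "$proxyHostIp"
# and "$(hostname -I ...)" are emitted literally (escaped) into the string.
build_command() {
    src=$1
    shift
    # ip_forward is required for DNAT'ed packets to leave the box again;
    # `cut -f1` keeps only the first address that `hostname -I` prints.
    cmd="sysctl -w net.ipv4.ip_forward=1 && proxyHostIp=\$(hostname -I | cut -d' ' -f1)"
    for m in "$@"; do
        listen=${m%%:*}
        rest=${m#*:}
        dest_ip=${rest%%:*}
        dest_port=${rest#*:}
        # Inbound: only the allowed source may hit the listen port, and it is
        # redirected to the backend.
        pre="-s $src -p tcp --dport $listen -j DNAT --to-destination $dest_ip:$dest_port"
        # Outbound: rewrite the source so the backend answers via the proxy.
        post="-p tcp -d $dest_ip --dport $dest_port -j SNAT --to-source \$proxyHostIp"
        # `iptables -C` exits non-zero when the rule is absent; append only then.
        cmd="$cmd && { iptables -t nat -C PREROUTING $pre 2>/dev/null || iptables -t nat -A PREROUTING $pre; }"
        cmd="$cmd && { iptables -t nat -C POSTROUTING $post 2>/dev/null || iptables -t nat -A POSTROUTING $post; }"
    done
    printf '%s' "$cmd"
}

# Wrap a command string into the extension's settings document.
# Backslashes and double quotes are escaped so the result stays valid JSON
# even if a mapping or future edit introduces them.
render_settings() {
    esc=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"commandToExecute": "%s"}\n' "$esc"
}

# Constructed inputs: the allowed CIDR is an assumption; the two forwardings
# are the ones from the dev file on this page. Redirect the output to
# ./iptableRules.json before running `az vmss extension set`.
I2C_SUBNET=10.200.64.0/24
render_settings "$(build_command "$I2C_SUBNET" \
    443:199.96.220.18:6443 \
    8085:192.168.101.250:80)"
```

Because `build_command` only concatenates tokens, the resulting string can be pasted into a shell on one of the proxy VMs to verify it by hand, and `iptables -t nat -L -n --line-numbers` afterwards should show exactly one PREROUTING and one POSTROUTING entry per mapping no matter how many times it was run.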