Question about Private Networks

Hi everyone

I am trying to set up Rancher-Server & Hosts on Exoscale. I have a certain configuration in mind and am unsure if it’s wise and/or possible. I guess the same would apply to DigitalOcean (they also offer private networks).

First my tl;dr final goal: Have rancher-server and all hosts communicate between each other over a private network but allow services to expose some ports to WAN. I would also like 1 rancher-agent on the same server as my rancher-server to host environment wide services (external dns & let’s encrypt).

In more details this leads me to the following questions:

  • On Exoscale I defined a private network and provisioned my rancher-server host to have eth1 with an IP on this network. I would like for rancher/docker to communicate over this private network if possible. So it will set up its ipsec network over that and not the public network. Is this possible? How could I achieve this? (also in combination with question 2)
  • My rancher-server Host only has Ports 22 (restricted to office ip), 80, 443 exposed (WAN) and my provisioned host has the default rancher-machine security group (22, 2376, 500, 4500, ICMP ping) open (WAN). It “seems” to work like this but is this advisable like this? If I launch a service on the provisioned host which accepts traffic from WAN so I configure a loadbalancer in front of it to accept port e.g. 443 I would also need to expose port 443 on my rancher-machine group, right?
  • I would like to start a rancher-agent on the same host as my rancher-server is running. There it asks that I expose ports 500, 4500 for it, is that necessary if it’s on the same host (I also have other hosts provisioned) or is this necessary to communicate with the other hosts? It also asks for a public IP, especially in relation to the first question should this be the public or private network ip? Would this interfere with the firewalling rules in question 2?

I also have some issues with the Exoscale driver:

  • When I select “CoreOS” to be provisioned it always provisions an Ubuntu server.
  • I can’t find an option to provision with a cloud-config file so I have no clue how to even prepare the network interface.

Here is my example cloud-config I would use for the hosts and the server:

#cloud-config
hostname: HOSTNAME

users:
  - name: USERNAME
    ssh-authorized-keys:
      - ssh-rsa ...
    groups:
      - sudo
      - docker

coreos:
  update:
    # quoted so YAML does not read "off" as the boolean false
    reboot-strategy: "off"
    group: stable
  units:
    - name: settimezone.service
      command: start
      content: |
        [Unit]
        Description=Set the time zone

        [Service]
        ExecStart=/usr/bin/timedatectl set-timezone Europe/Zurich
        RemainAfterExit=yes
        Type=oneshot
    # runtime: true writes this systemd-networkd unit to /run/systemd/network
    # so eth1 gets a static address on the Exoscale private network
    - name: 00-eth1.network
      runtime: true
      content: |
        [Match]
        Name=eth1

        [Network]
        Address=192.168.1.X/24

write_files:
  - path: /etc/systemd/timesyncd.conf
    content: |
      [Time]
      NTP=0.ch.pool.ntp.org 1.ch.pool.ntp.org
  - path: /etc/ssh/sshd_config
    permissions: 0600
    owner: root:root
    content: |
      # Use most defaults for sshd configuration.
      UsePrivilegeSeparation sandbox
      Subsystem sftp internal-sftp

      PermitRootLogin no
      AllowUsers core einsrnch01
      PasswordAuthentication no
      ChallengeResponseAuthentication no
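As an added example (not part of the question above, and not Rancher or Exoscale code), here is a small audit of the security-group rules described in question 2: it flags the Rancher/Docker management ports (2376, and 500/4500 for the IPsec overlay) when they are reachable from anywhere other than the 192.168.1.0/24 private network, which is the intent stated at the top of the post. The rule lists and the office IP are constructed placeholders.

```python
# Added example: audit security-group rules so that only service ports face
# the WAN while Rancher/Docker management ports stay on the private network.
import ipaddress

PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")   # eth1 network from the cloud-config
# docker-machine TLS (2376) and the Rancher IPsec overlay (500/4500 udp)
MANAGEMENT_PORTS = {("tcp", 2376), ("udp", 500), ("udp", 4500)}
# Ports the post intends to be public (UI / load balancer)
SERVICE_PORTS = {("tcp", 80), ("tcp", 443)}


def audit_rules(rules):
    """rules: iterable of (proto, port, source_cidr).
    Returns [(rule, reason), ...] for every rule that widens exposure
    beyond what the post describes as the goal."""
    findings = []
    for rule in rules:
        proto, port, cidr = rule
        src = ipaddress.ip_network(cidr, strict=False)
        key = (proto.lower(), port)
        if key in MANAGEMENT_PORTS:
            # management traffic must come only from the private network
            if src.version != PRIVATE_NET.version or not src.subnet_of(PRIVATE_NET):
                findings.append((rule, "management port reachable from outside the private network"))
        elif key == ("tcp", 22) and src.prefixlen == 0:
            findings.append((rule, "ssh open to the whole internet"))
        elif key in SERVICE_PORTS or key == ("tcp", 22) or proto.lower() == "icmp":
            continue
        else:
            findings.append((rule, "port not in the expected service set"))
    return findings


# Constructed: the default rancher-machine group as listed in the question
DEFAULT_MACHINE_GROUP = [
    ("tcp", 22, "0.0.0.0/0"),
    ("tcp", 2376, "0.0.0.0/0"),
    ("udp", 500, "0.0.0.0/0"),
    ("udp", 4500, "0.0.0.0/0"),
    ("icmp", 0, "0.0.0.0/0"),
]
# Constructed: tightened variant; 203.0.113.10 is a placeholder office IP
TIGHTENED_GROUP = [
    ("tcp", 22, "203.0.113.10/32"),
    ("tcp", 2376, "192.168.1.0/24"),
    ("udp", 500, "192.168.1.0/24"),
    ("udp", 4500, "192.168.1.0/24"),
    ("tcp", 443, "0.0.0.0/0"),   # the load balancer's public port
]

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_MACHINE_GROUP), ("tightened", TIGHTENED_GROUP)):
        print(name, audit_rules(rules))
```

Whether the overlay actually uses eth1 still depends on the IP the agent registers with (question 3), so the audit only checks the firewall side of the setup.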