AWX across separate networks - which solution?


Was wondering if anyone here had suggestions/opinions on sharing one AWX database between two AWS regions - i.e. separate networks where by default there’s no IP routing between them (in my case we can assume no IP conflicts).

If I have AWX running in data center A, and also want to use AWX to manage hosts in data center B, what would be a good way to go about this?

I was thinking of two options initially:

  1. Set up a bastion host in datacenter B, and just route all the SSH connections from a single AWX server in datacenter A through that host.
  2. Set up a persistent VPN link that allowed AWX containers, minus DB, running in datacenter B to communicate just with the Postgres (and RabbitMQ?) services in datacenter A… So the SSH connections to hosts would be local, but communication to the AWX database and other RabbitMQ services would be over the VPN.

Option 1 seems simplest, but I had a gut feeling that it might be slow, especially if there are many hosts being managed…

Anyone set up something similar and can weigh in?

Thanks,

Robin

Robin Miller (robincello@gmail.com) said:

Anyone set up something similar and can weigh in?

Use isolated nodes. Docs for Tower usage are here:
  http://docs.ansible.com/ansible-tower/latest/html/administration/clustering.html#security-isolated-instance-groups

This is a little trickier to support in an AWX container deployment, but
that would still be the best solution.

Bill

Thanks Bill - Not questioning your advice but I was wondering if there’s a reason for that recommendation vs. the others?

-Robin

Robin Miller (robincello@gmail.com) said:

Thanks Bill - Not questioning your advice but I was wondering if there's a
reason for that recommendation vs. the others?

Compared to your two suggestions:

1) a bastion node will work, but will (as you note) suffer from performance
issues, plus it's a pain to configure behind the scenes for Ansible.

2) trying to span an AWX cluster across regions won't work, period. The
latency would be far, far too high.

Bill

OK, thanks a lot for that detail. That’s very good to know. I’ll look into the isolated instance groups then.

Cheers,
Robin

The isolated instance groups look like exactly what I need: A centralized AWX database which farms work out to “task” nodes in each of my globally distributed datacenters. Has anybody actually gotten this working with AWX?

This would technically be supported in AWX but we don’t have any tooling around the setup or install process which would be needed to make it functional. That’s something we’ll get to in time but I can’t give you a definitive timeline unfortunately 😕

Understood. In the meantime, I will try hacking around it myself (see other thread) 🙂

Hi guys,

Were you able to implement AWX and isolated nodes for cross datacenters?

I would like to implement isolated nodes for AWX but can’t find any documentation or support statement.
Looks like this has been a long-awaited feature.

Appreciate any help on this.

Thanks

Do you have any docs to help me attach AWX to the AD/LDAP of our environment?

That has nothing to do with this thread, but the Ansible Tower docs on docs.ansible.com are correct.

https://docs.ansible.com/ansible-tower/latest/html/administration/ldap_auth.html

Dave

Am unable to locate documentation for isolated nodes deployment for AWX in a Docker-based setup. Please help.