Hello guys, I’m in the last year of my studies and the question in the title is to help me write my bachelor thesis.
My bachelor thesis is part technical research (making a proof of concept) and part literature study.
The research that I did was based around one question: “How do I use Ansible in a production environment to configure a large number of on-premise devices via a cloud environment?”
So the following was what I did for the proof of concept:
I installed Ansible in a cloud environment (Google Cloud) and created 3 VMs in VMware Workstation.
To be able to configure those 3 VMs, I set up an OpenVPN connection. The Ansible server in the cloud also became an OpenVPN server. I also created a new local VM that acted as an OpenVPN client and then routed all the traffic to the other local VMs using iptables rules.
I now realize that the setup of the VPN needed to be the other way around (the ansible server should have been the VPN client).
I was wondering what other setups are possible in this scenario and what other hardware or software would be necessary (for example: is pfSense an option? or a proxy?).
Say for example I have ansible installed in the cloud on a VM and I want to configure devices at the office, how would you do it?
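As an added illustration of the gateway part of the setup described above (this is example code, not part of the original post), here is an Ansible playbook for the on-prem VM that terminates the OpenVPN tunnel and forwards the control node's traffic to the other local VMs. It works the same whether that VM is the OpenVPN client or server. Rather than forwarding "all the traffic", it only lets new SSH connections from the control node's VPN address through and drops everything else. The interface names, the LAN prefix and the control node's VPN address are assumptions; the `ansible.posix` collection is needed for the sysctl task.

```yaml
---
# Added example, not from the thread. Runs against the on-prem VPN gateway VM.
# Assumed values: tun0 = OpenVPN tunnel interface, ens33 = interface facing the
# managed VMs, 192.168.10.0/24 = their LAN, 10.8.0.1 = VPN address of the
# Ansible control node in the cloud.
- name: Restrict VPN gateway forwarding to Ansible SSH traffic
  hosts: vpn_gateway
  become: true
  vars:
    vpn_if: tun0
    lan_if: ens33
    lan_net: 192.168.10.0/24
    control_node_vpn_ip: 10.8.0.1
    ssh_port: 22
  tasks:
    - name: Enable IPv4 forwarding persistently
      ansible.posix.sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        sysctl_set: true
        state: present
        reload: true

    - name: Drop forwarded traffic by default
      ansible.builtin.iptables:
        chain: FORWARD
        policy: DROP

    - name: Allow replies for connections the control node opened
      ansible.builtin.iptables:
        chain: FORWARD
        ctstate: [ESTABLISHED, RELATED]
        jump: ACCEPT
        comment: ansible return traffic

    - name: Forward only new SSH sessions from the control node into the LAN
      ansible.builtin.iptables:
        chain: FORWARD
        in_interface: "{{ vpn_if }}"
        out_interface: "{{ lan_if }}"
        source: "{{ control_node_vpn_ip }}"
        destination: "{{ lan_net }}"
        protocol: tcp
        destination_port: "{{ ssh_port }}"
        ctstate: NEW
        jump: ACCEPT
        comment: ansible ssh from cloud control node

    - name: Masquerade so the managed VMs need no route back into the tunnel
      ansible.builtin.iptables:
        table: nat
        chain: POSTROUTING
        out_interface: "{{ lan_if }}"
        source: "{{ control_node_vpn_ip }}"
        destination: "{{ lan_net }}"
        jump: MASQUERADE
```

Two things to keep in mind: the `iptables` module changes the running ruleset only, so you still need `iptables-persistent` (or an equivalent) to survive a reboot, and the MASQUERADE rule can be dropped if you instead add a route for the VPN prefix on the managed VMs, which keeps the real source address visible in their SSH logs.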
This sounds a bit atypical tbh. It’s more common (and useful imho) to do it the other way around. You have an “on-prem” ansible control node, which is used to configure cloud based VMs.
I wonder what the use case for your setup is?
As you already found out, you will have to set up and manage VPN solutions to reach your on-prem stuff. The nice thing about Ansible is its simplicity.
I guess I don’t see why you’d want your control node to be “in the cloud”. If that sat next/close to the on-prem devices then you can skip the vpn complexity.
Pre-configured ansible-pull on the on-premise device downloads the 1st-stage playbook, let's say firstboot.yml. This playbook reads the HW of the device and decides how to proceed, e.g. configure network, security, cron, which playbook to download next, etc.
The centralised repository in the Cloud serves the purpose of providing the content (collections, playbooks, roles, modules, plugins) and the configuration data. Create a local proxy to make the solution more secure and robust.
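To make the pull model above concrete, here is an added example of such a firstboot.yml (example code, not from the poster). It classifies the device from the facts Ansible gathers, includes a class-specific task file, and installs the cron job that keeps pulling the second stage from the central repository through the local proxy. The repository URL, the proxy address, the `classes/*.yml` task files and the second-stage playbook name `site.yml` are assumptions; `--verify-commit` makes ansible-pull abort if the checked-out commit does not carry a valid GPG signature, which is the check you want when the content comes from outside the site.

```yaml
---
# Added example, not from the thread. First-stage playbook fetched by
# ansible-pull from the central repository in the cloud.
#
# Bootstrap command on the device (repo and proxy are assumed names):
#   https_proxy=http://proxy.office.example:3128 ansible-pull \
#     -U https://git.cloud.example/infra/ansible-content.git -C main \
#     -d /var/lib/ansible/content --verify-commit firstboot.yml
- name: First boot classification and bootstrap
  hosts: localhost
  connection: local
  become: true
  gather_facts: true
  vars:
    content_repo: https://git.cloud.example/infra/ansible-content.git  # assumed
    content_branch: main
    checkout_dir: /var/lib/ansible/content
    local_proxy: http://proxy.office.example:3128                       # assumed
    second_stage_playbook: site.yml                                     # assumed
  tasks:
    - name: Derive the device class from hardware facts
      ansible.builtin.set_fact:
        device_class: >-
          {{ 'virtual' if ansible_facts.virtualization_role == 'guest'
             else ('appliance' if ansible_facts.memtotal_mb | int < 4096
             else 'server') }}

    - name: Show what was detected
      ansible.builtin.debug:
        msg: >-
          {{ ansible_facts.product_name }} ({{ ansible_facts.architecture }})
          classified as {{ device_class }}

    # classes/virtual.yml, classes/appliance.yml, classes/server.yml are assumed
    # to live in the repository and hold the network/security/cron tasks.
    - name: Apply the task file for this device class
      ansible.builtin.include_tasks: "classes/{{ device_class }}.yml"

    - name: Keep pulling the second stage every 30 minutes when the repo changed
      ansible.builtin.cron:
        name: ansible-pull second stage
        minute: "*/30"
        user: root
        job: >-
          https_proxy={{ local_proxy }} /usr/bin/ansible-pull
          -U {{ content_repo }} -C {{ content_branch }} -d {{ checkout_dir }}
          --verify-commit --only-if-changed {{ second_stage_playbook }}
          >> /var/log/ansible-pull.log 2>&1
```

With this shape no inbound path into the office is needed at all: the devices only open outbound HTTPS through the proxy, so the VPN question from the original post disappears, and the proxy gives you one place to log and restrict which repositories the devices can reach.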
Thank you for your reply, I know the setup is a bit atypical but the “question” came from the university. So I had to find a solution to set it up and I know it wasn’t the most optimal solution that I did.
If the ansible server was also on premise it would have been a piece of cake.
Do you know any other possibilities for a solution? Is pfSense a solution, maybe?
What is the cloud service provider on which this PoC will take place?
Using just an OpenVPN solution on a cloud provider isn't best practice when it comes to security. You can download an OpenVPN instance from the EC2 marketplace, but you may have a better option using the AWS offering for better routing and security options. I haven't seen companies using OpenVPN as a solution to make a connection from on-prem to cloud.
I don't think the cloud had your use case in mind when it was first offered. A better PoC would be how to use Terraform / Ansible / Packer for a multi-cloud hybrid solution: if you are studying in the cloud field, a better PoC would be a multi-cloud environment as an HA setup.
For Example:
If you are running an application on AWS, how can we have a fault-tolerant solution on GCP within the same region for GDPR? If you have German customers, their data needs to have jurisdiction within Germany. With this in mind, if your AWS region in Germany goes down, how do we make sure fault tolerance is in place and traffic is routed to a secondary cloud provider (Azure / GCP), similar to an on-prem solution where a company would have two datacenters within the same country but in different locations (availability zones)?