Merge pull request #271452 from Satya-talluri/stalluri/firewall-rules

prmerger-automator[bot] · web-flow · commit cc2753449f61 · 2024-04-10T15:11:37.000Z
[operator-nexus] Add iDRAC configuration and firewall rules.
diff --git a/articles/operator-nexus/howto-platform-prerequisites.md b/articles/operator-nexus/howto-platform-prerequisites.md
@@ -355,9 +355,9 @@ Terminal Server has been deployed and configured as follows:
    - Purity Code Level: 6.5.1
    - Safe Mode: Disabled
    - Array Time zone: UTC
-   - DNS Server IP Address: 172.27.255.201
+   - DNS (Domain Name System) Server IP Address: 172.27.255.201
    - DNS Domain Suffix: not set by operator during setup
-   - NTP Server IP Address or FQDN: 172.27.255.212
+   - NTP (Network Time Protocol) Server IP Address or FQDN: 172.27.255.212
    - Syslog Primary: 172.27.255.210
    - Syslog Secondary: 172.27.255.211
    - SMTP Gateway IP address or FQDN: not set by operator during setup
@@ -398,11 +398,94 @@ Terminal Server has been deployed and configured as follows:
      - puretune -set PS_RDMA_STALE_OP_THRESH_MS 5000 "PURE-209441";
      - puretune -set PS_BDRV_REQ_MAXBUFS 128 "PURE-209441";
 
+## iDRAC IP Assignment
+
+Before deploying the Nexus Cluster, it’s best for the operator to set the iDRAC IPs while organizing the hardware racks. Here’s how to map servers to IPs:
+
+   - Assign IPs based on each server’s position within the rack.
+   - Use the fourth /24 block from the /19 subnet allocated for Fabric.
+   - Start assigning IPs from the bottom server upwards in each rack, beginning with 0.11.
+   - Continue to assign IPs in sequence to the first server at the bottom of the next rack.
+
+### Example
+
+Fabric range: 10.1.0.0-10.1.31.255 – iDRAC subnet at fourth /24 is 10.1.3.0/24.
+
+   | Rack   | Server        | iDRAC IP      |
+   |--------|---------------|---------------|
+   | Rack 1 | Worker 1      | 10.1.3.11/24  |
+   | Rack 1 | Worker 2      | 10.1.3.12/24  |
+   | Rack 1 | Worker 3      | 10.1.3.13/24  |
+   | Rack 1 | Worker 4      | 10.1.3.14/24  |
+   | Rack 1 | Worker 5      | 10.1.3.15/24  |
+   | Rack 1 | Worker 6      | 10.1.3.16/24  |
+   | Rack 1 | Worker 7      | 10.1.3.17/24  |
+   | Rack 1 | Worker 8      | 10.1.3.18/24  |
+   | Rack 1 | Controller 1  | 10.1.3.19/24  |
+   | Rack 1 | Controller 2  | 10.1.3.20/24  |
+   | Rack 2 | Worker 1      | 10.1.3.21/24  |
+   | Rack 2 | Worker 2      | 10.1.3.22/24  |
+   | Rack 2 | Worker 3      | 10.1.3.23/24  |
+   | Rack 2 | Worker 4      | 10.1.3.24/24  |
+   | Rack 2 | Worker 5      | 10.1.3.25/24  |
+   | Rack 2 | Worker 6      | 10.1.3.26/24  |
+   | Rack 2 | Worker 7      | 10.1.3.27/24  |
+   | Rack 2 | Worker 8      | 10.1.3.28/24  |
+   | Rack 2 | Controller 1  | 10.1.3.29/24  |
+   | Rack 2 | Controller 2  | 10.1.3.30/24  |
+   | Rack 3 | Worker 1      | 10.1.3.31/24  |
+   | Rack 3 | Worker 2      | 10.1.3.32/24  |
+   | Rack 3 | Worker 3      | 10.1.3.33/24  |
+   | Rack 3 | Worker 4      | 10.1.3.34/24  |
+   | Rack 3 | Worker 5      | 10.1.3.35/24  |
+   | Rack 3 | Worker 6      | 10.1.3.36/24  |
+   | Rack 3 | Worker 7      | 10.1.3.37/24  |
+   | Rack 3 | Worker 8      | 10.1.3.38/24  |
+   | Rack 3 | Controller 1  | 10.1.3.39/24  |
+   | Rack 3 | Controller 2  | 10.1.3.40/24  |
+   | Rack 4 | Worker 1      | 10.1.3.41/24  |
+   | Rack 4 | Worker 2      | 10.1.3.42/24  |
+   | Rack 4 | Worker 3      | 10.1.3.43/24  |
+   | Rack 4 | Worker 4      | 10.1.3.44/24  |
+   | Rack 4 | Worker 5      | 10.1.3.45/24  |
+   | Rack 4 | Worker 6      | 10.1.3.46/24  |
+   | Rack 4 | Worker 7      | 10.1.3.47/24  |
+   | Rack 4 | Worker 8      | 10.1.3.48/24  |
+   | Rack 4 | Controller 1  | 10.1.3.49/24  |
+   | Rack 4 | Controller 2  | 10.1.3.50/24  |
+
+An example design of three on-premises instances from the same NFC/CM pair, using sequential /19 networks in a /16:
+
+   | Instance   | Fabric Range            | iDRAC subnet |
+   |------------|-------------------------|--------------|
+   | Instance 1 | 10.1.0.0-10.1.31.255    | 10.1.3.0/24  |
+   | Instance 2 | 10.1.32.0-10.1.63.255   | 10.1.35.0/24 |
+   | Instance 3 | 10.1.64.0-10.1.95.255   | 10.1.67.0/24 | 
+
 ### Default setup for other devices installed
 
 - All network fabric devices (except for the Terminal Server) are set to `ZTP` mode
 - Servers have default factory settings
 
+## Firewall rules between Azure to Nexus Cluster.
+
+To establish firewall rules between Azure and the Nexus Cluster, the operator must open the specified ports. This ensures proper communication and connectivity for required services using TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
+
+| S.No | Source                 | Destination           | Port (TCP/UDP)  | Bidirectional  | Rule Purpose                                             |
+|------|------------------------|-----------------------|-----------------|----------------|----------------------------------------------------------|
+| 1    | Azure virtual network  | Cluster               | 22 TCP          | No             | For SSH to undercloud servers from the CM subnet.        |
+| 2    | Azure virtual network  | Cluster               | 443 TCP         | No             | To access undercloud nodes iDRAC                         |
+| 3    | Azure virtual network  | Cluster               | 5900 TCP        | No             | Gnmi                                                     |
+| 4    | Azure virtual network  | Cluster               | 6030 TCP        | No             | Gnmi Certs                                               |
+| 5    | Azure virtual network  | Cluster               | 6443 TCP        | No             | To access undercloud K8S cluster                         |
+| 6    | Cluster                | Azure virtual network | 8080 TCP        | Yes            | For mounting ISO image into iDRAC, NNF runtime upgrade   |
+| 7    | Cluster                | Azure virtual network | 3128 TCP        | No             | Proxy to connect to global Azure endpoints               |
+| 8    | Cluster                | Azure virtual network | 53 TCP and UDP  | No             | DNS                                                      |
+| 9    | Cluster                | Azure virtual network | 123 UDP         | No             | NTP                                                      |
+| 10   | Cluster                | Azure virtual network | 8888 TCP        | No             | Connecting to Cluster Manager webservice                 |
+| 11   | Cluster                | Azure virtual network | 514 TCP and UDP | No             | To access undercloud logs from the Cluster Manager       |
+
+
 ## Install CLI extensions and sign-in to your Azure subscription
 
 Install latest version of the
