Table of Contents
Advertisement
implement a MySQL Cluster network setup of this type, or of a "mixed" type as discussed under the
next item.
3.
It is also possible to employ a combination of the first two methods, using both hardware and
software to secure the cluster—that is, using both network-based and host-based firewalls. This is
between the first two schemes in terms of both security level and cost. This type of network setup
keeps the cluster behind the hardware firewall, but permits incoming packets to travel beyond the
router connecting all cluster hosts to reach the SQL nodes.
One possible network deployment of a MySQL Cluster using hardware and software firewalls in
combination is shown here:
In this case, you can set the rules in the hardware firewall to deny any external traffic except to SQL
nodes and API nodes, and then permit traffic to them only on the ports required by your application.
Whatever network configuration you use, remember that your objective from the viewpoint of keeping
the cluster secure remains the same—to prevent any unessential traffic from reaching the cluster while
ensuring the most efficient communication between the nodes in the cluster.
Because MySQL Cluster requires large numbers of ports to be open for communications between
nodes, the recommended option is to use a segregated network. This represents the simplest way to
prevent unwanted traffic from reaching the cluster.
Note
If you wish to administer a MySQL Cluster remotely (that is, from outside the
local network), the recommended way to do this is to use
login shell to access an SQL node host. From this host, you can then run the
management client to access the management server safely, from within the
Cluster's own local network.
Even though it is possible to do so in theory, it is not recommended to use
ndb_mgm
the Cluster is running. Since neither authentication nor encryption takes place
between the management client and the management server, this represents an
MySQL Cluster Security Issues
to manage a Cluster directly from outside the local network on which
1688
or another secure
ssh
Advertisement
Chapters
Table of Contents
Troubleshooting
