rcampbel3

Untitled

Feb 3rd, 2015
work-in-progress doc for an Amazon web services based Gluster deployment secured using VPC and security groups.

SERVER
======
- Gluster server nodes can only talk to nodes in AWS GLUSTER-SERVER security group and GLUSTER-CLIENT security group on ports explicitly listed in respective GLUSTER-SERVER and GLUSTER-CLIENT security groups.
- Gluster server nodes must be able to communicate with each other and must accept incoming connections from gluster clients
- Servers do NOT act as gluster clients
- Servers must be able to handle an AWS availability zone failure with no disruption
- Ubuntu 14.04 in AWS VPC, nonroutable private subnet

CLIENT
======
- Gluster client nodes can only talk to nodes in GLUSTER-SERVER security group on incoming ports explicitly listed in GLUSTER-SERVER security group
- Clients must be able to read/write data to gluster nodes
- Clients must be able to seamlessly handle gluster server node failures
- Clients do NOT act as gluster server nodes
- Clients do not need to interact with other clients
- Ubuntu 14.04 in AWS VPC, different nonroutable private subnet from gluster servers


Security group "GLUSTER-SERVER"
===============================
- Defines incoming ports allowed for gluster server nodes. All gluster server nodes are members of this security group.
- glusterd management
- ALLOW INCOMING on port 24007/tcp for all nodes in GLUSTER-SERVER security group
- ALLOW INCOMING on port 24007/tcp for all nodes in GLUSTER-CLIENT security group
- ALLOW INCOMING on port 24008/tcp if you use RDMA for $SECURITY_GROUP
- * Do I need this? How does one know if they're using RDMA?
- * Does Gluster server use RDMA by default?
- * Does Gluster client use RDMA by default?
- * Within AWS, should I use RDMA vs default?
- glusterfsd bricks (numbering starts at 49152 and increments +1 for each created brick) - below assumes 3 bricks
- ALLOW INCOMING on port 49152-49155/tcp for all nodes in GLUSTER-SERVER security group
- ALLOW INCOMING on port 49152-49155/tcp for all nodes in GLUSTER-CLIENT security group
- NFS (* is this needed for gluster servers?) (since Gluster 3.4)
- ALLOW INCOMING on port 111/tcp and port 2049/tcp for all nodes in GLUSTER-SERVER security group
- ALLOW INCOMING on port 111/tcp and port 2049/tcp for all nodes in GLUSTER-CLIENT security group
- ALLOW INCOMING on port 38468/tcp for all nodes in GLUSTER-SERVER security group for NLM
- ALLOW INCOMING on port 38468/tcp for all nodes in GLUSTER-CLIENT security group for NLM
- * Does gluster server use NFS by default?
- * Does gluster client use NFS by default?
- * Is NLM required regardless of whether NFS is used?
- ALLOW OUTBOUND traffic on any port to any host

Security group "GLUSTER-CLIENT"
===============================
- Defines group of clients who are allowed to access gluster server nodes in GLUSTER-SERVER security group on ports defined in GLUSTER-SERVER security group
- * Is there ANY incoming traffic from gluster server nodes in GLUSTER-SERVER security group?
- ALLOW OUTBOUND traffic on any port to any host
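The two security groups above can be expressed as one reviewable rule set rather than typed rule by rule in the console. The following is an added example, not part of the original paste: it builds the GLUSTER-SERVER ingress rules as boto3-style IpPermissions (the shape `authorize_security_group_ingress` accepts), derives the brick port range from the "49152, +1 per brick" rule stated above rather than hard-coding it, leaves GLUSTER-CLIENT with no inbound rules, and includes a check that no rule references a source other than the two gluster groups (a stray 0.0.0.0/0 CIDR being the usual mistake). The group IDs are placeholders; the RDMA and NFS rules are switches because the note leaves open whether they are needed.

```python
"""Gluster-on-AWS security group rules as data (added example).
Group IDs are placeholders; real ones come from `create-security-group`."""

# Constructed placeholder IDs for the two groups described in the note.
SERVER_SG = "sg-SERVER-PLACEHOLDER"
CLIENT_SG = "sg-CLIENT-PLACEHOLDER"

GLUSTERD_PORT = 24007    # glusterd management
RDMA_PORT = 24008        # only when the RDMA transport is used
BRICK_BASE_PORT = 49152  # first glusterfsd brick port, +1 per brick
NFS_PORTS = (111, 2049)  # portmapper and NFS (Gluster >= 3.4)
NLM_PORT = 38468         # NFS lock manager


def brick_port_range(n_bricks):
    """Ports used by n_bricks glusterfsd processes: 49152 .. 49152+n-1."""
    if n_bricks < 1:
        raise ValueError("need at least one brick")
    return BRICK_BASE_PORT, BRICK_BASE_PORT + n_bricks - 1


def _rule(from_port, to_port, source_sgs):
    """One tcp IpPermission allowing from_port..to_port from the given groups."""
    return {
        "IpProtocol": "tcp",
        "FromPort": from_port,
        "ToPort": to_port,
        "UserIdGroupPairs": [{"GroupId": sg} for sg in source_sgs],
    }


def server_ingress(n_bricks, rdma=False, nfs=True):
    """Ingress for GLUSTER-SERVER: every port reachable only from the two groups."""
    both = (SERVER_SG, CLIENT_SG)
    rules = [_rule(GLUSTERD_PORT, GLUSTERD_PORT, both)]
    if rdma:
        rules.append(_rule(RDMA_PORT, RDMA_PORT, both))
    lo, hi = brick_port_range(n_bricks)
    rules.append(_rule(lo, hi, both))
    if nfs:
        for port in NFS_PORTS:
            rules.append(_rule(port, port, both))
        rules.append(_rule(NLM_PORT, NLM_PORT, both))
    return rules


def client_ingress():
    """GLUSTER-CLIENT has no inbound rules: clients only initiate connections."""
    return []


def egress_all():
    """'ALLOW OUTBOUND on any port to any host' (AWS's default egress rule)."""
    return [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


def allowed_ports(rules):
    """Flatten ingress rules into the set of tcp ports they open."""
    ports = set()
    for rule in rules:
        ports.update(range(rule["FromPort"], rule["ToPort"] + 1))
    return ports


def unexpected_sources(rules):
    """Sources in an ingress rule set that are not one of the two gluster groups.
    Run this over describe_security_groups() output to catch drift such as a
    CIDR-based rule that would expose brick ports to the whole subnet."""
    bad = []
    for rule in rules:
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in (SERVER_SG, CLIENT_SG):
                bad.append(pair["GroupId"])
        for cidr in rule.get("IpRanges", []):
            bad.append(cidr["CidrIp"])
    return bad


if __name__ == "__main__":
    # To apply: boto3.client("ec2").authorize_security_group_ingress(
    #     GroupId=SERVER_SG, IpPermissions=server_ingress(3))
    for rule in server_ingress(3):
        print(rule["FromPort"], rule["ToPort"],
              [p["GroupId"] for p in rule["UserIdGroupPairs"]])
```

Because the rules are data, the same `unexpected_sources` check can be run on what `describe_security_groups` actually returns, which turns the note's intent ("servers can only talk to the two groups") into a repeatable audit rather than a one-time console setup.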