Fixing load balancer health check by including the monitoring subnet …

…info in the sensor configuration to ensure LB probes coming into the monitoring NIC also go out the monitoring NIC.
corelight · Dec 19, 2024 · 4930b18 · 4930b18
1 parent 1c429bd
commit 4930b18
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 62 deletions.
diff --git a/data.tf b/data.tf
@@ -0,0 +1,9 @@
+locals {
+  monitoring_subnet_resource_id_slice = split("/", var.monitoring_subnet_id)
+}
+
+data "azurerm_subnet" "mon_subnet" {
+  name                 = local.monitoring_subnet_resource_id_slice[length(local.monitoring_subnet_resource_id_slice) - 1]
+  resource_group_name  = var.resource_group_name
+  virtual_network_name = local.monitoring_subnet_resource_id_slice[8]
+}
diff --git a/load_balancer.tf b/load_balancer.tf
@@ -5,7 +5,12 @@ resource "azurerm_lb" "scale_set_lb" {
   sku                 = "Standard"
 
   frontend_ip_configuration {
-    name      = var.lb_frontend_ip_config_name
+    name      = var.lb_management_frontend_ip_config_name
+    subnet_id = var.management_subnet_id
+  }
+
+  frontend_ip_configuration {
+    name      = var.lb_monitoring_frontend_ip_config_name
     subnet_id = var.monitoring_subnet_id
   }
 
@@ -17,20 +22,40 @@ resource "azurerm_lb_backend_address_pool" "management_pool" {
   name            = var.lb_mgmt_backend_address_pool_name
 }
 
+resource "azurerm_lb_probe" "mgmt_sensor_health_check_probe" {
+  loadbalancer_id = azurerm_lb.scale_set_lb.id
+  name            = var.lb_management_probe_name
+  port            = 22
+  protocol        = "Tcp"
+}
+
+resource "azurerm_lb_rule" "management_lb_rule" {
+  name                           = var.lb_ssh_rule_name
+  loadbalancer_id                = azurerm_lb.scale_set_lb.id
+  frontend_ip_configuration_name = azurerm_lb.scale_set_lb.frontend_ip_configuration[0].name
+  protocol                       = "Tcp"
+  backend_port                   = 22
+  frontend_port                  = 22
+  backend_address_pool_ids = [
+    azurerm_lb_backend_address_pool.management_pool.id
+  ]
+  probe_id = azurerm_lb_probe.mgmt_sensor_health_check_probe.id
+}
+
 resource "azurerm_lb_backend_address_pool" "monitoring_pool" {
   loadbalancer_id = azurerm_lb.scale_set_lb.id
   name            = var.lb_mon_backend_address_pool_name
 }
 
 resource "azurerm_lb_probe" "sensor_health_check_probe" {
   loadbalancer_id     = azurerm_lb.scale_set_lb.id
-  name                = var.lb_health_check_probe_name
+  name                = var.lb_monitoring_probe_name
   port                = 41080
   request_path        = "/api/system/healthcheck"
   protocol            = "Http"
-  interval_in_seconds = 30
-  number_of_probes    = 2
-  probe_threshold     = 2
+  interval_in_seconds = 15
+  number_of_probes    = 3
+  probe_threshold     = 10
 }
 
 resource "azurerm_lb_rule" "monitoring_vxlan_lb_rule" {
@@ -39,35 +64,9 @@ resource "azurerm_lb_rule" "monitoring_vxlan_lb_rule" {
   protocol                       = "Udp"
   backend_port                   = 4789
   frontend_port                  = 4789
-  frontend_ip_configuration_name = azurerm_lb.scale_set_lb.frontend_ip_configuration[0].name
+  frontend_ip_configuration_name = azurerm_lb.scale_set_lb.frontend_ip_configuration[1].name
   backend_address_pool_ids = [
     azurerm_lb_backend_address_pool.monitoring_pool.id
   ]
   probe_id = azurerm_lb_probe.sensor_health_check_probe.id
 }
-
-resource "azurerm_lb_rule" "monitoring_health_check_rule" {
-  name                           = var.lb_health_check_rule_name
-  loadbalancer_id                = azurerm_lb.scale_set_lb.id
-  protocol                       = "Tcp"
-  backend_port                   = 41080
-  frontend_port                  = 41080
-  frontend_ip_configuration_name = azurerm_lb.scale_set_lb.frontend_ip_configuration[0].name
-  backend_address_pool_ids = [
-    azurerm_lb_backend_address_pool.monitoring_pool.id
-  ]
-  probe_id = azurerm_lb_probe.sensor_health_check_probe.id
-}
-
-resource "azurerm_lb_rule" "management_lb_rule" {
-  name                           = var.lb_ssh_rule_name
-  loadbalancer_id                = azurerm_lb.scale_set_lb.id
-  frontend_ip_configuration_name = azurerm_lb.scale_set_lb.frontend_ip_configuration[0].name
-  protocol                       = "Tcp"
-  backend_port                   = 22
-  frontend_port                  = 22
-  backend_address_pool_ids = [
-    azurerm_lb_backend_address_pool.management_pool.id
-  ]
-  probe_id = azurerm_lb_probe.sensor_health_check_probe.id
-}
diff --git a/scale_set.tf b/scale_set.tf
@@ -23,13 +23,12 @@ resource "azurerm_linux_virtual_machine_scale_set" "sensor_scale_set" {
     disk_size_gb         = var.virtual_machine_os_disk_size
   }
 
-  health_probe_id = azurerm_lb_probe.sensor_health_check_probe.id
+  health_probe_id = azurerm_lb_probe.mgmt_sensor_health_check_probe.id
   upgrade_mode    = "Automatic"
 
   network_interface {
     name    = "management-nic"
     primary = true
-
     ip_configuration {
       name      = "management-nic-ip-cfg"
       primary   = true
@@ -45,6 +44,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "sensor_scale_set" {
     enable_accelerated_networking = true
     ip_configuration {
       name      = "monitoring-nic-ip-cfg"
+      primary   = true
       subnet_id = var.monitoring_subnet_id
       load_balancer_backend_address_pool_ids = [
         azurerm_lb_backend_address_pool.monitoring_pool.id
@@ -69,10 +69,6 @@ resource "azurerm_linux_virtual_machine_scale_set" "sensor_scale_set" {
   }
 
   tags = var.tags
-
-  depends_on = [
-    azurerm_lb_rule.monitoring_health_check_rule,
-  ]
 }
 
 resource "azurerm_monitor_autoscale_setting" "auto_scale_config" {

diff --git a/sensor_config.tf b/sensor_config.tf
@@ -17,6 +17,9 @@ module "sensor_config" {
   sensor_management_interface_name             = "eth0"
   sensor_monitoring_interface_name             = "eth1"
   sensor_health_check_probe_source_ranges_cidr = [local.azure_lb_health_check_probe_ip]
+  sensor_health_check_http_port                = "41080"
+  subnetwork_monitoring_gateway                = cidrhost(data.azurerm_subnet.mon_subnet.address_prefix, 1)
+  subnetwork_monitoring_cidr                   = data.azurerm_subnet.mon_subnet.address_prefix
   gzip_config                                  = true
   base64_encode_config                         = true
   enrichment_enabled                           = var.enrichment_storage_account_name != "" && var.enrichment_storage_container_name != ""

diff --git a/variables.tf b/variables.tf
@@ -41,11 +41,6 @@ variable "sensor_ssh_public_key" {
 }
 
 ## Variables with defaults
-variable "sensor_subnet_name" {
-  description = "The name of the subnet the VMSS will scale sensors in"
-  type        = string
-  default     = "cl-sensor-subnet"
-}
 variable "sensor_admin_username" {
   description = "The name of the admin user on the corelight sensor VM in the VMSS"
   type        = string
@@ -79,7 +74,7 @@ variable "load_balancer_name" {
 variable "scale_set_name" {
   description = "Name of the Corelight VMSS of sensors"
   type        = string
-  default     = "vmss-sensor"
+  default     = "corelight-sensor"
 }
 
 variable "virtual_machine_size" {
@@ -106,10 +101,16 @@ variable "enrichment_storage_container_name" {
   default     = ""
 }
 
-variable "lb_frontend_ip_config_name" {
-  description = "Name of the internal load balancer frontend ip configuration"
+variable "lb_management_frontend_ip_config_name" {
+  description = "Name of the internal load balancer monitoring backend pool frontend ip configuration"
   type        = string
-  default     = "corelight-sensor-lb-ip"
+  default     = "corelight-management"
+}
+
+variable "lb_monitoring_frontend_ip_config_name" {
+  description = "Name of the internal load balancer monitoring backend pool frontend ip configuration"
+  type        = string
+  default     = "corelight-monitoring"
 }
 
 variable "lb_mgmt_backend_address_pool_name" {
@@ -124,22 +125,22 @@ variable "lb_mon_backend_address_pool_name" {
   default     = "monitoring-pool"
 }
 
-variable "lb_health_check_probe_name" {
-  description = "Name of the load balancer health check probe that check the sensor healthcheck API"
+variable "lb_monitoring_probe_name" {
+  description = "Name of the load balancer health check probe that checks if the sensor is up and ready to receive traffic on the monitoring NIC"
   type        = string
-  default     = "health-check"
+  default     = "sensor-health-check"
 }
 
-variable "lb_vxlan_rule_name" {
-  description = "Name of the load balancer rule for VXLAN traffic"
+variable "lb_management_probe_name" {
+  description = "Name of the load balancer health probe that checks if SSH is available on the management NIC"
   type        = string
-  default     = "vxlan-lb-rule"
+  default     = "ssh-health-check"
 }
 
-variable "lb_geneve_rule_name" {
-  description = "Name of the load balancer rule for Geneve traffic"
+variable "lb_vxlan_rule_name" {
+  description = "Name of the load balancer rule for VXLAN traffic"
   type        = string
-  default     = "geneve-lb-rule"
+  default     = "vxlan-lb-rule"
 }
 
 variable "lb_health_check_rule_name" {
@@ -197,9 +198,3 @@ variable "fleet_no_proxy" {
   default     = ""
   description = "(optional) hosts or domains to bypass the proxy for fleet traffic"
 }
-
-variable "monitoring_nsg_name" {
-  type        = string
-  default     = "corelight-monitoring-nsg"
-  description = "(optional) Name of the monitoring network security group"
-}