This document describes the network layout of the Phacility Cluster.
The Phacility cluster is deployed in an AWS VPC.
Most devices only accept connections from other devices within the cluster. Load balancers at the edge of the cluster accept external traffic and relay it to devices within the cluster, which may make additional service calls to other cluster services.
These devices have external interfaces and accept requests from the public internet.
|admin.phacility.com||alb||HTTP load balancer (ELB). Serves admin HTTP traffic.|
|bastion||bastion||Manages operational access.|
|nlb*.phacility.com||nlb||Notification load balancers.|
|vault.phacility.com||vault||SSH load balancer. Serves VCS SSH traffic.|
|www.phacility.com||corp||HTTP load balancer (ELB). Serves corporate site HTTP traffic.|
|*.phacility.com||lb||HTTP load balancer (ELB). Serves most HTTP traffic.|
|secure.phabricator.com||secure||Serves the upstream.|
|phabricator.org||secure||Serves marketing copy.|
|phabricator.com||secure||Redirects to secure.phabricator.com.|
|javelinjs.com||secure||Was hacked by Chinese.|
This is a general overview of device layout and traffic flow within the network.
For each type of request, traffic enters the network at the perimeter device in the left column, and is forwarded to the "Internal Device" to respond to the request. The internal device may also make requests to one or more devices from the "Service Devices" column to satisfy the request.
|Perimeter Device||Perimeter Port||Internal Device||Internal Port||Service Devices|
|lb||80, 443||web||80||db, repo|
|secure||22, 80, 443, 2222||secure||Same Host||None|
Connections to devices within the network are restricted. This table summarizes the layers which provide restrictions.
|AWS Security Rules||All Devices||Drops most inbound traffic.|
|iptables Rules||Normal Devices||Drops most inbound traffic.|
|Phabricator Rules||Application Servers||Restricts cluster devices and listening interfaces.|
|rSAAS Rules||Application Servers||Provides additional restrictions.|
|MySQL Rules||Database Servers||Prevents unrecognized connections.|