Scheduled Service Change: Move web2.login.cornell.edu to AWS
Event:
2017-07-16 11:00:00
Expected Duration:
2017-07-16 12:00:00
Status:
Closed
Brief Description:
Move web2.login.cornell.edu to AWS
User Impact:
None
Services Affected:
Authentication and Authorization
Subsites Affected:
Data Center
Full Description:
We are planning to move web2.login.cornell.edu from its current address (132.236.200.133) in the server farm to a static IP hosted with Amazon Web Services (AWS) (34.195.243.179).
We will make this change by repointing DNS at 7:00 am on Sunday, 07/16/17.
It is possible that some installations may have firewall rules that prevent CUWebAuth from contacting web2 at the new location. In the event that this comes up, there will not be any user impact (because CUWebAuth will still be able to contact the other weblogin servers, web1,3,4), and we will work with site admins to correct it after the move.
Additional details:
As part of its high-availability (HA) mechanism, each CUWebAuth installation periodically checks in with each of the weblogin servers in order to determine whether any of them are offline. If a weblogin server appears to be offline, CUWebAuth will stop redirecting users to that server to log in, until it comes back online.
In order for this HA mechanism to work, CUWebAuth on your web server must be able to contact each weblogin server over https (tcp 443). If firewall rules don't permit this contact to the new AWS IP, then CUWebAuth will think that web2 is offline and will stop sending users there.
This would not have any impact on users (they will just log in at web1, web3 or web4 instead), but it would mean that the site does not have the best HA. We will be checking our logs after the move to find any situations like this, and will contact individual service administrators about any problems we find.
If you have any questions or concerns, please contact idmgmt@cornell.edu
We will make this change by repointing DNS at 7:00 am on Sunday, 07/16/17.
It is possible that some installations may have firewall rules that prevent CUWebAuth from contacting web2 at the new location. In the event that this comes up, there will not be any user impact (because CUWebAuth will still be able to contact the other weblogin servers, web1,3,4), and we will work with site admins to correct it after the move.
Additional details:
As part of its high-availability (HA) mechanism, each CUWebAuth installation periodically checks in with each of the weblogin servers in order to determine whether any of them are offline. If a weblogin server appears to be offline, CUWebAuth will stop redirecting users to that server to log in, until it comes back online.
In order for this HA mechanism to work, CUWebAuth on your web server must be able to contact each weblogin server over https (tcp 443). If firewall rules don't permit this contact to the new AWS IP, then CUWebAuth will think that web2 is offline and will stop sending users there.
This would not have any impact on users (they will just log in at web1, web3 or web4 instead), but it would mean that the site does not have the best HA. We will be checking our logs after the move to find any situations like this, and will contact individual service administrators about any problems we find.
If you have any questions or concerns, please contact idmgmt@cornell.edu
CIT TDX ID:
CRQ000001018408
Timeline of Changes
| Description | Current Status | Date | Time |
|---|---|---|---|
| We are planning to move web2.login.cornell.edu from its current address (132.236.200.133) in the server farm to a static IP hosted with Amazon Web Services (AWS) (34.195.243.179). We will make this change by repointing DNS at 7:00 am on Sunday, 07/16/17. It is possible that some installations may have firewall rules that prevent CUWebAuth from contacting web2 at the new location. In the event that this comes up, there will not be any user impact (because CUWebAuth will still be able to contact the other weblogin servers, web1,3,4), and we will work with site admins to correct it after the move. Additional details: As part of its high-availability (HA) mechanism, each CUWebAuth installation periodically checks in with each of the weblogin servers in order to determine whether any of them are offline. If a weblogin server appears to be offline, CUWebAuth will stop redirecting users to that server to log in, until it comes back online. In order for this HA mechanism to work, CUWebAuth on your web server must be able to contact each weblogin server over https (tcp 443). If firewall rules don't permit this contact to the new AWS IP, then CUWebAuth will think that web2 is offline and will stop sending users there. This would not have any impact on users (they will just log in at web1, web3 or web4 instead), but it would mean that the site does not have the best HA. We will be checking our logs after the move to find any situations like this, and will contact individual service administrators about any problems we find. If you have any questions or concerns, please contact idmgmt@cornell.edu | 2017-07-13 | 17:05:09 |