Gateway Service
The gateway service provides a reverse proxy so that a job can migrate from one host to another without interrupting client connections.
Feature Description
In most cases, the OpCenter is used to schedule batch jobs, that is, jobs that run without an attached terminal: results are written to a file (or files) and retrieved when the job completes. OpCenter can also deploy containers that support interactive browser-based sessions, such as those required for RStudio or Jupyter Notebook. Each container can run on a Spot Instance, in which case the OpCenter seamlessly migrates the job to a new virtual machine if the Spot Instance is reclaimed. The new virtual machine instance has a different IP address.
The gateway service provides a reverse proxy that ensures each interactive session, for example, each RStudio session, appears to clients as an IP address that never changes even when the RStudio session moves to a different virtual machine. The gateway uses TCP port numbers to distinguish between different services running on virtual machines on the server side of the gateway.
Application
RStudio and Jupyter Notebook/Lab servers can be connected to a gateway simultaneously.
Gateway Operation
The operation of the gateway is shown in the figure. The gateway has two sides: client side and server side. The gateway selects ports from a pool and assigns them to clients so that a single IP address on the client side of the gateway can be used to map to multiple IP addresses on the server side.
To enable the operation of the gateway with an application server, complete the following configuration tasks.
- Create a gateway: configuration instructions are in the next section.
- Start an application server: The procedure for instantiating an application server depends on the type of application server — see the section on Service Templates.
- Assign a range of ports to the gateway (the maximum allowed range is 1000 to 65535)
- Create an inbound firewall rule to allow access to ports within the allowed range and apply the firewall rule to the gateway
- Instantiate the application server with a configuration that maps port_host on the host to port_container on the container
- Create an inbound firewall rule to allow access to port_host and apply it to the application server
- Connect the application server (identified by its Job ID) to the gateway by connecting port_host to the gateway
Gateway Configuration and Management
Gateways are created and managed using the CLI or the web interface. Before beginning with either method, create an inbound firewall rule using your Cloud Service Provider management console.
In AWS, a firewall rule is called a security group. Create an inbound security group by completing these steps (you must create two inbound security groups — one to apply to the gateway and one to apply to the application server).
- Open your EC2 console and, from the left-hand panel, select Network Security > Security Groups
- Click Create security group (top, right-hand side) to open the Create security group screen
- In the Basic rules section, fill in Security group name and Description fields
- In the Inbound rules section, click Add rule
- In the Port range box, enter the port (for example, enter 8787 for the application server) or range of ports (for example, 10000-10500 for the gateway) to open
- In the Source box, enter the block of IP addresses for your VPC (for example, enter 172.31.0.0/16). To allow access from any source, enter 0.0.0.0/0 (not recommended).
- Scroll to the bottom of the page and click Create security group
- After the security group is created, copy the Security group ID — either for configuring the gateway or for using a service template to instantiate an application server
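The following check is an added example, not part of the OpCenter documentation or tooling: it audits the two inbound security groups against the intended port range and VPC block, flagging rules that open extra ports or accept traffic from any source. It assumes rule data in the IpPermissions shape returned by aws ec2 describe-security-groups; the function names, group names and sample rules are constructed for illustration.

```python
import ipaddress

GATEWAY_PORT_LIMITS = (1000, 65535)  # maximum range the page allows for a gateway

def parse_port_range(spec):
    """Parse '<port_min>:<port_max>' (the --portRange format) and validate it."""
    lo, hi = (int(p) for p in spec.split(":"))
    if not GATEWAY_PORT_LIMITS[0] <= lo <= hi <= GATEWAY_PORT_LIMITS[1]:
        raise ValueError(f"port range {spec} is reversed or outside 1000:65535")
    return lo, hi

def audit_security_group(group, allowed_ports, vpc_cidr):
    """Return findings for inbound rules wider than the intended ports or sources."""
    lo, hi = allowed_ports
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        # Protocol "-1" means all traffic and carries no FromPort/ToPort.
        frm, to = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto == "-1" or frm < lo or to > hi:
            findings.append(f"ports {frm}-{to} ({proto}) exceed allowed {lo}-{hi}")
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            net = ipaddress.ip_network(cidr)
            if net.prefixlen == 0:
                findings.append(f"ports {frm}-{to} open to any source ({cidr})")
            elif net.version != vpc.version or not net.subnet_of(vpc):
                findings.append(f"source {cidr} is outside VPC {vpc_cidr}")
    return findings

# Constructed sample data (not real groups): one rule set per security group.
SAMPLE_GROUPS = {
    "gateway-sg": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 10000, "ToPort": 10500,
         "IpRanges": [{"CidrIp": "172.31.0.0/16"}]}]},
    "appserver-sg": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8787, "ToPort": 8787,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
}

if __name__ == "__main__":
    expected = {"gateway-sg": parse_port_range("10000:10500"),
                "appserver-sg": (8787, 8787)}
    for name, ports in expected.items():
        for finding in audit_security_group(SAMPLE_GROUPS[name], ports, "172.31.0.0/16"):
            print(f"{name}: {finding}")
```
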
Configuration using CLI
For usage and options enter the following:
Gateways can be created (float gateway create), destroyed (float gateway destroy), or modified (float gateway modify). Use the float gateway modify command to add or remove a security group that applies to a particular gateway.
To create a gateway enter the following:
float gateway create -c <cpu_min> -m <mem_min> -n <gw_name> \
--portRange <port_min>:<port_max> --securityGroup <sg>
Replace:
- <cpu_min> with the minimum number of vCPUs
- <mem_min> with the minimum memory capacity (in GB)
- <gw_name> with a name to identify the gateway
- <port_min> with the start of the port range
- <port_max> with the end of the port range
- <sg> with the inbound firewall rule to allow access to the ports in the port range (multiple firewall rules can be applied by using the --securityGroup option multiple times)
To create a gateway without a public IP address, include the --noPublicIP option.
Each gateway has an associated ID. Each server, RStudio or Jupyter Notebook/Lab, has an associated job ID. Servers are connected to gateways by using the gateway connect command:
float gateway connect -g <gw_id> -j <job_id> --targetPort <server_port_1> --targetPort <server_port_2>...
Replace:
- <gw_id> with the gateway ID
- <job_id> with the job ID associated with the server
- <server_port_1>, <server_port_2>, ... with the ports the server listens on (in most cases, the gateway and server need only connect one port)
You can disconnect a server from one gateway (use the float gateway disconnect command) and connect it to another gateway (use the float gateway connect command).
To display information about all running gateways, enter:
To display detailed information (including connected clients) about one running gateway, enter:
Configuration using Web Interface
On the left-hand panel, go to SERVICE > Gateways. From the Gateways screen, you can create and manage gateways.
To create a gateway, click the Create Gateway button. In the pop-up screen, fill in the fields (some are mandatory, some are optional) and click Create.
To manage a gateway, identify your gateway by name or by ID and then click the ID. A screen called Gateway Details - <gateway_name> is displayed. From this screen, you can modify or destroy the gateway and you can also connect jobs (servers) to the gateway.
To connect a server to a gateway, click Connect (top, right-hand side). In the pop-up window, fill in the fields and then click Connect. Once a job (server) is connected, it shows up in the Connected Jobs table. To open a browser session on the server, copy the entry in the Access URL column and paste it into the address bar of your browser. The gateway acts as a reverse proxy for the server.
To disconnect a server, locate the job in the Connected Jobs table and then click Disconnect in the Actions column.
Web Widget
When a browser connects to the gateway, the gateway places a web widget at the top, right-hand side of the window (the user can move the widget). The widget provides an interface to the OpCenter Job Details screen. After logging in (use your credentials for the OpCenter), you can view status and perform actions such as migrate, suspend, resume or cancel (for this job only). When the application server (RStudio, for example) is in the "Floating" state, the widget alerts the user that the screen is unresponsive until the state returns to "Executing."