Gateway Service

The gateway service provides a reverse proxy so that a job can migrate from one host to another without interrupting client connections.

Feature Description

In most cases, the OpCenter is used to schedule batch jobs, that is, jobs that run without an attached terminal — results are written to a file (or files) and retrieved when the job completes. OpCenter can also deploy containers that support interactive browser-based sessions, such as is required for RStudio or Jupyter Notebook. Each container can run on a Spot Instance in which case the OpCenter seamlessly migrates the job to a new virtual machine if the Spot Instance is reclaimed. The new virtual machine instance has a different IP address.

The gateway service provides a reverse proxy that ensures each interactive session, for example, each RStudio session, appears to clients as an IP address that never changes even when the RStudio session moves to a different virtual machine. The gateway uses TCP port numbers to distinguish between different services running on virtual machines on the server side of the gateway.

Application

RStudio and Jupyter Notebook/Lab servers can be connected to a gateway simultaneously.

Gateway Operation

The operation of the gateway is shown in the figure. The gateway has two sides: client side and server side. The gateway selects ports from a pool and assigns them to clients so that a single IP address on the client side of the gateway can be used to map to multiple IP addresses on the server side.

To enable the operation of the gateway with an application server, complete the following configuration tasks. Gateway configuration instructions follow in the sections below. The procedure for instantiating an application server depends on the type of application server — see the section on Service Templates.
  • Assign a range of ports to the gateway (the maximum allowed range is 1000 to 65535)
  • Create an inbound firewall rule to allow access to ports within the allowed range and apply the firewall rule to the gateway
  • Instantiate the application server with a configuration that maps port_host on the host to port_container on the container
  • Create an inbound firewall rule to allow access to port_host and apply it to the application server
  • Connect the application server (identified by its Job ID) to the gateway by connecting port_host to the gateway

Gateway Configuration and Management

Gateways are created and managed using the CLI or the web interface. Before beginning with either method, create an inbound firewall rule using your Cloud Service Provider management console.

In AWS, a firewall rule is called a security group. Create an inbound security group by completing these steps (you must create two inbound security groups — one to apply to the gateway and one to apply to the application server).
  • Open your EC2 console and, from the left-hand panel, select Network Security > Security Groups
  • Click Create security group (top, right-hand side) to open the Create security group screen
  • In the Basic rules section, fill in Security group name and Description fields
  • In the Inbound rules section, click Add rule
  • In the Port range box, enter the port (for example, enter 8787 for the application server) or range of ports (for example, 10000-10500 for the gateway) to open
  • In the Source box, enter 0.0.0.0/0
  • Scroll to the bottom of the page and click Create security group
  • After the security group is created, copy the Security group ID — either for configuring the gateway or for using a service template to instantiate an application server

Configuration using CLI

For usage and options enter the following: 
float gateway -h
Gateways can be created (float gateway create), destroyed (float gateway destroy), or modified (float gateway modify). Use the float gateway modify command to add or remove a security group that applies to a particular gateway.
To create a gateway enter the following: 
float gateway create -c <cpu_min> -m <mem_min> -n <gw_name> --portRange <port_min>:<port_max> --securityGroup <sg>
where:
  • <cpu_min> is the minimum number of vCPUs
  • <min_mem> is the minimum memory capacity (in GB)
  • <gw_name> is a name to identify the gateway
  • <min_port> is the start of the port range
  • <max_port> is the end of the port range
  • <sg> is the inbound firewall rule to allow access to the ports in the port range (multiple firewall rules can be applied by using the --securityGroup option multiple times)
  • (optional)--noPublicIP instantiates the gateway without a public IP address
Each gateway has an associated ID. Each server, RStudio or Jupyter Notebook/Lab, has an associated job ID. Servers are connected to gateways by using the gateway connect command: 
float gateway connect -g <gw_id> -j <job_id> --targetPort <server_port_1> --targetPort <server_port_2>...
where:
  • <gw_id> is the gateway ID
  • <job_id> is the job ID associated with the server
  • <server_port_1>, <server_port_2> ... are the ports the server listens on (in most cases, the gateway and server need only connect one port)

You can disconnect a server from one gateway (use the float gateway disconnect command) and connect it to another gateway (use the float gateway connect command).

To display information about all running gateways, enter: 
float gateway list
To display detailed information (including connected clients) about one running gateway, enter: 
float gateway info -g <gw_id>

Configuration using Web Interface

On the left-hand panel, go to SERVICE > Gateways. From the Gateways screen, you can create and manage gateways.

To create a gateway, click the Create Gateway button. In the pop-up screen, fill in the fields (some are mandatory, some are optional) and click Create.

To manage a gateway, identify your gateway by name or by ID and then click the ID. A screen called Gateway Details - <gateway_name> is displayed. From this screen, you can modify or destroy the gateway and you can also connect jobs (servers) to the gateway.

To connect a server to gateway, click Connect (top, right-hand side). In the pop-up window, fill in the fields and then click Connect. Once a job (server) is connected, it shows up in the Connected Jobs table. To open a browser session on the server, copy the entry in the Access URL column and paste it into the address bar of your browser. The gateway acts as a reverse-proxy for the server.

To disconnect a server, locate the job in the Connected Jobs table and then click Disconnect in the Actions column.

Web Widget

When a browser connects to the gateway, the gateway places a web widget at the top, right-hand side of the window (the user can move the widget). The widget provides an interface to the OpCenter Job Details screen. After logging in (use your credentials for the OpCenter), the user can view status and perform actions such as migrate, suspend, resume or cancel (for this job only). When the application server (RStudio, for example) is in the "Floating" state, the widget alerts the user that the screen is unresponsive until the state returns to "Executing."