Ansible Agent Option?
-
@stacksofplates said in Ansible Agent Option?:
You need one "agent" which is the SD-WAN client and that's it. The other way you will most likely have more than that because you will want some type of minor logging, monitoring, remote support like RDP, etc.
Most of that traffic is outbound, though. In theory, with something like Salt, you can have zero inbound ports for IT. Sure, applications might need something, but there will never be a way around that. But no additional ports opened for IT use. Or if there is, they can be opened ad hoc and closed as soon as they are not used.
-
@scottalanmiller said in Ansible Agent Option?:
@stacksofplates said in Ansible Agent Option?:
You need one "agent" which is the SD-WAN client and that's it. The other way you will most likely have more than that because you will want some type of minor logging, monitoring, remote support like RDP, etc.
Most of that traffic is outbound, though. In theory, with something like Salt, you can have zero inbound ports for IT. Sure, applications might need something, but there will never be a way around that. But no additional ports opened for IT use. Or if there is, they can be opened ad hoc and closed as soon as they are not used.
A lot are, but a lot of new ones aren't. Monitoring tools like Prometheus scrape clients and logging tools like Loki scrape logs in a similar way.
My point is I think it's much easier to take the 10 minutes to write the automation to set the client up the way you want and only allow access on that network from where you define. Then it doesn't matter what tool you decide to use. And when new ones come out or old ones are deprecated, it's much easier to adapt.
Yeah, it's obviously bad to treat it like a LAN, but if you stop using tools just because it can be treated that way, you are sometimes stopping yourself from doing some really interesting and helpful things.
Not aimed at you, just a point in general.
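As an added example, not code from the thread or from either poster: an Ansible playbook that does what the post above describes, namely locks the SD-WAN/overlay interface down so that only sources you define can reach the IT-only ports, whichever tools end up behind them. Everything here is assumed for illustration: the inventory group `overlay_nodes`, the overlay interface `tun0`, a Prometheus server at 10.20.0.5 scraping node_exporter on 9100, and an admin subnet 10.20.0.0/28 for SSH. It uses the `ansible.posix.firewalld` module and firewalld's built-in `drop` zone; rich rules with `accept` are matched before the zone's drop target, so nothing else on that interface gets in. The last two tasks are the check a practitioner would want: list the live rules and fail the run if either allow rule is missing.

```yaml
---
# Added example, not from the original thread. Hypothetical group, interface
# and addresses; adjust to your overlay before running.
- name: Restrict IT access on the overlay interface to defined sources
  hosts: overlay_nodes
  become: true
  vars:
    overlay_iface: tun0            # assumed SD-WAN / overlay interface
    overlay_zone: drop             # built-in zone, default target DROP
    prometheus_host: 10.20.0.5/32  # assumed scraper address
    admin_net: 10.20.0.0/28        # assumed admin jump subnet
    scrape_port: 9100              # node_exporter default

  tasks:
    - name: Ensure firewalld is installed
      ansible.builtin.package:
        name: firewalld
        state: present

    - name: Ensure firewalld is running and enabled
      ansible.builtin.service:
        name: firewalld
        state: started
        enabled: true

    # Everything arriving on the overlay interface is dropped by default.
    # Note: if NetworkManager manages the interface, it may reassign the
    # zone on reconnect; set the zone in the NM connection profile as well.
    - name: Bind the overlay interface to the drop zone
      ansible.posix.firewalld:
        zone: "{{ overlay_zone }}"
        interface: "{{ overlay_iface }}"
        permanent: true
        immediate: true
        state: enabled

    # Inbound scrape traffic (the Prometheus pull model) only from the
    # one host that is supposed to be pulling.
    - name: Allow the Prometheus server to scrape node_exporter
      ansible.posix.firewalld:
        zone: "{{ overlay_zone }}"
        rich_rule: 'rule family="ipv4" source address="{{ prometheus_host }}" port port="{{ scrape_port }}" protocol="tcp" accept'
        permanent: true
        immediate: true
        state: enabled

    # Ansible itself only needs SSH, and only from where admins sit.
    # (A Salt minion would need nothing inbound at all; it dials out.)
    - name: Allow SSH only from the admin subnet
      ansible.posix.firewalld:
        zone: "{{ overlay_zone }}"
        rich_rule: 'rule family="ipv4" source address="{{ admin_net }}" service name="ssh" accept'
        permanent: true
        immediate: true
        state: enabled

    # Verify the live ruleset rather than trusting the module's "ok".
    - name: Read back the active rich rules on the overlay zone
      ansible.builtin.command:
        cmd: firewall-cmd --zone={{ overlay_zone }} --list-rich-rules
      register: overlay_rules
      changed_when: false

    - name: Fail if either allow rule is not actually active
      ansible.builtin.assert:
        that:
          - "'port=\"{{ scrape_port }}\"' in overlay_rules.stdout"
          - "'service name=\"ssh\"' in overlay_rules.stdout"
        fail_msg: "Expected allow rules missing on zone {{ overlay_zone }}: {{ overlay_rules.stdout }}"
```

Run it with `ansible-playbook -i inventory lockdown.yml --check --diff` first; the `firewalld` tasks support check mode, so you see exactly which rules would be added before touching production nodes. Swapping the monitoring tool later means changing one rich rule, not the network design.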
-
@stacksofplates said in Ansible Agent Option?:
Yeah, it's obviously bad to treat it like a LAN, but if you stop using tools just because it can be treated that way, you are sometimes stopping yourself from doing some really interesting and helpful things.
Yes, LAN-like tools are only LAN-like if you treat them in that fashion. The behaviour is rarely intrinsic.