Best Practice for Slave in DMZ


My question is: what is the best-practice variant if you want to set up Checkmk across multiple locations and have the individual slaves in a DMZ? Each slave has one connection to the internal network to monitor the servers and another connection to the outside to reach the master. Can you easily solve this with two IP addresses in both networks and a common DNS name? Or what exactly is your most recommended method?

Regards, Fabio

First question:
What is allowed in your DMZ?
Here, any DMZ has NO access to the internal net.
We are using ssh & scp to transfer agents and configs in the DMZ.
We are planning to use Ansible starting next month.

The plan is to create the DMZ especially for Checkmk, and that's exactly my question, because other people with the same thematic will not have their monitor slaves sent directly from the internal network to the master. I prefer to set everything from the master, so the ssh method is suboptimal for me. I was thinking more of SSL encryption over the public network from the DMZ of the slave.

Why a DMZ of its own for Checkmk?

I won't make a hole in my internal network only for the monitoring ports (6557, 443).
