1 – why ? why are you separating the workload like this ?
2 – you can’t make routing rules by targets, only by the job itself and maybe by the user that ran it, though I’m not sure if that is possible.
And these job servers will be in the same physical location at the other servers and the database ?
The Why? -- kind of a long story, the short of it is 2 main pieces
1.) Security, Firewalls, user permissions ... I know I can handle all of the security and permissions stuff directly in BSA, but from an Infrastructure point of view, as long as someone can draw a line from App Servers in Group B to Target Servers in Group A, it is always going to be seen as a risk. By not allowing the IPs in App Server Group B through the firewall, no line can be drawn, thus no added Risk
2.) Workloads and performance... we have large burst of jobs that come out of Group A during small maintence windows. We configured our Job Servers settings to account for these types of deployment and would prefer not to introduce anything new to them.
Location Location Location:
Not sure if this will help or make it better, but here is a quick and dirty diagram of what our environment would look like... Keep in Mind that the App Servers in Group A, App Servers in Group B, AND the Target Servers in Group B are all in the same Datacenter
1 of 1 people found this helpful
you can't route the jobs by target, so you have to handle it by the job. and you can't do it by executing role either from what i can tell. so you would need a property set on the jobs, or a naming convention, or keeping them in a certain group, or something like that.
Well, I am sure we can punch some holes through this... what I ended up doing was:
1.) Create a new property for Jobs
2.) Made it un-editable, required, and set the Default Value to be ??ROLE_CREATED?? (ROLE_CREATED is not an option when creating Job Execution Rules)
3.) I could then use this property in creating my Job Execution Rules.
Initial tests prove this to be working, but I am sure I still have some work to do...
if it works it works
what if you stood up a socks proxy, and all the traffic from all appservers went through that? would that be any better ?