I am wondering about what decomposition into zones is advisable for distributed management in the following situation with around two hundred hosts.
On the one hand there are some hosts which the master can reach directly on port 5665. On the other hand there are hosts in other subnets where the master faces a firewall. For each of those subnets I would designate one host as satellite and open the firewall for a point-to-point connection from the master to the satellite.
I am assuming that since point-to-point connections are desired, the master zone and each satellite's zone must contain only a single endpoint.
But what about the other hosts, how should they be grouped into zones? I could also place each remaining host in its own zone, or I could try to gather the remaining hosts into fewer, larger zones (e.g. one for all the hosts that the master can reach directly minus the satellites, and one each for the hosts in a subnet minus the local satellite).
I am currently leaning towards the first choice because it allows for a cleaner structure inside zones.d, and because it works in a small prototype so far. However, there may be downsides.
Are there any best practices or recommendations about this? Is it common to have only one endpoint per zone in Icinga 2 distributed management (without HA)? If both options are in use, what are some pros and cons in each case?
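As an added example that is not part of the original post, the following zones.conf sketch lays out the topology described above using the one-endpoint-per-zone layout (master, one satellite for a firewalled subnet, and one zone per agent); all host names, addresses and zone names are assumed placeholders.

```icinga2
/* Added example, not from the original post: one endpoint per zone, no HA.
 * All names and addresses below are assumed placeholders. */

/* Master zone: a single endpoint. */
object Endpoint "master1.example.com" {
  host = "192.0.2.10"
}
object Zone "master" {
  endpoints = [ "master1.example.com" ]
}

/* Host the master can reach directly: its own zone, child of "master".
 * Setting "host" on the endpoint makes the parent open the connection. */
object Endpoint "web1.example.com" {
  host = "192.0.2.21"
  port = "5665"
}
object Zone "web1.example.com" {
  endpoints = [ "web1.example.com" ]
  parent = "master"
}

/* Satellite for a firewalled subnet: one endpoint, one zone. The only
 * firewall rule needed is master -> satellite on TCP 5665. */
object Endpoint "sat-a.example.com" {
  host = "198.51.100.5"
}
object Zone "satellite-a" {
  endpoints = [ "sat-a.example.com" ]
  parent = "master"
}

/* Host behind that firewall: its own zone, child of the satellite zone.
 * The satellite, not the master, connects to it, so no extra firewall rule. */
object Endpoint "db1.example.com" {
  host = "198.51.100.42"
}
object Zone "db1.example.com" {
  endpoints = [ "db1.example.com" ]
  parent = "satellite-a"
}

/* Global zone for templates and commands synced to every endpoint. */
object Zone "global-templates" {
  global = true
}
```

With this layout the per-host configuration lives in zones.d/<zone name>/ on the master and is synced down the tree, and the same Zone and Endpoint objects must be present in each node's zones.conf; `icinga2 daemon -C` validates the result before a reload.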