{"id":2073,"date":"2025-11-18T18:30:36","date_gmt":"2025-11-18T15:30:36","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/tailscale-zerotier-ile-ozel-ag-cok-saglayicili-vps-mesh-rehberi\/"},"modified":"2025-11-18T18:30:36","modified_gmt":"2025-11-18T15:30:36","slug":"tailscale-zerotier-ile-ozel-ag-cok-saglayicili-vps-mesh-rehberi","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/tailscale-zerotier-ile-ozel-ag-cok-saglayicili-vps-mesh-rehberi\/","title":{"rendered":"Private Networking with Tailscale\/ZeroTier: A Multi-Provider VPS Mesh Guide"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><p>The pager went off at 02:17 that night. The edge proxy running on the <a href=\"https:\/\/www.dchost.com\/tr\/vps\">VPS<\/a> in Frankfurt was suddenly drowning in TCP retransmissions, and the application-tier node in Singapore could not talk to its replica. p95 latency had jumped to 280 ms, and failed retries had bloated the RDS connection pool. Until then we had been saying \u201csecure tunnels over the internet are enough\u201d; then the TTLs of the DNS caches collided with each other, and the wildcard SSL renewal landed on the same night. If you too are stuck between downtime risk, DNS chaos and SSL renewal panic, and want to solve this for good by building a <strong>private network with Tailscale\/ZeroTier<\/strong>, you are in the right place. 
In this post I will walk through a site-to-site mesh between VPSes at multiple providers step by step, with real operations notes, measurable metrics and working runbooks: architecture design, setup, security, observability and change management. By the end we will have built a setup about which you can say \u201cthis network will come back up\u201d even when the alarm goes off at night.<\/p>\n<div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#Incident_Retrosu_Neden_Overlay_Mesh\"><span class=\"toc_number toc_depth_1\">1<\/span> Incident Retro: Why an Overlay Mesh?<\/a><\/li><li><a href=\"#Mimari_Inceleme_IP_Plani_ACL_ve_SitetoSite_Secenekleri\"><span class=\"toc_number toc_depth_1\">2<\/span> Architecture Review: IP Plan, ACLs and Site-to-Site Options<\/a><ul><li><a href=\"#IP_Planlamasi_ve_Alanlar\"><span class=\"toc_number toc_depth_2\">2.1<\/span> IP Planning and Ranges<\/a><\/li><li><a href=\"#DNS_MagicDNS_ve_SplitHorizon\"><span class=\"toc_number toc_depth_2\">2.2<\/span> DNS, MagicDNS and Split-Horizon<\/a><\/li><li><a href=\"#Guvenlik_ve_ACL_Modeli\"><span class=\"toc_number toc_depth_2\">2.3<\/span> Security and the ACL Model<\/a><\/li><\/ul><\/li><li><a href=\"#Tailscale_ile_Kurulum_Runbook_ve_Komutlar\"><span class=\"toc_number toc_depth_1\">3<\/span> Setup with Tailscale: Runbook and Commands<\/a><ul><li><a href=\"#Onkosullar_ve_Organizasyon\"><span class=\"toc_number toc_depth_2\">3.1<\/span> Prerequisites and Organization<\/a><\/li><li><a href=\"#Kurulum_Adimlari_Host_Basina\"><span class=\"toc_number toc_depth_2\">3.2<\/span> Setup Steps (Per Host)<\/a><\/li><li><a href=\"#Policy_ACL_Ornegi\"><span class=\"toc_number 
toc_depth_2\">3.3<\/span> Policy (ACL) Example<\/a><\/li><\/ul><\/li><li><a href=\"#ZeroTier_ile_Kurulum_Esnek_Sanal_Anahtar\"><span class=\"toc_number toc_depth_1\">4<\/span> Setup with ZeroTier: A Flexible Virtual Switch<\/a><ul><li><a href=\"#Controller_ve_Ag_Olusturma\"><span class=\"toc_number toc_depth_2\">4.1<\/span> Controller and Network Creation<\/a><\/li><\/ul><\/li><li><a href=\"#SitetoSite_Kopruleme_Rota_Ilani_MTU_ve_NAT\"><span class=\"toc_number toc_depth_1\">5<\/span> Site-to-Site Bridging: Route Advertisement, MTU and NAT<\/a><ul><li><a href=\"#Tailscale_Subnet_Router_ve_Route_Approval\"><span class=\"toc_number toc_depth_2\">5.1<\/span> Tailscale Subnet Router and Route Approval<\/a><\/li><li><a href=\"#ZeroTier_Managed_Routes_ve_Policy\"><span class=\"toc_number toc_depth_2\">5.2<\/span> ZeroTier Managed Routes and Policy<\/a><\/li><li><a href=\"#MTU_ve_MSS_Clamping\"><span class=\"toc_number toc_depth_2\">5.3<\/span> MTU and MSS Clamping<\/a><\/li><\/ul><\/li><li><a href=\"#Gozlemlenebilirlik_Metrikler_Loglar_ve_Paneller\"><span class=\"toc_number toc_depth_1\">6<\/span> Observability: Metrics, Logs and Dashboards<\/a><ul><li><a href=\"#Hangi_Metrikleri_Izledik\"><span class=\"toc_number toc_depth_2\">6.1<\/span> Which Metrics Did We Track?<\/a><\/li><li><a href=\"#Toplama_ve_Paneller\"><span class=\"toc_number toc_depth_2\">6.2<\/span> Collection and Dashboards<\/a><\/li><\/ul><\/li><li><a href=\"#Guvenlik_Kimlik_Anahtar_Dondurme_Segmentasyon\"><span class=\"toc_number toc_depth_1\">7<\/span> Security: Identity, Key Rotation, Segmentation<\/a><ul><li><a href=\"#Kimlik_ve_SSO\"><span class=\"toc_number toc_depth_2\">7.1<\/span> Identity and SSO<\/a><\/li><li><a href=\"#Anahtar_Yasam_Dongusu\"><span class=\"toc_number toc_depth_2\">7.2<\/span> Key Lifecycle<\/a><\/li><li><a href=\"#Segmentasyon\"><span class=\"toc_number toc_depth_2\">7.3<\/span> 
Segmentation<\/a><\/li><\/ul><\/li><li><a href=\"#CICD_ve_IaC_Tekrarlanabilirlik\"><span class=\"toc_number toc_depth_1\">8<\/span> CI\/CD and IaC: Repeatability<\/a><ul><li><a href=\"#Terraform_ile_Policy_Yonetimi\"><span class=\"toc_number toc_depth_2\">8.1<\/span> Policy Management with Terraform<\/a><\/li><li><a href=\"#GitOps_Akisi\"><span class=\"toc_number toc_depth_2\">8.2<\/span> GitOps Flow<\/a><\/li><li><a href=\"#Ansible_ile_Host_Hazirligi\"><span class=\"toc_number toc_depth_2\">8.3<\/span> Host Preparation with Ansible<\/a><\/li><\/ul><\/li><li><a href=\"#Gercek_Hikayeler_Iki_PostMortem_Notu\"><span class=\"toc_number toc_depth_1\">9<\/span> Real Stories: Two Post-Mortem Notes<\/a><ul><li><a href=\"#PM01_DERP_Uzerinden_Sessiz_Yavaslama\"><span class=\"toc_number toc_depth_2\">9.1<\/span> PM-01: Silent Slowdown over DERP<\/a><\/li><li><a href=\"#PM02_MTU_ve_Parcalanma_Kabusu\"><span class=\"toc_number toc_depth_2\">9.2<\/span> PM-02: The MTU and Fragmentation Nightmare<\/a><\/li><\/ul><\/li><li><a href=\"#Degisiklik_Yonetimi_Canary_mi_BlueGreen_mi\"><span class=\"toc_number toc_depth_1\">10<\/span> Change Management: Canary or Blue\/Green?<\/a><\/li><li><a href=\"#Operasyon_Runbooku_Gece_Alarmina_Kisa_Cevap\"><span class=\"toc_number toc_depth_1\">11<\/span> Operations Runbook: A Short Answer to the Night Alarm<\/a><ul><li><a href=\"#Baglanti_Sorununda_Ilk_10_Dakika\"><span class=\"toc_number toc_depth_2\">11.1<\/span> The First 10 Minutes of a Connectivity Problem<\/a><\/li><li><a href=\"#Planli_Degisiklik\"><span class=\"toc_number toc_depth_2\">11.2<\/span> Planned Change<\/a><\/li><\/ul><\/li><li><a href=\"#Maliyet_ve_Performans_Gercekci_Beklentiler\"><span class=\"toc_number toc_depth_1\">12<\/span> Cost and Performance: Realistic Expectations<\/a><\/li><li><a 
href=\"#Kapanis_Ayaga_Kalkan_Yonetilebilir_Bir_Mesh\"><span class=\"toc_number toc_depth_1\">13<\/span> Closing: A Mesh That Comes Back Up and Stays Manageable<\/a><\/li><\/ul><\/div>\n<h2 id=\"section-1\"><span id=\"Incident_Retrosu_Neden_Overlay_Mesh\">Incident Retro: Why an Overlay Mesh?<\/span><\/h2>\n<p>The root cause of that incident was the outbound NAT behavior of different providers in the two regions, combined with occasionally triggered <strong>asymmetric routing<\/strong>. The Frankfurt edge opened TCP connections to the Singapore app, but because the return traffic arrived from a different egress IP, the stateful firewall choked on it. There was no VPC peering, and the site-to-site IPsec tunnels failed to reconnect during maintenance. On top of that, because the DNS TTL was kept short (10s), clients went through a \u201cservice dance\u201d during route flaps, and p95 latency hit 280 ms with packet loss at 3.5%. The audit logs showed 112 TLS handshake timeouts between 01:59 and 02:23.<\/p>\n<p>What we wanted from an overlay mesh was this: a WireGuard-based <strong>site-to-site network<\/strong> that works across heterogeneous providers (Hetzner, DO, OVH, AWS Lightsail, it does not matter), performs automatic NAT traversal and is simple to manage. Tailscale and ZeroTier are two strong options here. Both build a Layer-3 overlay; Tailscale makes this practical with key management and DERP relays on top of WireGuard. ZeroTier is more like a flexible virtual switch plus a policy engine, and can offer a hybrid L2\/L3 approach. 
In terms of metrics our targets were clear: p95 latency &lt; 120 ms (intercontinental), packet loss &lt; 0.5%, handshake recovery &lt; 2s, and access without touching the existing deployment pipelines.<\/p>\n<p>Trade-off note: with classic IPsec tunnels, a full mesh requires defining every endpoint against every other endpoint, and the management burden multiplies. Here the <strong>mesh control plane<\/strong> is external (Tailscale control plane\/DERP, ZeroTier controller) and routes are dynamic. The downside is the dependency on a third-party control layer, and the fact that the data flow (normally direct, relayed when NAT hole punching fails) can occasionally pass through a relay, which can cause latency deviations. Measured against our SLA targets, however, the risk was acceptable.<\/p>\n<h2 id=\"section-2\"><span id=\"Mimari_Inceleme_IP_Plani_ACL_ve_SitetoSite_Secenekleri\">Architecture Review: IP Plan, ACLs and Site-to-Site Options<\/span><\/h2>\n<h3><span id=\"IP_Planlamasi_ve_Alanlar\">IP Planning and Ranges<\/span><\/h3>\n<p>The most critical design area in an overlay mesh is the <strong>IP plan<\/strong>. Tailscale uses the 100.64.0.0\/10 CGNAT range by default, while ZeroTier can work with its own assignments such as RFC4193 (fd00::\/8) plus 10.0.0.0\/8. To prevent overlaps we gave each location a \/24 subnet:<\/p>\n<p>&#8211; eu-fra: 10.77.10.0\/24<br \/>&#8211; ap-sin: 10.77.20.0\/24<br \/>&#8211; us-nyc: 10.77.30.0\/24<\/p>\n<p>In Tailscale we picked one <strong>subnet router<\/strong> per location; in ZeroTier we advertised the same subnets with managed routes. 
The goal was to manage host-to-host and site-to-site access on the same plane.<\/p>\n<h3><span id=\"DNS_MagicDNS_ve_SplitHorizon\">DNS, MagicDNS and Split-Horizon<\/span><\/h3>\n<p>On the DNS side there were two important decisions: MagicDNS (Tailscale) and ZeroTier's naming options for service discovery, plus split-horizon DNS. Public DNS records use a TTL of 60s; services inside the overlay (e.g. <em>api.mesh.local<\/em>) use a TTL of 300s. A low TTL gives fast failover but can create a storm around the control endpoints; if your SLA covers a \u201cdedicated internal domain\u201d, it is healthier to keep the TTL somewhat higher and make the health checks aggressive.<\/p>\n<h3><span id=\"Guvenlik_ve_ACL_Modeli\">Security and the ACL Model<\/span><\/h3>\n<p>We built access control on the <strong>&#8220;default deny&#8221;<\/strong> principle. In Tailscale we granted access to service roles through the policy file (ACLs); in ZeroTier we used flow rules for port\/protocol-based authorization. We segmented prod and staging at the overlay level, and opened only specific ports for shared tooling (CI runner, log forwarder).<\/p>\n<h2 id=\"section-3\"><span id=\"Tailscale_ile_Kurulum_Runbook_ve_Komutlar\">Setup with Tailscale: Runbook and Commands<\/span><\/h2>\n<h3><span id=\"Onkosullar_ve_Organizasyon\">Prerequisites and Organization<\/span><\/h3>\n<p>We connected SSO (SAML\/OIDC) with the company domain. We used a <strong>pre-auth key<\/strong> so that headless servers join automatically. We left the DERP servers at their defaults but selected nearby points for the EU and APAC. 
Instead of SSH we enabled tailscale ssh, to reduce the need for a bastion and the number of public ports.<\/p>\n<h3><span id=\"Kurulum_Adimlari_Host_Basina\">Setup Steps (Per Host)<\/span><\/h3>\n<ul>\n<li>Kernel: WireGuard module (5.x) checked.<\/li>\n<li>Package: install tailscale (from the repo).<\/li>\n<li>Auth: automatic join with a pre-auth key.<\/li>\n<li>Subnet router: advertise the relevant \/24.<\/li>\n<li>ACL and DNS: update the policy, verify MagicDNS.<\/li>\n<li>Observability: metrics exporter and logs streaming.<\/li>\n<\/ul>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># Debian\/Ubuntu\ncurl -fsSL https:\/\/tailscale.com\/install.sh | sh\n\n# Headless join (example pre-auth key)\nsudo tailscale up \\\n  --authkey=tskey-auth-kQ3... \\\n  --hostname=fra-edge-01 \\\n  --advertise-tags=tag:edge,tag:prod \\\n  --ssh \\\n  --accept-dns=true \\\n  --accept-routes=true\n\n# Advertise 10.77.10.0\/24 as a subnet router.\n# tailscale set changes only the listed settings; a second tailscale up\n# would require repeating every flag from the first call.\nsudo tailscale set \\\n  --advertise-routes=10.77.10.0\/24 \\\n  --snat-subnet-routes=false\n\n# Status\nsudo tailscale status\nsudo tailscale status --json | jq '.'\n<\/code><\/pre>\n<p>Example JSON output:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">{\n  &quot;Self&quot;: {\n    &quot;DNSName&quot;: &quot;fra-edge-01.tailnet-abc.ts.net&quot;,\n    &quot;TailscaleIPs&quot;: [&quot;100.96.12.34&quot;, &quot;fd7a:115c:a1e0::abcd&quot;],\n    &quot;UserID&quot;: 101,\n    &quot;Hostinfo&quot;: {&quot;OS&quot;: &quot;linux&quot;, &quot;Hostname&quot;: &quot;fra-edge-01&quot;}\n  },\n  &quot;Peers&quot;: [\n    {\n      &quot;DNSName&quot;: &quot;sin-app-02.tailnet-abc.ts.net&quot;,\n      &quot;TailscaleIPs&quot;: [&quot;100.98.22.11&quot;],\n      &quot;RxBytes&quot;: 12900322,\n      &quot;TxBytes&quot;: 9388821,\n      &quot;Latency&quot;: {&quot;p50&quot;: 172000000, &quot;p90&quot;: 
198000000},\n      &quot;Relay&quot;: false\n    }\n  ],\n  &quot;MagicDNSEnabled&quot;: true,\n  &quot;CurrentTailnet&quot;: &quot;acme-corp&quot;\n}\n<\/code><\/pre>\n<h3><span id=\"Policy_ACL_Ornegi\">Policy (ACL) Example<\/span><\/h3>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">{\n  &quot;ACLs&quot;: [\n    {&quot;Action&quot;: &quot;accept&quot;, &quot;Users&quot;: [&quot;group:platform&quot;], &quot;Ports&quot;: [&quot;tag:edge:443&quot;, &quot;tag:app:5432&quot;]},\n    {&quot;Action&quot;: &quot;accept&quot;, &quot;Users&quot;: [&quot;group:sre&quot;], &quot;Ports&quot;: [&quot;tag:edge:22&quot;, &quot;tag:infra:9100&quot;]}\n  ],\n  &quot;Groups&quot;: {\n    &quot;group:platform&quot;: [&quot;alice@acme.co&quot;, &quot;bob@acme.co&quot;],\n    &quot;group:sre&quot;: [&quot;oncall@acme.co&quot;]\n  },\n  &quot;TagOwners&quot;: {\n    &quot;tag:edge&quot;: [&quot;group:sre&quot;],\n    &quot;tag:app&quot;: [&quot;group:platform&quot;],\n    &quot;tag:infra&quot;: [&quot;group:sre&quot;]\n  },\n  &quot;AutoApprovers&quot;: {\n    &quot;routes&quot;: {&quot;10.77.0.0\/16&quot;: [&quot;group:sre&quot;]}\n  }\n}\n<\/code><\/pre>\n<p>Here is how we solved it in this project: we ran the subnet routers on two nodes and made them <strong>active\/passive<\/strong> instead of ECMP. Why? Because at some providers the MTU difference (1500 vs 1450) produced MSS mismatches under ECMP. 
With the active\/passive route we saw a 12% improvement in p95 latency and a 0.7% reduction in TCP retransmits.<\/p>\n<h2 id=\"section-4\"><span id=\"ZeroTier_ile_Kurulum_Esnek_Sanal_Anahtar\">Setup with ZeroTier: A Flexible Virtual Switch<\/span><\/h2>\n<h3><span id=\"Controller_ve_Ag_Olusturma\">Controller and Network Creation<\/span><\/h3>\n<p>With ZeroTier you can use either the hosted cloud controller or your own controller. After creating the network you join the nodes and manage authorization with <strong>managed routes<\/strong> and flow rules.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># Install\ncurl -s https:\/\/install.zerotier.com | sudo bash\nsudo zerotier-cli info\n# &gt; 200 info 9c3d1a2b3c 1.12.2 ONLINE\n\n# Join the network\nsudo zerotier-cli join 8056c2e21c000001\nsudo zerotier-cli listnetworks\n# Check the routes and assigned addresses\n<\/code><\/pre>\n<p>Example network configuration (controller side):<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">{\n  &quot;config&quot;: {\n    &quot;name&quot;: &quot;acme-mesh&quot;,\n    &quot;v4AssignMode&quot;: {&quot;zt&quot;: true},\n    &quot;v6AssignMode&quot;: {&quot;rfc4193&quot;: true},\n    &quot;routes&quot;: [\n      {&quot;target&quot;: &quot;10.77.10.0\/24&quot;, &quot;via&quot;: null},\n      {&quot;target&quot;: &quot;10.77.20.0\/24&quot;, &quot;via&quot;: null},\n      {&quot;target&quot;: &quot;10.77.30.0\/24&quot;, &quot;via&quot;: null}\n    ]\n  },\n  &quot;rules&quot;: [\n    {&quot;rule&quot;: &quot;drop not ethertype ipv4&quot;},\n    {&quot;rule&quot;: &quot;accept ipprotocol tcp dport 22 from 10.77.0.0\/16&quot;},\n    {&quot;rule&quot;: &quot;accept ipprotocol tcp dport 443&quot;},\n    {&quot;rule&quot;: &quot;accept ipprotocol tcp dport 5432 from 10.77.20.0\/24 to 10.77.10.10\/32&quot;},\n    {&quot;rule&quot;: &quot;drop&quot;}\n  
]\n}\n<\/code><\/pre>\n<p>ZeroTier's advantage is that it can behave close to L2, which makes things easier for some protocols that need discovery on the same network (e.g. consensus-based cluster management tools). The downside is that, if it is set up incorrectly, L2 behaviors such as broadcast and ARP can create noise on the overlay. Tightening this with rules is a must.<\/p>\n<h2 id=\"section-5\"><span id=\"SitetoSite_Kopruleme_Rota_Ilani_MTU_ve_NAT\">Site-to-Site Bridging: Route Advertisement, MTU and NAT<\/span><\/h2>\n<h3><span id=\"Tailscale_Subnet_Router_ve_Route_Approval\">Tailscale Subnet Router and Route Approval<\/span><\/h3>\n<p>In prod we had the advertised networks approved automatically with <strong>autoApprovers.routes<\/strong>. That left only the health check. When a route goes down we raise an alert, and the failover node is standing by, ready to \u201cadvertise\u201d.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># Passive node on standby (no advertise)\nsudo tailscale up --authkey=tskey-auth-... --hostname=fra-edge-02 --accept-routes=true\n\n# At failover: tailscale set changes only these settings and keeps the rest\nsudo tailscale set --advertise-routes=10.77.10.0\/24 --snat-subnet-routes=false\n<\/code><\/pre>\n<h3><span id=\"ZeroTier_Managed_Routes_ve_Policy\">ZeroTier Managed Routes and Policy<\/span><\/h3>\n<p>On the ZeroTier side we use managed routes for the same subnets. When the health check script sees the RTT and packet loss thresholds exceeded, the route \u201cvia\u201d is updated through the controller API. 
This gives failover on the order of seconds.<\/p>\n<h3><span id=\"MTU_ve_MSS_Clamping\">MTU and MSS Clamping<\/span><\/h3>\n<p>Different providers, different MTUs. Over WireGuard, around 1420 is generally safe. Otherwise \u201cICMP Fragmentation Needed\u201d never arrives and performance collapses silently. For TCP there is MSS clamping; for UDP, relying on Path MTU Discovery sometimes disappoints. The following rule limits the MSS on the overlay interface:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># nftables example\nsudo nft add table inet mangle\n# Quote the chain definition so the shell does not treat ';' as a command separator\nsudo nft add chain inet mangle prerouting '{ type filter hook prerouting priority -150; }'\nsudo nft add rule inet mangle prerouting tcp flags syn tcp option maxseg size set 1360\n<\/code><\/pre>\n<p>With this setting we saw an 18\u201325 ms improvement in p95 latency in this project, and a 0.4% reduction in the TCP retransmit rate under load.<\/p>\n<h2 id=\"section-6\"><span id=\"Gozlemlenebilirlik_Metrikler_Loglar_ve_Paneller\">Observability: Metrics, Logs and Dashboards<\/span><\/h2>\n<h3><span id=\"Hangi_Metrikleri_Izledik\">Which Metrics Did We Track?<\/span><\/h3>\n<p>In the first week we did not trust the feeling that \u201cit works nicely\u201d. 
We collected the following metrics for the overlay mesh:<\/p>\n<p>&#8211; Handshake time (p50\/p95)<br \/>&#8211; NAT traversal success rate (% direct vs % DERP\/relay)<br \/>&#8211; RTT and jitter (p50\/p95)<br \/>&#8211; Packet loss<br \/>&#8211; Bytes in\/out, connections\/s<br \/>&#8211; Route health (advertised prefixes and reachable state)<\/p>\n<h3><span id=\"Toplama_ve_Paneller\">Collection and Dashboards<\/span><\/h3>\n<p>For Tailscale, the outputs of <code>tailscale status --json<\/code> and <code>tailscale netcheck<\/code> were exported. For ZeroTier, <code>zerotier-cli listpeers<\/code> and the controller APIs were used. The exporters were scraped by Prometheus, and we built \u201cMesh Health\u201d dashboards in Grafana.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># Example netcheck\nsudo tailscale netcheck\n# Report:\n# * UDP: true\n# * IPv4: yes, 203.0.113.10:41641\n# * Latency: 24ms (direct), 41ms (via derp-eu)\n# * MappingVariesByDestIP: false\n<\/code><\/pre>\n<p>Alert rules:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># PrometheusRule (simplified)\n- alert: MeshRttDegraded\n  expr: histogram_quantile(0.95, sum(rate(mesh_rtt_bucket[5m])) by (le, link)) &gt; 200\n  for: 10m\n  labels: {severity: warning}\n  annotations:\n    summary: &quot;p95 RTT yava\u015f&quot;\n\n- alert: MeshRelayUsageSpike\n  expr: increase(mesh_relay_bytes_total[15m]) \/ increase(mesh_bytes_total[15m]) &gt; 0.3\n  for: 15m\n  labels: {severity: critical}\n  annotations:\n    summary: &quot;Relay kullan\u0131m oran\u0131 artt\u0131&quot;\n<\/code><\/pre>\n<h2 id=\"section-7\"><span id=\"Guvenlik_Kimlik_Anahtar_Dondurme_Segmentasyon\">Security: Identity, Key Rotation, Segmentation<\/span><\/h2>\n<h3><span id=\"Kimlik_ve_SSO\">Identity and SSO<\/span><\/h3>\n<p>Machine identities were tied to SSO. 
In Tailscale we bound tags to an ownership model; in ZeroTier we moved member authorization into GitOps. Every node's admission went through code review; there is no access to the prod network until the \u201cjoin-request\u201d PR is closed.<\/p>\n<h3><span id=\"Anahtar_Yasam_Dongusu\">Key Lifecycle<\/span><\/h3>\n<p>Pre-auth keys are short-lived (24h) and single-use. The rotation pipeline renews the keys on every deploy. In Tailscale, <strong>ephemeral<\/strong> nodes are handy for testing; in prod we preferred persistent identities. ZeroTier node secrets were kept in the repo, encrypted with SOPS.<\/p>\n<h3><span id=\"Segmentasyon\">Segmentation<\/span><\/h3>\n<p>We split the prod\/staging\/ops networks into separate overlay IDs. Cross-environment access is allowed only for specific ports\/protocols and specific tags. This narrowed the lateral movement surface.<\/p>\n<h2 id=\"section-8\"><span id=\"CICD_ve_IaC_Tekrarlanabilirlik\">CI\/CD and IaC: Repeatability<\/span><\/h2>\n<h3><span id=\"Terraform_ile_Policy_Yonetimi\">Policy Management with Terraform<\/span><\/h3>\n<p>Policy files and ZeroTier network definitions were managed with Terraform. 
There are <strong>dry-run<\/strong> and <strong>canary<\/strong> stages before plan\/apply.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># Terraform (abridged example)\nprovider &quot;tailscale&quot; {}\nprovider &quot;zerotier&quot; {}\n\nresource &quot;tailscale_acl&quot; &quot;main&quot; {\n  acl = file(&quot;acl.json&quot;)\n}\n\nresource &quot;zerotier_network&quot; &quot;mesh&quot; {\n  name = &quot;acme-mesh&quot;\n  assign_ipv4 = true\n  route {\n    target = &quot;10.77.10.0\/24&quot;\n  }\n}\n<\/code><\/pre>\n<h3><span id=\"GitOps_Akisi\">GitOps Flow<\/span><\/h3>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># GitHub Actions\nname: mesh-policy\non:\n  pull_request:\n    paths: [&quot;infra\/mesh\/**&quot;]\n  push:\n    branches: [&quot;main&quot;]\n    paths: [&quot;infra\/mesh\/**&quot;]\n\njobs:\n  validate:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions\/checkout@v4\n      - uses: hashicorp\/setup-terraform@v3\n      - run: terraform fmt -check\n      - run: terraform init\n      - run: terraform validate\n      - run: terraform plan -out tfplan\n  apply:\n    if: github.ref == 'refs\/heads\/main' &amp;&amp; github.event_name == 'push'\n    needs: validate\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions\/checkout@v4\n      - uses: hashicorp\/setup-terraform@v3\n      - run: terraform init\n      # The plan file from the validate job does not exist on this runner, so plan again here\n      - run: terraform plan -out tfplan\n      - run: terraform apply -auto-approve tfplan\n<\/code><\/pre>\n<h3><span id=\"Ansible_ile_Host_Hazirligi\">Host Preparation with Ansible<\/span><\/h3>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">---\n- hosts: vps\n  become: yes\n  tasks:\n    - name: Install Tailscale\n      shell: curl -fsSL https:\/\/tailscale.com\/install.sh | sh\n    - name: Up tailscale\n      command: tailscale up --authkey={{ ts_authkey }} --ssh --accept-dns=true\n      no_log: true  # keep the auth key out of task output and logs\n\n- hosts: zerotier\n  
become: yes\n  tasks:\n    - name: Install ZeroTier\n      shell: curl -s https:\/\/install.zerotier.com | bash\n    - name: Join network\n      command: zerotier-cli join {{ zt_network_id }}\n<\/code><\/pre>\n<h2 id=\"section-9\"><span id=\"Gercek_Hikayeler_Iki_PostMortem_Notu\">Real Stories: Two Post-Mortem Notes<\/span><\/h2>\n<h3><span id=\"PM01_DERP_Uzerinden_Sessiz_Yavaslama\">PM-01: Silent Slowdown over DERP<\/span><\/h3>\n<p>At certain hours the RTT between European nodes rose from 24 ms to 55 ms. There was no packet loss. The <code>tailscale netcheck<\/code> reports showed direct as \u201ctrue\u201d, yet in the flow data the relay bytes ratio had hit 28%. Root cause: one provider tightened its inbound UDP rate limit during the nightly backup; NAT mapping lifetimes got shorter and connections fell back to the relay. Fix: we added the \u201crelay ratio\u201d metric to the health check; if the ratio exceeds 10%, we create a new mapping with an alternative egress IP. Cost: DERP traffic dropped and p95 RTT came down to 27 ms.<\/p>\n<h3><span id=\"PM02_MTU_ve_Parcalanma_Kabusu\">PM-02: The MTU and Fragmentation Nightmare<\/span><\/h3>\n<p>Some requests from APAC users timed out after waiting 2\u20133 seconds. PMTUD was failing because ICMP was blocked. Large TLS packets could not be fragmented on the overlay. Root cause: one provider had an MTU of 1500 and the other 1472; with the WireGuard overhead the effective MTU had dropped below 1420. 
Fix: MSS clamping and the <code>tailscale up --mtu=1280<\/code> limit. Result: p95 2.3s \u2192 410ms; retransmit 1.9% \u2192 0.6%.<\/p>\n<h2 id=\"section-10\"><span id=\"Degisiklik_Yonetimi_Canary_mi_BlueGreen_mi\">Change Management: Canary or Blue\/Green?<\/span><\/h2>\n<p>For network policy changes I preferred the canary approach. We update one or two nodes with the new ACL and route set and watch the dashboards for 30 minutes. If p95 RTT rises by more than 10% or the relay ratio approaches 20%, we roll back automatically. On the DNS side the TTL debate always comes up: a low TTL recovers quickly but increases control plane load and cache divergence. We used 300s for domains inside the overlay and 60s for public-facing ones, and wrote the SLA on that assumption.<\/p>\n<h2 id=\"section-11\"><span id=\"Operasyon_Runbooku_Gece_Alarmina_Kisa_Cevap\">Operations Runbook: A Short Answer to the Night Alarm<\/span><\/h2>\n<h3><span id=\"Baglanti_Sorununda_Ilk_10_Dakika\">The First 10 Minutes of a Connectivity Problem<\/span><\/h3>\n<ul>\n<li>Status: <code>tailscale status --json<\/code> or <code>zerotier-cli listpeers<\/code>.<\/li>\n<li>Netcheck: <code>tailscale netcheck<\/code>; note the relay ratio.<\/li>\n<li>MTU: test ping: <code>ping -M do -s 1372 100.x.x.x<\/code>.<\/li>\n<li>Routes: is <code>--advertise-routes<\/code> active in Tailscale; are the ZeroTier managed routes up?<\/li>\n<li>Failover: advertise from the passive subnet router.<\/li>\n<li>Logs: confirm provider firewall\/NAT changes.<\/li>\n<\/ul>\n<h3><span id=\"Planli_Degisiklik\">Planned Change<\/span><\/h3>\n<ul>\n<li>PR: Terraform plan + policy diff.<\/li>\n<li>Canary: 1\u20132 nodes, 30 min 
of observation.<\/li>\n<li>Rollout: expand in batches, 10 min between batches.<\/li>\n<li>Rollback: return to the old policy and route set with a single command.<\/li>\n<\/ul>\n<h2 id=\"section-12\"><span id=\"Maliyet_ve_Performans_Gercekci_Beklentiler\">Cost and Performance: Realistic Expectations<\/span><\/h2>\n<p>The cost of an overlay is mostly about \u201csaving time\u201d. If the relay usage ratio is low, the extra latency is negligible. However, in high-throughput scenarios (e.g. data replication), direct peering or site-to-site IPsec can still be economical. In our case we moved replication traffic off the overlay (dedicated tunnels) and kept application traffic on the overlay; total bandwidth cost fell by 18%, and operational complexity dropped significantly.<\/p>\n<h2 id=\"section-13\"><span id=\"Kapanis_Ayaga_Kalkan_Yonetilebilir_Bir_Mesh\">Closing: A Mesh That Comes Back Up and Stays Manageable<\/span><\/h2>\n<p>That night's pager incident taught us this: finding a stable path between different providers matters more than managing tunnels one by one. When you build a <strong>private network with Tailscale\/ZeroTier<\/strong>, identity-based access, automatic NAT traversal and centralized policy management work together. Lean on the metrics: RTT, relay ratio, packet loss and handshake time; if they are green on the dashboards, you sleep well. Operationally, make the runbooks crisp; put the \u201cfirst 10 minutes\u201d and \u201cplanned change\u201d steps in the team's pocket. In security, default deny and short-lived keys carry you forward. 
Rolling out changes with canaries ties the DNS TTL and SLA debates to concrete data. Start small today: two VPSes and one subnet router. Tomorrow, spreading across five providers on three continents will, with the same discipline, be just a pipeline job. Tell your team: this mesh is only as good as you are; read the runbooks, watch the dashboards, make small changes often. If the pager goes off at night, you know what to do.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The pager went off at 02:17 that night. The edge proxy running on the VPS in Frankfurt was suddenly choking on TCP retransmissions, and the business-tier node in Singapore could not talk to the replica. Latency p95 had jumped to 280 ms, and faulty retries had bloated the RDS connection pool. 
Until then we had been saying \u201csecure tunnels over the internet are enough\u201d; then the TTLs of the DNS caches bit each other, and the wildcard SSL renewal also landed on the same [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2074,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-2073","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/2073","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=2073"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/2073\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/2074"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=2073"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=2073"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=2073"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}