How high availability on AWS works
You can configure two Citrix ADC VPX instances on AWS as a high availability (HA) active-passive pair. When you configure one instance as the primary node and the other as the secondary node, the primary node accepts connections and manages servers. The secondary node monitors the primary. If for any reason, the primary node is unable to accept connections, the secondary node takes over.
In AWS, the following deployment types are supported for VPX instances:
- High availability within same zone
- High availability across different zones
Note
For high availability to work, ensure that both Citrix ADC VPX instances have IAM roles attached and an Elastic IP (EIP) address assigned to the NSIP. You need not assign an EIP to the NSIP if the NSIP can reach the internet through a NAT instance.
High availability within the same zone
In a high-availability deployment within the same zone, both VPX instances must have similar networking configurations.
Follow these two rules:
Rule 1. Any NIC on one VPX instance must be in the same subnet as the corresponding NIC on the other VPX instance. Both instances must have:
- Management interface on the same subnet (referred to as the management subnet)
- Client interface on the same subnet (referred to as the client subnet)
- Server interface on the same subnet (referred to as the server subnet)
Rule 2. The sequence of management NIC, client NIC, and server NIC must be the same on both instances. For example, the following scenario is not supported.
VPX instance 1
NIC 0: management
NIC 1: client
NIC 2: server
VPX instance 2
NIC 0: management
NIC 1: server
NIC 2: client
In this scenario, NIC 1 of instance 1 is in the client subnet, while NIC 1 of instance 2 is in the server subnet. For HA to work, NIC 1 of both instances must be either in the client subnet or in the server subnet.
From 13.0 41.xx, high availability can be achieved by migrating secondary private IP addresses attached to the NICs (client and server-side NICs) of the primary HA node to the secondary HA node after failover. In this deployment:
- Both VPX instances have the same number of NICs and the same subnet mapping according to NIC enumeration.
- Each VPX NIC has one extra private IP address, except the first NIC, which corresponds to the management IP address. The extra private IP address appears as the primary private IP address in the AWS web console. In this document, we refer to this extra IP address as the dummy IP address.
- The dummy IP addresses must not be configured on the Citrix ADC instance as VIP or SNIP.
- Other secondary private IP addresses must be created, as required, and configured as VIP and SNIP.
- On failover, the new primary node looks for configured SNIPs and VIPs and moves them from the NICs attached to the previous primary to the corresponding NICs on the new primary.
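The following is an added example, not Citrix's or AWS's code, that models the same-zone mechanism just described: it checks Rule 1 and Rule 2 against the NIC inventories of the two instances, then builds the ec2:AssignPrivateIpAddresses calls that move every VIP and SNIP (every non-dummy secondary IP) from the old primary's NICs to the same-index NICs of the new primary. The NIC records are constructed to resemble ec2:DescribeNetworkInterfaces output; the ENI IDs, subnet IDs and addresses are made up, and nothing here contacts AWS. The keyword names match the boto3 `assign_private_ip_addresses` parameters (`NetworkInterfaceId`, `PrivateIpAddresses`, `AllowReassignment`).

```python
# Added example (not Citrix's or AWS's code): model the secondary-private-IP failover.
# All inputs below are constructed; no AWS calls are made.

# Constructed NIC inventories. List index = NIC enumeration (0 = management).
# "Primary": True marks the AWS primary private IP: the NSIP on NIC 0 and the
# "dummy" IP on every other NIC. Dummy IPs are never configured as VIP or SNIP.
OLD_PRIMARY_NICS = [
    {"NetworkInterfaceId": "eni-old0", "SubnetId": "subnet-mgmt",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.0.10", "Primary": True}]},
    {"NetworkInterfaceId": "eni-old1", "SubnetId": "subnet-client",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.10", "Primary": True},     # dummy
                            {"PrivateIpAddress": "10.0.1.50", "Primary": False},    # VIP
                            {"PrivateIpAddress": "10.0.1.51", "Primary": False}]},  # VIP
    {"NetworkInterfaceId": "eni-old2", "SubnetId": "subnet-server",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.2.10", "Primary": True},     # dummy
                            {"PrivateIpAddress": "10.0.2.50", "Primary": False}]},  # SNIP
]
NEW_PRIMARY_NICS = [
    {"NetworkInterfaceId": "eni-new0", "SubnetId": "subnet-mgmt",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.0.11", "Primary": True}]},
    {"NetworkInterfaceId": "eni-new1", "SubnetId": "subnet-client",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.11", "Primary": True}]},
    {"NetworkInterfaceId": "eni-new2", "SubnetId": "subnet-server",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.2.11", "Primary": True}]},
]
# The unsupported layout from the text: NIC 1 and NIC 2 swapped on the second instance.
SWAPPED_NICS = [NEW_PRIMARY_NICS[0], NEW_PRIMARY_NICS[2], NEW_PRIMARY_NICS[1]]


def check_ha_rules(nics_a, nics_b):
    """Return the Rule 1 / Rule 2 violations for a pair (empty list when valid):
    same NIC count, and the same subnet at every NIC index."""
    problems = []
    if len(nics_a) != len(nics_b):
        problems.append(f"NIC count differs: {len(nics_a)} vs {len(nics_b)}")
    for idx, (a, b) in enumerate(zip(nics_a, nics_b)):
        if a["SubnetId"] != b["SubnetId"]:
            problems.append(f"NIC {idx}: {a['SubnetId']} vs {b['SubnetId']}")
    return problems


def plan_ip_migration(old_nics, new_nics):
    """Build one AssignPrivateIpAddresses call per data NIC, carrying every
    non-dummy secondary IP (VIP/SNIP) of the old primary's NIC to the NIC with the
    same index on the new primary. NIC 0 (management) is never touched."""
    calls = []
    for idx in range(1, len(old_nics)):
        moving = [ip["PrivateIpAddress"] for ip in old_nics[idx]["PrivateIpAddresses"]
                  if not ip["Primary"]]                       # skip the dummy IP
        if moving:
            calls.append({"NetworkInterfaceId": new_nics[idx]["NetworkInterfaceId"],
                          "PrivateIpAddresses": moving,
                          # lets EC2 take the IP away from the old ENI in one call
                          "AllowReassignment": True})
    return calls


def run_failover(old_nics, new_nics, ec2=None):
    """Validate the pair first, then return the planned calls. With a real boto3 EC2
    client passed as ec2, each call is issued via ec2.assign_private_ip_addresses."""
    problems = check_ha_rules(old_nics, new_nics)
    if problems:
        raise ValueError("HA pair is misconfigured: " + "; ".join(problems))
    calls = plan_ip_migration(old_nics, new_nics)
    if ec2 is not None:
        for call in calls:
            ec2.assign_private_ip_addresses(**call)
    return calls


if __name__ == "__main__":
    for call in run_failover(OLD_PRIMARY_NICS, NEW_PRIMARY_NICS):
        print(call)
    print(check_ha_rules(OLD_PRIMARY_NICS, SWAPPED_NICS))
```

Running the file prints two planned calls (the two VIPs to eni-new1, the SNIP to eni-new2) and, for the swapped layout, the two NIC-index mismatches; `run_failover` refuses to move anything when the rules fail, which is the check worth having before a node is ever allowed to take over.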
Citrix ADC instances require IAM permissions for HA to work. Add the following IAM privileges to the IAM policy attached to each instance:
- "iam:GetRole"
- "ec2:DescribeInstances"
- "ec2:DescribeNetworkInterfaces"
- "ec2:AssignPrivateIpAddresses"
Note: unassignPrivateIpAddress is not required.
This method is faster than the legacy method. In the older method, HA depends on the migration of the AWS elastic network interfaces of the primary node to the secondary node.
For the legacy method, the following policies are required:
- "iam:GetRole"
- "ec2:DescribeInstances"
- "ec2:DescribeAddresses"
- "ec2:AssociateAddress"
- "ec2:DisassociateAddress"
For more information, see Deploy a high availability pair on AWS.
High availability across different zones
You can configure two Citrix ADC VPX instances on two different subnets or two different AWS availability zones, as a high availability active-passive pair in Independent Network Configuration (INC) mode. Upon failover, the EIP (Elastic IP) of the VIP of the primary instance migrates to the secondary, which takes over as the new primary. In the failover process, the AWS API:
- Checks the virtual servers that have IPSets attached to them.
- Finds the IP address that has an associated public IP, from the two IP addresses the virtual server is listening on: one that is directly attached to the virtual server, and one that is attached through the IP set.
- Reassociates the public IP (EIP) to the private IP belonging to the new primary VIP.
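The following is an added example, not Citrix's or AWS's code, that walks through the three cross-zone failover steps above for a small constructed inventory: it selects the virtual servers that have an IP set, finds which of a virtual server's two listening addresses currently carries the EIP, and builds the ec2:AssociateAddress call that moves that EIP to the private IP the new primary uses. The virtual-server records, the ec2:DescribeAddresses output and the private-IP-to-ENI lookup are all made up; nothing here contacts AWS. The keyword names match the boto3 `associate_address` parameters (`AllocationId`, `NetworkInterfaceId`, `PrivateIpAddress`, `AllowReassociation`).

```python
# Added example (not Citrix's or AWS's code): model the cross-zone EIP move.
# All inputs below are constructed; no AWS calls are made.

# Constructed virtual servers as the new primary sees them. In INC mode each node
# has its own VIP subnet, so a virtual server listens on the IP directly attached
# to it and on the peer node's IP supplied through an IP set.
VSERVERS = [
    {"name": "lb_vs_web", "ip": "10.1.1.50", "ipset": ["10.0.1.50"]},
    {"name": "lb_vs_internal", "ip": "10.1.1.60", "ipset": []},   # no IP set: skipped
]

# Constructed ec2:DescribeAddresses output. The EIP is still associated with the
# old primary's VIP (10.0.1.50); the second record is an unrelated, unassociated EIP.
ADDRESSES = [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0a",
     "AssociationId": "eipassoc-0a", "NetworkInterfaceId": "eni-old1",
     "PrivateIpAddress": "10.0.1.50"},
    {"PublicIp": "203.0.113.99", "AllocationId": "eipalloc-0b"},
]

# Constructed lookup: which ENI on the new primary owns each of its private IPs.
NEW_PRIMARY_ENI_FOR_IP = {"10.1.1.50": "eni-new1", "10.1.1.60": "eni-new1"}


def vservers_with_ipsets(vservers):
    """Step 1: only virtual servers with an IP set take part in cross-zone failover."""
    return [vs for vs in vservers if vs["ipset"]]


def find_vserver_eip(vserver, addresses):
    """Step 2: of the IPs the virtual server listens on (its own IP plus the IP-set
    entries), return the DescribeAddresses record whose private IP carries the EIP,
    or None when no EIP is associated with either."""
    listening = {vserver["ip"], *vserver["ipset"]}
    for rec in addresses:
        if rec.get("PrivateIpAddress") in listening:
            return rec
    return None


def plan_eip_reassociation(vserver, addresses, eni_for_ip):
    """Step 3: build the AssociateAddress call that moves the EIP to the listening
    IP that lives on the new primary. Returns None when there is no EIP to move or
    it already sits on the new primary."""
    eip = find_vserver_eip(vserver, addresses)
    listening = [vserver["ip"], *vserver["ipset"]]
    target_ip = next((ip for ip in listening if ip in eni_for_ip), None)
    if eip is None or target_ip is None or eip["PrivateIpAddress"] == target_ip:
        return None
    return {"AllocationId": eip["AllocationId"],
            "NetworkInterfaceId": eni_for_ip[target_ip],
            "PrivateIpAddress": target_ip,
            "AllowReassociation": True}   # EIP is still bound to the old primary


def failover_plan(vservers, addresses, eni_for_ip):
    """Return (vserver name, AssociateAddress kwargs) for every eligible virtual
    server. With a real boto3 EC2 client each call would go to
    ec2.associate_address(**call)."""
    plan = []
    for vs in vservers_with_ipsets(vservers):
        call = plan_eip_reassociation(vs, addresses, eni_for_ip)
        if call:
            plan.append((vs["name"], call))
    return plan


if __name__ == "__main__":
    for name, call in failover_plan(VSERVERS, ADDRESSES, NEW_PRIMARY_ENI_FOR_IP):
        print(name, call)
```

Running the file yields a single planned move, for lb_vs_web, of eipalloc-0a onto 10.1.1.50 on eni-new1; lb_vs_internal has no IP set and is ignored, and running the plan again after the EIP already sits on the new primary produces nothing, so the step is idempotent.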
For HA across different zones, the following policies are required:
- "iam:GetRole"
- "ec2:DescribeInstances"
- "ec2:DescribeAddresses"
- "ec2:AssociateAddress"
- "ec2:DisassociateAddress"
For more information, see High availability across AWS availability zones.
Before you start your deployment
Before you start any HA deployment on AWS, read the following document: