If multiple Access Gateway and Identity Server virtual machines have been created and configured for clustering, you can configure an Azure load balancer for each cluster to distribute incoming requests across the clustered machines. A separate load balancer is used for an Identity Server cluster and for an Access Gateway cluster.

The following procedures note where the configuration details differ between the Identity Server and Access Gateway load balancers. Repeat the steps to create separate load balancers for the Identity Server and Access Gateway clusters.

Important points to consider before configuring an Azure load balancer for Access Manager:

- All nodes of a cluster must be deployed in the same availability set. For example, all Identity Server nodes in a cluster are deployed in one availability set, and all Access Gateway nodes in a cluster are deployed in a different availability set.
- Separate load balancers are required for Identity Server and Access Gateway.
- The Configuring a Load Balancer section includes examples that assume the default ports are used (8080/8443 for Identity Server and 80/443 for Access Gateway). You can use iptables to configure the listeners on Identity Server to use other ports. See Translating Identity Server Configuration Port.
- Azure load balancer supports HTTP and TCP health probes; it does not support the HTTPS probe. Using the Access Gateway heartbeat URL therefore requires the additional steps covered in To Create a Reverse Proxy for Health Probe.

NOTE: For scaling recommendations, see Recommendations for Scaling Access Manager Components in Public Cloud.

You must create separate load balancers and configure separate settings (IP configuration, backend pool, probes, and rules) for an Identity Server cluster and for an Access Gateway cluster.

IMPORTANT: Before creating a load balancer for an Access Gateway cluster, complete the steps in To Create a Reverse Proxy for Health Probe.
Perform the following steps to create a load balancer:

1. In the Azure portal, click Load balancers.
2. Click Add.
3. Specify the following details:

   Field | Description
   ---|---
   Name | Specify a name for the load balancer.
   Type | Select Public.
   Public IP address | Create a new public IP address for this load balancer.
   Subscription | Select the same Azure subscription that you selected for the virtual machines on which Access Manager is installed.
   Resource group | Select the same resource group that you selected for the virtual machines on which Access Manager is installed.
   Location | Select the same location that you used for the virtual machines.

4. Click Create.
5. Continue with Configuring a Load Balancer.
1. In the Azure portal, click Load balancers.
2. Click the load balancer that you created in the previous procedure.
3. Configure the following settings:

Frontend IP configuration: By default, this setting uses the IP address that you configured in Public IP address when creating the load balancer. If you need to change the frontend IP address, create and select another IP address.

Backend pools: This setting associates the load balancer with the IP addresses of the virtual machines among which you want to distribute the load.

Perform the following steps to configure backend pools:

1. Click Backend pools.
2. Click Add.
3. Specify a name.
4. In Associated to, select Availability set.
5. Select the availability set for which you want to use this load balancer. This enables the load balancer to distribute the load among the virtual machines in the selected availability set.
6. Under Target network IP configuration, click Add a target network IP configuration.
7. In Target virtual machine, select the virtual machine that you want to add to the load balancer. You can select only virtual machines in the specified availability set.
8. In Network IP configuration, select the network IP configuration of the selected virtual machine.
9. Click Add a target network IP configuration again to add other virtual machines from the same availability set to the pool.
10. Click OK.
Health probes: The load balancer uses probes to track the health of the virtual machines. If a probe fails, the related virtual machine is automatically excluded from load balancing.

Perform the following steps to configure a health probe:

1. Click Health probes.
2. Click Add.
3. Specify a name.
4. Specify the following details:

   Field | Description
   ---|---
   Protocol | Select HTTP.
   Port | IMPORTANT: You must configure these ports in the network security groups associated with the respective Access Manager component's cluster.
   Path | IMPORTANT: External communication to Access Gateway is typically configured to use HTTPS, and Azure load balancer does not support the HTTPS probe. Therefore, when creating a health probe for an Access Gateway cluster, first create a reverse proxy that opens a non-SSL port for the probe URL. See To Create a Reverse Proxy for Health Probe.
   Interval | Specify the interval at which the load balancer checks the health of each virtual machine.
   Unhealthy threshold | Specify the number of consecutive probe failures after which the load balancer automatically removes the virtual machine from load distribution.

5. Click OK.
Load balancing rules: This setting maps the frontend IP address and port combination to the backend IP address and port combination associated with the virtual machines. You can configure multiple load balancing rules for a load balancer.

Perform the following steps to configure a load balancing rule:

1. Click Load balancing rules.
2. Click Add.
3. Specify the following details:

   Field | Description
   ---|---
   Name | Specify a name for the rule.
   IP Version | Select IPv4.
   Frontend IP address | Select the frontend IP address for this rule.
   Protocol | Select TCP. IMPORTANT: If you want the load balancer to handle both HTTP and HTTPS traffic, create a separate rule for each by specifying the appropriate ports in Port and Backend port. The port configured in Port and Backend port must match the listening port configured in Identity Server or Access Gateway.
   Port | Specify the listening port that this rule serves. For Access Gateway, use the Access Gateway listening port (80/443 by default); for an Identity Server listening on the default ports of 8080/8443, use 8080 or 8443.
   Backend port | Specify the same listening port as in Port. For Access Gateway, use the Access Gateway listening port (80/443 by default); for an Identity Server listening on the default ports of 8080/8443, use 8080 or 8443.
   Backend pool | Select the backend pool for this rule.
   Health probe | Select the health probe for this rule.
   Session persistence | Keep the default value.
   Idle timeout | Keep the default value.
   Floating IP (direct server return) | Keep the default value.

4. Click OK.
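The health probe and load balancing rule settings above carry several constraints (HTTP-only probes, port 80 reserved on Access Gateway, Port and Backend port equal to the component's listening port, one component per load balancer). The following Python script is an added example, not code from the Access Manager documentation or from Azure: it encodes those constraints as a pre-deployment check over a planned configuration. The dictionary layout, the two sample configurations, the probe port 8081 and the Identity Server probe path are constructed for this example (the page does not state an Identity Server probe path, so it is not checked).

```python
"""Added example (not the documentation's own code): a pre-deployment check
that encodes the rules this page states for the Azure load balancer settings
of Identity Server and Access Gateway. The dictionary layout and the sample
configurations below are constructed for this example."""

# Default listening ports stated on the page (iptables port translation for
# Identity Server is out of scope for this check).
DEFAULT_LISTENING_PORTS = {
    "identity-server": {8080, 8443},
    "access-gateway": {80, 443},
}
HEARTBEAT_PATH = "/nesp/app/heartbeat"  # path to the Access Gateway ESP heartbeat application
AG_REDIRECT_PORT = 80                    # reserved on Access Gateway for redirects to the SSL port


def validate_load_balancer(lb):
    """Return a list of findings; an empty list means the planned configuration follows the page's rules."""
    findings = []
    component = lb["component"]
    if component not in DEFAULT_LISTENING_PORTS:
        return [f"unknown component {component!r}; one load balancer serves exactly one component"]
    listening = DEFAULT_LISTENING_PORTS[component]
    probes = {p["name"]: p for p in lb["probes"]}

    for p in lb["probes"]:
        if p["protocol"].upper() != "HTTP":
            findings.append(f"probe {p['name']}: protocol {p['protocol']} is not an HTTP probe (HTTPS probes are not supported)")
        if component == "access-gateway":
            if p["port"] == AG_REDIRECT_PORT:
                findings.append(f"probe {p['name']}: port 80 is reserved for redirects; use the reverse proxy's non-secure port")
            if p["path"] != HEARTBEAT_PATH:
                findings.append(f"probe {p['name']}: path {p['path']} is not the heartbeat path {HEARTBEAT_PATH}")

    for r in lb["rules"]:
        if r["protocol"].upper() != "TCP":
            findings.append(f"rule {r['name']}: protocol must be TCP")
        if r["port"] != r["backend_port"] or r["backend_port"] not in listening:
            findings.append(f"rule {r['name']}: Port {r['port']} and Backend port {r['backend_port']} "
                            f"must both equal a {component} listening port {sorted(listening)}")
        if r["probe"] not in probes:
            findings.append(f"rule {r['name']}: references unknown health probe {r['probe']!r}")
    return findings


# Constructed sample: Access Gateway load balancer that follows the page (8081 is an assumed free non-secure port).
GOOD_ACCESS_GATEWAY = {
    "component": "access-gateway",
    "probes": [{"name": "ag-heartbeat", "protocol": "HTTP", "port": 8081, "path": HEARTBEAT_PATH}],
    "rules": [
        {"name": "ag-http", "protocol": "TCP", "port": 80, "backend_port": 80, "probe": "ag-heartbeat"},
        {"name": "ag-https", "protocol": "TCP", "port": 443, "backend_port": 443, "probe": "ag-heartbeat"},
    ],
}

# Constructed sample: HTTPS probe, wrong probe path, and a backend port that is not an Access Gateway listening port.
BAD_ACCESS_GATEWAY = {
    "component": "access-gateway",
    "probes": [{"name": "ag-probe", "protocol": "HTTPS", "port": 443, "path": "/"}],
    "rules": [
        {"name": "ag-https", "protocol": "TCP", "port": 443, "backend_port": 8443, "probe": "ag-probe"},
    ],
}

# Constructed sample: Identity Server on the default ports; the probe path is a placeholder (not stated on the page).
GOOD_IDENTITY_SERVER = {
    "component": "identity-server",
    "probes": [{"name": "idp-probe", "protocol": "HTTP", "port": 8080, "path": "/PLACEHOLDER-IDP-PROBE-PATH"}],
    "rules": [
        {"name": "idp-http", "protocol": "TCP", "port": 8080, "backend_port": 8080, "probe": "idp-probe"},
        {"name": "idp-https", "protocol": "TCP", "port": 8443, "backend_port": 8443, "probe": "idp-probe"},
    ],
}

if __name__ == "__main__":
    for label, lb in [("good AG", GOOD_ACCESS_GATEWAY), ("bad AG", BAD_ACCESS_GATEWAY), ("good IDP", GOOD_IDENTITY_SERVER)]:
        print(label, validate_load_balancer(lb) or "OK")
```

Run it against the configuration you plan to enter in the portal (or a dictionary built from an exported configuration); the bad sample produces three findings, one for each rule on the page that it violates.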
Port 80 on Access Gateway is reserved for redirects to the SSL port. Configure this reverse proxy to use any other free port.

Perform the following steps to create a reverse proxy for the health probe:

1. Click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.
2. Under Reverse Proxy List, click New, and then specify a name.
3. Change Non-Secure Port to a port that is not already in use by another reverse proxy.
4. Click New to create the proxy service.
5. Specify the following details:

   Field | Description
   ---|---
   Proxy Service Name | Specify a name that identifies the purpose of this proxy service.
   Published DNS Name | Specify a value, such as HealthProbe. A value is required, but it is not used for connection purposes.
   Web Server IP Address | Specify 127.0.0.1.
   Host Header | Select Forward Received Host Name.

6. Click OK.
7. On the Reverse Proxy page, click the new proxy service under Proxy Service List, and then click Web Servers.
8. Change the Connect Port value to 9009. The Embedded Service Provider (ESP) in Access Gateway that provides the heartbeat service listens on 127.0.0.1:9009.
9. Click Protected Resources.
10. Click New, specify a name, and click OK.
11. In URL Path List, click /*, and change the path to /nesp/app/heartbeat. This is the path to the heartbeat application.
12. Click OK > OK.
13. Click OK and apply the changes to the configuration.
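Before pointing the load balancer's health probe at the reverse proxy created above, it is worth checking from a machine in the cluster's network that the non-secure port answers plain HTTP on /nesp/app/heartbeat, and understanding how Interval and Unhealthy threshold decide when a node leaves rotation. The following Python script is an added example, not code from the Access Manager documentation or from Azure: `probe_once` performs one plain-HTTP probe the way the Azure probe does (success is an HTTP 200), `in_rotation` models the consecutive-failure rule from the Unhealthy threshold setting, and `check_probe_target` exercises both against a constructed in-process stand-in for the reverse proxy. Assumptions not on the page: the probe counts only a 200 response as healthy, a single successful probe returns a removed node to rotation, and PROBE_PORT 8081 is the non-secure port you chose for the reverse proxy.

```python
"""Added example (not the documentation's own code): a minimal client that
mimics the Azure load balancer HTTP health probe against the Access Gateway
heartbeat reverse proxy, plus a model of the Unhealthy threshold rule."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

HEARTBEAT_PATH = "/nesp/app/heartbeat"   # heartbeat application path from the page
PROBE_PORT = 8081                         # assumed non-secure port of the health-probe reverse proxy (not 80)


def probe_once(host, port, path=HEARTBEAT_PATH, timeout=5.0):
    """One probe attempt over plain HTTP (the load balancer does not support HTTPS probes).
    Returns True only when the backend answers with HTTP 200 (assumed success criterion)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status == 200
    except OSError:          # connection refused, reset or timed out
        return False
    finally:
        conn.close()


def in_rotation(results, unhealthy_threshold):
    """Model of the Unhealthy threshold setting: the backend is removed after
    `unhealthy_threshold` consecutive failed probes; a later successful probe
    puts it back (modeled assumption). `results` lists probe outcomes, oldest first."""
    healthy = True
    consecutive_failures = 0
    for ok in results:
        if ok:
            consecutive_failures = 0
            healthy = True
        else:
            consecutive_failures += 1
            if consecutive_failures >= unhealthy_threshold:
                healthy = False
    return healthy


class _StandInHeartbeat(BaseHTTPRequestHandler):
    """Constructed stand-in for the reverse proxy in front of the ESP heartbeat:
    200 on the heartbeat path, 404 elsewhere."""

    def do_GET(self):
        self.send_response(200 if self.path == HEARTBEAT_PATH else 404)
        self.end_headers()

    def log_message(self, format, *args):   # keep the demo quiet
        pass


def check_probe_target(port=0):
    """Start the stand-in on 127.0.0.1 (port 0 = any free port), probe the heartbeat
    path and a wrong path, and return (heartbeat_ok, wrong_path_ok)."""
    server = HTTPServer(("127.0.0.1", port), _StandInHeartbeat)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        bound_port = server.server_address[1]
        return (probe_once("127.0.0.1", bound_port),
                probe_once("127.0.0.1", bound_port, "/wrong-path"))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Against a real Access Gateway node, replace the stand-in with its address and PROBE_PORT:
    #   probe_once("<access-gateway-node-ip>", PROBE_PORT)
    print("stand-in heartbeat / wrong path:", check_probe_target())
    print("two failures, threshold 2, removed:", not in_rotation([True, False, False], 2))
```

Against a real node, call `probe_once` with the node's private address and the reverse proxy's non-secure port from the same virtual network; a False result before the probe is even configured usually means the network security group does not allow that port, which the Port setting above requires.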