Setting up an Availability group - Platform - BlueCat Gateway - 24.1

Gateway Administration Guide

Locale: English | Product name: BlueCat Gateway | Version: 24.1

In general, when you set up a pair of Gateway instances as an Availability group, you'll do the following:

  • Check your network for prerequisites: Make sure that your network environment and infrastructure allow for Availability groups.

  • Set up a TSIG (Transaction Signature) key: You must set up a TSIG key to be used by both Gateway instances.

  • Add the Gateway instances to the Availability group: When you have a TSIG key available, add the instances to an Availability group pair, using one as the Primary node and the other as the Secondary.


Making sure that your network environment supports Availability groups

Before starting, check the list of Availability group limitations and requirements to make sure that your system can support this feature. (See Gateway High Availability requirements and limitations.) In particular:

  • Make sure your system uses a DNS server, such as a BlueCat DNS/DHCP Server (BDDS).

  • There must be an SOA (start of authority) record that indicates which DNS server is authoritative for the Availability group's address. Make sure that both Gateway nodes can resolve the SOA record on your DNS server.

  • Make sure your system has and uses an NTP time server, so that both Availability group nodes and the DNS server can use the same date and time source.


Setting up a BDDS as the DNS server for an Availability group

Availability groups require use of a DNS server that is accessible to both Gateway nodes. We recommend a BlueCat DNS/DHCP Server (BDDS), configurable from BlueCat Address Manager (BAM).

In general, you will do the following in Address Manager:

  • Set up a new View and Zone for the BDDS.

  • Create a new TSIG key for the Server.

  • Add the BDDS to Address Manager's Server List.

  • Set up the BDDS to allow for dynamic DNS updates by users authorized for the TSIG key.

  • Set up the BDDS to allow for DNS queries by Availability groups.

  • Set up a deployment role and deploy those changes to the BDDS.

To do so, follow the steps below:
  1. If necessary, within Address Manager, select the configuration you want to use from the Configurations drop-down list in the top right corner.

  2. Within Address Manager, click the DNS tab in the banner at the top.

  3. Create the DNS View that you'll use for the BDDS in BAM:
    1. Click the Views tab.

    2. Under DNS Views, click the New button, then select View.

    3. Configure the new View as desired, then click Add.

  4. Click the new view to open it.

  5. Within the view, create a new zone for the BDDS:
    1. From within the Views list, click the New button.

    2. Configure the new zone:
      1. In Name, enter a name for the new zone.

      2. In Template, select From View.

      3. Make sure the Deployable checkbox is selected.

      Click the Add button when you're done.

  6. Create a new TSIG key for the Server:
    1. Click the Servers tab in the banner at the top, then click the TSIG Keys tab.

    2. Under TSIG Keys, click the New button, then set the following options for the new TSIG key:
      1. In Name, enter a short descriptive name for the TSIG key, such as availgroup.

      2. In Algorithm and Length, choose the desired cryptographic algorithm based on the needs of your system. (We recommend hmac-sha256 and at least 256.)

      3. In Key Type, either manually enter a key (or secret key), or select Auto-Generate.

      When you're done, click Add.

  7. Add the BDDS server that will host a Gateway node from the Availability group to your Servers list. (If you're using separate BDDSes for the Primary and Secondary node, repeat this for every BDDS that will host a Gateway node):
    1. Click the Servers tab in the banner at the top to open the Servers list.

    2. Click the New button, then set the following options for the new server:
      • In Profile, select the model of BDDS server that you're using.

      • In Name, enter a name for the server.

      • In Management Interface, enter the IP address of the server.

      • In Hostname, enter the name of the server, and make sure the Connect to server checkbox is selected.

      • In Password, enter the password for the server.

      • Under Additional Interfaces, click the Detect Server Settings button. Doing so automatically detects and fills in the server's settings.

      When you're done, click Add.

  8. Click the DNS tab in the banner at the top, then click the Deployment Options tab.

  9. Add a deployment option that allows for dynamic DNS updates by Availability groups on the BDDS that you added earlier. To do so, under Deployment Options, click the New button, select DNS Option, then set the following settings:

    • In Option, make sure that Allow Dynamic Updates is selected.

    • Associate this permission with the new TSIG key:

      1. In the parameter type (the list box that displays IP Address or Name by default), select Key.

      2. Select the new TSIG key that you just created.

      3. Click Add. (Leave the Exclusion checkbox empty.)

    • Under Server, select Specific Server, then select the BDDS that you added earlier.

    • When you're done, click Add.

    This process associates the Allow Dynamic Updates permission with your TSIG key and assigns it to a specific BDDS. That is, instances of Gateway that use this key will be allowed to dynamically update DNS host records, a requirement for Availability groups. This permission is assigned to a specific BDDS to ensure that the Gateway instances within the Availability group won't be able to use it on other DNS servers.

  10. Add a deployment option that allows for DNS querying by Availability groups on the BDDS that you added earlier. To do so, under Deployment Options, click the New button, select DNS Option, then set the following settings:

    • In Option, select Allow Query.

    • Allow this permission for any IP address:

      1. Leave the parameter type as IP Address or Name (the default).

      2. For the range, select any.

      3. Click Add. (Leave the Exclusion checkbox empty.)

    • Under Server, select All Servers (if it isn't already selected).

    • When you're done, click Add.

    This process gives query permission to all IP addresses.

  11. Set up a new deployment role as follows:

    1. Click the Deployment Roles tab.

    2. Under Deployment Options, click the New button.

    3. Within the Add DNS Role page, in Server interface, click the Select Server Interface link.

    4. From the list that appears, click the server that you added earlier, then select the server interface you want to use.

  12. Deploy these changes to the BDDS:
    1. Click the Servers tab in the banner at the top, then click the Servers tab within it.

    2. Click the server that represents the BDDS.

    3. Click the server's name at the top (with a down arrow next to it) and select Deploy.

    4. In the Confirm Server Deploy screen, under the Deployment Preference section, select the Force DNS Full Deployment checkbox.

    5. When you're ready, click Yes.

    6. Wait for the deployment to succeed. Address Manager displays a progress bar as the process continues.

Adding Gateway instances to an Availability group

You'll need to open each instance of Gateway and assign them both to the same Availability group, one as a Primary node and the other as a Secondary node. When assigning an instance as the Primary node, you'll also need to configure the Availability group's TSIG key and Failover settings.

Tip: For more details on what to enter for each field in the High availability configuration screen, see High availability configuration settings.

To set up two Gateway instances as an Availability group:
  1. Primary node: Within the Gateway instance that you want to act as a Primary node:
    1. Open the High availability settings for the current instance of BlueCat Gateway (click the Navigator button if necessary, then click Configurations > High availability).

    2. In the bottom right corner, click Create/join group.

      The Create/join group window opens, with an extra selection that lets you choose whether to create a new group or join an existing group.

    3. At the top of the page, make sure that Create new Availability group is selected.

      Doing so will also set the current instance of Gateway as the Primary node.

    4. In Primary IPv4 address, enter the IPv4 address for the primary Gateway node.

    5. In the Availability group section, select the Scheme (http or https), and enter the FQDN (fully-qualified domain name), Port, and FQDN TTL (time to live).

      Make a note of what you select for these fields. Both nodes in an Availability group must have the same FQDN and port. Effectively, the FQDN identifies a specific Availability group if you use multiple groups.

    6. In the TSIG key section, enter the name of the TSIG key (transaction signature key), select an Algorithm, and enter the Secret Key.

      This TSIG key should be the same TSIG key you added to the Availability group's DNS zone for use by the group.

    7. (Optional) In the Failover settings section, edit the Failover settings for your Availability group.

      Note: We do not recommend changing Failover settings from their default values.

    When you're done, click Save to save your changes.

  2. Secondary node: Within the Gateway instance that you want to act as a Secondary node:
    1. Open the Availability group settings for the current instance of BlueCat Gateway (click the Navigator button if necessary, then click Configurations > High availability).

    2. In the bottom right corner, click Create/join group.

      The Create/join group window opens, with an extra selection that lets you choose whether to create a new group or join an existing group.

    3. At the top of the page, select Join existing Availability group.

      Doing so hides the TSIG key and Failover settings. Gateway will set those settings to the same values as the Primary node.

    4. In Secondary IPv4 address, enter the IPv4 address for the secondary Gateway node.

    5. In the Availability group section, select the Scheme (http or https), and enter the FQDN (fully-qualified domain name), Port, and FQDN TTL (time to live).

      Important: Make sure you use the same values as the Primary node that you want to pair with this Gateway instance.

      Effectively, the FQDN identifies a specific Availability group if you use multiple groups.

    When you're done, click Save to save your changes.

    The Secondary Gateway node will attempt to communicate with its Primary node and operate as an Availability group right away. For more details, see How Availability groups work.
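The procedure above leaves the operator holding the same handful of values on two screens (the TSIG key from Address Manager, and the Scheme, FQDN, Port and FQDN TTL that both nodes must share) with no place to confirm they agree before the Secondary tries to join. The following pre-flight check is an added example, not BlueCat's code and not part of this guide. It compares the two nodes' Availability group settings, checks the TSIG key against the guide's hmac-sha256 / at-least-256-bit recommendation, and builds the nsupdate(8) script an operator could run from a node to confirm that the BDDS accepts that key for dynamic updates of the group's FQDN (the Allow Dynamic Updates option from step 9). The host names, addresses, key name and secret are constructed sample values; the assumption that the FQDN sits directly under the zone, and that the published A record uses the FQDN TTL, are this example's own.

```python
"""Pre-flight consistency check for a BlueCat Gateway Availability group pair.

Added example, not BlueCat code. All names, addresses and the secret are
constructed sample values.
"""
import base64
import binascii
from dataclasses import dataclass

# Algorithms the example accepts and the minimum secret size in bits. The
# hmac-sha256 / 256 entry mirrors the guide's recommendation; the larger
# algorithms are this example's own choice (secret at least the digest size).
TSIG_MIN_BITS = {"hmac-sha256": 256, "hmac-sha384": 384, "hmac-sha512": 512}


@dataclass(frozen=True)
class TsigKey:
    name: str        # the Name entered in Address Manager, e.g. availgroup
    algorithm: str   # the Algorithm selected there
    secret: str      # the secret key, base64 as Address Manager shows it


@dataclass(frozen=True)
class NodeSettings:
    role: str        # "primary" or "secondary"
    ipv4: str        # Primary/Secondary IPv4 address field
    scheme: str      # "http" or "https"
    fqdn: str        # Availability group FQDN
    port: int        # Availability group port
    fqdn_ttl: int    # FQDN TTL, seconds


def check_tsig_key(key: TsigKey) -> list:
    """Return a list of problems with the TSIG key (empty list means OK)."""
    problems = []
    algo = key.algorithm.lower()
    if algo not in TSIG_MIN_BITS:
        return [f"unsupported or weak algorithm: {key.algorithm}"]
    try:
        raw = base64.b64decode(key.secret, validate=True)
    except (binascii.Error, ValueError):
        return ["secret is not valid base64"]
    bits = len(raw) * 8
    if bits < TSIG_MIN_BITS[algo]:
        problems.append(f"secret is {bits} bits; {algo} should use at least "
                        f"{TSIG_MIN_BITS[algo]}")
    return problems


def check_pair(primary: NodeSettings, secondary: NodeSettings) -> list:
    """Return mismatches between the two nodes' Availability group settings.

    The guide requires the same FQDN and port on both nodes; this example also
    insists on the same scheme and TTL, since the Secondary is told to enter
    the same values as the Primary for all four fields."""
    problems = []
    if (primary.role, secondary.role) != ("primary", "secondary"):
        problems.append("roles must be one primary and one secondary")
    for field in ("scheme", "fqdn", "port", "fqdn_ttl"):
        a, b = getattr(primary, field), getattr(secondary, field)
        if a != b:
            problems.append(f"{field} differs: primary={a!r} secondary={b!r}")
    if primary.ipv4 == secondary.ipv4:
        problems.append("both nodes have the same IPv4 address")
    if primary.scheme not in ("http", "https"):
        problems.append(f"scheme must be http or https, got {primary.scheme!r}")
    return problems


def zone_for(fqdn: str) -> str:
    """Assumes the FQDN is a host directly under the zone: gw.example.com -> example.com."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[1:]) + "."


def nsupdate_script(dns_server: str, key: TsigKey, node: NodeSettings) -> str:
    """Build an nsupdate script that (re)publishes the group FQDN's A record,
    signed with the TSIG key. `nsupdate <file>` on the node succeeds only if
    the BDDS accepted the key for dynamic updates of that zone."""
    return "\n".join([
        f"server {dns_server}",
        f"key {key.algorithm}:{key.name} {key.secret}",
        f"zone {zone_for(node.fqdn)}",
        f"update delete {node.fqdn} A",
        f"update add {node.fqdn} {node.fqdn_ttl} A {node.ipv4}",
        "send",
        "",
    ])


# Constructed sample data: a 32-byte (256-bit) secret and two matching nodes.
SAMPLE_SECRET = base64.b64encode(bytes(range(32))).decode()
SAMPLE_KEY = TsigKey("availgroup", "hmac-sha256", SAMPLE_SECRET)
PRIMARY = NodeSettings("primary", "10.0.0.11", "https", "gateway.example.com", 443, 30)
SECONDARY = NodeSettings("secondary", "10.0.0.12", "https", "gateway.example.com", 443, 30)

if __name__ == "__main__":
    for label, probs in (("tsig", check_tsig_key(SAMPLE_KEY)),
                         ("pair", check_pair(PRIMARY, SECONDARY))):
        print(f"{label}: {'OK' if not probs else '; '.join(probs)}")
    print(nsupdate_script("10.0.0.53", SAMPLE_KEY, PRIMARY))
```

The generated script contains the secret, so treat the file the way you treat the key itself. The base64 check catches the most common transcription error when a secret is copied between the Address Manager and Gateway screens; the size check flags a secret that is syntactically fine but shorter than the guide recommends.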