Setting up an Availability group - Platform - BlueCat Gateway - 25.3.0

Gateway Administration Guide


In general, when you set up a pair of Gateway instances as an Availability group, you'll do the following:

  • Check your network for prerequisites: Make sure that your network environment and infrastructure allow for Availability groups

  • Set up a TSIG (Transaction Signature) key: You must set up a TSIG key to be used by both Gateway instances

  • Add the Gateway instances to the Availability group: When you have a TSIG key available, you can add instances to an Availability group pair, using one as a Primary node and the other as a Secondary. 

Making sure that your network environment supports Availability groups

Before starting, check the list of Availability group limitations and requirements to make sure that your system can support this feature. (See Gateway High Availability requirements and limitations.) In particular:

  • Make sure your system uses a DNS Server, such as a BlueCat DNS/DHCP Server (BDDS).

  • There must be an SOA (start of authority) record that indicates which DNS server is authoritative for the Availability group's address. Make sure that both Gateway nodes can resolve the SOA record on your DNS server.
  • Make sure your system has and uses an NTP time server, so that both Availability group nodes and the DNS server can use the same date and time source.

Setting up a BDDS as the DNS server for an Availability group

Availability groups require use of a DNS server that is accessible to both Gateway nodes. We recommend a BlueCat DNS/DHCP Server (BDDS), configurable from BlueCat Address Manager (BAM).

In general, you will do the following in Address Manager:

  • Set up a new View and Zone for the BDDS.

  • Create a new TSIG key for the Server.

  • Add the BDDS to Address Manager's Server List.

  • Set up the BDDS to allow for dynamic DNS updates by users authorized for the TSIG key.

  • Set up the BDDS to allow for DNS queries by Availability groups.

  • Set up a deployment role and deploy those changes to the BDDS.

To set up a BDDS as the DNS server for an Availability Group when using Address Manager v25.1 or later:
  1. If necessary, within Address Manager, select the configuration you want to use from the Configurations drop-down list in the top right corner.

  2. Within Address Manager, in the navigator on the left, click DNS, then click Views.

  3. Create the DNS View that you'll use for the BDDS in BAM:
    1. On the Views page, click New.

    2. Configure the new View as desired, then click Create.

  4. Click the new view to open it.

  5. Within the view, create a new zone for the BDDS:
    1. From within the Views list, click the Zones tab, then click New.

    2. Configure the new zone:
      1. In Name, enter a name for the new zone.

      2. In Source of template, select From View.

      3. Make sure the Allow this zone to be deployable checkbox is selected.

      When you're done, click Create.

  6. Add the BDDS server that will host a Gateway node from the Availability group to your Servers list. (If you're using separate BDDSes for the Primary and Secondary node, repeat this for every BDDS that will host a Gateway node):
    1. In the navigator on the left, click Servers, then click Servers.

    2. Click New, then click Server. Within the Server tab of the Create new server window, set the following options for the new server:
      • In Profile, select the model of BDDS server that you're using.

      • In Name, enter a name for the server.

      • In Hostname, enter the name of the server.

      • In Management address, enter the IP address of the server, and make sure the Connect to server checkbox is selected.

      • In Password, enter the password for the server.

      • Click the Interfaces tab, then click Detect Server Settings. Doing so automatically detects and fills in the server's settings.

      When you're done, click Create.

  7. Create a new TSIG key for the Server:
    1. In the navigator on the left, click Global, then click Configurations. Within the Configurations list, click the Configuration that will be used by Gateway.

    2. Click the TSIG Keys tab.
    3. Under TSIG Keys, click New, then set the following options for the new TSIG key:
      1. In Name, enter a short descriptive name for the TSIG key, such as availgroup.

      2. In Algorithm and Length, choose the desired cryptographic algorithm based on the needs of your system. (We recommend hmac-sha256 and at least 256.)

      3. To automatically generate a key (or secret key), make sure Auto-generate secret is selected.

        Or, to manually enter a key (or secret key), clear Auto-generate secret, then enter the key in the Secret box that appears.

      When you're done, click Create.

  8. In the navigator on the left, click DNS, then click Views.

  9. Under Go to zone on the left, click the view, then click the zone that you created earlier, then click the Deployment options tab.

  10. Add a deployment option that allows for dynamic DNS updates by Availability groups on the BDDS that you added earlier. To do so, click New, select DNS Option, then set the following settings in the General tab:

    • In Name, make sure that Allow Dynamic Updates is selected.

    • Associate this permission with the new TSIG key:

      1. In Type, select TSIG Key.

      2. In TSIG key, click the selection and browse to the new TSIG key that you created earlier.

      3. Leave the Exclude checkbox empty.

    • Click the Servers tab, then in Server scope, select Server. In the Server selection box that appears, select the BDDS that you added earlier.

    • When you're done, click Create.

    This process associates the Allow Dynamic Updates permission with your TSIG key and assigns it to a specific BDDS. That is, instances of Gateway that use this key will be allowed to dynamically update DNS host records, a requirement for Availability groups. This permission is assigned to a specific BDDS to ensure that the Gateway instances within the Availability group won't be able to use it on other DNS servers.

  11. Set up a new deployment role as follows:

    1. Click the Deployment Roles tab.

    2. Under Deployment roles, click New.

    3. In the Create DNS deployment role page, in Server interface, click the Find an interface box. From the list that appears, click the server that you added earlier, then select the server interface you want to use.

  12. Deploy these changes to the BDDS:
    1. In the navigator on the left, click Servers, then click Servers.

    2. Click the server that represents the BDDS.

    3. Click the down arrow next to the server's name at the top and select Deploy.

    4. In the Deploy Server window, click the Deployment Preference tab, then make sure that the Force DNS Full Deployment checkbox is ticked.

    5. When you're ready, click Deploy.

    6. Wait for the deployment to succeed. Address Manager displays a progress bar as the deployment proceeds.

To set up a BDDS as the DNS server for an Availability Group when using Address Manager v9.6.x or earlier:
  1. If necessary, within Address Manager, select the configuration you want to use from the Configurations drop-down list in the top right corner.

  2. Within Address Manager, click the DNS tab in the banner at the top.

  3. Create the DNS View that you'll use for the BDDS in BAM:
    1. Click the Views tab.

    2. Under DNS Views, click the New button, then select View.

    3. Configure the new View as desired, then click Add.

  4. Click the new view to open it.

  5. Within the view, create a new zone for the BDDS:
    1. From within the Views list, click the New button.

    2. Configure the new zone:
      1. In Name, enter a name for the new zone.

      2. In Template, select From View.

      3. Make sure the Deployable checkbox is selected.

      Click the Add button when you're done.

  6. Create a new TSIG key for the Server:
    1. Click the Servers tab in the banner at the top, then click the TSIG Keys tab.

    2. Under TSIG Keys, click the New button, then set the following options for the new TSIG key:
      1. In Name, enter a short descriptive name for the TSIG key, such as availgroup.

      2. In Algorithm and Length, choose the desired cryptographic algorithm based on the needs of your system. (We recommend hmac-sha256 and at least 256.)

      3. In Key Type, either manually enter a key (or secret key), or select Auto-Generate.

      When you're done, click Add.

  7. Add the BDDS server that will host a Gateway node from the Availability group to your Servers list. (If you're using separate BDDSes for the Primary and Secondary node, repeat this for every BDDS that will host a Gateway node):
    1. Click the Servers tab in the banner at the top to open the Servers list.

    2. Click the New button, then set the following options for the new server:
      • In Profile, select the model of BDDS server that you're using.

      • In Name, enter a name for the server.

      • In Management Interface, enter the IP address of the server.

      • In Hostname, enter the name of the server, and make sure the Connect to server checkbox is selected.

      • In Password, enter the password for the server.

      • Under Additional Interfaces, click the Detect Server Settings button. Doing so automatically detects and fills in the server's settings.

      When you're done, click Add.

  8. Click the DNS tab in the banner at the top, then click the Deployment Options tab.

  9. Add a deployment option that allows for dynamic DNS updates by Availability groups on the BDDS that you added earlier. To do so, under Deployment Options, click the New button, select DNS Option, then set the following settings:

    • In Option, make sure that Allow Dynamic Updates is selected.

    • Associate this permission with the new TSIG key:

      1. In the parameter type (the list box that displays IP Address or Name by default), select Key.

      2. Select the new TSIG key that you just created.

      3. Click Add. (Leave the Exclusion checkbox empty.)

    • Under Server, select Specific Server, then select the BDDS that you added earlier.

    • When you're done, click Add.

    This process associates the Allow Dynamic Updates permission with your TSIG key and assigns it to a specific BDDS. That is, instances of Gateway that use this key will be allowed to dynamically update DNS host records, a requirement for Availability groups. This permission is assigned to a specific BDDS to ensure that the Gateway instances within the Availability group won't be able to use it on other DNS servers.

  10. Add a deployment option that allows for DNS querying by Availability groups on the BDDS that you added earlier. To do so, under Deployment Options, click the New button, select DNS Option, then set the following settings:

    • In Option, select Allow Query.

    • Allow this permission for any IP address:

      1. Leave the parameter type as IP Address or Name (the default).

      2. For the range, select any.

      3. Click Add. (Leave the Exclusion checkbox empty.)

    • Under Server, select All Servers (if it isn't already selected).

    • When you're done, click Add.

    This process gives query permission to all IP addresses.

  11. Set up a new deployment role as follows:

    1. Click the Deployment Roles tab.

    2. Under Deployment Options, click the New button.

    3. Within the Add DNS Role page, in Server interface, click the Select Server Interface link.

    4. From the list that appears, click the server that you added earlier, then select the server interface you want to use.

  12. Deploy these changes to the BDDS:
    1. Click the Servers tab in the banner at the top, then click the Servers tab within it.

    2. Click the server that represents the BDDS.

    3. Click the server's name at the top (with a down arrow next to it) and select Deploy.

    4. In the Confirm Server Deploy screen, under the Deployment Preference section, select the Force DNS Full Deployment checkbox.

    5. When you're ready, click Yes.

    6. Wait for the deployment to succeed. Address Manager displays a progress bar as the process continues.

Adding Gateway instances to an Availability group

You'll need to open each instance of Gateway and assign them both to the same Availability group, one as a Primary node and the other as a Secondary node. When assigning an instance as the Primary node, you'll also need to configure the Availability group's TSIG key and Failover settings.

Tip: For more details on what to enter for each field in the High availability configuration screen, see High availability settings.

To set up two Gateway instances as an Availability group:

First, set up the Primary node:

  1. Log in to the Gateway instance that you want to act as a Primary node.

  2. Open the High availability settings. (Click Settings at the bottom of the navigator on the left, then click High availability.)

  3. At the top of the page, click Create availability group.

  4. Click Availability group on the left, then fill in the following settings:

    • Primary IPv4 address: The IPv4 address for the primary Gateway node.

    • Scheme: The protocol for the network where the availability group will be hosted (http or https).

    • FQDN: The fully-qualified domain name (FQDN) for the availability group. Effectively, the FQDN identifies a specific Availability group when you use multiple groups.

    • Port: The port to use for communications with the availability group.

    • FQDN TTL: The time to live (TTL) for the availability group, in seconds. This tells a DNS resolver how long to cache the answer to a query before requesting a new one. By default, this is 60.

    Important: Make a note of what you select for these fields. Both the Primary and Secondary nodes in an Availability group must have the same FQDN and port.
  5. Click TSIG key on the left, then fill in the following settings:

    • Key name: The name of the TSIG key (transaction signature key).

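    • Algorithm: Select the TSIG algorithm (for example, hmac-sha256) to use for communications with the Availability group. TSIG uses this algorithm to sign and authenticate messages, not to encrypt them.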

    • Secret: Enter the secret key for the Availability group.

    Note: The TSIG key settings should match the TSIG key that you added to the Availability group's DNS zone for use by the group.
  6. Click Failover settings on the left, then fill in the following settings:

    • Heartbeat interval (seconds): The time between health reports sent by the Primary Gateway instance. By default, this is 20.

    • Standby check interval (seconds): The time between checks made by the Secondary Gateway instance to see if the Primary instance is still active. By default, this is 30.

    • Failover period (seconds): How long the Secondary Gateway instance waits after a heartbeat before deciding that the Primary Gateway instance has failed. If the timeout is exceeded, the Secondary instance attempts to take over. By default, this is 60.

      Tip: We recommend that the Failover period be a multiple of the Standby check interval.
    Note: If possible, we recommend leaving Failover settings at their default values.
  7. When you're done, click Create to create the Availability group and set the current node as the primary node.

Then, set up the Secondary node:

  1. Log in to the Gateway instance that you want to act as a Secondary node.

  2. Open the Availability group settings for the current instance of BlueCat Gateway. (Click Settings at the bottom of the navigator on the left, then click High availability.)

  3. At the top of the page, click Join availability group.

    The Join availability group window opens.

  4. Fill in the following settings, identifying the Availability group that you want this Gateway instance to join:

    • Secondary IPv4 address: The IPv4 address for the secondary Gateway node.

    • Scheme: The protocol for the network where the Availability group is hosted (http or https).

    • FQDN: The fully-qualified domain name (FQDN) for the Availability group. Effectively, the FQDN identifies a specific Availability group when you use multiple groups.

    • Port: The port to use for communications with the Availability group.

    Important: Make sure you use the same Scheme, FQDN, and Port as the Primary node with which you want to pair this Gateway instance.
  5. When you're done, click Join to apply your changes. Or, click Cancel to cancel the operation.

    Gateway attempts to join the specified Availability group as a Secondary node, establishing communications with the Primary node operating as an Availability group. If successful, the current Gateway instance becomes the Secondary node in the group. For more details, see How Availability groups work.
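
The consistency checks this procedure relies on (the TSIG key values entered on the Primary node matching the key created in Address Manager, identical Scheme, FQDN and Port on both nodes, and the Failover period tip) can be run against your planned values before you enter them. This is an added example, not BlueCat code: the dictionary layout, sample addresses, FQDN and port are constructed, and it assumes the TSIG secret is base64 text.

```python
import base64
import ipaddress
import secrets

MIN_SECRET_BITS = 256  # the page recommends hmac-sha256 with a length of at least 256

def generate_tsig_secret(bits=MIN_SECRET_BITS):
    """Random secret for manual entry in the Secret box (assumed to be base64 text)."""
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")

def check_plan(bam_key, primary, secondary):
    """Return a list of problems; an empty list means the planned values are consistent."""
    problems = []
    # The key entered on the Primary node must match the key created in Address Manager.
    for field in ("name", "algorithm", "secret"):
        if primary["tsig"][field] != bam_key[field]:
            problems.append(f"TSIG {field} differs from the Address Manager key")
    try:
        raw = base64.b64decode(bam_key["secret"], validate=True)
        if len(raw) * 8 < MIN_SECRET_BITS:
            problems.append(f"TSIG secret is {len(raw) * 8} bits, below {MIN_SECRET_BITS}")
    except ValueError:  # covers bad padding, non-alphabet and non-ASCII characters
        problems.append("TSIG secret is not valid base64")
    # Both nodes must use the same Scheme, FQDN and Port, but different addresses.
    for field in ("scheme", "fqdn", "port"):
        if primary[field] != secondary[field]:
            problems.append(f"{field} differs between Primary and Secondary")
    if ipaddress.IPv4Address(primary["ipv4"]) == ipaddress.IPv4Address(secondary["ipv4"]):
        problems.append("Primary and Secondary use the same IPv4 address")
    # Tip from the page: Failover period should be a multiple of the Standby check interval.
    timing = primary["failover"]
    if timing["failover_period"] % timing["standby_check"] != 0:
        problems.append("Failover period is not a multiple of the Standby check interval")
    # Inference, not a documented rule: a period no longer than one heartbeat
    # interval would expire between two normal heartbeats.
    if timing["failover_period"] <= timing["heartbeat"]:
        problems.append("Failover period does not exceed the Heartbeat interval")
    return problems

# Constructed sample values (documentation address range, reserved test domain).
COMMON = {"scheme": "https", "fqdn": "gateway-ha.example.test", "port": 443}
BAM_KEY = {"name": "availgroup", "algorithm": "hmac-sha256", "secret": generate_tsig_secret()}
PRIMARY = {**COMMON, "ipv4": "192.0.2.10", "tsig": dict(BAM_KEY),
           "failover": {"heartbeat": 20, "standby_check": 30, "failover_period": 60}}
SECONDARY = {**COMMON, "ipv4": "192.0.2.11"}

if __name__ == "__main__":
    print(check_plan(BAM_KEY, PRIMARY, SECONDARY) or "plan is consistent")
```

The problem messages never include the secret itself, so the output is safe to paste into a change ticket.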