vRA 7.3 High Availability and Load-balancing – Configuration Iteration
These are my concentrated notes on the vRA distributed architecture. There might be a plethora of notes on the Internet around this topic, but I find that having a single note one can go back to in order to refresh one's memory is very much needed.
- FQDNs: create static DNS A records for all appliances and VIPs.
- A highly available MSSQL setup with MSDTC enabled (allow remote clients/administrator on all) on all cluster nodes; the service account should have sysadmin rights on the instance.
- vRA with vRO appliances (2 minimum) -> active/active (load balanced).
- IaaS Servers:
  - Don't clone a base machine, as with MSDTC enabled it gets touchy.
  - Make sure the service account has local admin rights and is configured to run as a service; eventually you will be running the agent installation using this account.
  - Provide internet access to the VMs, unless you want to install the JRE and point %JAVA_HOME% at the Java installation directory manually, as those are otherwise part of the installation agent tasks.
  - You can disable the local Windows firewall and UAC, unless you like re-running the vRA installation more than once :-P.
  - Personally, I'd keep the patch level on all of these hosts identical.
  - Web (2 minimum) -> active/active (load balanced).
  - Agent/DEMs (2 minimum) -> active/active (provided that the proxy agent configuration is identical on all DEMs).
  - Managers (2 minimum) -> active/passive with automatic failover (load balanced).
- A load balancer:
  - NSX, or NSX, or NSX (or hey, you can use a physical load balancer ;-)), working in one-arm mode (in-line is supported, but there is no hard requirement for it).
  - Sizing for the NSX ESG -> not Compact ;-).
  - 1 VIP for vRA/vRO:
    - Profile:
      - HTTPS.
      - SSL passthrough.
      - Source IP persistence with expiry set to 1800.
    - Health Monitor:
      - Interval 3.
      - Timeout 10.
      - Max retries 10.
      - Type HTTPS.
      - Expected code -> 204.
      - Method -> GET.
      - URL points towards /vcac/services/api/health.
    - Pool:
      - Algorithm -> RoundRobin.
      - When adding members use port 443.
      - Assign the configured health monitor.
  - 1 VIP for IaaS Managers:
    - Profile:
      - HTTPS.
      - No persistence.
    - Health Monitor:
      - Interval 3.
      - Timeout 10.
      - Max retries 3.
      - Type HTTPS.
      - Method -> GET.
      - URL points towards /VMPSProvision.
      - Receive -> ProvisionServer.
    - Pool [1]:
      - Algorithm -> RoundRobin.
      - When adding members use port 443.
      - Assign the configured health monitor.
    - Pool [2] Remote Console:
      - Algorithm -> RoundRobin.
      - When adding members use port 8444 with the monitor port set to 443.
      - Assign the configured health monitor.
  - 1 VIP for IaaS Web Servers:
    - Profile:
      - HTTPS.
      - SSL passthrough.
      - Source IP persistence with expiry set to 1800.
    - Health Monitor:
      - Interval 3.
      - Timeout 10.
      - Max retries 3.
      - Type HTTPS.
      - Method -> GET.
      - URL points towards /wapi/api/status/web.
      - Receive -> REGISTERED.
    - Pool:
      - Algorithm -> RoundRobin.
      - When adding members use port 443.
      - Assign the configured health monitor.
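The three health monitors above can be exercised against each pool member before they are enabled on the load balancer, which is handy when checking why a node keeps getting marked down. This is an added example, not VMware's or NSX's code: it encodes the monitor settings from these notes and applies the same pass and retry semantics; the hostnames are placeholders, and the probe function is pluggable so the logic can be checked offline with constructed responses.

```python
import ssl, time, urllib.request
from urllib.error import HTTPError, URLError
# Monitor definitions copied from the three VIP sections above.
MONITORS = {
    "vra": dict(path="/vcac/services/api/health", expect_code=204, receive=None,
                interval=3, timeout=10, max_retries=10),
    "iaas-manager": dict(path="/VMPSProvision", expect_code=None,
                         receive="ProvisionServer", interval=3, timeout=10, max_retries=3),
    "iaas-web": dict(path="/wapi/api/status/web", expect_code=None,
                     receive="REGISTERED", interval=3, timeout=10, max_retries=3),
}

def probe_https(host, path, timeout, port=443):
    """GET one pool member over HTTPS. VIPs use SSL passthrough, so the node's own
    cert is presented; validation is skipped as the LB does. None status = no answer."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        with urllib.request.urlopen(f"https://{host}:{port}{path}",
                                    timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except HTTPError as err:
        return err.code, err.read().decode(errors="replace")
    except (URLError, OSError):
        return None, ""

def monitor_passes(monitor, status, body):
    """Exact expected code when one is set (vRA wants 204, not 200), otherwise
    any non-error status; plus the receive string when one is set."""
    if status is None:
        return False
    if monitor["expect_code"] is not None and status != monitor["expect_code"]:
        return False
    if monitor["expect_code"] is None and status >= 400:
        return False
    return monitor["receive"] is None or monitor["receive"] in body

def node_healthy(monitor, host, fetch=probe_https, sleep=time.sleep):
    """Down only after max_retries consecutive failures spaced by the interval."""
    for _ in range(monitor["max_retries"]):
        status, body = fetch(host, monitor["path"], monitor["timeout"])
        if monitor_passes(monitor, status, body):
            return True
        sleep(monitor["interval"])
    return False

def check_pools(pools, fetch=probe_https, sleep=time.sleep):
    # pools maps a monitor name to its member hosts (placeholder FQDNs); returns per-host health.
    return {name: {h: node_healthy(MONITORS[name], h, fetch, sleep) for h in hosts}
            for name, hosts in pools.items()}
```

Call `check_pools({"vra": ["vra1.example", "vra2.example"], "iaas-manager": [...], "iaas-web": [...]})` with your own node FQDNs; a node reports False only after the monitor's full retry count has failed, just as the load balancer would mark it down.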
- Installation Wizard (CLICK VALIDATE LIKE YOUR INSTALLATION DEPENDS ON IT ;-)):
  - Select the deployment type (Enterprise, obviously) and preferably select "install Infrastructure as a Service".
  - Configure NTP (super important).
  - Get the agent's MSI and install it on all IaaS servers (use the first appliance when prompted for the vRA appliance information).
  - Back in the installation wizard, all IaaS server nodes with the agent installed should be visible.
  - Choose the IaaS server roles (remember: 2 managers, 2 web, 2 DEM/Agent).
  - Check prerequisites and fix them (again, this requires internet access on the IaaS nodes, as mentioned before).
  - vRA Host -> use the VIP for vRA/vRO management.
  - SSO -> set a password for the new vsphere.local domain.
  - IaaS Host -> use the IaaS Web and IaaS Manager VIPs, and use a secure password for the database passphrase.
  - MSSQL Server -> enter the listener name of the highly available instance and follow along (the steps depend on whether the database was pre-created or you want to create a new one).
  - Web Role -> you can either settle for the default web site virtual directory or create one of your own, but that has no advantage; also make sure to use the service account that was already configured for local admin and run as a service.
  - Manager Service Role -> select which node is going to be active; the passive one is determined automatically. Also make sure to use the service account that was already configured for local admin and run as a service.
  - DEMs -> make sure to use the service account that was already configured for local admin and run as a service.
  - Agents -> make sure to use the service account that was already configured for local admin and run as a service. It's very important here to make sure that the agent name and endpoint name (this is to remember, of course) are identical for both hosts. In addition, you can add additional agent configurations for both hosts if you have different vCenter Servers at that point in time.
  - vRA Certificates -> either generate a self-signed certificate, or use your own signed certificates (certgen tool).
  - Web Certificate -> either generate a self-signed certificate, or use your own signed certificates (certgen tool).
  - Manager Certificate -> either generate a self-signed certificate, or use your own signed certificates (certgen tool).
  - Load Balancers -> read the note shown on this page and make sure that only the nodes listed there are active on the load balancer, and that the health monitors are disabled (just during the installation).
  - Validation -> although we've validated things on each and every window, this runs again to validate all settings and will take some time.
  - Snapshots -> create snapshots of everything in case this fails in a hectic way and you need to redo everything.
  - Installation Details -> hit install, leave it, go watch a movie, eat, or do anything that keeps you away for at least 1 hour ;-).
  - Licensing -> enter the license key.
  - Telemetry -> to participate or not to participate, it's your choice.
  - Post-Installation Options -> don't configure initial content, as you will obviously want to create your own stuff in your production environment.
  - Enable the disabled nodes in the load balancer, enable the health monitors and finally MAKE SURE YOU DELETE THE SNAPSHOTS!
The next step is to continue with the initial configuration to the point where you're using all components, and afterwards conduct availability testing to make sure that every component behaves as expected.
References: https://docs.vmware.com/en/vRealize-Automation/index.html
Thank you,
(Abdullah)^2