Load-balancing Orchestrator

In this recipe, we will build a load-balancer and discuss the situation with certificates as well.

Getting ready

Here, we will be using VMware NSX, but the same methods apply to all load-balancers. So, for this recipe you need VMware NSX. If you don't have a license for NSX, check out F5 Networks, who have a trial program, or the Apache load-balancer. Alternatively, you could also use Nginx; see https://kb.vmware.com/kb/2058674.

The NSX appliance needs to be deployed along with the controllers. If you need some help with that, check out these YouTube videos:

No VXLANs or any fancy configuration is needed.

How to do it...

I split this recipe into several parts for easier reading; execute them in sequence.

Creating a new NSX Edge

If you don't have an NSX Edge yet, let's get one running:

  1. Log in to vCenter and click on Network Security and then on NSX Edges.
  2. Click on the green plus sign to create a new NSX Edge.
  3. We can run with the defaults mostly, just change the settings I point out. Give the NSX Edge a name such as vROCluster and click Next.
  4. Set a new password and click Next.
  5. Click on the green plus sign to add some settings for the new Edge. You need to define the cluster, the datastore, the host, and the VM folder that the new Edge VM should live in. Click Next.
  6. Click on the green plus sign to create a new interface, basically the IP that the load-balancer will be working on. Specify the load-balancer IP and the network you want to connect to. Make sure it's an Uplink. Click on OK:

    Creating a new NSX Edge

  7. You can untick the Configure Default Gateway option and click Next.
  8. Tick Configure Firewall default policy and switch it to Accept. Click Next.
  9. Finish the wizard and wait until the Edge is deployed.

Configuring the load-balancer

This enables the basic load-balancing functionality:

  1. From where we have left off, double-click on the new Edge. You are now redirected to the Edge and can configure it.
  2. Click on Load Balancer and then on Global Configuration.
  3. Click on Edit (on the right side) and tick Enable Load Balancer. Click OK.

Dealing with SSL certificates

Set how you want to deal with the certificates (see the How it works... section for more information). We will be setting up SSL passthrough in this example:

  1. Now select Application Profiles and click on the green plus sign.
  2. Give the policy a name and set it to HTTPS.
  3. Ticking Enable SSL Passthrough will be okay for this example; depending on what you would like to do, you can also untick it and go with SSL offload. Leave the rest as the defaults. Click OK.

    Dealing with SSL certificates

Monitors - health checks

Create a new health check for the Orchestrator services. The health of a node is captured in https://[VRO FQDN]:8281/vco/api/healthstatus:

  1. Select Service Monitoring and click on the green plus sign (see the previous screenshot, A).
  2. Enter a name for the check. VMware's recommended settings are captured in the previous screenshot and in the table in the How it works... section.

Configure pools

This configures what VMs belong to the load balancing setup:

  1. Select Pools and click on the green plus sign.
  2. Enter a name for the new pool and select the monitor that you created in step 2 of the Monitors - health checks section.
  3. Click on the green plus sign to add the first member of our pool.
  4. Give the pool member a name (best to give it the VM name) and then fill in its IP and port 8281 for both Port and Monitor Port. Click on OK and then add the next member. Click on OK when finished:

    Configure pools

Virtual server

This is the interface that a client will connect to:

  1. Select Virtual Servers and click on the green plus sign.
  2. Enter a new name for the service and give it the IP of the frontend you selected in step 6 of the Creating a new NSX Edge section.
  3. Set the Protocol to HTTPS and enter 8281 as Port.
  4. Assign this virtual server to use the pool you created in step 2 of the Configure pools section and click OK:

    Virtual server

Done

You have finished configuring the NSX load-balancer. You should now be able to connect to it using the frontend IP you assigned in step 6 of the Creating a new NSX Edge section: https://192.168.220.22:8281/vco/.

How it works...

Load-balancing is a method by which a central unit (the load-balancer) is contacted by the user instead of one of the Orchestrator installations. The load-balancer has two functions. The first is to check the availability of the underlying Orchestrators; for that, the load-balancer checks each Orchestrator's health status by contacting https://[vro]:8281/vco/api/healthstatus. If the Orchestrator service is alive, it responds with the following:

<node-status xmlns="http://www.vmware.com/vco">
  <state>RUNNING</state>
  <health-status state="OK" time="1463231814183"/>
  <instance-id>9d40b766-e278-4f6c-8fa1-ab143d5b73e7</instance-id>
</node-status>

The other function of a load-balancer is to forward the connection request to one of the active Orchestrator nodes. The method we should use for this with Orchestrator is called Round-Robin, which will give a connection to the next available Orchestrator node. For example, if there are three active Orchestrators (vro1, vro2, and vro3) then the first request will be given to vro1, the next one to vro2, then to vro3, and then again to vro1, and so on.

The following settings are usable for all load-balancers. The settings may be called something slightly different, but they all function in the same way:

Setting                    Value
-------------------------  -------------------------
Health check protocol      HTTPS
Health check link          GET /vco/api/healthstatus
Health check return        RUNNING
Health check interval      3 sec
Health check timeout       9 sec
Health check max retries   3
Load-balancing mechanism   Round-Robin
Load-balancing port        8281
SSL certificate            Offload or passthrough
SSL persistency            None
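The health check and the Round-Robin distribution described above can be reproduced outside NSX, which is useful for verifying from a monitoring host that each node really answers RUNNING on /vco/api/healthstatus with the interval, timeout and retry values from the table. The following Python script is an added example, not code from the book or from VMware: the node names are hypothetical, the two sample healthstatus documents are constructed (the first mirrors the response shown above, the second is an invented non-running state), and the probe keeps certificate verification on, so point cafile at the CA or VMCA certificate if the nodes do not use publicly trusted certificates.

```python
import itertools
import ssl
import time
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Recommended settings from the table above.
HEALTH_PATH = "/vco/api/healthstatus"
PORT = 8281
INTERVAL_SEC = 3
TIMEOUT_SEC = 9
MAX_RETRIES = 3
VCO_NS = "{http://www.vmware.com/vco}"  # namespace of the node-status document

# Constructed sample responses. The first is shaped like the document shown above;
# the second is an invented "not running" state used only to exercise the parser.
SAMPLE_RUNNING = b"""<node-status xmlns="http://www.vmware.com/vco">
<state>RUNNING</state>
<health-status state="OK" time="1463231814183"/>
<instance-id>9d40b766-e278-4f6c-8fa1-ab143d5b73e7</instance-id>
</node-status>"""

SAMPLE_NOT_RUNNING = b"""<node-status xmlns="http://www.vmware.com/vco">
<state>STOPPED</state>
<health-status state="FAILED" time="1463231814183"/>
</node-status>"""


def parse_health(body: bytes) -> bool:
    """True only when <state> is RUNNING (the 'health check return' in the table).
    A body that is not well-formed XML, or whose health-status attribute is present
    but not OK, counts as unhealthy instead of raising."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    if root.findtext(VCO_NS + "state") != "RUNNING":
        return False
    health = root.find(VCO_NS + "health-status")
    return health is None or health.get("state") == "OK"


def https_get(fqdn: str, cafile: str = None) -> bytes:
    """Fetch the healthstatus document over HTTPS with certificate verification on."""
    ctx = ssl.create_default_context(cafile=cafile)
    url = f"https://{fqdn}:{PORT}{HEALTH_PATH}"
    with urllib.request.urlopen(url, timeout=TIMEOUT_SEC, context=ctx) as resp:
        return resp.read()


def probe_node(fqdn: str, fetch=https_get, sleep=time.sleep) -> bool:
    """Retry policy from the table: a node is declared down only after MAX_RETRIES
    consecutive failed checks, spaced INTERVAL_SEC apart. A connection error and a
    non-RUNNING answer are both failed checks."""
    for attempt in range(1, MAX_RETRIES + 1):
        try:
            if parse_health(fetch(fqdn)):
                return True
        except (OSError, urllib.error.URLError):
            pass
        if attempt < MAX_RETRIES:
            sleep(INTERVAL_SEC)
    return False


class RoundRobinPool:
    """Round-Robin over the pool members, skipping those whose last probe failed."""

    def __init__(self, members):
        self.members = list(members)
        self.healthy = {m: True for m in self.members}
        self._cycle = itertools.cycle(self.members)

    def refresh(self, fetch=https_get, sleep=time.sleep):
        """Probe every member and return the resulting health map."""
        for m in self.members:
            self.healthy[m] = probe_node(m, fetch, sleep)
        return dict(self.healthy)

    def next_member(self):
        """Next healthy member in Round-Robin order, or None when all are down."""
        for _ in self.members:
            m = next(self._cycle)
            if self.healthy[m]:
                return m
        return None


if __name__ == "__main__":
    # Hypothetical node names; replace them with your Orchestrator FQDNs.
    pool = RoundRobinPool(["vro1.example.test", "vro2.example.test", "vro3.example.test"])
    print(pool.refresh())
    for _ in range(4):
        print("next:", pool.next_member())
```

Running the script against real nodes needs network access; the `fetch` and `sleep` parameters exist so the retry and Round-Robin logic can be exercised offline with canned responses.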

SSL certificates and load-balancing

All connections to Orchestrator use HTTPS and SSL certificates, so we need to discuss this. The problem is as follows: each time the load-balancer forwards a connection to one of the Orchestrators, the client is presented with that node's certificate, which differs from node to node.

There are basically three methods to deal with this.

SSL passthrough

This is the default for most load-balancers. The certificate of the underlying Orchestrator is passed to the connecting user. If the certificate is CA signed and trusted by the connecting computer, then this works quite well. If you are using self-signed certificates that are not trusted by the connecting computer, the connection must be approved each time, which can lead to a lot of problems.

If you use a VMCA-signed certificate, this can work very well. (See the Use VMCA generated certificate section in the recipe Configuring the Orchestrator service SSL certificate in Chapter 2, Optimizing Orchestrator Configuration.)

SSL SAN (SSL passthrough)

You can create an SSL certificate with alternative names, so-called SAN (Subject Alternative Name). The certificate contains not only one FQDN and/or IP, but multiple ones. The load-balancer is configured for passthrough and the connecting client gets a certificate that is valid for not only one Orchestrator node but multiple ones.

See the There's more... section of the recipe Configuring the Orchestrator service SSL certificate in Chapter 2, Optimizing Orchestrator Configuration.

SSL offload

This mode is not supported by all load-balancers. Offloading means that the load-balancer will trust each Orchestrator certificate but will present its own certificate to the connecting computer. Using this method, you can use self-signed untrusted certificates on the Orchestrator and use one single trusted CA certificate on the load-balancer:

SSL offload
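Before clients are pointed at the virtual server, it is worth confirming which of the three models above the load-balancer is actually applying, because a misconfigured passthrough shows clients a different certificate on every connection. The following Python script is an added example, not code from the book or from VMware: it fingerprints the leaf certificate served by the virtual server on several connections and by each node directly, then classifies the result. Host names are hypothetical placeholders, and the classification assumes that in the SAN variant the same certificate is installed on every node.

```python
import hashlib
import ssl

PORT = 8281  # load-balancing port from the table above


def cert_fingerprint(host: str, port: int = PORT) -> str:
    """SHA-256 fingerprint of the leaf certificate presented by host:port.
    Deliberately no verification: we want to see what is served, trusted or not."""
    pem = ssl.get_server_certificate((host, port))
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def classify_ssl_mode(vip_fps, node_fps):
    """Decide which certificate model the load-balancer applies.

    vip_fps : fingerprints observed on repeated connections to the virtual server
    node_fps: {node name: fingerprint} from connecting to each node directly
    """
    seen_at_vip = set(vip_fps)
    node_certs = set(node_fps.values())
    if not seen_at_vip:
        raise ValueError("no observations from the virtual server")
    if len(seen_at_vip) == 1 and seen_at_vip.isdisjoint(node_certs):
        return "offload"          # the load-balancer presents its own single certificate
    if seen_at_vip <= node_certs:
        if len(node_certs) == 1:
            return "passthrough-san"  # one shared (SAN) certificate on every node
        return "passthrough"      # clients see a different certificate per node
    return "unknown"              # a mixture: investigate before going live


def survey(vip, nodes, samples=6, fingerprint=cert_fingerprint):
    """Collect observations and classify them. `fingerprint` is injectable so the
    decision logic can be exercised without a network."""
    vip_fps = [fingerprint(vip) for _ in range(samples)]
    node_fps = {n: fingerprint(n) for n in nodes}
    return classify_ssl_mode(vip_fps, node_fps), vip_fps, node_fps


if __name__ == "__main__":
    # Hypothetical names; replace with the virtual server IP/FQDN and your nodes.
    mode, vip_fps, node_fps = survey("vro-lb.example.test",
                                     ["vro1.example.test", "vro2.example.test"])
    print("mode:", mode)
    print("virtual server presented:", sorted(set(vip_fps)))
    print("nodes present:", node_fps)
```

Each call to ssl.get_server_certificate opens a fresh connection, so with Round-Robin the samples from the virtual server land on different nodes; "passthrough" with several distinct fingerprints is exactly the situation that causes the certificate warnings discussed above.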

Load-balanced Orchestrator cluster with vSphere Web Client

One of the very cool features of the vSphere Web Client is that you can execute Orchestrator workflows directly from it. When you are using a load-balanced Orchestrator cluster, you will need to register the load-balanced address instead of any single Orchestrator:

  1. Execute the recipe Connecting to vCenter in Chapter 1, Installing and Configuring Orchestrator, for both Orchestrator servers. Make sure you enter the FQDN or IP of your Orchestrator cluster you created in step 6 of the Creating a new NSX Edge section as the external address (see the following screenshot):

    Load-balanced Orchestrator cluster with vSphere Web Client

  2. Log in to vCenter with an administrator account.
  3. Go to vRealize Orchestrator. In vRO Home, click on Manage, and under Server, select your vCenter. Your Orchestrator cluster should already be set up here. If not, continue this recipe.
  4. Click on Edit Configuration and enter the FQDN or IP of the Orchestrator Cluster you created in step 6 of Creating a new NSX Edge section.
  5. Click on Test Connection to check whether the connection is working, then click OK.
  6. Click on the workflows in the inventory list to see whether the inventory is loading; if that is not the case you need to check your SSO registration of your Orchestrator. See the recipe Connecting to vCenter in Chapter 1, Installing and Configuring Orchestrator.

    Load-balanced Orchestrator cluster with vSphere Web Client

See also

Load balancing Orchestrator with F5: kb.vmware.com/kb/2118472.

F5 trial license: https://www.f5.com/trial.

VMware NSX product overview and Hands on Lab: http://www.vmware.com/products/nsx/.
