In this recipe, we will build a load-balancer and discuss the situation with certificates as well.
Here, we will be using VMware NSX, but the same methods apply to all load-balancers. So, for this recipe you need VMware NSX. If you don't have a license for NSX, check out F5 Networks, who have a trial program, or the Apache load-balancer. Alternatively, you could also use Nginx; see https://kb.vmware.com/kb/2058674 .
The NSX appliance needs to be deployed along with the controllers. If you need some help with that, check out these YouTube videos:
No VXLANs or any fancy configuration is needed.
I split this recipe into several parts for easier reading; execute them in sequence.
If you don't have an NSX Edge yet, let's get one running:
vROCluster
and click Next.
This enables the basic load-balancing functionality:
Set how you want to deal with the certificates (see the How it works... section for more information). We will be setting up SSL passthrough in this example:
Create a new health check for the Orchestrator services. The health of a node is captured in https://[VRO FQDN]:8281/vco/api/healthstatus
:
This configures what VMs belong to the load balancing setup:
8281
for both Port and Monitor Port. Click on OK and then add the next member. Click on OK when finished:
This is the interface that a client will connect to:
8281
as Port.
Load-balancing is a method by which a central unit (the load-balancer) is contacted by the user instead of one of the Orchestrator installations. The load-balancer has two functions. The first is to check the availability of the underlying Orchestrators for that, the load-balancer is checking each Orchestrator's health status by contacting https://[vro]:8281/vco/api/healthstatus
. If the Orchestrator service is alive then it will respond with the following:
<node-status xmlns="http://www.vmware.com/vco"> <state>RUNNING</state> <health-status state="OK" time="1463231814183"/> <instance-id>9d40b766-e278-4f6c-8fa1-ab143d5b73e7</instance-id>
The other function of a load-balancer is to forward the connection request to one of the active Orchestrator nodes. The method we should use for this with Orchestrator is called Round-Robin, which will give a connection to the next available Orchestrator node. For example, if there are three active Orchestrators (vro1
, vro2
, and vro3
) then the first request will be given to vro1
, the next one to vro2
, then to vro3
, and then again to vro1
, and so on.
The following settings are usable for all load-balancers. The settings may be called something slightly different, but they all function in the same way:
Setting |
Value |
Health check protocol |
HTTPS |
Health check link |
GET/vco/api/healthstatus |
Health check return |
RUNNING |
Health check interval |
3 sec |
Health check timeout |
9 sec |
Health check max retries |
3 |
Load-balancing mechanism |
Round-Robin |
Load-balancing port |
8281 |
SSL certificate |
Offload or passthrough |
SSL persistency |
None |
All connections to Orchestrator use HTTPS and SSL certificates, so we need to discuss this. The problem is as follows: when the load-balancer forwards the connection to one of the Orchestrators, the client will be connecting to a different certificate.
There are basically three methods to deal with this.
This is the default for most load-balancers. The certificate of the underlying Orchestrator is passed to the connecting user. If the certificate is CA signed and trusted by the connecting computer, then this works quite well. If you are using self-signed certificates that are not trusted by the connecting computer, the connection must be approved each time, which can lead to a lot of problems.
If you use a VMCA-signed certificate, this can work very well. (See the Use VMCA generated certificate section in the recipe Configuring the Orchestrator service SSL certificate in Chapter 2, Optimizing Orchestrator Configuration.
You can create a SSL certificate with alternative names, so-called SAN (Subject Alternative Name). The certificate contains not only one FDQN and/or IP, but multiple ones. The load-balancer is configured for passthrough and the connecting server gets a certificate that is valid for not only one Orchestrator node but multiple ones.
See the There's more... section of the recipe Configuring the Orchestrator service SSL certificate in Chapter 2, Optimizing Orchestrator Configuration.
This mode is not supported by all load-balancers. Offloading means that the load-balancer will trust each Orchestrator certificate but will present its own certificate to the connecting computer. Using this method, you can use self-signed untrusted certificates on the Orchestrator and use one single trusted CA certificate on the load-balancer:
One of the very cool features of the vSphere Web Client is that you can execute Orchestrator workflows directly from it. When you are using a load-balanced Orchestrator cluster, you will need to register the load-balanced address instead of any single Orchestrator:
Load balancing Orchestrator with F5: kb.vmware.com/kb/2118472 .
F5 trial license: https://www.f5.com/trial .
VMware NSX product overview and Hands on Lab: http://www.vmware.com/products/nsx/ .