Tutorial to set up Global Server Load Balancing with Kemp GEO, which only handles A (IPv4) and AAAA (IPv6) records for now
Benefits of Global Server Load Balancing (GSLB)
- Intelligently distributes traffic across servers in different data centers based on DNS queries and health monitoring in Kemp
- Enables many distributed application servers to function as a single, virtual server
We will test and verify how easy it is to set up, and how it functions, with Kemp GEO compared with DNS Failover for Web Servers with DNSMadeEasy
Lab prepared for this tutorial
- 2 x Data Centers
- 2 x FortiGate Firewall
- 2 x Kemp VLM as Reverse Proxy for Nginx
Refer to my previous post on how to setup Reverse Proxy for Nginx with Kemp VLM
FortiGate Firewall in Production Site
1-to-1 NAT / PAT is required to ensure that the source IP of Kemp is identical to the inbound NAT IP
Kemp does not recommend a Layer 3 source IP NAT to the LoadMaster as it will mask source IP visibility during geographical coding operations, all devices before the LoadMaster should be transparent.
Inbound NAT (Virtual IP) to map 22.214.171.124 to 192.168.1.222 for TCP 22 (SSH) & UDP 53 (DNS)
Outbound NAT to translate source IP from 192.168.1.222 to 126.96.36.199
Create a NAT Loopback rule to allow machines in LAN to access servers’ NATed Public IP Address
FG60E (12) # show
config firewall policy
    edit 12
        set name "LAN-NAT Loopback"
        set uuid ac4edb2c-8969-51ea-2e4f-971c3a9f66bd
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "NAT-51-222-DNS" "NAT-51-222-HTTPS" "NAT-51-222-SSH"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set match-vip enable
    next
end
Create a Policy Route to allow Kemp to access its own public IP Address
FG60E (4) # sh
config router policy
    edit 4
        set input-device "internal"
        set src "192.168.1.222/255.255.255.255"
        set dst "192.168.1.222/255.255.255.255"
        set output-device "internal"
    next
end
Configure the FortiGate Firewall in DR Site for inbound & outbound NAT following the steps above
Setup GEO LoadMaster Partners
Login to Kemp VLM at Production and go to Certificate & Security – Remote Access – GEO Settings
- GEO LoadMaster Partners – IP ADDRESS of Kemp VLM in DR Site
- Partner Status – Ensure that it is always in GREEN color
- GEO LoadMaster Port = 22 (Default)
- GEO Update Interface – Interface used for GEO Communication
Login to Kemp VLM at DR and configure the IP Address of GEO LoadMaster Partners
SSH to Kemp VLM at DR Site to verify the SSH traffic in detail with tcpdump in Utilities – Diagnostics – Diagnostic Shell
Ensure that Source NAT is configured so that the Kemp VLM's outgoing traffic uses an IP identical to its inbound NAT IP Address if another firewall is used
% tcpdump 'host 188.8.131.52'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:51:01.269525 IP 10.10.10.208.31761 > 184.108.40.206.22: S 1267849930:1267849930(0) win 29200 <mss 1460,nop,wscale 7>
08:51:01.280766 IP 220.127.116.11.22 > 10.10.10.208.31761: S 1535316721:1535316721(0) ack 1267849931 win 29200 <mss 1452,nop,wscale 7>
08:51:01.280799 IP 10.10.10.208.31761 > 18.104.22.168.22: . ack 1 win 229
08:51:01.296731 IP 22.214.171.124.22 > 10.10.10.208.31761: P 1:22(21) ack 1 win 229
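The capture above is only useful if you actually compare the source address of the partner's SSH connections against the IP configured under GEO LoadMaster Partners. The following script is an added example (not part of the original post and not Kemp's own tooling): it parses the one-line tcpdump summary format shown above, picks out the SYNs that open a session to the GEO port, and reports any source IP that is not the expected partner address, which is exactly the symptom of a mismatched outbound NAT. The sample capture lines are constructed with RFC 5737 documentation addresses; the expected partner IP is an assumed value.

```python
import re

# Matches the one-line tcpdump summary format shown above (legacy flag style):
#   HH:MM:SS.usec IP <src>.<sport> > <dst>.<dport>: <flags> ...
# Header lines ("tcpdump: verbose output suppressed ...", "listening on eth0 ...")
# do not match and are skipped.
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)"
)


def parse_tcpdump(lines):
    """Yield (src, sport, dst, dport, flags) for every parsable summary line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def partner_syn_sources(lines, geo_port=22):
    """Source IPs that opened a new TCP session to geo_port.

    A client SYN has flags 'S' and dport == geo_port; the SYN-ACK travelling the
    other way has sport == geo_port and is therefore excluded.
    """
    return {src for src, _sport, _dst, dport, flags in parse_tcpdump(lines)
            if dport == geo_port and flags == "S"}


def check_partner_source(lines, expected_partner_ip, geo_port=22):
    """Return (ok, unexpected).

    `unexpected` is the sorted list of source IPs that opened a GEO session but
    differ from the partner IP configured under GEO LoadMaster Partners. Any entry
    means the partner's outbound source NAT is not identical to its inbound NAT IP,
    and the Partner Status will not turn green.
    """
    unexpected = sorted(partner_syn_sources(lines, geo_port) - {expected_partner_ip})
    return not unexpected, unexpected


# Constructed sample capture using RFC 5737 documentation addresses (not the lab's
# real IPs): 203.0.113.10 is the expected partner public IP, 198.51.100.20 this VLM's.
SAMPLE_OK = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:51:01.269525 IP 203.0.113.10.31761 > 198.51.100.20.22: S 1267849930:1267849930(0) win 29200 <mss 1460,nop,wscale 7>
08:51:01.280766 IP 198.51.100.20.22 > 203.0.113.10.31761: S 1535316721:1535316721(0) ack 1267849931 win 29200 <mss 1452,nop,wscale 7>
08:51:01.280799 IP 203.0.113.10.31761 > 198.51.100.20.22: . ack 1 win 229
08:51:01.296731 IP 198.51.100.20.22 > 203.0.113.10.31761: P 1:22(21) ack 1 win 229
""".splitlines()

# Same capture plus a SYN from an address that is not the configured partner
# (constructed: the partner firewall is NATing to a different public IP).
SAMPLE_BAD = SAMPLE_OK + [
    "08:52:10.000000 IP 203.0.113.99.40001 > 198.51.100.20.22: S 1:1(0) win 29200 <mss 1460>",
]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        ok, unexpected = check_partner_source(sample, "203.0.113.10")
        print(name, "partner source matches" if ok else f"unexpected sources: {unexpected}")
```

Run it against a capture saved from the Diagnostic Shell (`tcpdump 'port 22'` piped to a file) and pass the partner IP you entered in GEO Settings; a non-empty list tells you which firewall's source NAT to fix before looking anywhere else.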
New GEO Cluster
Login to Kemp VLM in Production Site and add the IP Addresses of both Kemp VLM in Global Balancing – Manage Clusters
Login to Kemp VLM in DR Site to verify the settings are synchronized successfully
Click Modify to configure Cluster Health Check via TCP 22 (SSH)
By default, Health Check is performed every 2 minutes (120 Seconds) and it can be adjusted in Global Balancing – Miscellaneous Param – Resource Check Parameter
Stickiness is the property that enables all name resolution requests from an individual client to be sent to the same set of resources until a specified period has elapsed.
Fully Qualified Domain Name (FQDN)
Add a FQDN called uat.aventislab.info in Global Balancing – Manage FQDN and click modify to continue
Configure the IP Address for uat.aventislab.info and set the Checker to Cluster Checks
A maximum of 2 FQDNs is supported in Kemp VLM Free Edition
- Round Robin – Incoming requests are distributed sequentially across the IP address end-points.
- Weighted Round Robin – Incoming requests are distributed across the cluster in a sequential manner, while taking account of a static "weighting" that can be pre-assigned per server.
- Fixed Weighted – Used in Disaster Recovery (DR) sites. The highest weight Real Server is only used when other Real Server(s) are given lower weight values. However, if the highest weighted server fails, the Real Server with the next highest priority number is available to serve clients.
- Real Server Load – Requires integration with LoadMaster; this allows you to obtain data center-level metrics from LoadMaster, which are used in real time to direct clients to the cluster that's least busy
Real Server Load cannot be selected in Kemp VLM Free Edition?
- Location Based – Allows GEO to direct a client to a data center based on the client's country, continent or IP address range as defined by the created policies.
- Proximity – Takes Location Based one step further and allows for longitude and latitude granularity for definition of proximity.
- All Available – Returns all possible healthy targets for an A (IPv4) or AAAA (IPv6) query request
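To make the difference between the selection criteria concrete, here is an added example (my own toy model written for this post, not Kemp's code and not how the LoadMaster implements its scheduler internally) that resolves one FQDN against the same set of targets under Round Robin, Weighted Round Robin, Fixed Weighted and All Available, with a health flag per target so you can see which criterion fails over and which one fails back. The addresses and weights are constructed.

```python
class GeoFqdn:
    """Toy model of one GEO FQDN: target IPs with a static weight and a health flag each.

    Each resolver method returns the list of IPs that would be handed back for one
    DNS query. This models the behaviour described above, not Kemp's implementation.
    """

    def __init__(self, targets):
        # targets: {ip: weight}; every target starts healthy
        self.weights = dict(targets)
        self.healthy = {ip: True for ip in targets}
        self._rr = 0    # query counter for Round Robin
        self._wrr = 0   # query counter for Weighted Round Robin

    def set_health(self, ip, up):
        """Result of the cluster health check for one target."""
        self.healthy[ip] = up

    def _up(self):
        return [ip for ip in self.weights if self.healthy[ip]]

    def round_robin(self):
        """Sequential rotation across the healthy end-points; weight is ignored."""
        up = self._up()
        if not up:
            return []
        ip = up[self._rr % len(up)]
        self._rr += 1
        return [ip]

    def weighted_round_robin(self):
        """Sequential rotation in which each healthy end-point appears <weight> times per cycle."""
        up = self._up()
        if not up:
            return []
        schedule = [ip for ip in up for _ in range(self.weights[ip])]
        ip = schedule[self._wrr % len(schedule)]
        self._wrr += 1
        return [ip]

    def fixed_weighted(self):
        """Always the highest-weighted healthy end-point; lower weights only serve when it is down."""
        up = self._up()
        if not up:
            return []
        return [max(up, key=lambda ip: self.weights[ip])]

    def all_available(self):
        """Every healthy end-point, as a multi-answer response."""
        return self._up()


def failover_sequence():
    """Fixed Weighted through a production outage and recovery.

    Returns the answer before the failure, during it, and after the site comes back
    (constructed IPs: 203.0.113.10 = production, 198.51.100.20 = DR).
    """
    fqdn = GeoFqdn({"203.0.113.10": 100, "198.51.100.20": 50})
    before = fqdn.fixed_weighted()
    fqdn.set_health("203.0.113.10", False)
    during = fqdn.fixed_weighted()
    fqdn.set_health("203.0.113.10", True)
    after = fqdn.fixed_weighted()
    return before, during, after


if __name__ == "__main__":
    print("fixed weighted:", failover_sequence())
    f = GeoFqdn({"203.0.113.10": 2, "198.51.100.20": 1})
    print("round robin:", [f.round_robin()[0] for _ in range(4)])
    print("weighted round robin:", [f.weighted_round_robin()[0] for _ in range(6)])
    print("all available:", f.all_available())
```

The point to take from `failover_sequence()` is that Fixed Weighted is the only criterion here that keeps every query on the production site while it is healthy and moves all of them to DR only when the health check fails, which is why the post uses it for the DR test further down.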
Site Failure Handling
Failure Delay – This setting determines how long (in minutes) the LoadMaster waits until it designates a site as having failed, thereby initiating a site failover.
Site Recovery Mode
This determines what recovery options are implemented when a failed site recovers.
Automatic – when the data center recovers, the LoadMaster automatically performs a failback (restores services to the recovered data center)
Manual – upon failure, the data center is administratively disabled and is not available for a failback until the admin clicks the Enable button for the relevant data center
Unanimous Cluster Health
If this option is enabled and any IP address fails health checking, the other FQDN IP addresses that belong to the same cluster are marked as down
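The three settings above interact, and the easiest way to reason about them is to replay a sequence of health-check results through a small model. The following is an added example written for this post (not Kemp's code; it models the behaviour as described above, with the failure delay in minutes and health checks fed in at the 2-minute interval mentioned earlier). The cluster layout and addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Target:
    ip: str
    cluster: str
    failing_since: Optional[float] = None   # minute of the first consecutive failed check
    disabled: bool = False                  # administratively disabled (Manual recovery mode)


class SiteFailureHandler:
    """Toy model of Site Failure Handling: Failure Delay, Site Recovery Mode and
    Unanimous Cluster Health, evaluated against a sequence of health-check results."""

    def __init__(self, targets, failure_delay=0, recovery_mode="automatic",
                 unanimous_cluster_health=False):
        # targets: {ip: cluster_name}; failure_delay in minutes as in the GEO setting
        self.targets: Dict[str, Target] = {ip: Target(ip, c) for ip, c in targets.items()}
        self.failure_delay = failure_delay
        self.recovery_mode = recovery_mode
        self.unanimous = unanimous_cluster_health

    def _site_failed(self, t: Target, now: float) -> bool:
        # a site is declared failed only after checks have failed for failure_delay minutes
        return t.failing_since is not None and now - t.failing_since >= self.failure_delay

    def record_check(self, ip: str, ok: bool, now: float) -> None:
        """Feed one health-check result observed at minute `now`."""
        t = self.targets[ip]
        if ok:
            t.failing_since = None
            return
        if t.failing_since is None:
            t.failing_since = now
        # Manual mode: once the failure is declared the site is disabled and stays
        # disabled until an administrator clicks Enable, even if checks pass again.
        if self.recovery_mode == "manual" and self._site_failed(t, now):
            t.disabled = True

    def enable(self, ip: str) -> None:
        """The admin's Enable button for a site disabled in Manual recovery mode."""
        self.targets[ip].disabled = False

    def available(self, now: float) -> List[str]:
        """IPs that GEO would still hand out at minute `now`."""
        down = {ip for ip, t in self.targets.items() if t.disabled or self._site_failed(t, now)}
        if self.unanimous:
            # one failed IP takes every other IP of the same cluster down with it
            bad_clusters = {self.targets[ip].cluster for ip in down}
            down |= {ip for ip, t in self.targets.items() if t.cluster in bad_clusters}
        return [ip for ip in self.targets if ip not in down]


# Constructed lab: two IPs in the production cluster, one in DR (RFC 5737 addresses).
LAB = {"203.0.113.10": "prod", "203.0.113.11": "prod", "198.51.100.20": "dr"}


def automatic_scenario():
    """Failure Delay of 2 minutes with checks every 2 minutes: the site is declared
    failed only on the second failed check and returns as soon as a check passes."""
    h = SiteFailureHandler(LAB, failure_delay=2)
    h.record_check("203.0.113.10", False, 0)
    first = h.available(0)
    h.record_check("203.0.113.10", False, 2)
    second = h.available(2)
    h.record_check("203.0.113.10", True, 4)
    recovered = h.available(4)
    return first, second, recovered


if __name__ == "__main__":
    print("automatic:", automatic_scenario())
    m = SiteFailureHandler(LAB, recovery_mode="manual")
    m.record_check("203.0.113.10", False, 0)
    m.record_check("203.0.113.10", True, 2)
    print("manual, before Enable:", m.available(2))
    m.enable("203.0.113.10")
    print("manual, after Enable:", m.available(2))
    u = SiteFailureHandler(LAB, unanimous_cluster_health=True)
    u.record_check("203.0.113.10", False, 0)
    print("unanimous:", u.available(0))
```

Two things the model makes visible: with a non-zero Failure Delay the total time to failover is the delay plus up to one health-check interval, and in Manual mode a flapping link does not bounce clients back and forth, because the site stays out until someone explicitly re-enables it.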
Delegate Subdomains in DNSMadeEasy
Create A Records for ns1.aventislab.info (126.96.36.199) & ns2.aventislab.info (188.8.131.52)
Delegate the Sub-Domain (uat.aventislab.info) to NS1 & NS2
Functionality of Global Server Load Balancing with Kemp
Configure Fixed Weighted for uat.aventislab.info with highest weight to web server (184.108.40.206) in Production Site
The following page will be displayed when accessing https://uat.aventislab.info
Shut down the Kemp VLM in Production Site
Login to Kemp VLM in DR Site to verify that the Kemp VLM in Production Site is shown as DOWN
It will take up to 2 minutes to change from UP to DOWN based on the default 120 seconds Health Check Interval
The A record for uat.aventislab.info has changed from 220.127.116.11 to 18.104.22.168, and the following page will be displayed when accessing https://uat.aventislab.info
Power on Kemp VLM in Production Site
The A record of uat.aventislab.info will be changed back to the IP Address of Kemp VLM in Production Site automatically