High Availability (HA) for Azure (Resource Manager)

1 Introduction

Microsoft Azure has two different models for deploying services: Resource Manager and Classic.  The main body of this guide covers setting up the LoadMaster with High Availability using the Resource Manager method. For steps using the Classic method, please refer to the HA for Azure (Classic Interface), Feature Description.

When deploying an application using the Microsoft Azure Infrastructure as a Service (IaaS) offering, you usually need to provide load balancing and other application delivery functions such as content switching, SSL Termination and IPS. Some of this functionality may also be necessary when deploying applications in Microsoft Azure Platform as a Service (PaaS).  KEMP’s LoadMaster for Azure enables you to address your needs of application delivery and High Availability (HA). 

Deploying a single LoadMaster for Azure does not provide you with the high availability you need for your applications. When deploying a pair of LoadMasters in Azure, you can achieve high availability for your application. This document provides the details for an HA KEMP LoadMaster solution.

When using LoadMaster in High Availability on Azure, HA operates in much the same way as it does on non-cloud platforms, but with some key differences, which are listed below:

LoadMaster HA for Azure involves two LoadMasters that synchronize settings bi-directionally. Changes made to the master are replicated to the slave and changes made to the slave are replicated to the master.

The replication (synchronization) of settings (from master to slave) is not instant in all cases and may take a few moments to complete.

When synchronizing the GEO settings from master to slave, any Fully Qualified Domain Name (FQDN) or cluster IP addresses that match the master’s IP address are replaced with the slave’s IP address. Likewise, when synchronizing from slave to master, the slave’s IP address is replaced with the master’s IP address.

All user-defined settings are synchronized, with the exception of the following:

- Default gateway (both IPv4 and IPv6)

- IP addresses and netmasks

- Hostname

- Name server

- Domain

- Admin default gateway

- Administrative certificate settings (.cert, .pem and .setadmin files)

- Network interface settings: Link Status (Speed and Duplex), MTU and additional addresses

- Virtual LAN (VLAN) configuration

- Virtual Extensible LAN (VXLAN) configuration

- Interface bonding

- Additional routes

The cloud HA LoadMaster does not have a “force update” option.

If the master unit fails, connections are directed to the slave unit. The master unit is the master and will never become the slave, even if it fails. Similarly, the slave unit will never become the master. When the master unit comes back up, connections will automatically be directed to the master again.

The HA Check Port must be set to the same port on both the master and slave units for HA to work correctly.

Depending on the design of the Network Security Groups, you must ensure the necessary ports are open inbound to allow for the traffic.


A complete description of non-cloud LoadMaster HA can be found in the High Availability (HA), Feature Description document.

2 Prerequisites

The following prerequisites must be met before proceeding to a high availability configuration:

An Azure Resource Manager (ARM) (V2) Virtual Network added to Azure to place the LoadMaster VMs

Application VMs deployed in Azure in the Virtual Network

An Azure Internal Load Balancer deployed to create the high availability pair

Two ARM LoadMaster VMs deployed in Azure on the same Virtual Network as the Application VMs

- Both LoadMasters should be configured to be part of an availability set

The following diagram provides an overview of the configuration described above:

To configure high availability using the LoadMaster, the following configuration must be in place:

Application VMs are installed and configured

LoadMaster for Azure VMs are installed and configured

Important: The HA Check Port must be set to the same port on both the master and slave units for HA to work correctly. The same port must be configured as the probe port on the Internal Load Balancer.

The following management Load Balanced NAT Rules must be set up for access to the LoadMasters:

- TCP Port 22 for SSH access

- TCP Port 8443 for Management Web User Interface (WUI) access

- Additional Load Balanced Rules for any traffic that is being transmitted through the LoadMaster

Use this table to record the necessary information required to create the LoadMaster Pair in Azure:

Fields Required for creation of LoadMaster Pair

| Field | Value |
| --- | --- |
| Primary LoadMaster Name | |
| Secondary LoadMaster Name | |
| Pricing Tier | |
| Password for LoadMasters | |
| Availability Service Name | |
| Resource Group Name | |
| Virtual Network | |
| Internal Load Balancer Name | |
| Internal Load Balancer Public IP Address (PIP), if required | |

3 Manually Configure LoadMaster HA in Azure

The steps in this section were correct at the time of writing. However, the Azure interface changes regularly so please refer to Azure documentation for up-to-date steps if needed.

Please complete the prerequisites documented in the earlier section.

3.1 Licensing Options

There are two main licensing options when deploying a LoadMaster for Azure:

Hourly consumption

Bring Your Own License (BYOL)

To use the BYOL option, follow the steps below:

1. Download the BYOL – Trial and perpetual license version of the Virtual LoadMaster (follow the steps in the section below to do this).

2. Contact a KEMP representative to get a license.

3. Update the license on your LoadMaster to apply the license change (System Configuration > System Administration > Update License).

3.2 Recommended Pricing Tier

When creating a LoadMaster for Azure Virtual Machine, you must select a pricing tier. The recommended pricing tiers are listed in the table below.

If the relevant pricing tier is not displayed in Azure, click View all.

| VLM Model | Recommended Pricing Tier |
| --- | --- |
| VLM 200 | A1, A2, A3 |
| VLM 2000 | A2, A3, A4 |
| VLM 5000 | A3, A4, A5 |
| VLM 10G | A7, A8, A9 |

3.3 Create an SSH Key Pair

When creating a LoadMaster for Azure VM, there are two options for authentication - a password or an SSH public key. KEMP recommends using a password, but either way will work fine. If you choose to use a password, this section can be skipped and you can move on to the Creating First Virtual LoadMaster in Azure section to create the LoadMaster for Azure VM. If you choose to use an SSH public key, an SSH key pair will need to be created.

To create an SSH key pair, you will need to use a program such as PuTTYgen or OpenSSH. As an example for this document, the steps in PuTTYgen are below:

1. Open PuTTYgen.


2. Click Generate.


3. Move the mouse over the blank area in the middle. This generates a random pattern that is used to generate the key pair.


4. Copy and save the public and private key as needed.

It is recommended to store SSH keys in a secure location.

3.4 Creating First Virtual LoadMaster in Azure

The steps in this document reflect the steps in the Azure Marketplace (http://portal.azure.com).

The following procedure describes how to set up LoadMaster for Azure from the Microsoft Azure portal:

The steps below are carried out from http://portal.azure.com and not from http://manage.windowsazure.com.


1. From the Azure Management Portal dashboard, click Marketplace.


2. In the Marketplace section, click New.


3. Type KEMP in the search field and press Enter on your keyboard.


4. Select the appropriate KEMP Virtual LoadMaster image to deploy.


5. Select Resource Manager.

6. Click Create.


7. Provide details in the Create VM section. The details required to create a new VM are:

a) Host Name: Provide a unique name for VM identification

b) User Name: This will not be used by LoadMaster for Azure. Provide a name of your choice. The default username for accessing the LoadMaster is bal.

c) Fill out the authentication details. There are two possible methods of authentication - using a password or an SSH key. Depending on what you select, complete the relevant step below:

- Password: Enter a password.

This password is used to access the LoadMaster WUI.

- SSH Public Key: Paste the SSH public key which was created in the Create an SSH Key Pair section. The private key is needed to connect to the LoadMaster using SSH.

It is recommended to store SSH keys in a secure location.

8. Use an existing or create a new Resource Group for the LoadMasters to be a part of.

9. Select the Location in which to deploy the LoadMaster.

10. Click OK.


11. Select from the recommended pricing tiers. Click View all if the recommended pricing tiers do not meet the recommended requirements (see the Recommended Pricing Tier section for further information regarding what tier to select).


12. Select the relevant Storage Account, or create a new one if needed.

13. Select an existing Virtual network, or create a new one if needed.

A Public IP Address (PIP) is not required for each of the LoadMasters.  A single PIP is created for the Azure Load Balancer and NAT Translation Rules are created to allow management access.

14. Select the relevant Network security group, or create a new one if needed.

If the LoadMaster is public-facing, the security group should contain rules for ports 8441, 8442, 8443, 8444, 22, 221 and 222, the Virtual Service ports (such as 80, 443) and any other ports that are needed by the backend.


15. Select Disabled for Diagnostics.

16. Click Availability set.


17. Click Create new.


18. Provide a unique Name for the Availability Set.

19. Click OK.


20. Click OK.


21. Confirm that Validation Passed.

22. Click OK.


23. Click Purchase.

3.5 Create the Second LoadMaster in Azure

The process of setting up the second LoadMaster for Azure is similar to the first with a few exceptions, which are listed below. 

You must select the same Virtual Network that was used during the first LoadMaster deployment.

You must select the same Availability Set that was created during the first LoadMaster deployment.

4 Create the Internal Load Balancer

An Azure Internal Load Balancer must be deployed to monitor the health of the LoadMasters and direct traffic accordingly. 

The following procedure describes how to set up an Azure Load Balancer from the Microsoft Azure portal:

The steps below are carried out from http://portal.azure.com and not from http://manage.windowsazure.com.


1. From the Azure Management Portal dashboard, click More services.


2. Select Load balancers.


3. Click Add.


4. Provide the necessary information for the Load Balancer:

a) Assign the Load Balancer a Name.

b) Select whether or not the Load Balancer is made available to the Internet (Public or Internal).

c) Assign the same Resource group as the LoadMasters.

d) Select the Location.

5. Click Create.

5 Configure the Azure Load Balancer

There are several settings that need to be configured to provide the high availability of the LoadMasters. 

Create a backend address pool and add the LoadMasters to the pool.

Create Inbound NAT rules to direct traffic to the appropriate LoadMaster.

Create a Probe to monitor the health of the LoadMasters.

Create Load Balancing Rules to allow the necessary traffic.

Refer to the sections below for further information on each of these.

5.1 Create a Backend Pool

The Backend Pool is a collection of virtual machines (LoadMasters) which is load balanced in order to provide High Availability.


1. In the left hand navigation, click More services.


2. Select Load balancers.


3. Click the name of the internal load balancer that was created in the Create the Internal Load Balancer section.

 

4. Click Backend pools.


5. Click Add.


6. Provide a Name for the Backend Pool.

7. Click Availability set in the Associated to drop-down list.

8. Select the relevant Availability set.


9. Click Add a target network IP configuration.


10. Select the master LoadMaster in the Target virtual machine drop-down list.

11. Select the relevant Network Interface Card (NIC) in the Network IP configuration drop-down list.

12. Click OK.

13. Click Add a target network IP configuration.

14. Select the slave LoadMaster in the Target virtual machine drop-down list.

15. Select the relevant Network Interface Card (NIC) in the Network IP configuration drop-down list.

16. Click OK.

5.2 Create Inbound NAT rules


Inbound NAT rules will provide a translation for management access into each of the LoadMasters in the Backend pool. Each LoadMaster does not require a Public IP Address (PIP).  A unique port will need to be configured in an Inbound NAT rule for each LoadMaster. The rules are the following:

| Target | Port | Target Port |
| --- | --- | --- |
| LoadMaster1 - WUI | 8441 | 8443 |
| LoadMaster1 - SSH | 221 | 22 |
| LoadMaster2 - WUI | 8442 | 8443 |
| LoadMaster2 - SSH | 222 | 22 |


1. In the left hand navigation, click Browse.


2. Select Load balancers.

3. Select the load balancer that was created in the Create the Internal Load Balancer section.


4. Click All settings.

5. Click Inbound NAT rules.


6. Click Add.


7. Provide the following information:

a) Provide a Name.

b) Select Custom as the Service.

c) Select TCP.

d) Enter 8441 as the Port.

e) Click Target.


8. Select the LoadMaster to associate this rule with (LM1).


9. Provide the following information:

a) Select Custom as the Port mapping.

b) Select Disabled for Floating IP.

c) Enter 8443 as the Target port.

d) Click OK.

Use the table at the start of this section and start from the following step to create additional NAT rules: Click Add.

5.3 Create a Probe to Monitor LoadMaster Health

A probe must be created to monitor the health of the LoadMasters. This probe will determine which LoadMaster is active and send the necessary traffic. Should that LoadMaster go offline, the probe will take that LoadMaster out of service and direct all traffic to the secondary LoadMaster.


1. In the left hand navigation click Browse.


2. Click Load balancers.

3. Select the load balancer that was created in the Create the Internal Load Balancer section.


4. Click All settings.

5. Select Probes.


6. Click Add.


7. Provide the following information:

8. Provide a Name.

9. Select HTTP as the Protocol.

10. Enter 8444 as the Port.

11. Enter / as the Path.

12. Enter 5 as the Interval.

13. Enter 2 as the Unhealthy threshold.

14. Click OK.

5.4 Create Load Balancing Rules to Allow Traffic

Load Balancing Rules must be configured for any traffic that is published through the LoadMaster. A Rule is set up for Port 8444 which can be used to check the state of the LoadMasters within the Backend Pool.


1. In the left hand navigation, click Browse.


2. Select Load balancers.

3. Select the load balancer that was created in the Create the Internal Load Balancer section.


4. Click All settings.

5. Click Load balancing rules.


6. Click Add.


7. Provide the following information:

a) Provide a Name.

b) Select TCP as the Protocol.

c) Enter 8444 as the Port.

d) Enter 8444 as the Backend port.

e) Select your Backend pool.

f) Select the Probe for port 8444.

g) Select None as the Session persistence.

h) Select 4 as the Idle timeout (minutes).

8. Click OK.

Create additional Load Balancing Rules for any other traffic that is published through the LoadMaster.

6 Network Security Groups

Network Security Groups are used in Azure to control what traffic is allowed or denied access to Virtual Machines. Depending on your configuration, you are required to update one or more Network Security Groups in order to allow published traffic to access the LoadMasters and backend Real Servers.

If the LoadMaster is public-facing, the security group should contain rules for ports 8441, 8442, 8443, 8444, 22, 221 and 222, the Virtual Service ports (such as 80, 443) and any other ports that are needed by the backend.

Do not block port 6973.
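
The following check is an added example, not KEMP or Microsoft code. It evaluates an exported Network Security Group rule list against the ports this guide uses, reporting management ports that are open to any source and any Deny rule that would block the HA check port, the load balancer probe or port 6973. The rule field names assume the JSON returned by `az network nsg rule list`; the sample rules, the partner address and the function names are constructed for illustration.

```python
import ipaddress

# Ports named in this guide; the rule-evaluation logic is this example's own.
MGMT_PORTS = (22, 221, 222, 8441, 8442, 8443)  # SSH and WUI: NAT front ends and targets
HA_CHECK_PORT = 8444                           # HA Check Port, also the probe port
SYNC_PORT = 6973                               # the port the guide says not to block
BROAD_SOURCES = {"*", "0.0.0.0/0", "Internet"}
AZURE_PROBE_IP = "168.63.129.16"               # address Azure health probes originate from

def _values(rule, single, plural):
    """A rule carries either one value or a list; return whichever is set as a list."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return values

def _port_in(spec, port):
    """True if an NSG port spec such as '*', '22' or '8441-8444' covers the port."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def _source_matches(prefix, src_ip, src_tags):
    if prefix == "*":
        return True
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:  # not a CIDR, so treat it as a service tag
        return prefix in src_tags

def first_match(rules, src_ip, src_tags, port):
    """First inbound TCP rule, by priority, matching the flow; None if only defaults apply."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"].lower() != "inbound" or rule["protocol"].lower() not in ("tcp", "*"):
            continue
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if any(_port_in(p, port) for p in ports) and any(
                _source_matches(s, src_ip, src_tags) for s in sources):
            return rule
    return None

def audit(rules, partner_ip):
    findings = []
    for port in MGMT_PORTS:
        # 203.0.113.10 (documentation range) stands in for an arbitrary Internet host.
        rule = first_match(rules, "203.0.113.10", {"Internet"}, port)
        if rule and rule["access"] == "Allow" and BROAD_SOURCES & set(
                _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")):
            findings.append(f"{rule['name']}: management port {port} open to any source")
    flows = [(partner_ip, "VirtualNetwork", HA_CHECK_PORT, "HA check from partner"),
             (partner_ip, "VirtualNetwork", SYNC_PORT, "configuration sync"),
             (AZURE_PROBE_IP, "AzureLoadBalancer", HA_CHECK_PORT, "load balancer probe")]
    for src_ip, tag, port, what in flows:
        # Azure's default rules allow both tags, so only an explicit Deny can break these.
        rule = first_match(rules, src_ip, {tag}, port)
        if rule and rule["access"] == "Deny":
            findings.append(f"{rule['name']}: blocks {what} on port {port}")
    return findings

# Constructed sample in the shape of `az network nsg rule list` JSON output.
SAMPLE_RULES = [
    {"name": "mgmt-from-office", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "198.51.100.0/24",
     "destinationPortRanges": ["22", "8443"]},
    {"name": "wui-any", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "8441-8443"},
    {"name": "lockdown", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "1024-65535"},
    {"name": "web", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRanges": ["80", "443"]},
]
```

Calling `audit(SAMPLE_RULES, partner_ip="10.0.0.5")` returns one finding per management port covered by the any-source rule and one per HA flow caught by the broad Deny rule.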

7 Configure the LoadMasters

To configure LoadMaster for HA, follow the steps outlined in the sections below:


1. Access the WUI of the LoadMaster which is the master unit:

a) Access the WUI of master LoadMaster by going to https://<DNSNameURL>:8441.

b) Access the WUI of the slave LoadMaster by going to https://<DNSNameURL>:8442.

c) The default username is bal and the password is the password entered during the creation of the LoadMaster.

2. In the main menu, go to System Configuration > HA and Clustering.


3. If you have a clustering license, a screen will appear asking if you want to set up HA Mode or Clustering. To set up HA, select HA Mode and click Confirm.


4. Select Master HA Mode in the Azure HA Mode drop-down list.

5. Select the desired option in the Switch to Preferred Server drop-down list:

- No Preferred Host: Each unit takes over when the other unit fails. No switchover is performed when the partner is restarted.

- Prefer Master: The HA1 (master) unit always takes over. This is the default option.

6. Enter the Partner Name/IP address of the slave LoadMaster unit and click Set Partner Name/IP.

7. Enter 8444 as the Health Check Port and click Set Check Port.

The Health Check Port must be set to 8444 on both the master and slave units for HA to function correctly.

8. Then, access the WUI of the slave unit. On the slave unit, repeat the steps from "In the main menu, go to System Configuration > HA and Clustering" through "Enter the Partner Name/IP address of the slave LoadMaster unit and click Set Partner Name/IP", but select Slave HA Mode as the Azure HA Mode instead.

HA will not work if both units have the same value selected for the Azure HA Mode.

9. After configuring both LoadMasters, reboot both units (System Configuration > System Administration > System Reboot > Reboot).

When HA is enabled on both devices, changes made to the Virtual Services in the master unit are replicated to the slave.


If a unit is in standby mode, WUI access is restricted to Local Administration only. Full WUI access is available if the unit is in an active or unchecked state.


You can tell, at a glance, which unit is the master, and which is the slave, by checking the mode in the top bar of the LoadMaster.

The current status of each LoadMaster, when HA is enabled, is shown as follows: 

[Screenshots of the HA status indicators: Configure the LoadMasters_4.png, Configure the LoadMasters_5.png, Configure the LoadMasters_6.png]

In addition, it is possible to check which LoadMaster is active by accessing port 8444 through the Public IP address, since the Load Balanced Rule was created for this port in the Create Load Balancing Rules to Allow Traffic section, that is,

http://<PublicIPofAzureLoadBalancer>:8444

8 LoadMaster Firmware Upgrades/Downgrades

Do not downgrade from firmware version 7.2.36 or higher to a version below 7.2.36. If you do this, the LoadMaster becomes inaccessible and you cannot recover it.

You should never leave two LoadMasters with different firmware versions paired as HA in a production environment. To avoid complications, follow the steps below in sequence and do not perform any other actions in between the steps. Please upgrade/downgrade during a maintenance window and expect service disruption because there are reboots.

The steps below are high-level. For detailed step-by-step instructions on how to upgrade the LoadMaster firmware, refer to the Updating the LoadMaster Software Feature Description on the KEMP documentation page: https://kemptechnologies.com/loadmaster-documentation.

8.1 Upgrade the LoadMaster Firmware

To upgrade the LoadMaster firmware, follow the steps below in sequence:

1. Ensure the Master unit is in the ACTIVE state and the Slave is in the STAND-BY state.

2. Upgrade the LoadMaster firmware on the Slave unit. Once the Slave has rebooted, the Slave remains in the STAND-BY state and the WUI is limited to the Local Administration options.

3. Upgrade the LoadMaster firmware on the Master unit. When the Master unit is rebooting, the Slave unit temporarily becomes ACTIVE and returns to the STAND-BY state after the Master is finished rebooting.

After these steps are completed the upgrade is finished. Both HA units are up, the Master is ACTIVE and the Slave is STAND-BY.

8.2 Downgrade the LoadMaster Firmware

To downgrade the LoadMaster firmware, follow the steps below in sequence:

1. Ensure the Master unit is in the ACTIVE state and the Slave is in the STAND-BY state.

2. On both LoadMasters, set the Switch to Preferred Server drop-down list to Prefer Master (this is in System Configuration > HA Parameters or Local Administration > HA Parameters).

3. Upgrade the LoadMaster firmware on the Slave unit. Once the Slave has rebooted, the Slave remains in the STAND-BY state and has the full menu WUI.

4. Upgrade the LoadMaster firmware on the Master unit. When the Master unit is rebooting, the Slave unit temporarily becomes ACTIVE and returns to the STAND-BY state after the Master is finished rebooting.

After these steps are completed the downgrade is finished. Both HA units are up, the Master is ACTIVE and the Slave is STAND-BY.

9 Troubleshooting

The sections below provide some basic troubleshooting tips. If further assistance is required, please contact KEMP Support: https://support.kemptechnologies.com.

9.1 Virtual Machine Inaccessible

It takes approximately five minutes for the Virtual Machine to become accessible after booting.

9.2 Run a TCP Dump

Running a TCP dump and checking the results can also assist with troubleshooting. To do this, follow the steps below in the LoadMaster WUI:

1. In the main menu, go to System Configuration > Logging Options > System Log Files.


2. Click Debug Options.

3. In the TCP dump section, enter the relevant IP Address and the Azure HA Port.

4. Click Start.

5. Let the capture run for a few minutes.

6. Click Stop.

7. Click Download.

8. Analyse the results in a packet trace analyser tool such as Wireshark.

Checks from the partner LoadMaster should appear in the results. If nothing is shown there is a problem, for example Azure may be blocking the connection.

9.3 Sync Problems

In most scenarios, the configuration settings are automatically synchronized between partners every two minutes. If a new Virtual Service is created, the settings are immediately synchronized. Because of this, creating a new Virtual Service is a good way of checking if the synchronization is working. To trace this, follow the steps below:

1. Start a TCP dump, as detailed in the Run a TCP Dump section, but use port 6973.

2. Create a Virtual Service.

3. Stop the TCP dump.

4. Download the TCP dump file.

5. Analyse the results.

After creating a Virtual Service, a lot of traffic should have been immediately triggered.

Generally, if a lot of packets are being transferred it means that the synchronization is working. If only a few packets are transferred, it may mean that the connection was unsuccessful. In this case, there may be a problem such as unmatched SSH keys.
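
As an added example (not part of the KEMP tooling), the script below reads a downloaded capture and applies the rule of thumb from the Run a TCP Dump and Sync Problems sections: no packets, a few packets, or many packets on the port, plus whether any connection attempt was answered. It assumes the download is a classic pcap file with Ethernet or Linux cooked framing carrying IPv4; the 20-packet threshold for "many", the addresses and the sample captures are constructed for illustration.

```python
import struct
from collections import Counter

L2_HEADER = {1: 14, 113: 16}   # pcap link types: Ethernet, Linux cooked capture

def tcp_packets(pcap, port):
    """Yield (src_ip, dst_ip, tcp_flags) for each IPv4/TCP packet to or from `port`."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    l2 = L2_HEADER.get(struct.unpack(order + "I", pcap[20:24])[0])
    if l2 is None:
        raise ValueError("unsupported link type")
    pos = 24                                   # first record follows the global header
    while pos + 16 <= len(pcap):
        size = struct.unpack(order + "I", pcap[pos + 8:pos + 12])[0]
        frame, pos = pcap[pos + 16:pos + 16 + size], pos + 16 + size
        ip = frame[l2:]
        if frame[l2 - 2:l2] != b"\x08\x00" or len(ip) < 20 or ip[9] != 6:
            continue                           # not IPv4 carrying TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]
        if len(tcp) < 14 or port not in struct.unpack("!HH", tcp[:4]):
            continue
        yield ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), tcp[13]

def summarize(pcap, local_ip, port, many=20):
    """Classify the capture; the `many` threshold is this example's assumption."""
    seen = Counter()
    for src, dst, flags in tcp_packets(pcap, port):
        seen["total"] += 1
        if dst == local_ip:
            seen["from_partner"] += 1
        if flags & 0x12 == 0x12:               # SYN+ACK: a connection attempt was answered
            seen["syn_ack"] += 1
    status = "none" if not seen["total"] else "many" if seen["total"] >= many else "few"
    return {"status": status, "total": seen["total"],
            "from_partner": seen["from_partner"],
            "handshake_completed": seen["syn_ack"] > 0}

def build_frame(src, dst, sport, dport, flags):
    """Build one Ethernet/IPv4/TCP frame for the constructed samples below."""
    addr = lambda s: bytes(int(x) for x in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, addr(src), addr(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed captures: LOCAL is the unit the dump was taken on, PARTNER its HA partner.
LOCAL, PARTNER = "10.0.0.4", "10.0.0.5"
SYNCING = build_pcap(
    [build_frame(LOCAL, PARTNER, 40000, 6973, 0x02),      # SYN
     build_frame(PARTNER, LOCAL, 6973, 40000, 0x12)]      # SYN+ACK
    + [build_frame(LOCAL, PARTNER, 40000, 6973, 0x18),    # data
       build_frame(PARTNER, LOCAL, 6973, 40000, 0x10)] * 15
    + [build_frame(LOCAL, PARTNER, 40001, 443, 0x18)])    # unrelated traffic, ignored
UNANSWERED = build_pcap([build_frame(LOCAL, PARTNER, 40000, 6973, 0x02)] * 3)

if __name__ == "__main__":
    print(summarize(SYNCING, LOCAL, 6973))
    print(summarize(UNANSWERED, LOCAL, 6973))
```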

References

Unless otherwise specified, the following documents can be found at http://kemptechnologies.com/documentation.

Licensing, Feature Description

LoadMaster for Azure, Feature Description

HA for Azure (Classic Interface), Feature Description

Azure Virtual Machines – tutorials and guides:

http://www.windowsazure.com/en-us/documentation/services/virtual-machines/

High Availability (HA), Feature Description

Document History

| Date | Change | Reason for Change | Version | Resp. |
| --- | --- | --- | --- | --- |
| June 2016 | Initial draft | First draft of document | 1.0 | LB |
| July 2016 | Release updates | Updates for 7.1.35 | 2.0 | LB |
| Aug 2016 | Minor change | Enhancement made | 3.0 | LB |
| Sep 2016 | Release updates | Updates for 7.2.36 | 4.0 | LB |
| Jan 2017 | Release updates | Updates for 7.2.37 | 5.0 | LB |
| July 2017 | Release updates | Updates for 7.2.39 | 6.0 | LB |


Comments

support

This article is not clear with the current screenshots

Lisa Barry

Hi,

Thank you for your feedback. The screenshot issue was caused during the upload of the document. We have since fixed the issue.

Thanks,
Lisa