LoadMaster HA in CenturyLink
This document is no longer updated as of LoadMaster firmware version 7.2.53. However, CenturyLink is still supported by Kemp.
When deploying an application using CenturyLink Cloud, you may need to provide load balancing and other application delivery functions such as content switching, SSL acceleration, Web Application Firewall (WAF), and Intrusion Prevention System (IPS). When using a Kemp LoadMaster for CenturyLink, you can address both application delivery and High Availability (HA).
Some of the features and associated benefits of the Virtual LoadMaster (VLM) are listed in the table below.
Regardless of where the applications are deployed (cloud, on premises, or in hybrid environments), the VLM can load balance them.
The VLM manages applications deployed in hybrid infrastructures on premises and in the CenturyLink Cloud.
Highly available Application Delivery Controllers (ADCs), deployed on-demand to meet load requirements.
VLM Global Balancing (GEO) load balancing supports application instances across multiple sites to accommodate growth and deliver additional resilience.
Kemp provides two different approaches for deploying LoadMasters with HA in CenturyLink Cloud: native HA and HA using GEO. The approach to use is determined by the CenturyLink data center that the LoadMasters are deployed in.
CenturyLink native HA is the first approach and it leverages the CenturyLink load balancer to route traffic to a healthy LoadMaster. The CenturyLink load balancer features required for this functionality are available in select data centers. These data centers are marked as advanced capabilities.
The CenturyLink HA using GEO (GSLB) approach leverages the Kemp LoadMaster GEO functionality. This functionality requires DNS delegation and configuration to route the active LoadMaster. This approach does not require the CenturyLink load balancer.
This document is intended to explain the two different configurations of HA for the Kemp LoadMaster in CenturyLink Cloud.
It is also possible to configure the LoadMaster using Application Program Interface (API) commands. For further details, refer to the Interface Description documents on the Kemp documentation page: https://kemptechnologies.com/documentation.
This document is intended to be read by anyone who is interested in deploying an HA pair of LoadMasters in CenturyLink Cloud.
When using LoadMaster native cloud HA on CenturyLink, HA operates in almost the same way as it does on non-cloud platforms. However, there are some key differences, which are listed below:
- LoadMaster HA for CenturyLink involves two LoadMasters that synchronize settings bi-directionally. Changes made to the master (active) are replicated to the slave (standby).
- The replication (synchronization) of settings (from master to slave) is not instant in all cases and may take a few moments to complete.
- When synchronizing the Virtual Services from master to slave, any IP addresses matching the master's IP address are replaced with the slave's IP address. Likewise, when synchronizing from slave to master, the slave's IP address is replaced with the master's IP address.
- When synchronizing the GEO settings from master to slave, any Fully Qualified Domain Name (FQDN) or cluster IP addresses matching the master's IP address are replaced with the slave's IP address. Likewise, when synchronizing from slave to master, the slave's IP address is replaced with the master's IP address.
- All user-defined settings are synchronized, with the exception of the following:
  - Default gateway (both IPv4 and IPv6)
  - IP addresses and netmasks
  - Name server
  - Admin default gateway
  - Administrative certificate settings (.cert and .pem files)
  - Network interface settings: Link Status, MTU, and additional addresses
  - Virtual LAN (VLAN) configuration
  - Virtual Extensible LAN (VXLAN) configuration
  - Additional routes
- Cloud HA LoadMasters do not have a "force update" option.
- The HA Check Port must be set to the same port on both the master and slave units for HA to work correctly.
Refer to the High Availability (HA) Feature Description on the Kemp Documentation Page for a complete description of non-cloud LoadMaster HA.
There are some prerequisites to be aware of before following the steps in this document:
- You should be familiar with the operation of CenturyLink. For further information on CenturyLink cloud:
- If not already done, create a Kemp ID at the registration page: https://kemptechnologies.com/kemp-id-registration/
- You must have internet access to license the LoadMasters.
- A CenturyLink virtual network must be created in a data center to place the LoadMaster Virtual Machines (the data center must support CenturyLink internal load balancer "advanced capabilities").
- LoadMasters must be deployed on the same virtual network within CenturyLink Cloud.
- A CenturyLink Internal Load Balancer must be deployed to create the HA pair.
- The following ports must be open on each of the LoadMasters in the HA pair:
  - TCP Port 22 for SSH Access
  - TCP Port 443 or 8443 for Web User Interface (WUI) management access
- Application Virtual Machines are installed and configured.
The HA Check Port must be set to the same port on both the master and slave units for HA to work correctly. The same port must be configured as a custom health check on the internal load balancer.
The steps in this document were correct at the time of writing. However, the CenturyLink interface changes regularly so please refer to the CenturyLink documentation for up-to-date steps, if needed.
A CenturyLink Internal Load Balancer must be deployed to monitor the health of the LoadMasters and direct traffic accordingly. The LoadMasters must be deployed prior to the creation of a CenturyLink Internal Load Balancer.
The following procedure describes how to set up a CenturyLink Load Balancer from the CenturyLink portal:
The CenturyLink data center must support Advanced Capabilities. These data centers are marked with an asterisk (*).
1. From the CenturyLink Control Portal, click Network and Load Balancer.
2. Click create load balancer.
3. Provide the necessary information for the load balancer:
a) Select a location (data center) that has advanced capabilities (marked with *). This data center must be the same as the data center of the LoadMasters being set up for HA.
b) Provide a unique name for the load balancer.
c) Provide a description for the load balancer.
4. Click create load balancer.
It may take some time for the Internal Load Balancer to propagate.
There are some settings that must be configured to provide high availability of the LoadMasters:
- Create a pool and add the LoadMasters to the pool.
- Create a Custom Healthcheck to monitor the health of the LoadMasters.
The pool is a collection of virtual machines (LoadMasters) which is load balanced to provide high availability.
1. Select the newly created CenturyLink load balancer (created in the previous section).
2. Click add pool.
3. Provide the necessary information for the pool:
a) Select a mode (protocol) and port for the workload being published.
b) Keep the default method of round robin.
c) Keep the default persistence of None.
4. Change the default health check to custom, and:
a) Set the target port to 8444 and HTTP.
b) Set the http health check request to GET and /.
c) Set the health check interval (sec) to 5.
d) Set the unhealthy threshold to 2.
e) Set the unhealthy threshold to 2.
f) Set server weights to off.
5. Click add node.
6. Provide the necessary information for the node:
a) Type the Virtual Service IP address of the first Kemp LoadMaster.
b) Type the Virtual Service (workload) port.
c) Set the health check to default.
7. Click add node and enter the details for the second Kemp LoadMaster Virtual Services.
8. Click add pool to add any additional ports, as required.
To configure the LoadMaster for HA, follow the steps outlined in the sections below:
1. Log in to the Kemp LoadMaster. This LoadMaster will be set as the master.
2. In the main menu, go to System Configuration > CenturyLink HA Parameters.
3. Select Master HA Mode in the set HA Mode drop-down list.
4. Select the desired option in the Switch to Preferred Server drop-down list:
- No Preferred Host: Each unit takes over when the other unit fails. Switchover is not performed when the partner is restarted.
- Prefer Master: The HA1 (master) unit always takes over. This is the default option.
5. Type the internal address of the slave LoadMaster unit in the Partner Name/IP text box and click Set Partner Name/IP.
6. Type 8444 as the Health Check Port and click Set Check Port.
The Health Check Port must be set to 8444 on both the master and slave units for HA to function correctly.
7. Then, access the WUI of the slave unit. Complete the following steps in the slave unit but select Slave HA Mode as the HA Mode instead:
a) In the main menu, go to System Configuration > CenturyLink HA Parameters.
b) Type the internal address of the slave LoadMaster unit in the Partner Name/IP text box and click Set Partner Name/IP.
HA does not work if both units have the same value selected for the HA Mode.
8. After configuring both LoadMasters, reboot both units (System Configuration > System Administration > System Reboot > Reboot).
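To confirm from a host on the same virtual network that both units answer the check the pool was given (HTTP GET / on port 8444, every 5 seconds, unhealthy threshold 2), the following added example replays that check. It is not Kemp or CenturyLink code; treating a 2xx/3xx status as healthy and dropping a node after 2 consecutive failures are assumptions about how the balancer applies these settings, and the node addresses are whatever you pass in.

```python
import http.client
import time

HA_CHECK_PORT = 8444       # must be identical on both units and on the pool health check
INTERVAL_SEC = 5           # pool setting: health check interval
UNHEALTHY_THRESHOLD = 2    # pool setting: consecutive failures before a node is dropped

def probe(host, port=HA_CHECK_PORT, timeout=3.0):
    """Issue the pool's custom health check: HTTP GET / against the HA check port."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        return 200 <= conn.getresponse().status < 400   # assumption: 2xx/3xx is healthy
    except (OSError, http.client.HTTPException):
        return False                                     # refused, timed out, or not HTTP
    finally:
        conn.close()

def watch(nodes, rounds, interval=INTERVAL_SEC, port=HA_CHECK_PORT, probe_fn=probe):
    """Probe every node once per round; returns {node: [result per round, oldest first]}."""
    history = {node: [] for node in nodes}
    for i in range(rounds):
        for node in nodes:
            history[node].append(probe_fn(node, port))
        if i < rounds - 1:
            time.sleep(interval)
    return history

def in_rotation(history, threshold=UNHEALTHY_THRESHOLD):
    """Nodes that have not yet failed `threshold` checks in a row (assumed drop rule)."""
    keep = []
    for node, results in history.items():
        recent = results[-threshold:]
        if len(recent) < threshold or any(recent):
            keep.append(node)
    return keep
```

Run `in_rotation(watch([master_ip, slave_ip], rounds=3))` with the internal addresses of the two units; a unit that never appears in the result is not answering on the check port the pool expects.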
When HA is enabled on both devices, changes made to the Virtual Services in the master unit are replicated in the slave.
If a unit is in standby mode, WUI access is restricted to Local Administration only. Full WUI access is available if the unit is in an active or unchecked state.
You can tell, at a glance, which unit is the master, and which is the slave, by checking the mode in the top bar of the LoadMaster.
The current status of each LoadMaster, when HA is enabled, is shown as follows:
Do not downgrade from firmware version 7.2.36 or higher to a version below 7.2.36. If you do this, the LoadMaster becomes inaccessible and you cannot recover it.
You should never have two LoadMasters with different firmware versions paired as HA in a production environment. To avoid complications, follow the steps below in sequence and do not perform any other actions between the steps. Upgrade/downgrade during a maintenance window and expect service disruption because there are reboots.
The following steps are high-level. For detailed step-by-step instructions on how to upgrade the LoadMaster firmware, refer to the Updating the LoadMaster Software Feature Description on the Kemp Documentation Page.
To upgrade the LoadMaster firmware, follow these steps in sequence:
1. Upgrade the LoadMaster firmware on the ACTIVE unit (A). Unit (B) takes over as ACTIVE when unit A reboots.
2. Upgrade the LoadMaster firmware on unit B. When unit B reboots, unit A becomes ACTIVE.
After these steps are completed, the upgrade is finished. Both HA units are up, unit A is in the ACTIVE state and unit B is in the STAND-BY state.
To downgrade the LoadMaster firmware, follow these steps in sequence:
1. Ensure the master unit is in the ACTIVE state and the slave is in the STAND-BY state.
2. On both LoadMasters, set the Switch to Preferred Server drop-down list to Prefer Master (this is in System Configuration > HA Parameters or Local Administration > HA Parameters).
3. Downgrade the LoadMaster firmware on the slave unit. When the slave unit reboots, it remains in the STAND-BY state and it has the full menu WUI.
4. Downgrade the LoadMaster firmware on the master unit. When the master unit reboots, the slave unit temporarily becomes ACTIVE and returns to the STAND-BY state after the master has rebooted.
After these steps are complete, the downgrade is finished. Both HA units are up, the master is in the ACTIVE state, and the slave is in the STAND-BY state.
You can leverage GEO or Global Server Load Balancing (GSLB) to provide HA for LoadMasters in data centers that do not provide the CenturyLink Internal Load Balancer "advanced capabilities". This approach works quite differently, by leveraging intelligent DNS rather than the CenturyLink Internal Load Balancer.
Before we configure GEO LoadMaster for HA, take a look at the protocol workflow.
The following diagram provides a visual overview of the process:
When the client initiates a request for an application, the following actions take place to achieve HA:
1. The client requests name resolution to access the service or application.
2. A Domain Name Server (DNS) entry for the service or application endpoint (URL, for example, app.kempdemo.com) is delegated to GEO LoadMaster devices.
3. The LoadMaster uses GEO functionality to determine the health status of each participating LoadMaster and Virtual Service. This is done along with the configured load balancing mechanism, such as round robin or location based, to determine which CenturyLink endpoint IP address the request should resolve to.
4. The client receives a DNS response for which service IP to connect to.
5. The client application connects to a resolved IP address.
6. The LoadMaster forwards the request to the application servers according to the configured load balancing mechanism and server health state.
Some requirements to be aware of when deploying a LoadMaster in CenturyLink are below:
- You must have internet access to license the LoadMasters.
- A public IP address is required for each of the LoadMasters in the HA pair.
- The following ports must be open on each of the LoadMasters in the HA pair:
  - TCP port 22 for SSH access
  - TCP port 443 or 8443 for Web User Interface (WUI) management access
  - UDP and TCP port 53 for inbound DNS queries to the GEO LoadMaster
- The application virtual machines must be installed and configured.
There is a GEO option that is not contained in the Global Balancing main menu option - Use for GEO Responses and Requests. You can get to this setting by going to System Configuration > Network Setup and selecting the relevant interface.
By default, only the default gateway interface is used to listen for and respond to DNS requests. This field gives you the option to listen on additional interfaces. When this option is enabled, GEO also listens on any Additional addresses that are configured for the interface.
This option cannot be disabled on the interface containing the default gateway. By default, this is eth0.
Virtual Services are not synchronized between LoadMasters configured with GEO. Each LoadMaster must be configured with the identical Virtual Services for the published workload.
GEO settings can be synchronized between LoadMasters to simplify the configuration. Follow the steps below in the LoadMaster WUI:
1. In the main menu, select Certificates & Security and Remote Access.
2. Under GEO Settings complete the following fields:
a) For Remote GEO LoadMaster Access, type the IP address of the other LoadMaster in the HA pair and click Set GEO LoadMaster Access.
b) For GEO LoadMaster Partners, type the IP address of the other LoadMaster in the HA pair and click Set GEO LoadMaster Partners.
c) For GEO LoadMaster Port, keep the default port (22).
d) Ensure the correct GEO Update Interface is selected.
Repeat these steps on the second LoadMaster in the HA Pair. When both LoadMasters are configured with the remote IP address set, the Partner Status should show Green.
For further details on GEO, refer to the GEO Feature Description on the Kemp Documentation page.
To configure Global Balancing on the Kemp LoadMaster to provide HA, follow the steps below in the LoadMaster WUI on the primary LoadMaster:
1. In the main menu, select Global Balancing.
2. Select Manage FQDN.
3. Type the Fully Qualified Domain Name (FQDN) of the workload and click Add FQDN.
4. Select Fixed Weighting under Selection Criteria.
5. Enter the Virtual Service public IP address for the primary LoadMaster and click Add Address.
6. Set Checker to Tcp Connect and type the port used by the Virtual Service.
7. Click Set Addr.
8. Type the Virtual Service public IP address for the secondary LoadMaster and click Add Address.
9. Set Checker to Tcp Connect and type the port used by the Virtual Service.
10. Click Set Addr.
11. Set Weight for the secondary LoadMaster to 1 and click Set Weight.
The LoadMasters in this configuration are responsible for resolving the FQDN, so the SOA parameters should be complete:
1. In the main menu, select Global Balancing.
2. Select Miscellaneous Params.
3. Configure the following settings:
The name of the zone when using DNSSEC. This should be left blank if you are not using DNSSEC.
Source of Authority
The name of the domain owner.
The name of the DNS server.
Email address of the person responsible for the zone and to which email may be sent to report errors or problems. This is the email address of a suitable DNS administrator but more commonly the technical contact for the domain.
By convention (in RFC 2142) it is suggested that the reserved mailbox hostmaster is used for this purpose but any valid email address will work.
The format is <MailboxName>.<Domain>.com, for example, hostmaster.example.com (uses a full stop (.) rather than the usual @ symbol because the @ symbol has other uses in the zone file) but mail is sent to email@example.com.
TTL (value: 1): Time To Live (TTL), which is measured in seconds, defines how long a DNS answer is valid for.
4. Enter the following settings for Resource Check Parameters:
- Check Interval = 9
- Connection Timeout = 4
- Retry attempts = 2
5. Enter the following setting for Stickiness:
- Stickiness = 0
After the LoadMaster configuration is complete, delegation of DNS must be performed. This differs depending on the DNS provider.
1. A new entry (sometimes called a node) must be created under the parent zone.
2. The node must have both LoadMasters configured as name servers.
For further information on DNS delegation, refer to the GEO Feature Description on the Kemp Documentation page.
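Once the delegation is in place, each LoadMaster can be queried directly to confirm it answers for the FQDN with one of the Virtual Service public IP addresses and the configured TTL of 1. The following is an added example, not Kemp code; it sends a non-recursive A query over UDP 53 and checks the reply, and the function names and the expectation that a delegated name server sets the authoritative (AA) flag are assumptions of this example.

```python
import secrets
import socket
import struct

def build_query(fqdn, qtype=1):
    """Non-recursive (RD=0) query for an A record, as a delegated name server receives it."""
    header = struct.pack("!HHHHHH", secrets.randbits(16), 0, 1, 0, 0, 0)
    labels = fqdn.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def skip_name(msg, off):
    while True:                       # walk labels until the root label or a pointer
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    _tid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    a_records = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            a_records.append((socket.inet_ntoa(msg[off:off + 4]), ttl))
        off += rdlen
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "a": a_records}

def query_geo(server_ip, fqdn, timeout=4.0):
    query = build_query(fqdn)          # sent straight to one LoadMaster on UDP 53
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction ID mismatch")
    return parse_response(data)

def assess(reply, vs_ips, max_ttl=1):
    """Findings for one reply; an empty list means it matches the GEO setup."""
    findings = [] if reply["rcode"] == 0 else [f"rcode {reply['rcode']}"]
    if not reply["aa"]:
        findings.append("answer not authoritative")
    if not reply["a"]:
        findings.append("no A record returned")
    findings += [f"unexpected address {ip}" for ip, _ in reply["a"] if ip not in vs_ips]
    findings += [f"TTL {ttl} exceeds {max_ttl}" for _, ttl in reply["a"] if ttl > max_ttl]
    return findings
```

Call `assess(query_geo(lm_public_ip, fqdn), {primary_vs_ip, secondary_vs_ip})` once per LoadMaster; both should return an empty list before the delegation is relied on.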
While the instructions above provide a basic overview of how to deploy a LoadMaster HA Pair in CenturyLink Cloud, they are not designed to be a comprehensive guide. This section identifies some of the many guides published on the resources section of our website. Unless otherwise specified, the following documents can be found at http://kemptechnologies.com/loadmaster-documentation.
Licensing, Feature Description
Web User Interface (WUI), Configuration Guide
This document was last updated on 19 March 2021.