If multiple Access Gateway and Identity Server instances have been created and configured for clustering, you can configure an AWS EC2 load balancer for each cluster to balance the load of incoming requests across the clustered instances. A separate load balancer is used for an Identity Server cluster and an Access Gateway cluster.
The following procedures note where the configuration details differ between the Identity Server load balancer and the Access Gateway load balancer.
Repeat the steps in Creating Target Groups, Creating an Elastic IP Address, and Creating a Load Balancer, and create separate target groups, elastic IP addresses, and load balancers for the Identity Server and Access Gateway clusters.
## Creating Target Groups

A target group provides a way to associate the load balancer with the IP addresses of the instances (targets) among which the load will be distributed.

IMPORTANT: For each load balancer, create two target groups: one for HTTP and one for HTTPS.

For more information about target groups, see Target group.

Perform the following steps to create a target group:

1. In the EC2 Dashboard, click Target Groups under LOAD BALANCING.
2. Click Create target group.
3. Specify the following details:

| Field | Description |
|---|---|
| Target group name | Specify a name for the target group. |
| Protocol | Select TCP. |
| Port | Specify the port on which the server is configured for listening. IMPORTANT: You need to create two separate target groups for each load balancer, one for HTTP and one for HTTPS.<br>For Access Gateway, specify the following values:<br>For an Identity Server listening on the default ports of 8080/8443, specify the following values:<br>You can use iptables to configure the listeners on Identity Server to use other ports. See Translating Identity Server Configuration Port. |
| Target type | Select ip. |
| VPC | Select the same VPC that you selected for the instances of the Access Manager components. |
| Health Check Settings | |
| Protocol | When creating a target group for the HTTPS protocol, select HTTPS. When creating a target group for the HTTP protocol, select HTTP. The load balancer uses this protocol when performing health checks. |
| Path | Specify the destination path for health checks. For Identity Server, specify /nidp/app/heartbeat. For Access Gateway, specify /nesp/app/heartbeat. |
| Advanced health check settings | Keep the default values. |
4. Click Create.
5. Enable session stickiness:
   a. Select the target group you have created.
   b. In the Description tab, click Edit attributes.
   c. Select Enable for Stickiness.
6. Add the IP addresses of the instances (targets) among which the load will be distributed:
   a. In the edit mode, select the Targets tab, and then click Edit.
   b. Click the + (Register targets) icon.
   c. Specify the following details:

| Field | Description |
|---|---|
| Network | Populated with the VPC that you selected under VPC in Step 3. |
| IP | Specify the private IP address of the Identity Server or Access Gateway instance (target) that you want to register with the load balancer. |
| Port | Populated with the port value that you specified for Port in Step 3. |

   d. Click Add to list.
   e. Click Register.
   f. Repeat Step 6.b to Step 6.e to add the other instances of the same component type that you want to include in the load balancer.
## Creating an Elastic IP Address

An elastic IP address is a public IPv4 address that is reachable from the Internet. Elastic IP addresses are used as the listeners for the load balancers.

1. Click Services > EC2.
2. Click Elastic IPs.
3. Click Allocate new address.
4. Click Allocate.
   A static IPv4 address that is not used by any other resource is allocated.
5. Click Close.
## Creating a Load Balancer

Perform the following steps to create a load balancer:

1. In the left menu, click Load Balancers.
2. Click Create Load Balancers.
3. Click Create under Network Load Balancer.
4. Specify the following details:

| Field | Description |
|---|---|
| Name | Specify a name for the load balancer. |
| Scheme | Select internet-facing. |
| Listeners | Specify the listener ports as follows:<br>For Identity Server: click Add listener and specify the following:<br>For Access Gateway: click Add listener and specify the following: |
| Availability Zones | |
| Tags | Do not make any change. |
5. Click Next: Configure Routing.
6. Under Target group, specify the following details:

| Field | Description |
|---|---|
| Target group | Select Existing target group. |
| Name | Select a target group from the list. You can select only one target group. For example, select the target group that you created for the HTTP protocol. After creating the load balancer, you must modify the listener on port 8443 to use the target group that is configured for the HTTPS protocol. See Step 12 of this section. |
| Protocol | Populated with the value configured in the selected target group. Review it to ensure that the value is listed correctly. |
| Port | Populated with the value configured in the selected target group. Review it to ensure that the value is listed correctly. |
| Target type | Populated with the value configured in the selected target group. Review it to ensure that the correct value is listed. |
7. Under Health Checks, review the following details:

| Field | Description |
|---|---|
| Protocol | Populated with HTTPS or HTTP, based on the configuration of the target group you selected in Step 6. See Creating Target Groups. |
| Path | Populated with the health URL that you configured in the target group selected in Step 6. See Creating Target Groups. |
| Advanced health check settings | Keep the default values. |

8. Click Next: Register Targets.
   The list of all targets registered with the selected target group is displayed. You can modify this list only after creating the load balancer.
9. Click Next: Review.
10. Verify that the load balancer details are correct.
11. Click Create and then click Close.
12. Update the listener ports to use the appropriate target groups:
    a. Select the load balancer you have created.
    b. Select the Listeners tab.
       By default, both listeners (HTTP and HTTPS) are configured to forward to the same target group that you selected in Step 6 > Name.
    c. Select the HTTPS listener (8443 for Identity Server or 443 for Access Gateway).
    d. Click Actions > Edit to change the target group of the HTTPS listener.
    e. In Default target group, select the HTTPS target group for that component type (Identity Server or Access Gateway).
    f. Click Save.
NOTE: For scaling recommendations, see Recommendations for Scaling Access Manager Components in Public Cloud.
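As an added check that is not part of this documentation, the following Python script audits the outcome of the procedure above against the layout it describes: target type ip, the heartbeat health-check path for the component, session stickiness enabled, and the HTTPS listener forwarding to the HTTPS target group (the state Step 12 produces) rather than sharing the HTTP group with the HTTP listener. It reads dictionaries in the shape returned by `aws elbv2 describe-target-groups`, `describe-target-group-attributes` and `describe-listeners`; the ARNs, target group names and sample values below are constructed for the example.

```python
HEALTH_PATH = {"idp": "/nidp/app/heartbeat", "ag": "/nesp/app/heartbeat"}
HTTPS_PORT = {"idp": 8443, "ag": 443}  # HTTPS listener port for each component type

def audit(component, listeners, target_groups, tg_attributes):
    """Return a list of findings; an empty list means the wiring matches the procedure."""
    findings = []
    tgs = {tg["TargetGroupArn"]: tg for tg in target_groups}
    for arn, tg in tgs.items():  # per target group: target type, health path, stickiness
        name = tg["TargetGroupName"]
        if tg["TargetType"] != "ip":
            findings.append(f"{name}: target type must be ip, found {tg['TargetType']}")
        if tg["HealthCheckPath"] != HEALTH_PATH[component]:
            findings.append(f"{name}: health check path should be {HEALTH_PATH[component]}")
        if tg_attributes.get(arn, {}).get("stickiness.enabled") != "true":
            findings.append(f"{name}: session stickiness is not enabled")
    seen = {}
    for lst in listeners:  # per listener: the HTTPS listener must forward to the HTTPS group
        port, arn = lst["Port"], lst["DefaultActions"][0]["TargetGroupArn"]
        tg = tgs.get(arn)
        if tg is None:
            findings.append(f"listener {port}: forwards to an unknown target group")
            continue
        expected = "HTTPS" if port == HTTPS_PORT[component] else "HTTP"
        if tg["HealthCheckProtocol"] != expected:
            findings.append(f"listener {port}: forwards to {tg['TargetGroupName']} "
                            f"({tg['HealthCheckProtocol']} health check), expected the {expected} group")
        if arn in seen:
            findings.append(f"listeners {seen[arn]} and {port} share {tg['TargetGroupName']}")
        seen[arn] = port
    return findings

# Constructed sample: an Identity Server NLB right after creation, both listeners on the HTTP group
ARN_HTTP = "arn:aws:elasticloadbalancing:eu-west-1:111122223333:targetgroup/idp-http/0000000000000001"
ARN_HTTPS = "arn:aws:elasticloadbalancing:eu-west-1:111122223333:targetgroup/idp-https/0000000000000002"
TARGET_GROUPS = [
    {"TargetGroupArn": ARN_HTTP, "TargetGroupName": "idp-http", "Port": 8080, "TargetType": "ip",
     "HealthCheckProtocol": "HTTP", "HealthCheckPath": "/nidp/app/heartbeat"},
    {"TargetGroupArn": ARN_HTTPS, "TargetGroupName": "idp-https", "Port": 8443, "TargetType": "ip",
     "HealthCheckProtocol": "HTTPS", "HealthCheckPath": "/nidp/app/heartbeat"},
]
ATTRIBUTES = {arn: {"stickiness.enabled": "true", "stickiness.type": "source_ip"}
              for arn in (ARN_HTTP, ARN_HTTPS)}
LISTENERS = [{"Port": p, "Protocol": "TCP", "DefaultActions": [{"Type": "forward", "TargetGroupArn": ARN_HTTP}]}
             for p in (8080, 8443)]

def fixed_listeners():
    """The same listeners after Step 12: port 8443 now forwards to the HTTPS target group."""
    return [dict(l, DefaultActions=[{"Type": "forward", "TargetGroupArn": ARN_HTTPS}])
            if l["Port"] == 8443 else l for l in LISTENERS]
```

Running `audit("idp", LISTENERS, TARGET_GROUPS, ATTRIBUTES)` reports the shared-target-group state; `audit("idp", fixed_listeners(), TARGET_GROUPS, ATTRIBUTES)` returns no findings.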