Single Master, Multiple Workers, and a High-availability Database

In this scenario, which deploys Intelligence with high availability on the ArcSight Database, you have a single master node connected to three worker nodes and a cluster for the ArcSight Database. This scenario supports an environment with modest EPS and minimal number of nodes. However, it allows for futher scaling with multiple worker nodes. Each worker node runs on a separate, dedicated, connected host. All nodes have the same operating system. The Kubernetes cluster for Intelligence includes Fusion, which provides ArcSight SOAR, and Transformation Hub.

Diagram of this Scenario
Characteristics of this Scenario
Guidance for Node Configuration

If this scenario resembles your intended deployment, you might want to use the example-install-config-intelligence-scale_db.yaml config file with the ArcSight Platform Installer. For more information about the yaml files, see Using the Configuration Files in the Administrator's Guide for ArcSight Platform.

Diagram of this Scenario

Figure3. Example deployment of Intelligence and Recon

examaple of Intelligence with a scalable database

Characteristics of this Scenario

This scenario has the following characteristics:

The Kubernetes cluster overall is not highly available since it is deployed with only one master node.
A FQDN hostname for a virtual IP is used so that clients accessing master nodes have a single reliable hostname to connect to that will shift to whatever is the current primary master node. For example, yourdomain-ha.yourenterprise.net.
Transformation Hub's Kafka and ZooKeeper are deployed to all worker nodes with data replication enabled (1 original, 1 copy) so that they can tolerate a failure of a single node and still remain operational.
Intelligence services, Fusion, and Transformation Hub's platform and processing services are allocated across all worker nodes so that, if one of the nodes fails, Kubernetes can move all of the components to the other node and still remain operational.
The database cluster has three nodes with data replication enabled (1 original and 1 copy) so that it can tolerate a failure of a single node and remain operational.
For the NFS configuration, use an NFS server that has high availability capabilities so that it is not a single point of failure.

Guidance for Node Configuration

You need a minimum of nine physical or VM environments: three dedicated master nodes, three or more dedicated worker nodes, and a database cluster. You also need a customer-provisioned, highly-available NFS server (External NFS) and an SMTP server.

The following table provides guidance for deploying the Intelligence across multiple nodes to support a medium workload.

Node Name	Description	RAM	CPU Cores	Disk Space	Ports
Master Node `masternode1.yourenterprise.net`	OMT Management Portal (Optional) Fusion	256 GB	32	5 TB	OMT Management Portal Kubernetes NFS
Database Nodes 1-3 `databaseNN.yourenterprise.net`	Database	192 GB	24	28 TB	Database
Worker 1 `workernode1.yourenterprise.net`	Intelligence Fusion Transformation Hub	256 GB	32	5 TB	ArcMC Intelligence Kubernetes Transformation Hub
Worker 2 `workernode2.yourenterprise.net`	Intelligence Fusion Transformation Hub	256 GB	32	5 TB	ArcMC Intelligence Kubernetes Transformation Hub
Worker 3 `workernode3.yourenterprise.net`	Fusion Intelligence Transformation Hub	256 GB	32	5 TB	ArcMC Intelligence Kubernetes Transformation Hub