...
There are multiple methods available to achieve DPOD HA/DR planning and configuration. These methods depend are determined based on the customer's requirements, implementation and infrastructure.
Terminology
Node stateState/mode - A DPOD nodes node can be in state one of the following states: Active (On and Performing , performing monitoring activities) / , Inactive (Off and Not perform , not performing any monitoring activities) / , DR Standby (On and Not perform , not performing monitoring activities).
Primary node Node - a A DPOD installation that will actively monitor monitors DataPower instances under normal circumstances (Active state).
Secondary node - an identical DPOD installation Node - A DPOD installation, identical to the Primary Node (In virtualized environments shared storage scenario it is the same image of as the primary node) - that is in DR Standby or Inactive state.
3rd party DR software - a A software tool that assist assists in identify the process of identifying when the primary node state has changed from active to inactive and initiate initiates the process of launching the secondary node as an active node .
DPOD Scalability vs. HA/DR
The DPOD architecture supports installing installation of multiple DPOD nodes for scalability - to support high throughput in case cases of high rate of transactions per second (TPS). However, this does not provide a solution for HA/DR requirements.
For simplicity, this document assumes that only one DPOD node is installed, but exactly the same scenarios and considerations apply for multiple nodes installations.
Important HA
...
/DR
...
Considerations
Consult your BCP/DR/System/Network Admin and address the following questions before selecting the which method(s) of HA/DR implementation with DPOD to use:
...
Is it cost effective to replicate DPOD's data, or is it acceptable to launch another instance of DPOD with configuration replication only?
...
2. The software used for Active/Passive scenario:
Does DPOD in your case run Will you run DPOD on a virtual infrastructure like VMware, or can you use VMware VMotion or Active\/Passive cluster management tools that can help identify and relaunch DPOD on a different cluster member?
...
3. You are expected to have an Active/Passive software or another mechanism in place to identify when a DPOD node becomes inactive, and launch a new one in an active cluster member.
...
5. Some DataPower architecture solutions (Active/Passive or Active/Active) effect DPOD configuration. If the DataPower IP address changes - then your DPOD configuration may need to change.
Does your DataPower architecture use an active/passive deployment? If so - will the passive DataPower have the same IP addresses address when it switches to active?
Common
...
Scenarios for
...
DPOD HA/DR Implementation
Scenario A: Active/Passive - DPOD's IP Address remains the same - Shared Storage
Assumptions:
- The customer has DataPower appliances deployed using either an Active/Passive, Active/Standby or Active/Active configuration. All DataPower appliances in any of these configurations have unique IP addresses.
- The customer has storage replication capabilities to replicate DPOD disks based on the disks’ replication policy described above.
- A primary DPOD node is installed once , and is configured to monitor all DataPower appliances (active, standby and passive). The secondary node will use the same disks on shared storage.
- All DPOD network services (NTP, SMTP, LDAP etc.) have retain the same IP addresses even after in a failover event (otherwise or else a post configuration script is required to be run by the DR software).The customer has storage replication capabilities to replicate DPOD disks based on the disks’ replication policy described above.
- The customer has a 3rd party software tool or scripts that can:
- Identify unavailability of the primary DPOD
...
- node.
- Launch a
...
- secondary DPOD node using the same IP address as the primary one (usually on a different physical hardware).
...
- The
...
- secondary DPOD node is not
...
- operating when business is as usual,
...
- as disks replication is required and
...
- the secondary node has the same IP address as the primary DPOD node.
- This scenario might not be suitable for high load implementations, as replication of DPOD data disk might not be acceptable.
During a disaster:
- The customer's DR software should Identify a failure in the DPOD primary node (e.g. by pinging an access IP, sampling the user interface URL or both).
- The customer's DR software should launch the passive DPOD secondary DPOD node using the same IP address as the failed primary server node (or change initiate changing the IP address if not already configured that way).
DPOD will be available in the following way:
- As the passive DPOD server secondary DPOD node has the same IP address, all all DataPower appliances will be able to access it.
- Since all DataPower appliances will have the same IP addresses - DPOD can continue to sample them.
- Since the passive DPOD server secondary DPOD node has the same IP address as the primary one, access to DPOD's console will be with retains the same URL.
Scenario B: Active/Passive – DPOD's IP Address changes - Shared Storage
Assumptions:
- The customer has DataPower appliances deployed using either an Active/Passive or Active/Stand-by configuration. All DataPower appliances in any of these configurations have unique IP addresses.
- The customer has storage replication capabilities to replicate DPOD disks based on the disks’ replication policy described above.
- A primary DPOD node is node is installed once , and is configured to monitor all DataPower appliances (active, standby and passive). . The secondary node will use the same disks on shared storage.
- All DPOD network services (NTP, SMTP, LDAP etc.) have retain the same IP addresses even after in a failover event (otherwise or else a post configuration post configuration script is required to be run by the DR software).
- The customer has storage replication capabilities to replicate DPOD disks based on the disks’ replication policy described above.The customer has a 3rd party software tool or scripts that can:
- Identify unavailability of the primary DPOD node.
- Launch a
...
- secondary DPOD
...
- node using a different IP address
...
- to the primary one (usually on a different physical hardware).
...
- The
...
- secondary DPOD node is not
...
- operating when business is as usual, since disks replication is required.
- This scenario might not be suitable for high load implementations, as replication of DPOD data disk might not be acceptable.
During a disaster:
- The customer's DR software should Identify a failure in DPOD's primary server node (e.g. by pinging an access IP, sampling the user interface URL or both).
- The customer's DR software should launch the passive secondary DPOD server node using a different IP address than to the failed primary server node (or change initiate changing the IP address if not already configured that way).
- The customer's DR software should execute a command/script to change DPOD's IP address.
- The customer's DR software should change the DNS name for the DPOD servernode's web console to reference an actual IP address or use an NLB in front of both DPOD web consoles.
- The customer's DR software should disable all DPOD log targets, update DPOD host aliases and re-enable all log targets in all DataPower devices. This is done by invoking a REST API call to DPOD.
(See "refreshAgents" API under Devices REST API).
DPOD will be available in the following way:
- Although the secondary DPOD node has a different IP address, all the DataPower appliances will still be able to access it since their internal host aliases pointing to DPOD will be replaced (step 5 above).
- As all DataPower appliances retain the same IP addresses - the passive secondary DPOD server node that was just became made active can continue to sample them.
- Although the secondary DPOD node has a different IP address, all users can access DPOD’s web console because its DNS name has been changed or it is behind an NLB (step 4 above).
Scenario C: Active/Standby –
...
Two separate DPOD
...
installations with no shared storage
Assumptions:
- The customer has DataPower appliances deployed using either an Active/Passive or Active/Stand-by configuration. All DataPower appliances in any of these configurations have unique IP addresses.
- Two DPOD servers nodes are installed (requires DPOD version 1.0.5 +), one operates as the active Active node and the other one as standby nodeStandby. After installing the standby secondary DPOD node, it must be configured as a standby nodeto run in Standby state. See "makeStandby" API under DR REST API.
- Both DPOD servers nodes should have the same environment name. The environment name is set by the customer during DPOD software deployment or during upgrade, and and is visible at in the top navigation bar (circled in red in the image below):
- When the DPOD node is in a DR Standby mode, a message label is shown displayed next to the environment name in the Web Console. A refresh (F5) may be required to reflect recent changes if the makeStandby API has just been executed, or when the DPOD status has changed from active to standby or vice versa. See the image below:
- As both nodes are up, no configuration or data replication can exist in this scenario. The customer is expected to configure each DPOD node as a standalone including all system parameters, security groups / roles/ LDAP parameters/ Certificates, custom reports and reports scheduling, custom alerts and alerts scheduling, maintenance plan and user preferences. DPOD is not performing any configuration synchronization.
- Importantly, the customer must add DataPower instances to each installation in order to monitor all DataPower Devices (active, standby and passive). Since Starting with DPOD v1.0.5 a new REST API may be utilized to add a new DataPower device to DPOD without using the UI (see Devices REST API). As both servers are up, no configuration or data replication can exist in this scenario. Especially, customer must add The customer must add DataPower instances to the standby DPOD server node and set the agents for each device from the Device Management page in the web console (or by using the Devices REST API). Setting up the devices in the standby DPOD server node will not make any changes to the monitored DataPower devices (no log targets, host aliases or configuration changes will be made).
- All DPOD network services (NTP, SMTP, LDAP etc.) have the same IP addresses even after failover (otherwise a post configuration script is required to be run by the DR software).
- The customer has a 3rd party software tool or scripts that can:
- Identify unavailability of the primary DPOD node.
- Change the state of the secondary node (that is in standby state) to Active state
- The standby DPOD server node can still be online as disk replication is not required.
- This scenario will not provide High Availability for data. To load data from the Primary node, the customer is required to restore backups taken from primary nodes.
- During state transition of the Secondary DPOD from Active back to Standby there might be some data loss.
During a disaster:
- The customer's DR software should Identify a failure in DPOD primary server node (e.g. by pinging an access IP, sampling the user interface URL or both).
- The customer's DR software should enable the standby DPOD server node by calling the "standbyToActive" API (see DR REST API). This API will point DPOD's log targets and host aliases of the monitored devices to the standby server node and enable most timers timer based services (e.g. Reports, Alerts ...) on the secondary serversnodes.
- The customer's DR software should change the DNS name for the DPOD servernode's web console to reference an actual IP address or use an NLB in front of both DPOD web consoles.
DPOD will be available in the following way:
- Although the standby secondary DPOD server node has a different IP address, all the DataPower appliances will still be able to access it since their internal host aliases pointing to DPOD will be replaced (step 2 above).
- As all DataPower appliances retain the same IP addresses - DPOD can continue to sample them.
Although the
secondarysecondary DPOD node has a different IP address, all users can access DPOD’s web console because its DNS name has been changed or it is behind an NLB (step 3 above).
Note -Note All Data from the originally Active DPOD will not be available!
In a "Return to Normal" scenario:
- Right after re-launching the primary servernode, make a call to the "standbyToInactive" API (see DR REST API) to disable the standby servernode.
- Call the "activeBackToActive" API (see DR REST API) to re-enable the primary server - this node. This will point DPOD's log targets and host aliases on the monitored devices back to the primary DPOD servernode.
- The customer's DR software should change the DNS name for the DPOD servernode's web console to reference an actual IP address or use an NLB in front of both DPOD web consoles.
- During state transition of the Primary node from Active to Standby there might be some data loss.
Scenario D: Limited Active/Active –
...
Two separate DPOD
...
installations with no shared storage
Assumptions:
- The customer has DataPower appliances deployed using either an Active/Passive, Active/Active or Active/Stand-by configuration. All DataPower appliances in any of these configurations have unique IP addresses.
- Two DPOD servers nodes are installed (both are v1.0.5+), both operate as the activerunning in Active state.
- Both DPOD servers should nodes must have the different environment namenames. The environment name is set by the customer during DPOD software deployment, and is visible at the top navigation bar (circled in red in the image below):
. - Both DPOD servers nodes are configured separately to monitor all DataPower Devices (active, standby and passive). Since Starting with DPOD v1.0.5 a new REST API may be utilized to add a new DataPower device to DPOD without using the UI (see Devices REST API). As both servers nodes are up, no configuration replication can exist in this scenario.
- As both nodes are up, no data replication can exist in this scenario. The customer is expected to configure each DPOD node as a standalone deployment, including all system parameters, security groups / roles/ LDAP parameters / Certificates, custom reports and reports scheduling, custom alerts and alerts scheduling, maintenance plan and user preferences. DPOD is not performing any configuration synchronization.
- The customer added DataPower devices Importantly, the customer must add DataPower instances to each installation to monitor all DataPower Devices (active, standby and passive). Starting with DPOD v1.0.5, a new REST API may be utilized to add a new DataPower device to DPOD without using the UI (see Devices REST API). The customer must add DataPower instances to the standby DPOD server node and set the agents for each device from the Device Management page in the web console (or by using the Devices REST API). Setting up the devices in the standby DPOD server node will not make any changes to the monitored DataPower devices (no log targets, host aliases or configuration changes will be made). Customer ).
- All DPOD network services (NTP, SMTP, LDAP etc.) have the same IP addresses.
- The customer added DataPower devices to the standby DPOD node and set the agents for each device from the Device Management page in the web console (or by using the Devices REST API). The customer is expected to replicate all configurations and definitions for each installation. DPOD is not replication replicates neither data nor configurations/definitions.
- All DPOD network services (NTP, SMTP, LDAP etc.) have the different IP addresses .
- Important! - Since the two installations are completely independant independent and no data is replicated this may lead to - data inconsistency may follow, as once one may capture information while the other is shut down in Down state for maintenance or even started in different time. This might affect reports and alerts.
- Important! - Each DPOD installation will create 2 log targets for each domain 2 log targets. If one DataPower is connected to 2 DPODs than - then for each domain you will need 4 log targets. As DataPower have a limitation of ~1000 log targets starting FW 7.6 than , the customer must be aware notreach limitation of log targetstake care to not reach the log targets limit.
- All logs and information will be sent twice over the network thus network bandwidth will be doubled !
During a disaster:
- The customer's DR software should Identify a failure in DPOD primary server (e.g. by pinging access IP, sampling user interface URL or both)No action is required. The DataPower instance will push data to both instances.
...
DPOD will be available in the following way:
...
- The active node will continue to operate as it was operating before.
- All users can access DPOD’s web console because its DNS name has been changed or it is behind an NLB (step 3 above)as it was accessible before the disaster.
- Note - All Some Data from the originally Active DPOD will not be available! available
In a "Return to Normal" scenario:
- Right after re-launching the primary server, call the "standbyToInactive" API (see DR REST API) to disable the standby server.
- Call the "activeBackToActive" API (see DR REST API) to re-enable the primary server - this will point DPOD's log targets and host aliases on the monitored devices back to the primary DPOD server.
- The customer's DR software should change the DNS name for the DPOD server's web console to reference an actual IP address or use an NLB in front of both DPOD web consoles.No action is required. The DataPower instance will push data to both instance
- The data gathered throughout the disaster period can not be synced back to the recovered node
Backups
To improve product recovery, an administrator should perform regular backups as described in the backup section.
...