vCloud Automation Center 6 Load Balancer configuration

Every distributed vCloud Automation Center 6 installation involves configuring load balancing at several levels. As load balancers have historically been the responsibility of the network team, many virtualization/server admins are not comfortable with them. Further, if your load balancing request is not clear and detailed, the network team will send it back and ask for clarification and any missing details. This seems to give many cloud/virtualization admins a hard time when trying to complete a vCloud Automation Center 6 distributed install. To help the rest of us get the information we need to pass to the network team to configure the load balancing required for a vCAC distributed install, I will try to provide as much of the required detail as possible in this post.

Note: This is still applicable to vRealize Automation 6.x and vRealize Automation 7.x. Please note that vCloud Automation Center (vCAC) changed its name to vRA (vRealize Automation) after 6.0.

Let’s start by figuring out where we need to plug in our load balancers and which components we need to load balance. Here is a diagram that shows where load balancers fit in a vCAC distributed install:

[Diagram: vCAC Distributed install Load balancer]

Below is the required configuration for load balancing vCloud Automation Center 6 at each level:

vCloud Automation Center Appliance (VIP):

The vCAC Appliances will be set up in an Active/Active configuration with the settings below:

  • Transport Protocol: HTTPS (443)
  • Load balancing Method: Least Response Time
  • Enable session affinity or sticky session (Source IP or Cookies)
  • Health Check URL: https://<Your vCAC Appliance FQDN> (Ex: https://vcacapp01.vt.com)

IaaS Windows Virtual Machine (Model Manager and Web Service) – VIP:

  • Transport Protocol: HTTPS (443)
  • Load balancing Method: Least Response Time
  • Enable session affinity or sticky session
  • Health Check URL: https://<Your IaaS Web Machine FQDN> (Ex: https://iaasweb01.vt.com)

IaaS Windows Virtual Machine (Manager Service) – VIP:

  • Transport Protocol: HTTPS (443)
  • Load balancing Method: Failover
  • Session affinity or sticky session will not be set up for Manager Service, as it is active/passive and the passive node should have no requests sent to it at all.
  • Health Check URL: https://<Your Manager Service FQDN>/VMPS2 (Ex: https://iaasmgr01.vt.com/VMPS2)

[Diagram: vCAC Distributed Install Load Balancer]

A few more questions I have frequently encountered when discussing load balancers in a vCAC 6 environment:

  • Do you want to pass HTTPS right through to end server or terminate the HTTPS session at the load balancer?

Both configurations work, though I have noticed most customers go with a pass-through configuration, as it seems to be the easier one to achieve and it scales well, since it distributes the SSL termination workload across multiple VMs rather than having it processed solely by a single load balancer. On the other hand, the main advantage of SSL termination on the load balancer is that the load balancer can add extra security features at layer 7, as it can block requests that arrive on port 443 but are not HTTPS (please note this assumes your load balancer supports such a feature; F5, for example, does).

  • How do you configure session affinity/persistence for IaaS Web & vCAC Appliance?

Source IP seems to be used most often, being the easiest to set up and being available on most load balancers, though cookie-based affinity/persistence is another way of achieving the same result.

  • For “Manager Service” you indicate load balancing is failover. Will both servers be up and running and responding to a health monitor?

Manager Service is active/passive, where only a single Manager Service handles all the requests. The health monitor address provided will only be live on a single machine at a time. Manager Service is actually only running on one machine; it is off on the second machine and has to be started manually in case of failure.
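A pre-handoff check of the health monitor targets listed in this post, written as an added example (not code from the original post or from VMware): it probes each pool member's health check URL and flags a Manager Service pool where zero or more than one node answers. The pool names, the second node in each pool, and the `https_probe` and `check_pools` helpers are assumptions made for illustration.

```python
import http.client
import ssl
import urllib.request

# Tiers and health-check paths as listed in the post. The "01" hostnames are the
# post's examples; the "02" nodes are constructed for this example.
POOLS = {
    "vcac-appliance": {"mode": "active-active", "path": "/",
                       "members": ["vcacapp01.vt.com", "vcacapp02.vt.com"]},
    "iaas-web":       {"mode": "active-active", "path": "/",
                       "members": ["iaasweb01.vt.com", "iaasweb02.vt.com"]},
    "iaas-manager":   {"mode": "failover", "path": "/VMPS2",
                       "members": ["iaasmgr01.vt.com", "iaasmgr02.vt.com"]},
}


def https_probe(host, path, cafile=None, timeout=5):
    """True if https://host/path answers 2xx/3xx with a certificate that validates."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname checks stay on
    try:
        with urllib.request.urlopen(f"https://{host}{path}", timeout=timeout,
                                    context=ctx) as resp:
            return 200 <= resp.status < 400
    except (OSError, http.client.HTTPException):  # refused, timeout, TLS or HTTP error
        return False


def check_pools(pools, probe=https_probe):
    """Return {pool name: (ok, healthy members, reason)} for every pool."""
    report = {}
    for name, pool in pools.items():
        healthy = [m for m in pool["members"] if probe(m, pool["path"])]
        if pool["mode"] == "failover":
            # Active/passive: the monitor URL must be live on exactly one node.
            ok = len(healthy) == 1
            reason = f"{len(healthy)} node(s) answering, expected exactly 1"
        else:
            # Active/active: every member is expected to take traffic.
            down = [m for m in pool["members"] if m not in healthy]
            ok = not down
            reason = "all nodes answering" if ok else "not answering: " + ", ".join(down)
        report[name] = (ok, healthy, reason)
    return report


if __name__ == "__main__":
    for name, (ok, healthy, reason) in check_pools(POOLS).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

Pass `cafile` to `https_probe` when the nodes use certificates from an internal CA, so the check keeps validating them instead of skipping verification.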

  • What about DEM Worker & Proxy Agents?

For those who looked at the components involved in a vCAC distributed install, you will have noticed I have not mentioned the DEM Worker or Proxy Agents. Both of these components are Active/Active, but how the load is distributed to them is managed internally by vCAC and does not require any load balancer interaction, hence they were not mentioned earlier in this blog post.

Hope this helps at least one person save time getting the load balancing part of a vCAC distributed setup completed. If you are that person, please make my day and leave me a comment with your feedback.

Comments

  1. Great post! What do you recommend using: hardware- or software-based load balancing solutions for vCAC?

  2. Ivo, it seems to have always depended on what my customer is familiar with, as both seem to do as good a job, in particular as many of the hardware load balancer vendors are coming up with their own software versions. On the other hand, if you currently don’t have a load balancer and are looking for a cheaper alternative, software load balancers seem to come at a cheaper cost most of the time, and that in turn allows you to shed the extra cash on getting a redundant configuration and to protect it the same way you protect your other VMs. I have noticed software load balancers taking over lately due to these advantages.

  3. Jens Mattfeld says

    Hi, one question that I have in regard to load balancing. Can I put the IaaS Web Component and Manager Service on one VM? Meaning that I have 2 VMs with both Web Component and Manager Service installed and then set up the load balancers for each of them? How do the load balancers address the Web Component and the Manager Service then?

    thanks, Jens

  4. Hi Jens,

    I know that is supported and workable. Actually this is how they have done it in the reference architecture. You can load balance the Web server and leave the Manager Service without a load balancer, as you will have to fail it over manually anyway, or you can set up a different VIP for each service.

    Hope this helps.

    Thanks,
    Eiad

  5. Eiad:

    What do you, or your customers, do to ensure that only one instance of the manager service is running?

  6. Kalyan Ponugoti says

    Hi Eiad,

    What do we need to mention in “Iaas Server field” under the “Model Manager Data” tab when we install IaaS web and Model Manager components on the first server? Is that the VIP name or the same server where we are installing the components?

    Thanks,
    Kalyan

  7. Kalyan, That would be the VIP.

  8. Hi Eiad,

    I’m in the process of installing vRAC 6.2 in a distributed deployment. I have 3 load balancers (vRAC Appliance, IaaS Web and IaaS Mgr) configured. I’ve installed 2 vRAC nodes in HA/Cluster mode with a VIP and an external vPostgres DB along with a mirror DB, and that all works just fine.

    While installing IaaS Web component, I’m running into issues. When I give vRAC VIP and IaaS Web VIP the installation fails. When I give a vRAC node w/o VIP and IaaS node FQDN name w/o Web VIP installation works. When I give vRAC VIP and IaaS node FQDN it works too. But when I give both VIPs then it fails. Some underlying issue with the Web Load Balancer. We have F5 as a standard for load balancing and we have followed the reference doc for HA from VMware but still have problems.

    The LB settings you posted look generic; can you please suggest settings w.r.t. F5? (Ex: the Load Balancing Method you specified is Least Response Time, but F5 doesn’t show those settings. It shows Least Connections (Members) or Least Connections (Node) options in the list.)

    Please if possible can you send me the F5 based settings to my gmail at vmsavvy@gmail.com.

    Thanks in advance for your help!!

    Pardha.

  9. Hi Pardha, where are you doing the SSL termination? Are you terminating at the F5 or are you directing it to the nodes? Which kind of certificates are you using? When you downloaded the IaaS installer, did you make sure to reach the vRAC using its VIP name?

  10. Pardha Nallan says

    Hi Eiad, I’m using Domain Certificates. I’ve hit the vRAC VIP name to download the IaaS Installer. We made a few changes to the F5 configuration and the installation went well. I’m past the problem now. Your post helped me a great deal. The one change I think we made is directing the SSL termination to the nodes. That did the trick. Thanks for the post, Eiad.

  11. Eiad & Pardha,

    I am running into a similar issue.

    Setup:
    2 vRealize 6.2 appliances – vcac01 & vcac02
    2 vRealize 6.2 appliances as postgres standalone – vcac03 is primary postgres & vcac04 is secondary
    2 IaaS Windows 2012 R2 servers (combined Web Component and Manager Service – iaas01 & iaas02 )
    SSO is using vcenter SSO
    2 F5 Vips: iaas-dev.com for vrealize appliances & iaas-dev-mgmt.com for the iaas servers.

    I ran the pre-req script from Brian Graf, and everything checks out but when we install IaaS, it fails. I’ve been searching all over the web, but there is really nothing for distributed installs.

    I am downloading the IaaS installer from the VIP address (iaas-dev.com).
    I’ve signed the appliances’ VIP (iaas-dev.com) with a domain cert. I do notice that when I go to the VIP under port 5480, the cert is still VMware’s self-signed one.
    I’ve not yet signed the iaas01 or 02 server with a domain cert.

    Any help would be appreciated.

    error from log:
    C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\DeployRepository.xml(621,5): error MSB3073: The command “”C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\RepoUtil.exe” Assembly-SqlInstall -f “C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\DynamicOps.Core.Common.dll”,”C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\DynamicOps.Core.External.dll”,”C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\DynamicOps.Core.Licensing.dll”,”C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\DynamicOps.ManagementModel.Common.dll”,”C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\DynamicOps.VMWareModel.Common.dll”,”C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\DynamicOps.ReportsModel.Common.dll” -s sql-vcac -d “vCAC” –overwrite -v” exited with code 1.
    :Done Building Project “C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\DeployRepository.xml” (InstallRepoModel target(s)) — FAILED.
    :Build FAILED.

  12. Pardha Nallan says

    Hello Houa,

    I think you will have to get domain certs for the IaaS components as well. The reason why you see the VMware self-signed cert when hitting port 5480 is because it’s a client certificate. There is a different process to replace client certs, which I ignored. Below are a few things you can check up on:

    1. Check for MSDTC service in the IaaS nodes and also the SQL DB node, you have to have it running. I got failures because of this.
    2. Check if you have .NET 4.5.2 installed. I heard the installation fails because of this too. Remove and try it.
    3. Check in the Server Mgr roles where you have enabled Windows Process Activation Services. And sometimes IIS Anonymous and Windows Authentication can be misleading. They will check out in the pre-requisite checker but the installation fails. One of the blogs pointed out to me that NTLM should be on top and Negotiate should be 2nd in Windows Authentication, weird but worked for me 🙂

    Also, are you installing Manager Service on both the iaas nodes? If yes, you will need a 3rd VIP, isn’t it??

    Please let us know and we’ll see if we can help you sail through this. I know the pain as I’ve been through exact same thing.

    Thanks Eiad – Your blog is helping so many folks out there like me.

    Regards,
    Pardha.

  13. Pardha,

    Can you point me to the blog that you looked at for #3? #1 & #2 check out fine for me. I’ve signed IIS with a cert too. What were the changes that you did on the F5 side?

    Thanks Again!

  14. Pardha Nallan says

    F5 is a good point Houa, a few threads I looked at…
    1. https://communities.vmware.com/message/2475323
    2. https://communities.vmware.com/thread/495999

    I did this to conclude the issue was with my F5.
    Install with vRAC LB and IaaS Web LB – Fail.
    Install with vRAC Node 1 name and IaaS Web Node 1 Name – Success.
    Install with vRAC LB and IaaS Web Node 1 Name – Success.. (this shows there is no problem with vRAC LB).
    Install with vRAC Node 1 name and IaaS Web LB – Fail. (this confirms issue with the IaaS LB).
    VMSavvy is my userid in those threads. My email is vmsavvy@gmail.com. If you can send a test email, I’ll attach a couple of files to you which helped me a lot..

  15. Houa,

    The admin URL using port 5480 is a separate cert from the vcac cert you install in the setup.

  16. Thanks guys, I got it working. I created a SAN cert and pretty much signed everything with it. I’m up and running now.

    Thanks!

  17. Pardha Nallan says

    That’s good to know Houa. Dustin’s point is exactly right, needs a separate cert for port 5480.
