Objective
With the release of AWS Transit Gateway, the route table scenario of the Recovery Kit for EC2 can now be used in a configuration where an on-premises environment (on-premises in the figure below), connected through AWS Direct Connect, reaches the HA cluster nodes located in a VPC (VPC A) via AWS Transit Gateway.
This document describes the requirements and basic operations for building connections from an on-premises environment using AWS Direct Connect with LifeKeeper for Windows.
This document does not cover the basic settings, operations, and technical details of LifeKeeper and Amazon Web Services (AWS). For the terms, operations, and technical information related to LifeKeeper and AWS that are prerequisites for this configuration, review the related documents and user websites.
Requirements
The following is a summary of requirements that should be met for an AWS environment and instances created on it.
Requirements for AWS Environment
Create a base environment on AWS to provide services. The requirements for using this configuration are as follows.
Amazon Virtual Private Cloud (VPC)
- VPC needs to be configured in AWS.
- The subnet where the primary instance is located and the subnet where the standby instance is located must be created in different Availability Zones (AZ).
Amazon Elastic Compute Cloud (EC2)
- At least 2 instances are required.
- The primary instance and the standby instance must be launched in different AZs.
- Each instance is connected to an Elastic Network Interface (ENI).
- Instances must satisfy LifeKeeper's installation requirements.
- The AWS Command Line Interface (AWS CLI) must be installed on each EC2 instance. For details, refer to AWS Command Line Interface installation.
- Each instance must be able to reach the Amazon EC2 web service endpoint URL (EC2 URL) over https and the Amazon EC2 instance metadata URL (http://169.254.169.254/) over http.
AWS Identity and Access Management (IAM)
For LifeKeeper for Windows to operate in AWS, an IAM user or IAM role with the following access privileges is required. Configure an EC2 IAM role, or configure the AWS CLI appropriately, so that these privileges are available from the root user of the EC2 instance.
- ec2:CreateRoute
- ec2:DescribeNetworkInterfaceAttribute
- ec2:DescribeRouteTables
- ec2:ModifyNetworkInterfaceAttribute
- ec2:ReplaceRoute
AWS Transit Gateway
- The VPC with the cluster nodes and the on-premises environment where the clients are located must be connected via AWS Transit Gateway; not via Virtual Private Gateway.
- Enable Default route table association and Default route table propagation when creating the AWS Transit Gateway.
- Connect the VPC by creating a Transit Gateway Attachment.
- Connect to AWS Direct Connect by selecting the created AWS Transit Gateway in the Gateway association settings of the Direct Connect Gateway. At this time, add both the network address of the VPC where the cluster nodes are located and the virtual IP address to Allowed prefixes.
LifeKeeper Software Requirements
You must install the same version of the LifeKeeper software and patches on each server. The Application Recovery Kits (ARKs) required for this configuration are listed below. For the specific LifeKeeper requirements, refer to the LifeKeeper for Windows Technical Documentation and the LifeKeeper for Windows Release Notes.
- LifeKeeper IP Recovery Kit
- LifeKeeper Recovery Kit for EC2
Setup Procedure
This section describes the general procedure for setting up the environment shown below.
Preparations
Create an environment that meets the Requirements. Install LifeKeeper on each instance and create a communication path between Node1 and Node2.
Creating an IP Resource
Create a virtual IP resource. The IP resource address must be outside the CIDR block managed by the VPC.
Creating an EC2 Resource
- Create an EC2 resource. For the IP resource requested during resource creation, specify the resource created in "Creating an IP Resource" above. Specify Route Table (Backend Cluster) as the EC2 resource type required when creating the resource.
Creating Resources for Protected Services
- Create resources for the services you want to protect. If an IP resource is required during resource creation, specify the resource created in "Creating an IP Resource" above. Configure the resource dependencies so that the resources of the protected service are the parent resources and the EC2 resource is the child resource.
Creating a Route Table
Configure a route table as shown below.
- Add a route to the on-premises network to the route table of the VPC or subnet where the cluster nodes are located.

Destination | Target
--- | ---
On-premises network address | Created Transit Gateway

- Add a route to the virtual IP address to the route table of the Transit Gateway.

Destination | Target
--- | ---
Virtual IP address | VPC where the cluster nodes are located

- Configure the routing of clients and routers in the on-premises environment so that packets destined for the network address and the virtual IP address of the VPC where the cluster nodes are located are sent over Direct Connect.
Once configured, make sure that the client can access the private address and virtual IP address of the cluster server.
Known Issues and Troubleshooting
The LifeKeeper for Windows Recovery Kit for EC2 has the following known issues.
- If a route table of another VPC in the same account and region as the VPC where the cluster nodes are located has an entry whose destination is the virtual IP, the resource will fail to start, because that entry is also subject to monitoring and modification by the kit.
To avoid this problem, the address used as the virtual IP must not be used as a virtual IP for any other purpose in the same account and region, even in a different VPC.
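The following pre-flight check, added here as an example and not part of the LifeKeeper product, covers both the route table verification in "Creating a Route Table" and the conflict condition described in this known issue. It parses the JSON that `aws ec2 describe-route-tables --output json` returns (all identifiers, CIDRs and the two-VPC layout in the embedded sample are constructed) and reports any VIP route outside the cluster VPC before the EC2 resource is created.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables --output json`.
# Assumed layout: vpc-0aaa is the cluster VPC; vpc-0bbb is another VPC in the same
# account/region that also routes the virtual IP (the known-issue condition).
SAMPLE = json.loads("""
{"RouteTables": [
 {"RouteTableId": "rtb-0aaa", "VpcId": "vpc-0aaa", "Routes": [
   {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
   {"DestinationCidrBlock": "192.168.0.0/16", "TransitGatewayId": "tgw-0aaa", "State": "active"},
   {"DestinationCidrBlock": "172.16.0.10/32", "NetworkInterfaceId": "eni-0node1", "State": "active"}]},
 {"RouteTableId": "rtb-0bbb", "VpcId": "vpc-0bbb", "Routes": [
   {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
   {"DestinationCidrBlock": "172.16.0.10/32", "NetworkInterfaceId": "eni-0other", "State": "active"}]}
]}
""")


def route_target(route):
    """Return the target of a route entry, whichever target field the entry carries."""
    for key in ("NetworkInterfaceId", "TransitGatewayId", "GatewayId", "InstanceId",
                "NatGatewayId", "VpcPeeringConnectionId"):
        if key in route:
            return route[key]
    return None


def routes_to(tables, cidr):
    """All (route table id, vpc id, target) tuples whose destination is exactly `cidr`."""
    return [(rt["RouteTableId"], rt["VpcId"], route_target(r))
            for rt in tables["RouteTables"] for r in rt["Routes"]
            if r.get("DestinationCidrBlock") == cidr]


def vip_conflicts(tables, vip_cidr, cluster_vpc):
    """VIP routes that live in a VPC other than the cluster VPC.
    Any hit is the known-issue condition: the kit would monitor and modify it too."""
    return [hit for hit in routes_to(tables, vip_cidr) if hit[1] != cluster_vpc]


def onprem_route_ok(tables, cluster_vpc, onprem_cidr, tgw_id):
    """True if every route table of the cluster VPC sends on-premises traffic to the
    Transit Gateway (a conservative reading of the route table step above)."""
    in_vpc = [rt for rt in tables["RouteTables"] if rt["VpcId"] == cluster_vpc]
    return bool(in_vpc) and all(
        any(r.get("DestinationCidrBlock") == onprem_cidr and route_target(r) == tgw_id
            for r in rt["Routes"]) for rt in in_vpc)


if __name__ == "__main__":
    print("VIP conflicts:", vip_conflicts(SAMPLE, "172.16.0.10/32", "vpc-0aaa"))
    print("on-prem route ok:", onprem_route_ok(SAMPLE, "vpc-0aaa", "192.168.0.0/16", "tgw-0aaa"))
```

In a real account, replace `SAMPLE` with `json.load()` of the CLI output; a non-empty `vip_conflicts` result is exactly the entry that must be removed or re-addressed before the resource is created.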