Objective
With the release of AWS Transit Gateway and AWS Transit Gateway inter-region peering, the Recovery Kit for EC2 route table scenario is now available for configurations where a client in a VPC (VPC B in the figure below) connects to an HA cluster located in a different region and VPC (VPC A in the figure below).
This document describes the requirements and basic operations for building a configuration where a client connects to a LifeKeeper for Windows HA cluster in another region.
This document does not explain the basic settings, operations or technical details of LifeKeeper or Amazon Web Services (AWS). For the terms, operations and technical information related to LifeKeeper and AWS that this configuration requires, review the related documents and the vendors' user sites.
Requirements
The following requirements should be met when using this configuration. Below is a summary of requirements for the AWS environment and instances created on it.
Requirements for an AWS Environment
Create a base environment on AWS to provide services. The requirements for using this configuration are as follows.
Amazon Virtual Private Cloud (VPC)
- A VPC needs to be configured in AWS.
- The VPC where the client is located must be configured in a different region from the VPC where the cluster nodes are located.
- Create a subnet for the primary instance and a subnet for the standby instance in the VPC where the cluster nodes reside. The subnets must be created in different Availability Zones (AZ).
Amazon Elastic Compute Cloud (EC2)
- At least 2 instances are required.
- A primary instance and a standby instance need to be configured to launch in different AZs.
- Each cluster node instance must have an Elastic Network Interface (ENI) attached.
- Cluster node instances must satisfy LifeKeeper installation requirements.
- The AWS Command Line Interface (AWS CLI) must be installed on all of the cluster instances. Refer to Installing the AWS CLI for more details.
- The cluster nodes need to be able to access the Amazon EC2 web service endpoint URL (EC2 URL) using https and the Amazon EC2 metadata URL (http://169.254.169.254/) using http.
AWS Identity and Access Management (IAM)
For LifeKeeper to operate in AWS, an IAM user or IAM role with the following permissions is required. Either attach an IAM role with these permissions to the cluster node instances, or configure the AWS CLI with credentials for such an IAM user so that the administrative account LifeKeeper runs under on each instance can use them.
- ec2:CreateRoute
- ec2:DescribeNetworkInterfaceAttribute
- ec2:DescribeRouteTables
- ec2:ModifyNetworkInterfaceAttribute
- ec2:ReplaceRoute
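The five actions above are the whole permission set the recovery kit needs, so the role or user should grant exactly those and nothing broader. The following added example (not part of the LifeKeeper documentation or product) builds that least-privilege policy document and audits an existing policy against it; the `Sid` and the use of `Resource: "*"` are assumptions, since the page does not scope the actions to specific route tables or ENIs.

```python
"""Least-privilege IAM policy for the LifeKeeper Recovery Kit for EC2, plus a
small audit that compares an existing policy document with it."""
import fnmatch
import json

# The five EC2 actions the documentation lists; the kit needs nothing else.
REQUIRED_ACTIONS = {
    "ec2:CreateRoute",
    "ec2:DescribeNetworkInterfaceAttribute",
    "ec2:DescribeRouteTables",
    "ec2:ModifyNetworkInterfaceAttribute",
    "ec2:ReplaceRoute",
}


def minimal_policy() -> dict:
    """Policy document that grants exactly the required actions.

    The Sid and Resource "*" are assumptions: the page does not scope the
    actions to particular route tables or network interfaces.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "LifeKeeperRecoveryKitForEC2",
                "Effect": "Allow",
                "Action": sorted(REQUIRED_ACTIONS),
                "Resource": "*",
            }
        ],
    }


def _as_list(value) -> list:
    """IAM accepts either a single string/object or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive and may contain '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy: dict) -> dict:
    """Compare a policy document with the required action set.

    Returns {"missing": required actions that no Allow statement grants,
             "extra":   Allow action patterns that are not exactly one of the
                        required actions, e.g. "ec2:*" or "*"}.
    Only Allow statements are inspected; a Deny statement elsewhere, an SCP or
    a permissions boundary could still block an action at run time.
    """
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            patterns.extend(_as_list(stmt.get("Action")))
    missing = {a for a in REQUIRED_ACTIONS
               if not any(_grants(p, a) for p in patterns)}
    required_lower = {a.lower() for a in REQUIRED_ACTIONS}
    extra = sorted(p for p in set(patterns) if p.lower() not in required_lower)
    return {"missing": missing, "extra": extra}


if __name__ == "__main__":
    # Print the policy in the form accepted by the IAM console or CLI.
    print(json.dumps(minimal_policy(), indent=2))
    # Constructed example of the over-broad grant often seen in practice.
    broad = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "ec2:*",
                            "Resource": "*"}]}
    print(audit_policy(broad))
```

Run the script to print the policy JSON for the role or user, or call `audit_policy()` on a policy document fetched with `aws iam get-policy-version` to see which required actions are missing and which grants go beyond the documented need.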
AWS Transit Gateway
- Do not connect the VPC containing the cluster nodes and the VPC containing the clients directly with Inter-Region VPC Peering. Instead, create an AWS Transit Gateway in each region and connect the two Transit Gateways with AWS Transit Gateway inter-region peering.
- Enable default route table association and default route table propagation when creating each AWS Transit Gateway.
- Create a Transit Gateway VPC attachment for the VPC in each region.
- Create a Transit Gateway peering attachment between the two Transit Gateways and accept it in the peer region; the inter-region peering is usable once the attachment is available.
LifeKeeper Software Requirements
The same version of LifeKeeper software and patches must be installed on each server. The Application Recovery Kits (ARKs) required for this configuration are shown below. For the specific LifeKeeper requirements, please refer to: LifeKeeper for Windows Technical Documentation and LifeKeeper for Windows Release Notes.
- LifeKeeper IP Recovery Kit
- LifeKeeper Recovery Kit for EC2
Setup Procedure
This section describes the general procedure to set up the environment shown in the figure below.
Preparations
Create an environment that satisfies the Requirements. Install LifeKeeper on each instance and create a communication path between node1 and node2.
Creating an IP Resource
Create a Virtual IP resource. The IP resource address must be outside the CIDR block managed by the VPC; because the client VPC also needs a route to it, it must not overlap the client VPC's CIDR block either.
Creating an EC2 Resource
Create an EC2 resource. When prompted for the IP resource during creation, specify the resource created in "Creating an IP Resource". Specify "Route Table (Backend Cluster)" as the EC2 resource type.
Creating Resources for Protected Services
Create a resource for the service or application you want to protect. If an IP resource is required during creation, specify the resource created in "Creating an IP Resource". Configure the resource dependencies so that the resources of the protected service are the parent resources and the EC2 resource is the child resource.
Configuring the Route Tables
Configure the route tables as shown below. Each entry lists the destination and the target to add. Routes to the VPC attachments are propagated into the Transit Gateway route tables automatically when default propagation is enabled, but routes across the peering attachment and routes to the virtual IP address are not propagated and must be added as static routes.
- In the route table of the VPC or subnet where the cluster nodes are located, add a route to the network of the VPC where the clients are located.
Destination | Target |
Network address of the VPC where the clients are located | Transit Gateway (for cluster nodes) |
- In the route table of the Transit Gateway (for cluster nodes), add a route to the network of the VPC where the clients are located and a route to the virtual IP address.
Destination | Target |
Network address of the VPC where the clients are located | Transit Gateway (for a client) (peering attachment) |
Virtual IP address | VPC where the cluster nodes are located (VPC attachment) |
- In the route table of the Transit Gateway (for a client), add a route to the network of the VPC where the cluster nodes are located and a route to the virtual IP address.
Destination | Target |
Network address of the VPC where the cluster nodes are located | Transit Gateway (for cluster nodes) (peering attachment) |
Virtual IP address | Transit Gateway (for cluster nodes) (peering attachment) |
- In the route table of the VPC or subnet where the clients are located, add a route to the network of the VPC where the cluster nodes are located and a route to the virtual IP address.
Destination | Target |
Network address of the VPC where the cluster nodes are located | Transit Gateway (for a client) |
Virtual IP address | Transit Gateway (for a client) |
Once configured, verify that the client can reach both the private address of each cluster node and the virtual IP address.
Known Issues and Troubleshooting
The LifeKeeper for Windows Recovery Kit for EC2 has the following known issue.
- If a route table of another VPC in the same account and region as the VPC where the cluster nodes are located contains an entry whose destination is the virtual IP address, the EC2 resource fails to start, because the recovery kit monitors and modifies that entry as well.
To avoid this, do not use the address chosen as the virtual IP for any other purpose in the same account and region, even in a different VPC.
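Both the route entries required in the cluster-side VPC route table and the known issue above can be checked before the EC2 resource is created. The following added example (not part of the LifeKeeper documentation or product) runs those checks over dicts shaped like the `RouteTables` list that `aws ec2 describe-route-tables --output json` returns; the sample route tables, VPC and Transit Gateway IDs, CIDR blocks and virtual IP are constructed for the example, and treating the virtual IP route as an exact /32 destination is an assumption. Transit Gateway route tables are a different API and are not covered.

```python
"""Pre-flight checks for the route-table scenario.

Operates on dicts shaped like the `RouteTables` list returned by
`aws ec2 describe-route-tables` (the sample below is constructed). Checks:
  1. the entry required in the cluster-side VPC route table is present,
     points at the right Transit Gateway and is active;
  2. the virtual IP lies outside the VPC CIDR blocks (IP resource rule);
  3. no other VPC in the same account/region has a route to the virtual IP
     (the known issue that stops the EC2 resource from starting).
"""
import ipaddress

# Assumed identifiers and addresses for the example.
CLUSTER_VPC_ID = "vpc-0a1b2c3d4e5f60001"      # VPC A, cluster nodes
CLUSTER_VPC_CIDR = "10.10.0.0/16"
CLIENT_VPC_CIDR = "10.20.0.0/16"              # VPC B, in the other region
TGW_CLUSTER_SIDE = "tgw-0a1b2c3d4e5f60002"    # Transit Gateway (for cluster nodes)
VIRTUAL_IP = "192.168.100.10"                 # outside both VPC CIDR blocks

# Constructed sample: two VPC route tables in the cluster region.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0000000000000a001", "VpcId": CLUSTER_VPC_ID, "Routes": [
        {"DestinationCidrBlock": CLUSTER_VPC_CIDR, "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": CLIENT_VPC_CIDR, "TransitGatewayId": TGW_CLUSTER_SIDE, "State": "active"},
        # entry the recovery kit maintains: virtual IP -> ENI of the active node
        {"DestinationCidrBlock": VIRTUAL_IP + "/32", "NetworkInterfaceId": "eni-0000000000000a101", "State": "active"},
    ]},
    {"RouteTableId": "rtb-0000000000000b001", "VpcId": "vpc-0a1b2c3d4e5f60009", "Routes": [
        {"DestinationCidrBlock": "10.30.0.0/16", "GatewayId": "local", "State": "active"},
        # unrelated VPC reusing the same address as a destination: the known issue
        {"DestinationCidrBlock": VIRTUAL_IP + "/32", "NetworkInterfaceId": "eni-0000000000000b101", "State": "active"},
    ]},
]

TARGET_KEYS = ("TransitGatewayId", "NetworkInterfaceId", "GatewayId",
               "VpcPeeringConnectionId", "NatGatewayId", "InstanceId")


def route_target(route: dict):
    """describe-route-tables stores the target under one of several keys."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return None


def missing_routes(route_table: dict, expected: dict) -> dict:
    """expected maps destination CIDR -> required target id.

    Returns the destinations that are absent, point at a different target or
    are not in the 'active' state, together with what was actually found
    (None when the destination is absent).
    """
    found = {r.get("DestinationCidrBlock"): (route_target(r), r.get("State"))
             for r in route_table.get("Routes", [])}
    return {dest: found.get(dest) for dest, target in expected.items()
            if found.get(dest) != (target, "active")}


def vip_inside_vpc(vip: str, vpc_cidrs) -> list:
    """IP resource rule: the virtual IP must not fall inside any VPC CIDR block.
    Returns the offending CIDR blocks (empty when the address is acceptable)."""
    addr = ipaddress.ip_address(vip)
    return [c for c in vpc_cidrs if addr in ipaddress.ip_network(c)]


def conflicting_vip_routes(route_tables, cluster_vpc_id: str, vip: str) -> list:
    """Known issue: a route whose destination is the virtual IP in any other VPC
    of the same account and region is also monitored and modified by the
    recovery kit, so the EC2 resource fails to start. The destination is
    compared as an exact /32 (assumption). Returns (route_table_id, vpc_id)."""
    vip_net = ipaddress.ip_network(vip + "/32")
    hits = []
    for rt in route_tables:
        if rt.get("VpcId") == cluster_vpc_id:
            continue
        for r in rt.get("Routes", []):
            cidr = r.get("DestinationCidrBlock")
            if cidr and ipaddress.ip_network(cidr, strict=False) == vip_net:
                hits.append((rt["RouteTableId"], rt["VpcId"]))
    return hits


def run_checks(route_tables) -> dict:
    """Run all three checks against one region's VPC route tables."""
    cluster_rt = next(rt for rt in route_tables if rt["VpcId"] == CLUSTER_VPC_ID)
    return {
        "missing_cluster_routes": missing_routes(cluster_rt, {CLIENT_VPC_CIDR: TGW_CLUSTER_SIDE}),
        "vip_inside_vpc": vip_inside_vpc(VIRTUAL_IP, [CLUSTER_VPC_CIDR, CLIENT_VPC_CIDR]),
        "vip_conflicts": conflicting_vip_routes(route_tables, CLUSTER_VPC_ID, VIRTUAL_IP),
    }


if __name__ == "__main__":
    print(run_checks(SAMPLE_ROUTE_TABLES))
```

With real data, load the JSON from `aws ec2 describe-route-tables` in the cluster region, replace the constants with your own IDs and addresses, and pass the `RouteTables` list to `run_checks()`; a non-empty `vip_conflicts` list names the route tables that must be changed, or the virtual IP re-chosen, before the EC2 resource is created.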