| subcollection | copyright | lastupdated | lasttested | content-type | services | account-plan | completion-time | use-case |
|---|---|---|---|---|---|---|---|---|
| solution-tutorials | | 2023-09-11 | 2022-09-11 | tutorial | vpc, cis, secrets-manager | paid | 2h | ApplicationIntegration, Cybersecurity, VirtualPrivateCloud |
{{site.data.keyword.attribute-definition-list}}
{: #vpc-multi-region} {: toc-content-type="tutorial"} {: toc-services="vpc, cis, secrets-manager"} {: toc-completion-time="2h"}
This tutorial may incur costs. Use the Cost Estimator to generate a cost estimate based on your projected usage.
{: tip}
This tutorial walks you through steps for setting up highly available and isolated workloads by provisioning {{site.data.keyword.vpc_full}}s (VPCs). You will create virtual server instances (VSIs) in multiple zones within one region to ensure the high availability of the application. You will create additional VSIs in a second region and configure a global load balancer (GLB) to offer high availability between regions and reduce network latency for users in different geographies. {: shortdesc}
You will provision an {{site.data.keyword.cis_full_notm}} ({{site.data.keyword.cis_short_notm}}) service as the GLB from the catalog, and an {{site.data.keyword.secrets-manager_full_notm}} service from the catalog to manage the Transport Layer Security (TLS) certificate for all incoming HTTPS requests.
{: #vpc-multi-region-objectives}
- Understand the isolation of workloads through infrastructure objects available for virtual private clouds.
- Use a load balancer between zones within a region to distribute traffic among virtual servers.
- Use a global load balancer between regions to implement high availability, increase resiliency and reduce latency.
Figure 1. Architecture diagram of the tutorial
{: caption="Figure 1. Architecture diagram of the tutorial" caption-side="bottom"}
{: style="text-align: center;"}
- The admin (DevOps) provisions VSIs in subnets under two different zones in a VPC in region 1 and repeats the same in a VPC created in region 2.
- The admin creates a load balancer with a backend pool of servers in different zones of region 1 and a frontend listener, and repeats the same in region 2.
- The admin provisions a {{site.data.keyword.cis_full_notm}} instance with an associated custom domain and creates a global load balancer pointing to the load balancers created in two different VPCs.
- The admin enables HTTPS encryption by adding the domain SSL certificate to the {{site.data.keyword.secrets-manager_short}} service.
- The user makes an HTTP/HTTPS request and the global load balancer handles the request.
- The request is routed to the load balancers both on the global and local level. The request is then fulfilled by the available server instance.
{: #vpc-multi-region-prereqs}
- Check for user permissions. Be sure that your user account has sufficient permissions to create and manage VPC resources. See the list of required permissions for VPC.
- You need an SSH key to connect to the virtual servers. If you don't have an SSH key, see the instructions for creating a key for VPC.
{: #vpc-multi-region-create-infrastructure} {: step}
In this section, you will create your own VPC in region 1 with subnets in two different zones of region 1, followed by the provisioning of VSIs.
{: #vpc-multi-region-21}
- Navigate to the Virtual private clouds page and click on Create.
- Under the Location section, select a Geography and Region, for example `Europe` and `London`.
- Enter `vpc-region1` for the name of your VPC, select a Resource group and optionally, add Tags to organize your resources.
- Uncheck Allow SSH and Allow ping from the Default security group. SSH access will later be added to a maintenance security group. The maintenance security group is added to an instance to allow SSH access from a bastion server. Ping access is not required for this tutorial.
- Leave Enable access to classic resources unchecked and Create a default prefix for each zone checked.
- Under Subnets change the name of the Zone 1 subnet. Click the pencil icon:
   - Enter `vpc-region1-zone1-subnet` as your subnet's unique name.
   - Select the same Resource group as the VPC resource group.
   - Leave the defaults in the other values.
   - Click Save.
- Under Subnets change the name of the Zone 2 subnet. Click the pencil icon:
   - Enter `vpc-region1-zone2-subnet` as your subnet's unique name.
   - Select the same Resource group as the VPC resource group.
   - Leave the defaults in the other values.
   - Click Save.
- Under Subnets delete the subnet in Zone 3. Click the minus icon.
- Click Create virtual private cloud to provision the instance.
{: #vpc-multi-region-4}
Enable inbound rules for HTTP (80) and HTTPS (443) ports to the application by defining rules in a security group. In later steps, you will add VSIs to the security group.
- Navigate to the Security groups page and click on Create.
- Enter `vpc-region1-sg` for the name, select the same Resource group as the VPC resource group.
- Select the previously created vpc-region1 virtual private cloud.
- Add the same Inbound rules as found in the table below and then click Create security group.

   | Protocol | Source type | Source | Value |
   |---|---|---|---|
   | TCP | Any | 0.0.0.0/0 | Ports 80-80 |
   | TCP | Any | 0.0.0.0/0 | Ports 443-443 |
   {: caption="Inbound rules" caption-side="bottom"}
{: #vpc-multi-region-5}
- Navigate to the Subnets page.
- Verify the status for all subnets is Available.
- Click on vpc-region1-zone1-subnet followed by Attached resources, then under Attached instances click on Create.
- Enter `vpc-region1-zone1-vsi` as your virtual server's unique name.
- Verify or set the Virtual private cloud, Resource group, Location and Zone fields.
- Under the Image and profile section, click on Change image.
- In the Search items field, type `Ubuntu`, pick any version of the image and click on Select.
- Under the Profile section, click on Change profile.
- Pick Compute with `2 vCPUs` and `4 GB RAM` as your profile and click on Save.
- Set SSH keys to the SSH key you created earlier.
- Under Network interfaces, click on the pencil icon on the row for the eth0 interface.
   - Uncheck the default security group and check `vpc-region1-sg`.
   - Click Save.
- Click Create virtual server.
- Repeat the above steps to provision a vpc-region1-zone2-vsi virtual server in the vpc-region1-zone2-subnet subnet.
{: #vpc-multi-region-20} {: step}
Repeat the above steps from Step 1 to provision a new VPC with subnets and virtual server instances in another region, for example, Frankfurt. Follow the same naming conventions as above while substituting `region2` for `region1`.
{: #vpc-multi-region-install-configure-web-server-vsis} {: step}
Follow the steps mentioned in securely access remote instances with a bastion host for secured maintenance of the servers. Use a bastion host, which acts as a jump server, and a maintenance security group for the VSIs previously provisioned. One bastion host in each VPC is required.
{: tip}
Once you have successfully SSHed into the server provisioned in the subnet of zone 1 of region 1:
- At the prompt, run the following commands to install Nginx as your web server:
   ```sh
   sudo apt-get update
   sudo apt-get install nginx
   ```
   {: codeblock}
- Check the status of the Nginx service with the following command:
   ```sh
   sudo systemctl status nginx
   ```
   {: codeblock}

   The output should show you that the Nginx service is active and running.
- Optionally verify that Nginx works as expected by running `curl localhost`. You should see the default Nginx welcome page.
- To update the HTML page with the region and zone details, run the below command:
   ```sh
   nano /var/www/html/index.nginx-debian.html
   ```
   {: codeblock}

   Append the region and zone to the `h1` tag quoting `Welcome to nginx!` to now read `Welcome to nginx! server running in **zone 1 of region 1**` and save the changes.
- Verify the changes by running a `curl localhost` command.
- Repeat the above steps to install and configure the web server on the VSIs in the subnets of all the zones, and don't forget to update the HTML to include the respective region and zone information.
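The manual nano edit above, done as a script instead, so the same command can be run on every VSI with its own region and zone. This is an added example, not from the tutorial; it assumes the stock Ubuntu Nginx welcome page at /var/www/html/index.nginx-debian.html and that Nginx is serving on localhost:

```shell
#!/bin/sh
# Added example, not part of the tutorial. Usage: sh tag_index.sh REGION ZONE [FILE]
# Assumes the stock Ubuntu Nginx welcome page; FILE defaults to the path the
# tutorial edits with nano.

INDEX_DEFAULT=/var/www/html/index.nginx-debian.html

# tag_nginx_index FILE REGION ZONE
# Rewrites "<h1>Welcome to nginx!</h1>" so the page reads, for example,
# "Welcome to nginx! server running in zone 1 of region 1". A page that already
# carries a label is left alone, so rerunning the script is harmless.
tag_nginx_index() {
  file=$1; region=$2; zone=$3
  if grep -q 'server running in zone' "$file"; then
    return 0
  fi
  sed "s|<h1>Welcome to nginx!</h1>|<h1>Welcome to nginx! server running in zone ${zone} of region ${region}</h1>|" \
    "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# index_label FILE
# Prints the "zone N of region M" label from the page, or nothing if untagged.
index_label() {
  grep -o 'zone [^ ]* of region [^<]*' "$1" | head -n 1
}

# check_served FILE
# Compares the label on disk with what Nginx actually serves on localhost,
# the same check as the tutorial's "curl localhost" step.
check_served() {
  expected=$(index_label "$1")
  served=$(curl -s http://localhost/ | grep -o 'zone [^ ]* of region [^<]*' | head -n 1)
  if [ -n "$expected" ] && [ "$served" = "$expected" ]; then
    return 0
  fi
  return 1
}

# Only act when region and zone are given, so the functions can also be
# sourced and exercised on a copy of the page.
if [ $# -ge 2 ]; then
  target=${3:-$INDEX_DEFAULT}
  tag_nginx_index "$target" "$1" "$2"
  index_label "$target"
fi
```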
{: #vpc-multi-region-distribute-traffic-with-load-balancers} {: step}
In this section, you will create two load balancers, one in each region, to distribute traffic among the server instances in the subnets of the different zones.
{: #vpc-multi-region-lb-security-group}
To allow traffic to the application, you need to enable inbound and outbound rules for HTTP (80) and HTTPS (443) ports. In later steps, when creating load balancers, you will add them to the security group defining those rules.
- Navigate to the Security groups page and click on Create.
- Select the previously created vpc-region1 virtual private cloud.
- Enter `vpc-lb-sg` for the name, select the same Resource group as the VPC resource group.
- Add the same Inbound rules as found in the table below.

   | Protocol | Source type | Source | Value |
   |---|---|---|---|
   | TCP | Any | 0.0.0.0/0 | Ports 80-80 |
   | TCP | Any | 0.0.0.0/0 | Ports 443-443 |
   {: caption="Inbound rules" caption-side="bottom"}
- Add the same Outbound rules as found in the table below and then click Create security group.

   | Protocol | Source type | Source | Value |
   |---|---|---|---|
   | TCP | Any | 0.0.0.0/0 | Ports 80-80 |
   | TCP | Any | 0.0.0.0/0 | Ports 443-443 |
   {: caption="Outbound rules" caption-side="bottom"}
- Repeat the steps above in region 2.
{: #vpc-multi-region-8}
- Navigate to the Load balancers page and click Create.
- Select Application Load Balancer (ALB) as the Load balancer type.
- Under the Location section, select the same Geography and Region you used for the previously created vpc-region1 virtual private cloud.
- Enter `vpc-lb-region1` for the name, select the same Resource group as the VPC resource group.
- Select the previously created vpc-region1 virtual private cloud.
- Select the Subnets of vpc-region1-zone1-subnet and vpc-region1-zone2-subnet.
- Click Create pool to create a new back-end pool of VSIs that act as equal peers to share the traffic routed to the pool. Set the parameters with the values below and click Create when done.
   - Name: `region1-pool`
   - Protocol: `HTTP`
   - Session stickiness: `None`
   - Proxy protocol: `Disabled`
   - Method: `Round robin`
   - Health check path: `/`
   - Health protocol: `HTTP`
   - Health port: Leave blank
   - Interval(sec): `15`
   - Timeout(sec): `5`
   - Max retries: `2`
- Click Attach server to add server instances to the pool.
   - From the Subnets dropdown, select vpc-region1-zone1-subnet and vpc-region1-zone2-subnet.
   - Select the instances you created and set `80` as the port.
   - Click Attach to complete the creation of a back-end pool.
- Click Create listener to create a new front-end listener; a listener is a process that checks for connection requests.
   - Back-end pool: `region1-pool`
   - Protocol: `HTTP`
   - Proxy protocol: not checked
   - Port: `80`
   - Maximum connections: Leave it empty and click Create.
- Under Security Groups check `vpc-lb-sg` and uncheck the default security group.
- Click Create load balancer to provision the load balancer.
- Repeat the steps above in region 2, this time naming the load balancer `vpc-lb-region2` and the back-end pool `region2-pool`.
{: #vpc-multi-region-9}
- Wait until the status of the load balancer changes to Active.
- Open the Hostname in a web browser.
- Refresh the page several times and notice the load balancer returning results from different zones or virtual server instances with each refresh.
- Save the address for future reference.
You may have noticed that the requests are not encrypted and that the load balancer supports only HTTP. You will configure an SSL certificate and enable HTTPS in a later section.
{: #vpc-multi-region-global-load-balancer} {: step}
Your application is now running in two regions, but it's missing one component for the users to access it transparently from a single entry point.
In this section, you will configure {{site.data.keyword.cis_full_notm}} ({{site.data.keyword.cis_short_notm}}) to distribute the load between the two regions. {{site.data.keyword.cis_short_notm}} provides Global Load Balancer (GLB), Caching, Web Application Firewall (WAF) and Page rule to secure your applications while ensuring the reliability and performance for your cloud applications.
To configure a global load balancer, you will need:
- to point a custom domain to {{site.data.keyword.cis_short_notm}} name servers,
- to retrieve the IP addresses or hostnames of the VPC load balancers,
- to configure health checks to validate the availability of your application,
- and to define origin pools pointing to the VPC load balancers.
{: #vpc-multi-region-10}
The first step is to create an instance of {{site.data.keyword.cis_short_notm}} and to point your custom domain to {{site.data.keyword.cis_short_notm}} name servers.
- If you don't own a domain, you can buy one from a registrar.
- Navigate to {{site.data.keyword.cis_full_notm}} in the {{site.data.keyword.Bluemix_notm}} catalog.
- Pick a plan, set the service name and resource group, and click Create to create an instance of the service.
- When the service instance is provisioned, click on Add domain.
- Enter your domain name and click Next.
- Setting up your DNS records is an optional step and can be skipped for this tutorial. Click on Next.
- When the name servers are assigned, configure your registrar or domain name provider to use the name servers listed.
- At this point you can click on Cancel to get back to the main page. After you've configured your registrar or the DNS provider, it may take up to 24 hours for the changes to take effect.

When the domain's status on the Overview page changes from Pending to Active, you can use the `dig <your_domain_name> ns` command to verify that the new name servers have taken effect.
{: tip}
{: #vpc-multi-region-11}
A health check helps gain insight into the availability of pools so that traffic can be routed to the healthy ones. These checks periodically send HTTP/HTTPS requests and monitor the responses.
- In the {{site.data.keyword.cis_full_notm}} dashboard, navigate to Reliability > Global Load Balancers.
- Select Health checks and click Create.
- Set Name to `nginx`.
- Select HTTP for Monitor Type.
- Set Port to `80`.
- Set Path to `/`.
- Click Create.

When building your own applications, you could define a dedicated health endpoint such as /health where you would report the application state.
{: tip}
{: #vpc-multi-region-12}
A pool is a group of origin VSIs or load balancers that traffic is intelligently routed to when attached to a global load balancer. With VPC load balancers in two regions, you can define location-based pools and configure {{site.data.keyword.cis_short_notm}} to redirect users to the closest VPC load balancer based on the geographical location of the user requests.
{: #vpc-multi-region-13}
- Select Origin pools and click Create.
- Enter a name for the pool: `region-1-pool`.
- Set Origin Name to `region-1`.
- Set Origin Address to the hostname of the region1 VPC load balancer; see the overview page of the VPC load balancer.
- Select Existing health check and select the health check created earlier.
- Select a Health check region close to the location of region 1.
- Click Save.
- Repeat the above steps for region 2.
{: #vpc-multi-region-19}
With the origin pools defined, you can complete the configuration of the load balancer.
- Select Load balancers and click Create.
- Keep the defaults of Enable: `On` and Proxy: `Off`.
- Enter the name for the global load balancer, `lb`; this name will be the initial characters in the subdomain to access the application (http://lb.<your_domain_name>).
- Click Add route.
   - Select the Region: `Default`.
   - Select the origin pools that you just created, that is region-1-pool and region-2-pool.
   - Click Add.
- Expand the section of Geo routes; you can distribute traffic based on the origin region.

   You can add more routes if desired based on geographies and direct traffic to the closest pool. Click Add route, select a global load balancer region, for example Western Europe, select the desired pool, for example region-2-pool, and click Add. If a request does not match any of the defined routes, it will be redirected to the Default origin pools; users in a global load balancer region you have defined will be directed to the closest load balancers/VSIs.
   {: note}
- Click Create.
{: #vpc-multi-region-6} {: step}
HTTPS encryption requires signed certificates to be accessible from both the {{site.data.keyword.cis_short_notm}} global load balancer and the VPC load balancers. The {{site.data.keyword.secrets-manager_full_notm}} will be used to order or import and then manage the certificate for your domain. Identity and Access Management (IAM) service authorization is then configured to allow read access to the certificate from the desired service.
{: #vpc-multi-region-14}
- If you have an existing {{site.data.keyword.secrets-manager_short}} instance, you can use it for this tutorial or create a new one if needed by following the steps outlined in Creating a Secrets Manager service instance.
- Create an authorization that gives the VPC load balancer service access to the {{site.data.keyword.secrets-manager_short}} instance that contains the SSL certificate.
   - Navigate to Identity and Access Authorizations.
   - Click Create and select VPC Infrastructure Services as the source service.
   - Select Resources based on selected attributes and then Load Balancer for VPC as the Resource type.
   - Select {{site.data.keyword.secrets-manager_short}} as the Target service.
   - Assign the Writer service access role.
   - The target service instance may be All resources, or it may be your specific {{site.data.keyword.secrets-manager_short}} instance if desired. Leave All resources selected for now.
   - Click on Authorize.
- Continuing in the Manage authorizations page, create an authorization that gives the {{site.data.keyword.secrets-manager_short}} access to {{site.data.keyword.cis_short_notm}}:
   - Click Create and choose {{site.data.keyword.secrets-manager_short}} as the source service.
   - Choose All resources or just the {{site.data.keyword.secrets-manager_short}} instance created earlier.
   - Select Internet Services as the target service.
   - Choose All resources or just the {{site.data.keyword.cis_short_notm}} instance created earlier.
   - Assign the Manager service access role.
   - Click on Authorize.

If your {{site.data.keyword.cis_short_notm}} instance supports multiple domains, you can also assign the Reader role to the {{site.data.keyword.cis_short_notm}} instance and Manager to the specific domain that you are using for your solution. See the granting service access to specific domains topic.
{: tip}
IBM {{site.data.keyword.cis_short_notm}} supports proxying for global load balancers. When a load balancer is proxied, its traffic runs directly through {{site.data.keyword.cis_short_notm}}. Load balancers support both DNS-only and HTTP proxy modes; consider which of the two alternatives below best matches your use case before proceeding, as the traffic routing behavior differs as follows:
- Alternative 1: Traffic that is proxied flows through CIS.
- Alternative 2: Traffic that is non-proxied (DNS-only mode) flows directly from the client to the origin. In DNS-only mode, none of the CIS security, performance, and reliability features are applied.
Traffic flow
{: caption="Traffic flow" caption-side="bottom"}
{: style="text-align: center;"}
For more information read through the Proxying DNS records and global load balancers topic.
{: #vpc-multi-region-15}
This first alternative creates a wildcard certificate for the custom domain (replace `example.com` with your custom domain name in the steps below) and then proxies it in the {{site.data.keyword.cis_full_notm}} ({{site.data.keyword.cis_short_notm}}), allowing you to take advantage of industry leading security, protection and performance capabilities.

Currently, certificates are ordered through Let's Encrypt; follow the Supported certificate authorities topic for updates. Using Let's Encrypt requires an ACME account. Follow the steps outlined in the Connecting third-party certificate authorities topic to create or register your account. In addition, you are required to add a DNS provider following the steps in the Connecting DNS providers topic. For this tutorial, you must add {{site.data.keyword.cis_short_notm}} as your DNS provider.
{: tip}

Initially HTTPS is configured from the user to {{site.data.keyword.secrets-manager_short}} only.
- Order a certificate in {{site.data.keyword.secrets-manager_short}}:
   - Open the {{site.data.keyword.secrets-manager_short}} service and select Secrets on the left.
   - Click Add.
   - If you are using a new {{site.data.keyword.secrets-manager_short}} instance, you will need to configure it prior to ordering your certificate. Follow the steps outlined under Preparing to order public certificates.
   - Click on Public certificate and then click on Next.
   - Complete the form:
      - Name - type a name you can remember.
      - Description - enter a description of your choice.
   - Click on Next.
   - Under Certificate authority select your configured Let's Encrypt certificate authority engine.
   - Under Key algorithm, pick your preferred algorithm.
   - Bundle certificates - leave off.
   - Automatic certificate rotation - leave off.
   - Under DNS provider select your configured DNS provider instance.
   - Click on Select domains, check Select with wildcard, leave the domain itself unchecked and click on Done.
   - Click Next.
   - Review your selections and click on Add.
   - You don't need to wait for the activation to complete to execute the next step, but you do need to wait for it to complete prior to verifying success.
- Configure HTTPS from client web browsers to the {{site.data.keyword.cis_short_notm}} endpoint. In {{site.data.keyword.cis_short_notm}} configure TLS Security:
   - Open the Security panel and choose TLS.
   - For the Mode choose Client-to-edge. This will terminate HTTPS connections at the global load balancer and will switch to HTTP connections to the VPC load balancer.
- In the {{site.data.keyword.cis_short_notm}} configure the global load balancer to use TLS:
   - Open the Reliability panel and choose Global load balancers.
   - Locate the global load balancer created earlier and turn on Proxy.
- In a browser open https://lb.example.com to verify success.
Next configure HTTPS from {{site.data.keyword.cis_short_notm}} to the VPC load balancer.

Add an HTTPS listener to the VPC load balancers:
- Navigate to VPC then Load balancers and click vpc-lb-region1.
- Choose Front-end listeners.
- Click Create listener.
- Select the Default back-end pool: `region1-pool` or `region2-pool`.
- Select HTTPS and enter for Port a value of `443`.
- Select the {{site.data.keyword.secrets-manager_short}} instance you created earlier; the SSL Certificate drop down should show the certificate name that you ordered from Let's Encrypt using your {{site.data.keyword.secrets-manager_short}} instance earlier. Click on Create.

   If the SSL Certificate drop down does not have example.com, you may have missed the authorization step above that gives the VPC load balancer access to the {{site.data.keyword.secrets-manager_short}} service. Verify that the {{site.data.keyword.secrets-manager_short}} service has a certificate for example.com.
   {: tip}
- Repeat the above steps for the vpc-lb-region2 load balancer.

The wildcard certificate created will allow access to domain names like vpc-lb-region1.example.com. Open the Overview tab of the VPC load balancer vpc-lb-region1 and notice that the Hostname is xxxxxxx-REGION.lb.appdomain.cloud. The wildcard certificate is not going to work for that hostname. Fix that problem by creating an alias and then updating the configuration.
- A DNS CNAME record can be created to allow clients to look up vpc-lb-region1.example.com and resolve xxxxxxx-REGION.lb.appdomain.cloud.
   - In the {{site.data.keyword.cis_short_notm}}, open the Reliability panel and choose DNS.
   - Scroll down to DNS Records and create a record of Type: CNAME, Name: vpc-lb-region1, TTL: Automatic and Alias Domain Name: VPC load balancer Hostname.
   - Add a DNS CNAME record for vpc-lb-region2.
- Now adjust the global load balancer to use the new CNAME records.
   - Open the Reliability panel and choose Global Load Balancers.
   - Find and edit the Origin Pools to change the Origin Address of the origin to vpc-lb-region1.example.com.
   - Repeat the above steps for vpc-lb-region2.example.com.
- Turn on end-to-end security.
   - Open the Security panel and choose TLS.
   - For the Mode choose End-to-end CA signed. This will use HTTPS connections at the global load balancer and HTTPS connections to the VPC load balancer.

In a browser open https://lb.example.com to verify success.
{: #vpc-multi-region-16}
In this alternative you will order an SSL certificate for lb.example.com from Let's Encrypt{: external} through {{site.data.keyword.secrets-manager_short}} and configure the global load balancer.

It is not currently possible to order a certificate directly for a {{site.data.keyword.cis_short_notm}} global load balancer, but it is possible to order one for a CNAME record. So we will create a CNAME to order the certificate.
- Open the {{site.data.keyword.cis_short_notm}} service you created earlier; you can find it in the Resource list.
- Navigate to Global Load Balancers under Reliability and click DNS.
- Scroll down to the DNS Records section and create a new record:
   - Type: `CNAME`
   - Name: `lb`
   - TTL: `default (Automatic)`
   - Alias Domain Name: `zzz.example.com`
   - Click Add Record.
- Order a certificate in {{site.data.keyword.secrets-manager_short}}:
   - Open the {{site.data.keyword.secrets-manager_short}} service and select Secrets on the left.
   - Click Add and then Public certificate. Click on Next.
   - Complete the form:
      - Name - `lb-alias`.
      - Description - enter a description of your choice.
   - Click on Next.
   - Under Certificate authority select your configured Let's Encrypt certificate authority engine.
   - Under Key algorithm select `RSA4096`.
   - Bundle certificates - leave off.
   - Automatic certificate rotation - leave off.
   - Under DNS provider select your configured DNS provider instance.
   - Click on Select domains.
   - Expand the domain listed to view the list of subdomains, select the check box next to lb.example.com and click on Done.
   - Click Next.
   - Review your selections and click on Add.

Create an HTTPS listener:
- Navigate to the VPC Load balancers page.
- Select vpc-lb-region1.
- Under Front-end listeners, click Create:
   - Protocol: HTTPS
   - Port: 443
   - Back-end pool: POOL in the same region
   - Choose the current region as your SSL region
   - Choose the SSL certificate order name you just created for lb.example.com
- Click Save to configure an HTTPS listener.

Repeat the above steps in the load balancer of region 2.

In a browser open https://lb.example.com to verify success.
{: #vpc-multi-region-17}
By now, you should have seen that most of the time you are accessing the servers in region 1, as it is assigned a higher weight compared to the servers in region 2. Let's introduce a health check failure in the region 1 origin pool:
- Navigate to the list of virtual server instances.
- Click the three dots (...) next to the server(s) running in zone 1 of region 1 and click Stop.
- Repeat the same for the server(s) running in zone 2 of region 1.
- Return to GLB under the {{site.data.keyword.cis_short_notm}} service and wait until the health status changes to Critical.
- Now, when you refresh your domain URL, you should always be hitting the servers in region 2.

Don't forget to start the servers in zone 1 and zone 2 of region 1.
{: tip}
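An added verification script, not part of the tutorial, for the two things the steps above leave to the browser: whether the certificate presented behind the global load balancer actually covers the name being visited (a wildcard such as *.example.com covers vpc-lb-region1.example.com but not the VPC load balancer's own xxxxxxx-REGION.lb.appdomain.cloud hostname, which is why the CNAME records were needed), and which region answers across repeated requests, before and after the region 1 servers are stopped. It assumes curl and OpenSSL 1.1.1 or later (for `openssl x509 -ext`), and lb.example.com stands in for your GLB name:

```shell
#!/bin/sh
# Added example, not part of the tutorial. Usage: sh glb_check.sh lb.example.com [N]
# Requires curl and OpenSSL 1.1.1+ (for "openssl x509 -ext"); lb.example.com is a placeholder.

# wildcard_covers NAME HOST
# Succeeds when a certificate name (a subjectAltName DNS entry) covers HOST.
# A wildcard matches exactly one label, so *.example.com covers
# vpc-lb-region1.example.com but neither a.b.example.com, the apex example.com,
# nor the VPC load balancer's xxxxxxx-REGION.lb.appdomain.cloud name.
wildcard_covers() {
  pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $pat in
    \*.*)
      suffix=${pat#\*.}      # everything after "*."
      first=${host%%.*}      # leftmost label of HOST
      rest=${host#*.}        # HOST without its leftmost label
      if [ -n "$first" ] && [ "$host" != "$first" ] && [ "$rest" = "$suffix" ]; then
        return 0
      fi
      return 1
      ;;
    *)
      [ "$pat" = "$host" ]
      ;;
  esac
}

# region_of BODY
# Extracts "region N" from the tagged Nginx page returned by a VSI.
region_of() {
  printf '%s\n' "$1" | grep -o 'region [^< ]*' | head -n 1
}

# tally_regions FILE
# FILE holds one response body per line; prints "region N COUNT" lines.
tally_regions() {
  while IFS= read -r body; do
    region_of "$body"
  done < "$1" | sort | uniq -c | awk '{ print $2 " " $3 " " $1 }'
}

# live_check HOST [N]
# Fetches the certificate presented for HOST, reports whether any of its DNS
# names covers HOST, then makes N HTTPS requests and tallies the answering region.
live_check() {
  host=$1; n=${2:-10}
  names=$(openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
          | openssl x509 -noout -ext subjectAltName 2>/dev/null \
          | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
  covered=no
  set -f                     # no filename globbing of names like *.example.com
  for name in $names; do
    wildcard_covers "$name" "$host" && covered=yes
  done
  set +f
  echo "certificate names: $(printf '%s' "$names" | tr '\n' ' ')"
  echo "covers $host: $covered"
  tmp=$(mktemp)
  i=0
  while [ "$i" -lt "$n" ]; do
    curl -s --max-time 10 "https://$host/" | tr -d '\n' >> "$tmp"
    echo >> "$tmp"
    i=$((i + 1))
  done
  tally_regions "$tmp"
  rm -f "$tmp"
}

# Run the live check only when a hostname is given, so the helper functions
# can also be sourced and exercised offline.
if [ $# -gt 0 ]; then
  live_check "$@"
fi
```

With the region 1 servers stopped and the GLB health status at Critical, the tally should show only region 2; once they are started again, both regions should reappear.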
{: #vpc-multi-region-removeresources} {: step}
- Remove the global load balancer, origin pools and health checks under the {{site.data.keyword.cis_short_notm}} service
- Remove the certificates in the {{site.data.keyword.secrets-manager_short}} service.
- Remove the load balancers, VSIs, subnets and VPCs.
- Under Resource list, delete the services used in this tutorial.
{: #vpc-multi-region-related}