We need your expert advises to design a robust setup for the Dynatrace e.g. we have multiple network zones of PCI/Non-PCI for the web servers /application servers /database servers and few of them are heavily used and some of them are comparatively less.
Our idea is to deploy 2 x Private Security Gateways (to get the advantage of load balancer / failover) in the heavily used zones and 1 x Private Security Gateways in others.
So in the same zone we do not need to open the port # 9999 from OneAgent to the Private Security Gateways and we can open only a port # 8443 from OneAgent to the Dynatrace Cluster.
In case one of the Private Security Gateway goes down in the heavily used zones then the agents should connect to the next available Private Security Gateway and if both are not available then it should connect directly to the Dynatrace Servers Cluster and the same should apply on the less utilized zones.
Please have a glance on the below diagram and also let us know that how the private security gateway is talking to the Dynatrace Servers Cluster and on which TCP/IP port.
Note: A correction in the diagram that Zone A will have 2 x Private Security Gateways and Zone B will have 2 x Private Security Gateways.
Hello @Patrick H.
Please correct my understanding about the following:
Real time experience - Yes - for agents, connecting to private gateway has the highest priority. If no private gateway is reachable, the agent tries to connect to any of public gateways (if you have them in the environment). Connecting directly to cluster has the lowest priority.
Actually, if you look carefully at the endpoint list (serverAddress in ruxitagentproc.conf) it is sorted with the priorities above. Private > Public -> Cluster.
Agents do not check network hops (my experience) nor calculate subnets. Maybe they check network RTT to prioritize some private gateways before others.
Hello @Julius L.
Currently, we are planning to setup the Dynatrace environment, therefore, maybe can ask some silly questions.
Below statement is about the dnsEntryPoint of the security gateway. We do have Public Security Gateways in our designed environment, so how the agent will connect to the Public Security Gateway in case Private Security Gateway is not available and according to the sequence Private > Public -> Cluster.
Define the entry point for the Security Gateway (for example,
http://sg1.mydomain.com:9876). Via this URL, the Security Gateway is accessed by Dynatrace OneAgent. If not set, an auto-detected endpoint will be used. This entry can be used if the Security Gateway is accessed via, for example, an external IP address or load balancer.
AFAIK, if the dnsEntryPoint is specified during installation or afterwards in the gateway config, only this entry gets propagated to the endpoint list. So the agent will only try to connect to the address and port (and IPs) specified by the dnsEntryPoint.