Hi, We are in a process of setting up 2 new Cluster AG's with a public VIP load balancer which will route the traffic to Active gates.
Once that is done we need to set up agentless monitoring to monitor an application which is hosted externally and outside our Corporate network. We are going to provide a JStag from Dynatrace which will be embedded to the application html files.
My question is how will the traffic flow in this case? I believe it will be something like -
External App (RUM Traffic) -> VIP Load balancer -> Active Gates -> Cluster Nodes
But how will the RUM traffic know where to go? Does that JStag contains the IP:port of that load balancer or IP:port of Active gate.
I was reading this very helpful article but still not clear how the traffic will flow in this case. Let me know if someone can help.
Your deployment will look something like integrating with load balancer.
Basically, you need to set the public ActiveGate URL to be the load balancer address. This is within the Cluster Management Console (at least that's where it used to be, though potentially it's moved to the main Dynatrace UI). You set this as the cluster ActiveGate load balancer address (preferable if this a FQDN address & port, rather than IP address). The reason I mention FQDN is because it needs to have a valid public HTTPS certificate, which would normally be issued to a domain name.
This is described within Dynatrace Help, see Set up agentless monitoring.
The RUM applications will automatically send to this address for newly setup agentless RUM applications. And for existing RUM applications, it may depend on RUM settings or the insertion method to determine if the configuration updates will be applied automatically, without needing to change the jstag or js code snippet.
If for some reason you need to setup OneAgent instrumented applications to also use the cluster ActiveGate load balancer address over CORS, you can set that up under advanced settings by following the Dynatrace Help, see Use Dynatrace infratructure as endpoint for RUM monitoring signals
Hi @The_AM Thank you for the detailed response. I believe you are talking about this attached page. If you see there is already a AG gate URL mentioned but it is internally hosted and not publically available that's why you can see the Errors when i click on "Test Connection URL".
Now this AG is already accepting the requests from one agents which are installed on internal servers. So when i change the URL to the new AG (load balancer URL) then will it affect the existing monitoring of applications because I already have multiple applications within my corporate network which are being monitored in Dynatrace.
Does change of this Cluster ActiveGate URL will affect the existing application and Monitoring?
Please see this topic for setting up the SSL certificate for cluster ActiveGate.
You will need to "Test connection" the the load-balancer URL on port 443 - being externally available (public). And yes, once the Cluster ActiveGate address is changed, the OneAgents will attempt routing via the new location.
The Managed deployments scenario page (I linked before), has the following information:
The Cluster ActiveGate requires:
I am thinking for your scenario, you may benefit from an architectural planning session. Because it sounds like you are trying to handle both environment ActiveGate traffic from OneAgents internally, and RUM traffic from external websites. So, in that case, it's a bit more complex setup. It sounds like you'd like to avoid sending traffic from internal up to your DMZ where your load-balancer may live?
Also for major architectural changes like this, I'd strongly recommend testing the setup firstly against a non-production cluster if you have one available for this purpose.
For reference, Dynatrace has Architects that specialize in this area. You could try reaching out via your Dynatrace ONE specialist (in-product live chat) or customer success manager to find out more or seek further help with your specific situation.
@The_AM Hi Andrew, Thanks again for the detailed explanation. It is really really useful and kind of widening my view.
So my current deployment consist of 2 Environment AG's and 1 Cluster AG, all of them hosted internally.
Now we recently received a requirement to monitor RUM traffic for an application hosted externally so we want to do agentless monitoring and hence we are building new Load balanced AG's and making it public. I guess the first thing I would need to do is find out if the existing one agents are sending the traffic to Env AG or directly to the Cluster AG. I believe this can be done by checking the oneagent logs?
We don't have any testing environment to test these changes unfortunately but I am going to speak to someone over the chat about this but you have been really helpful. I have couple of more questions before I stop bothering you again 😉
You don't have to answer all of these but any guidance will be very helpful and then I will speak to the Dynatrace Advisor.
As the maximum information already shared by @The_AM, I would like to share the following recommendation by Dynatrace and my personal experience as well.
The following links for more insight.
I used to add cluster/environment AG on a demand basis and never felt any issue. I make sure only one thing that the communication between the existing OneAgents must be open to the new environment/cluster component.
Also, if I added an additional cluster AG, then make sure the communication port opens between the environment and cluster AG because the traffic flow in this sequence.
Hi @Babar_Qayyum Thanks for your response. So I am going to raise the connectivity today from my existing Environment Active Gates -> New Cluster AG. Since this new set up is using Load balancer which is available on a new public IP and port 443 so the connectivity I need to open will be on this port right rather than port 9999 on which the Cluster AG will listen on?
Also will this new flow cause any data or monitoring lag because first we are sending the traffic from internal network to DMZ then it routes back again to Cluster AG which are hosted internally and then to Cluster Nodes?
Is there a possibility that we can by pass the Cluster AG for existing oneagent installations and only use that for RUM traffic coming from external applications?
By default, AG listens on port 9999 which is SSL. If you want to keep the same port then the communication from the environment AG must be open to the 9999 rather than the 443.
What I used to do is the following:
Public IP > VIP Load balancer Port:443 (nating to the cluster AG nodes) > Cluster Active Gates Port:9998 (to change from HTTPS to HTTP) > Cluster Nodes Port:443
Hi @Babar_Qayyum Thank you. So I am also arranging a Dynatrace specialist to take a look at the new design but I have last couple of questions if it is possible for you to answer -