How to use Cluster Active Gates with Load Balancer for Agentless Monitoring

shashank_b_agra
Organizer

Hi, We are in the process of setting up 2 new Cluster AGs with a public VIP load balancer which will route the traffic to Active gates.

Once that is done we need to set up agentless monitoring to monitor an application which is hosted externally and outside our Corporate network. We are going to provide a JStag from Dynatrace which will be embedded in the application's HTML files.

 

My question is how will the traffic flow in this case? I believe it will be something like -

 

External App (RUM Traffic) -> VIP Load balancer -> Active Gates -> Cluster Nodes

 

 

But how will the RUM traffic know where to go? Does that JStag contain the IP:port of that load balancer or the IP:port of the Active gate?

 

I was reading this very helpful article but still not clear how the traffic will flow in this case. Let me know if someone can help.

https://community.dynatrace.com/t5/Best-practices/Recommendations-for-configuring-a-load-balancer-fo...

 

9 REPLIES

The_AM
Dynatrace Champion

Hi Shashank,


Your deployment will look something like integrating with load balancer.

Basically, you need to set the public ActiveGate URL to be the load balancer address. This is within the Cluster Management Console (at least that's where it used to be, though potentially it's moved to the main Dynatrace UI). You set this as the cluster ActiveGate load balancer address (preferable if this is an FQDN address & port, rather than an IP address). The reason I mention FQDN is because it needs to have a valid public HTTPS certificate, which would normally be issued to a domain name.
This is described within Dynatrace Help, see Set up agentless monitoring.


The RUM applications will automatically send to this address for newly set up agentless RUM applications. And for existing RUM applications, it may depend on RUM settings or the insertion method to determine if the configuration updates will be applied automatically, without needing to change the jstag or js code snippet.

If for some reason you need to set up OneAgent instrumented applications to also use the cluster ActiveGate load balancer address over CORS, you can set that up under advanced settings by following the Dynatrace Help, see Use Dynatrace infrastructure as endpoint for RUM monitoring signals.

Regards,
Andrew M.

Hi @The_AM Thank you for the detailed response. I believe you are talking about this attached page. If you see, there is already an AG gate URL mentioned but it is internally hosted and not publicly available, that's why you can see the errors when I click on "Test Connection URL".

Now this AG is already accepting the requests from one agents which are installed on internal servers. So when I change the URL to the new AG (load balancer URL), will it affect the existing monitoring of applications? I already have multiple applications within my corporate network which are being monitored in Dynatrace.

Will changing this Cluster ActiveGate URL affect the existing application and monitoring?

 


 

@shashank_b_agra
Please see this topic for setting up the SSL certificate for cluster ActiveGate.

You will need to "Test connection" the load-balancer URL on port 443 - being externally available (public). And yes, once the Cluster ActiveGate address is changed, the OneAgents will attempt routing via the new location.

The Managed deployments scenario page (I linked before), has the following information:

The Cluster ActiveGate requires:

  • A publicly available IP address
  • A domain name with a valid SSL certificate, since external communication is only supported in a secure manner using HTTPS (port 443). This domain must be different from the Web UI domain. You can choose to provide a domain and a SSL certificate on your own or let Dynatrace do this for you. Dynatrace can generate a domain and a valid SSL certificate on your behalf.

I am thinking for your scenario, you may benefit from an architectural planning session. Because it sounds like you are trying to handle both environment ActiveGate traffic from OneAgents internally, and RUM traffic from external websites. So, in that case, it's a bit more complex setup. It sounds like you'd like to avoid sending traffic from internal up to your DMZ where your load-balancer may live?
Also for major architectural changes like this, I'd strongly recommend testing the setup first against a non-production cluster if you have one available for this purpose.

For reference, Dynatrace has Architects that specialize in this area. You could try reaching out via your Dynatrace ONE specialist (in-product live chat) or customer success manager to find out more or seek further help with your specific situation.

Regards,
Andrew M.
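
The requirements quoted in the reply above for the public Cluster ActiveGate address (HTTPS on port 443, a domain name rather than an IP address, a domain different from the Web UI domain) can be checked before the URL is entered in the cluster settings. This is an added example, not part of the original posts and not Dynatrace code; the function name and the example.com hostnames are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit


def check_public_ag_url(url, web_ui_host):
    """Return a list of problems; an empty list means the URL passes.

    Hypothetical helper: it checks only the URL's shape, not the
    certificate that the load balancer actually presents.
    """
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()

    # External communication is HTTPS only, on port 443.
    if parts.scheme != "https":
        problems.append("scheme must be https")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if port != 443:
        problems.append("public port must be 443")

    if not host:
        problems.append("no host in URL")
        return problems

    # A public certificate is normally issued to a domain name, so an
    # IP literal or a bare short hostname will not validate in browsers.
    try:
        ipaddress.ip_address(host)
        problems.append("host is an IP literal, not a domain name")
    except ValueError:
        if "." not in host:
            problems.append("host is not a fully qualified domain name")

    # The Cluster ActiveGate domain must differ from the Web UI domain.
    if host == web_ui_host.rstrip(".").lower():
        problems.append("domain must differ from the Web UI domain")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for candidate in ("https://rum.example.com", "https://ag01:9999",
                      "https://203.0.113.10", "https://dynatrace.example.com"):
        print(candidate, check_public_ag_url(candidate, "dynatrace.example.com"))
```

A URL that passes still needs the in-product "Test connection" step, which is what confirms the certificate and reachability from outside.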

@The_AM Hi Andrew, Thanks again for the detailed explanation. It is really really useful and kind of widening my view.

So my current deployment consists of 2 Environment AGs and 1 Cluster AG, all of them hosted internally.

 

Now we recently received a requirement to monitor RUM traffic for an application hosted externally, so we want to do agentless monitoring and hence we are building new load-balanced AGs and making them public. I guess the first thing I would need to do is find out if the existing one agents are sending the traffic to the Env AG or directly to the Cluster AG. I believe this can be done by checking the oneagent logs?

 

We don't have any testing environment to test these changes unfortunately, but I am going to speak to someone over the chat about this. You have been really helpful. I have a couple more questions before I stop bothering you again 😉

  1. If I change the Cluster AG URL to the Load Balancer and the agents deployed internally start communicating to that new AG, will it cause any data lag because the data will be flowing like Corp Network -> LB (DMZ) -> Cluster AG -> Cluster Nodes?
  2. Do I need to do some manual configuration changes in order for the above to happen, or does oneagent start communicating automatically?
  3. Will it cause any monitoring loss or monitoring unavailability?
  4. If oneagent is speaking to Env AG and Env AG is speaking to Cluster AG, will this new change in Cluster AG URL affect anything on Env AG?

 

You don't have to answer all of these but any guidance will be very helpful and then I will speak to the Dynatrace Advisor.

Hello @shashank_b_agra 

As the maximum information already shared by @The_AM, I would like to share the following recommendation by Dynatrace and my personal experience as well.

  • Normally it’s fine to install an Environment ActiveGate at any time following OneAgent installation. In some cases, however, the OneAgent installer must know about your Environment ActiveGate installation before OneAgent can be installed.
  • Normally it’s fine to install a Cluster ActiveGate at any time following OneAgent installation. In some cases, however, the OneAgent installer must know about your Cluster ActiveGate installation before OneAgent can be installed. In such instances, you must first install the Cluster ActiveGate and then download the OneAgent installer.

The following links for more insight.

https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-activegate/installation/ins...

https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-managed/installation/how-to...

 

I used to add cluster/environment AGs on a demand basis and never felt any issue. I make sure of only one thing: that the communication from the existing OneAgents must be open to the new environment/cluster component.

Also, if I added an additional cluster AG, then make sure the communication port is open between the environment and cluster AG because the traffic flows in this sequence.

 

Regards,

Babar

Hi @Babar_Qayyum Thanks for your response. So I am going to raise the connectivity today from my existing Environment Active Gates -> New Cluster AG. Since this new setup is using a load balancer which is available on a new public IP and port 443, the connectivity I need to open will be on this port, right, rather than port 9999 on which the Cluster AG will listen?

 

Also, will this new flow cause any data or monitoring lag because first we are sending the traffic from the internal network to the DMZ, then it routes back again to the Cluster AGs which are hosted internally, and then to the Cluster Nodes?

Is there a possibility that we can bypass the Cluster AG for existing oneagent installations and only use that for RUM traffic coming from external applications?

Hello @shashank_b_agra 

 

By default, AG listens on port 9999 which is SSL. If you want to keep the same port then the communication from the environment AG must be open to the 9999 rather than the 443.

 

What I used to do is the following:

 

 

Public IP > VIP Load balancer Port:443 (NATing to the cluster AG nodes) > Cluster Active Gates Port:9998 (to change from HTTPS to HTTP) > Cluster Nodes Port:443

 

 

Regards,

Babar

Hi @Babar_Qayyum Thank you. So I am also arranging a Dynatrace specialist to take a look at the new design but I have a last couple of questions if it is possible for you to answer -

  1. Will the new setup cause any data or monitoring lag for existing installations because the data will be flowing like One Agent (Internal) -> Env AG (Internal) -> LB (DMZ) -> Cluster AG (internal) -> Cluster Nodes (internal)? I am not sure if it is possible to bypass the Cluster AG in this case for existing installations.
  2. From Env AG, what ports do I need to open the connectivity to? Like I said, my new AG setup contains 2 servers with 1 load balancer. So the connectivity should be open to the load balancer, right?
  3. Do I need to do some manual configuration changes in Env AG in order for the above to happen, or does oneagent/Env AG start communicating automatically?
  4. Will it cause any monitoring loss or monitoring unavailability?

 

Hello @shashank_b_agra 

  1. Will the new setup cause any data or monitoring lag for existing installations because the data will be flowing like One Agent (Internal) -> Env AG (Internal) -> LB (DMZ) -> Cluster AG (internal) -> Cluster Nodes (internal)? I am not sure if it is possible to bypass the Cluster AG in this case for existing installations.
    • If the communication ports are open from the OneAgents to the Environment AG and Environment AG to the Cluster AG then there should not be an issue. Make sure the ports MUST be open from Environment AG to Cluster AG and from Cluster AG to the Dynatrace Cluster. As you are aware, the Dynatrace node also has a built-in AG, so you can make sure that port (443) is open from OneAgents to the Dynatrace cluster so in case of any unexpected issues, the OneAgents can go and connect to the local AG.
  2. From Env AG, what ports do I need to open the connectivity to? Like I said, my new AG setup contains 2 servers with 1 load balancer. So the connectivity should be open to the load balancer, right?
    • Do you mean the F5?
  3. Do I need to do some manual configuration changes in Env AG in order for the above to happen, or does oneagent/Env AG start communicating automatically?
    • There is no need to change anything on the Environment AG. You might have to change on the Cluster AG in case you are going to change the default port.
  4. Will it cause any monitoring loss or monitoring unavailability?
    • Logically, there should not be any loss.

Regards,

Babar
