Managed cluster nodes with custom domain and certificate, DNS round-robin or loadbalancer

fstekelenburg
DynaMight Pro

With a Dynatrace Managed deployment, where two nodes were added to an initial node to form a three-node cluster, the first node was deployed with a custom domain name and SSL certificate (e.g. https://dm.customer.org). Since in the public endpoints configuration the Dynatrace Web UI URL is set to the custom domain, all UI interaction, as well as integrations using this domain name, are still pointed to node #1.

We want to extend this, so that all three nodes are used/involved. After all, it's a cluster.

As far as I can see there are three methods to accomplish this.

Simple - give all nodes their own domain name
Users will have to browse to node 2 and 3 manually (dm2.customer.org - dmN).
This is not the preferred method, users should go to the main domain and end up at one of the clusters.
So there remain the options:

Loadbalancer
Put a load-balancing solution in front of the cluster nodes, load the SSL certificate for SSL offloading on the loadbalancer, and point the main domain for the Dynatrace Web UI URL to the IPs of the loadbalancer(s).
The communication between LB and cluster nodes either has to be secure, which probably implies all nodes have to have their own node certificate, or not secure, but then the communication LB<>Cluster has to be secured with firewall and host security.
The benefits of this approach are those of load balancing: advanced availability checks and configuration, true load balancing techniques, as well as SSL offloading.
This however means investment in setting up a loadbalancer solution.

DNS Round robin
Set up the domain for all nodes' IPs. All the nodes' IPs will be added in DNS under the domain name.
The SSL certificate for the domain can then also be loaded onto the other cluster nodes.
DNS will then take care of the redirection to one of the cluster nodes.
This is more or less related to what is described in Solved: Dynatrace Managed Cluster with custom domain name setup - Dynatrace Community
This seems a simple yet effective solution, with no further investment needed.
Time-outs in case of node outage may be an issue, however modern browsers ought to try the next IP in seconds in case of unavailability.
Another question is, how to securely connect to one of the specific nodes? I think that is only possible if the certificate loaded has a SAN applied and the nodes' own domain names are also added to it.
At this moment it seems we first would like to use this approach.

Are my assumptions right, and is the DNS round-robin method a viable and supported solution?



Julius_Loman
DynaMight Guru

Hello @fstekelenburg ,

DNS failover is a common solution I've seen across customers (but I haven't seen that with Dynatrace Managed). Let's call it a low-cost solution. 😁 Typically a very short DNS TTL of 60 seconds will do the trick, but you need a script to check the node availability and set the DNS record. I remember having issues if you put multiple records for a DNS name. Some browsers or clients are not able to handle that correctly.

For connecting to an explicit node securely you have two options:

  • Issue the certificate with a SAN extension. SAN is nowadays required anyway for Chrome-based browsers. So issue a certificate having the clustered name as well as each node name. Afaik, a SAN can have tens of DNS names.
  • When you want to connect, just put a record into your hosts file (/etc/hosts, c:\windows\system32\drivers\etc\hosts), so your browser will ignore DNS and use the hosts file.

Typically I recommend the load balancer approach. Most customers have appliances such as F5 which can be configured quickly and you don't have to set up this DNS load balancing.

TEMPEST a.s., Slovakia, Dynatrace Master Partner
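As an added example (not code from the thread or from Dynatrace), a small Python check for the SAN point above: given the certificate dict that `ssl.getpeercert()` returns, it reports which of the cluster name and the per-node names the SAN extension does not cover, and it can fetch the certificate from one specific node IP while sending the cluster domain via SNI, exactly as a browser would after DNS round-robin picks that node. The node names dm1/dm2/dm3.customer.org and the sample certificate are constructed assumptions.

```python
import socket
import ssl

# Constructed sample of what ssl.SSLSocket.getpeercert() returns for a certificate
# whose SAN lists the cluster name plus only two of the three node names.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "dm.customer.org"),),),
    "subjectAltName": (
        ("DNS", "dm.customer.org"),
        ("DNS", "dm1.customer.org"),
        ("DNS", "dm2.customer.org"),
    ),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact (case-insensitive) or a single leftmost
    wildcard label such as *.customer.org, which never matches the bare apex."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == pattern and pattern == hostname:
        return True
    if pattern.startswith("*."):
        rest, parts = pattern[2:], hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == rest
    return False


def san_dns_names(peercert: dict) -> list:
    """DNS entries of the SAN extension; browsers ignore the subject CN."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def uncovered_names(peercert: dict, required: list) -> list:
    """Names (cluster domain plus per-node names) that the certificate does not cover."""
    names = san_dns_names(peercert)
    return [h for h in required if not any(_dns_name_matches(n, h) for n in names)]


def fetch_peercert(ip: str, server_name: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to one node IP while presenting the cluster domain via SNI.
    Verification stays on: a handshake failure here is the finding you want."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    wanted = ["dm.customer.org", "dm1.customer.org", "dm2.customer.org", "dm3.customer.org"]
    print("names not covered by SAN:", uncovered_names(SAMPLE_PEERCERT, wanted))
```

Run the same check against `fetch_peercert(node_ip, "dm.customer.org")` for each node IP to confirm every node presents a certificate that covers both the cluster name and its own name.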

Hello @fstekelenburg, you have written up a good summary of the options.


We have had a relatively good experience using DNS round-robin with our D-M three-node clusters. Sometimes users may see the node outage in their browser during rolling node outages, i.e. during cluster updates, but all they have to do is refresh their browser.


Using the same certificate on the three servers works, albeit your org may mandate some care when copying the private key.


As you are aware, OneAgent traffic will fail over to cluster nodes if/when Environment ActiveGates fail. We have successfully tested this on our DNS R-R setup. Would the LB/SSL-offload also function well in AG failovers?