Avi GSLB for (n+1) Horizon Deployments
Overview
Global Server Load Balancing (GSLB) is the act of balancing an application’s load across instances of the application that have been deployed to multiple locations. Application load at any one of those locations is usually managed by a local load balancer.
With companies and employees alike preferring to work from home or on the go, there is no guarantee where users will be at any point in time. This is a concern for most companies as they plan the front doors for user productivity. The challenge today goes well beyond the availability, disaster recovery, and business continuity concerns of a couple of years ago.
The go-to solution for this is Global Server Load Balancing. With GSLB, access to resources is controlled through DNS queries and health checking. Based on whether each site is healthy and on the configured logic, GSLB answers the DNS query with the IP address (as a DNS record) of the site the user should access.
If you have multiple instances of application/UAG servers deployed across the globe and your users are geographically dispersed, GSLB is required.
Prerequisites
Ensure the following prerequisites are met before configuring GSLB for (n+1) Horizon Deployments:
- Avi Controllers are set up in all the data centers.
- Avi cloud configuration is complete.
- Avi sites are added in GSLB and DNS virtual services are configured on the individual sites as per the requirement.
- UAG servers are configured as required, along with the other Horizon components for (n+1) deployments.
Note: This is an (n+1) deployment, i.e., only primary protocol traffic (XML/API traffic) goes through the Avi VIP. Blast and PCoIP traffic goes to the UAG servers directly.
The GSLB entries to be made are shown here.
Reference Architecture
Avi Vantage can be deployed on-premises or in any cloud ecosystem, which makes it easy to load balance Horizon traffic wherever it runs. Avi GSLB distributes the load across multiple, geographically dispersed data centers.
Only two GSLB sites are shown here. You can add more GSLB sites as per the requirement.
Consider the request flow with the sample topology:
- Avi is running in two locations (GSLB sites):
  - On-premises (Avi GSLB Site 1)
  - Public Cloud (Avi GSLB Site 2)
  Each site has its own Avi Controller Cluster (represented by a single Controller icon).
- The Avi load balancer for UAG has virtual services running in Avi GSLB Site 1 and Avi GSLB Site 2 respectively:
  - uagvip.site1.com
  - uagvip.site2.com
- Avi GSLB Site 1 and Avi GSLB Site 2 have global DNS services (Avi DNS1 and Avi DNS2 respectively). They are equally authoritative for the subdomain appshzn.com.
- Avi monitors the health of the virtual services to choose the best location (that is, to rule out unhealthy locations).
- It synchronizes configuration and state across GSLB sites, to ensure VS1 and VS2 can continue despite certain failures.
Note: The IP and FQDN used in the example are for illustration purposes only. Replace this with your real environment details.
The GSLB service (GS) app domain name is demo.appshzn.com.
The DNS entries to be made are as follows:
For Site 1:
FQDN | Entity Description | IP Address (used for DNS entries) | Real IP |
---|---|---|---|
uagvip.site1.com | FQDN of Avi LB VIP | VIP1 | 10.10.5.200 |
uag1.site1.com | FQDN of UAG server1 on site 1 | UAG server1 IP on site 1 i.e. 10.58.17.163 | 10.58.17.163 |
uag2.site1.com | FQDN of UAG server 2 on site 1 | UAG server2 IP on site 1 i.e. 10.58.17.164 | 10.58.17.164 |
For Site 2:
FQDN | Entity Description | IP Address (used for DNS entries) | Real IP |
---|---|---|---|
uagvip.site2.com | FQDN of Avi LB VIP | VIP2 | 10.10.10.100 |
uag1.site2.com | FQDN of UAG server1 on site 2 | UAG server1 IP on site 2 i.e. 10.98.17.163 | 10.98.17.163 |
uag2.site2.com | FQDN of UAG server 2 on site 2 | UAG server2 IP on site 2 i.e. 10.98.17.164 | 10.98.17.164 |
Note: If there are more than two UAG servers, a host entry/DNS entry has to be added for every UAG server. UAG servers need their own public IP addresses, as this is an (n+1) deployment.
Request Flow for (n+1) Deployments
The request flow for this deployment is as shown below:
- The user sends a request to access demo.appshzn.com over the internet.
- The request goes to the corporate DNS server, which forwards the DNS query to one of the two Avi DNS servers: Avi DNS 1 or Avi DNS 2.
- Assume that the request goes to Avi DNS 1. Avi DNS 1 selects a UAG VIP according to the GSLB algorithm.
- Assume that Avi DNS responds to the client with the IP address of the Site 2 VIP (uagvip.site2.com).
- The client now sends a request directly to the Avi LB on Site 2 (uagvip.site2.com).
- The Avi load balancer load-balances the request to one of the backend UAG servers. In this case, Avi sends the request to UAG server 1 on Site 2 (uag1.site2.com).
- UAG sends a 307 redirect to the client with the uag1.site2.com FQDN in the Location header.
- The client reads the Location header and queries the host named in it (uag1.site2.com).
- Because of the DNS entries created earlier (shown in the tables above), the FQDN uag1.site2.com resolves to the UAG server's IP address.
- All further flows, including those for the secondary protocols (Blast/PCoIP), go to uag1.site2.com directly, bypassing the Avi LB.
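The flow above, modelled as an added Python example (this is not code from the Avi documentation or product). The DNS records are those from the Site 1 and Site 2 tables; the round-robin GSLB algorithm, the site health states, the `/broker/xml` path in the redirect and the client's redirect handling are constructed for illustration. The `Uag` class implements the host redirect mapping described under Important Configurations to Check on UAG (source host = GSLB FQDN, redirect host = the UAG's own FQDN). The third scenario shows the failure when one of the per-UAG DNS entries is missing: the client cannot resolve the redirect target and the session never reaches the UAG.

```python
# Added example, not from the Avi documentation: a model of the (n+1) request flow.
# DNS records come from the Site 1 / Site 2 tables; GSLB algorithm (round robin),
# health states, redirect path and client behaviour are constructed for illustration.
import itertools
from typing import Dict, List, Mapping, Tuple
from urllib.parse import urlsplit

GSLB_FQDN = "demo.appshzn.com"
GSLB_POOL = ["uagvip.site1.com", "uagvip.site2.com"]  # UAG L7 VS of both sites

# Entries from the DNS tables above (FQDN -> IP used for the DNS entry).
DNS_RECORDS: Dict[str, str] = {
    "uagvip.site1.com": "10.10.5.200",
    "uag1.site1.com": "10.58.17.163",
    "uag2.site1.com": "10.58.17.164",
    "uagvip.site2.com": "10.10.10.100",
    "uag1.site2.com": "10.98.17.163",
    "uag2.site2.com": "10.98.17.164",
}


class Uag:
    """UAG with a host redirect mapping: a request whose Host is the GSLB FQDN gets a
    307 to the UAG's own FQDN; a request for the UAG's own FQDN is served (200)."""

    def __init__(self, fqdn: str) -> None:
        self.fqdn = fqdn
        self.redirect_map = {GSLB_FQDN: fqdn}  # source host -> redirect host

    def handle(self, host: str) -> Tuple[int, Dict[str, str]]:
        if host in self.redirect_map:
            # Constructed path; the real XML-API path is not needed for the model.
            return 307, {"Location": f"https://{self.redirect_map[host]}/broker/xml"}
        return 200, {}


class AviVip:
    """Site-local L7 VIP: round-robins primary-protocol requests over its UAG pool."""

    def __init__(self, pool: List[Uag]) -> None:
        self._rr = itertools.cycle(pool)

    def handle(self, host: str) -> Tuple[int, Dict[str, str]]:
        return next(self._rr).handle(host)


class AviDns:
    """GSLB DNS: the GSLB FQDN is answered with the VIP of the next healthy pool member
    (round robin); every other name is answered from the zone records."""

    def __init__(self, vs_healthy: Mapping[str, bool], records: Mapping[str, str]) -> None:
        self.vs_healthy = vs_healthy      # health of each GSLB pool member (from monitoring)
        self.records = records
        self._rr = itertools.cycle(GSLB_POOL)

    def resolve(self, name: str) -> str:
        if name != GSLB_FQDN:
            if name not in self.records:
                raise LookupError(f"NXDOMAIN: {name}")
            return self.records[name]
        for _ in GSLB_POOL:               # skip unhealthy members, at most one full cycle
            member = next(self._rr)
            if self.vs_healthy.get(member, False):
                return self.records[member]
        raise LookupError("no healthy GSLB pool member")


def build_topology(vs_healthy: Mapping[str, bool], records: Mapping[str, str] = DNS_RECORDS):
    """Wire the endpoints by IP: UAGs listen on their real IPs, the VIPs on VIP1/VIP2."""
    uags = {n: Uag(n) for n in DNS_RECORDS if n.startswith(("uag1", "uag2"))}
    endpoints = {DNS_RECORDS[n]: uag for n, uag in uags.items()}
    endpoints[DNS_RECORDS["uagvip.site1.com"]] = AviVip([uags["uag1.site1.com"], uags["uag2.site1.com"]])
    endpoints[DNS_RECORDS["uagvip.site2.com"]] = AviVip([uags["uag1.site2.com"], uags["uag2.site2.com"]])
    return AviDns(vs_healthy, records), endpoints


def client_session(dns: AviDns, endpoints, url: str = f"https://{GSLB_FQDN}/broker/xml",
                   max_hops: int = 3) -> List[Tuple[str, str]]:
    """Return the (host, ip) hops the client takes, following a 307 the way the flow
    describes: resolve the host in the Location header and reconnect to it directly."""
    hops = []
    for _ in range(max_hops):
        host = urlsplit(url).hostname
        ip = dns.resolve(host)
        hops.append((host, ip))
        status, headers = endpoints[ip].handle(host)
        if status != 307:
            return hops
        url = headers["Location"]
    raise RuntimeError("too many redirects")


def scenarios():
    """Both sites healthy; Site 1 VS down; and a zone missing the uag1.site2.com entry."""
    both_up = client_session(*build_topology({"uagvip.site1.com": True, "uagvip.site2.com": True}))
    site1_down = client_session(*build_topology({"uagvip.site1.com": False, "uagvip.site2.com": True}))
    partial_zone = {k: v for k, v in DNS_RECORDS.items() if k != "uag1.site2.com"}
    try:
        client_session(*build_topology({"uagvip.site1.com": False, "uagvip.site2.com": True}, partial_zone))
        missing_entry = None
    except LookupError as exc:
        missing_entry = str(exc)      # redirect target unresolvable: the session fails here
    return both_up, site1_down, missing_entry
```

In the second scenario the GSLB DNS rules out the unhealthy Site 1 VS and answers with the Site 2 VIP, after which the client lands directly on uag1.site2.com, exactly the path the numbered flow describes. The third scenario is the operational reason for the note under the DNS tables: a UAG without its own DNS entry is reachable through the VIP but unreachable after the redirect.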
Configuring Load Balancing UAG
The configuration steps for load balancing UAG are as below:
- Creating Custom Health Monitor for UAG
- Creating Pools
- Creating SSL Profile and Install SSL Certificate
- Creating an L7 Virtual Service and HTTP request policies
Follow the steps given below to configure site 1:
Creating Custom Health Monitor for UAG
To create a custom health monitor,
- From the Avi UI, navigate to Templates > Profiles > Health Monitors.
- Click on Create.
- Select the vCenter cloud that was created for Horizon.
- Enter the following details in the New Health Monitor screen.
Field | Value |
---|---|
Send Interval | 30 |
Receive Timeout | 10 |
Client Requested Data | GET /favicon.ico HTTP/1.0 |
Response Code | 2xx |

The New Health Monitor screen is as shown below:
- Click on Save.
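The monitor configured above, as an added Python example (not Avi's implementation): it sends `GET /favicon.ico HTTP/1.0`, waits at most the receive timeout for the status line, and marks the server UP only when the status code falls in the 2xx class. It probes over plain TCP so the block runs offline; the monitor on this page is an HTTPS monitor, so a real probe would wrap the socket in TLS first. The backends are constructed local listeners, not UAG appliances, and are used to show the three outcomes that matter: a 2xx answer, a 3xx answer (which is not a match), and no answer within the timeout.

```python
# Added example, not Avi's code: a minimal active HTTP health monitor mirroring the
# table above (GET /favicon.ico HTTP/1.0, Receive Timeout 10, Response Code 2xx).
# Plain TCP instead of TLS so it runs offline; backends are constructed local servers.
import socket
import threading
import time
from typing import Optional, Tuple

PROBE_REQUEST = b"GET /favicon.ico HTTP/1.0\r\n\r\n"   # "Client Requested Data" from the table
RECEIVE_TIMEOUT = 10.0                                 # "Receive Timeout" from the table, seconds
EXPECTED_CODE = "2xx"                                  # "Response Code" from the table


def response_code_matches(raw: bytes, expected: str = EXPECTED_CODE) -> bool:
    """Parse the HTTP status line and compare the code against a class such as '2xx'
    (or an exact code such as '200'). Anything unparsable is a mismatch."""
    try:
        status_line = raw.split(b"\r\n", 1)[0].decode("ascii")
        version, code = status_line.split(" ")[:2]
    except (UnicodeDecodeError, ValueError):
        return False
    if not version.startswith("HTTP/") or len(code) != 3 or not code.isdigit():
        return False
    return code[0] == expected[0] if expected.endswith("xx") else code == expected


def probe(host: str, port: int, receive_timeout: float = RECEIVE_TIMEOUT) -> bool:
    """One health-check round trip. Connection errors, timeouts and unparsable answers
    all count as DOWN, so a server can never become UP by accident."""
    try:
        with socket.create_connection((host, port), timeout=receive_timeout) as s:
            s.settimeout(receive_timeout)
            s.sendall(PROBE_REQUEST)
            raw = s.recv(4096)
    except OSError:            # socket.timeout and ConnectionRefusedError are OSErrors
        return False
    return response_code_matches(raw)


def fake_uag(response: Optional[bytes], delay: float = 0.0) -> Tuple[str, int]:
    """Constructed stand-in for a UAG listener on 127.0.0.1: after `delay` seconds it
    sends `response`, or just closes the connection when response is None."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(1024)
                time.sleep(delay)
                if response is not None:
                    conn.sendall(response)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo() -> dict:
    """Probe three constructed backends and return their UP/DOWN verdicts."""
    healthy = fake_uag(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
    redirecting = fake_uag(b"HTTP/1.1 307 Temporary Redirect\r\n"
                           b"Location: https://uag1.site1.com/favicon.ico\r\n\r\n")
    hanging = fake_uag(None, delay=3.0)
    return {
        "healthy_2xx": probe(*healthy),
        "307_is_not_2xx": probe(*redirecting),
        "no_answer_within_timeout": probe(*hanging, receive_timeout=0.5),
    }


if __name__ == "__main__":
    for name, up in demo().items():
        print(f"{name}: {'UP' if up else 'DOWN'}")
```

The redirect case is worth keeping in mind when choosing the probe path: the UAGs in this deployment answer requests for the GSLB host with a 307, so a monitor that requested a path the UAG redirects would mark a healthy server DOWN. Probing a static resource that the UAG serves with 2xx avoids that.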
Creating SSL Profile for Pool
Create an SSL Profile for the UAG pool with the configuration given below:
- Accepted Versions: 1.2
- Cipher List:
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- Navigate to Templates > SSL/TLS Profile > Create
- Select Application Profile.
- Enter the details as shown below:
- Click on Save.
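The same profile expressed on the client side, as an added Python example (not Avi code): the context is pinned to TLS 1.2 only and to the four ECDHE-RSA suites listed above, and the audit function reports which suites the local OpenSSL actually enables. The IANA-to-OpenSSL name mapping and the use of an OpenSSL-backed Python build are assumptions of this example.

```python
# Added example, not Avi's code: reproduce the SSL profile above (Accepted Versions 1.2,
# the four ECDHE-RSA suites) in a Python ssl context and audit what OpenSSL enables.
# Assumptions: OpenSSL-backed Python, and the IANA -> OpenSSL name mapping below.
import ssl
from typing import Dict, List, Tuple

# IANA suite names from the profile -> OpenSSL cipher names.
PROFILE_CIPHERS: Dict[str, str] = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
}


def build_profile_context() -> ssl.SSLContext:
    """Client context pinned to the profile: TLS 1.2 only, profile ciphers only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(PROFILE_CIPHERS.values()))
    return ctx


def enabled_tls12_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """OpenSSL names of the TLS 1.2 suites the context offers. get_ciphers() also lists
    the fixed TLS 1.3 suites regardless of version pinning, so those are filtered out."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def audit_context(ctx: ssl.SSLContext) -> Tuple[List[str], List[str]]:
    """Return (unexpected, missing): suites enabled that the profile does not list, and
    profile suites the local OpenSSL refused (for example, disabled by its security level)."""
    enabled = set(enabled_tls12_ciphers(ctx))
    wanted = set(PROFILE_CIPHERS.values())
    return sorted(enabled - wanted), sorted(wanted - enabled)


if __name__ == "__main__":
    unexpected, missing = audit_context(build_profile_context())
    print("unexpected:", unexpected or "none")
    print("missing:", missing or "none")
```

A suite reported under `missing` means the local OpenSSL build or its configured security level refuses it; a client built on that library would simply not offer the suite to the VIP, which is the practical way to check whether the profile leaves every expected client at least one common cipher.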
Creating Pools
Creating the UAG L7 Pool
To create the pool,
- In Avi Vantage, navigate to Applications > Pools.
- Select the vCenter cloud from the Select Cloud sub-screen.
- Click on Next.
- Click on Create Pool.
- In the New Pool: screen, update the details as shown below:
- To bind the monitor, click on Add Active Monitor and select the HTTPS monitor that was created.
- Click on Next.
- Click on Enable SSL and select the appropriate SSL profile as shown below:
- Click on Next.
- In the Step 2: Servers tab, add the Server IP Address of the UAG servers created earlier and click on Add Server.
- Click on Next.
- Navigate to Step 3: Advanced tab > Step 4: Review.
- Click on Next and then click on Save.
Installing the SSL certificate Required for L7 VIP
The SSL connection is terminated at the Avi virtual service, so the SSL certificate must be assigned to the virtual service. It is recommended to install a certificate signed by a valid certificate authority instead of using a self-signed certificate.
Install the certificate in Avi Vantage, and ensure the CA certificate is imported and linked. For information, refer to Import Certificates.
Note: For this setup, a certificate named Horizon_Certificate has been installed.
Disabling Connection Multiplexing
For UAG load balancing, disable connection multiplexing for the System-Secure-HTTP-VDI profile.
To disable connection multiplexing,
- Navigate to Templates > Profiles> Application > System-Secure-HTTP-VDI.
- Click on the edit icon.
- Disable the option Connection Multiplexing as shown below:
- Click on Save.
Creating L7 Virtual Service and HTTP Request Policies
The L7 virtual service requires an SSL profile.
To create the SSL Profile,
- Navigate to Templates > SSL/TLS Profile > Create
- Select Application Profile.
- Enter the details as shown below:
- Click on Save.
After creating the SSL Profile, create the virtual service.
To create the new L7 virtual service,
- From the Avi UI, navigate to Applications > Virtual Services.
- Click on Create Virtual Service > Advanced Setup.
- Use System-Secure-HTTP-VDI as the Application Profile.
- Configure the virtual service as shown below:
- Click on Next.
- Go to Policies > HTTP Request Policies and add policies as shown below:
  Note: Similarly, create policies on Site 2 as well. Change the host header and IP address of the server accordingly.
- Click Save.
- Click on Next > Next .
- Click Save.
Load Balancing Connection Server
Both L4 and L7 virtual services are supported for load balancing traffic to Connection Servers; however, L7 virtual services are recommended. To learn how to use an L7 virtual service to load balance traffic to Connection Servers, refer to the Configure Avi Vantage for VMware Horizon article.
The configuration for Site 2 Controller is similar to that of Site 1.
Follow the configuration steps for Site 1 to configure Site 2.
With this, the LB configuration on both the sites is completed.
Avi GSLB Configuration
- Go to the Avi leader site.
- Navigate to Applications > GSLB services.
- Click Create > Advanced Setup.
- Add the details as shown in the example below:
- Click on Add Pool.
- In the New Pool screen, add the pool members, i.e., the UAG L7 VS from both sites.
- Set the Pool Members Load Balancing Algorithm to Round Robin.
- Click on Save > Save.
Important Configurations to Check on UAG for This Solution
1. Host redirect mapping should be configured on all UAGs. Ensure the following:
   - The source host is the GSLB FQDN.
   - The redirect host is the UAG's FQDN.
2. Upload the TLS server certificate for the internet interface on all the UAG servers.
Other Considerations
- All the host names/FQDNs must be added in the SAML IDP as shown in the example below:
- Add the SAN certificate to UAG as explained in [Configuring TLS/SSL Certificates for Unified Access Gateway Appliances](https://docs.vmware.com/en/Unified-Access-Gateway/3.1/com.vmware.uag-31-deploy-config.doc/GUID-68FA36E0-4F12-40D8-BC56-EBA994677AF4.html). Install the same certificate and key pair on Avi and bind it to the UAG L7 VS.
In some cases, when accessing the VMware Horizon Client, multiple icons for the same site can be displayed as shown below:
This issue will be resolved in the upcoming releases for Horizon Client.