Planning for high availability

An IBM® Security Identity Governance and Intelligence virtual appliance deployment with a load-balanced cluster provides scalability in addition to the expected high availability.

Load balancer settings and requirements

Load balancing is a technique to distribute user requests between two or more virtual appliances in a predefined cluster. Each virtual appliance in this cluster is called a node. Using multiple nodes in such a cluster increases reliability and availability through redundancy.
Note: If you did not configure M.2 when you set up the virtual appliance, use the management interface set command to configure it.

Load balancer requirements

The most common mechanism to make a highly available deployment is to add a load balancer that distributes user requests to underlying servers. This deployment locks down any direct access to individual servers. In addition to making a highly available deployment of the IBM Security Identity Governance and Intelligence virtual appliance, it also provides horizontal scalability. See Figure 1.

Figure 1. Deployment diagram of a typical load balancer in a customer environment
Typical load balancer deployment

As shown in Figure 1, provide one or more backup load balancers or routers to prevent the load balancer itself from becoming a single point of failure.

The load balancer can be a dedicated hardware or software node that can route incoming requests to an IBM Security Identity Governance and Intelligence virtual appliance. This applies whether the requests come from inside or outside the company network. See the request that is numbered as 1 in the diagram. Because these requests typically contain sensitive information such as user IDs or passwords, both traffic paths must use SSL. For example, see requests 1 and 2. The client request over SSL (marked #1) ends at the load balancer, and a new SSL request (marked #2) is sent to a virtual appliance.

Load balancer installation requirements

The load balancer must meet the following requirements:
  • Choose a Layer-7 or Layer-4 load balancer for this installation.

    To use a Layer-4 load balancer, all nodes must have the same fully qualified domain name (FQDN). The SSL certificates for all nodes must have the same distinguished name.

  • The load balancer must be able to send separate SSL requests for each of the incoming requests.

Load balancer configuration requirements

In the load balancer configuration:
  • Enable Session Affinity for the load balancer. Use a load balancer with session affinity to route the traffic for the same client session to the same virtual appliance.
  • The load balancer must detect unresponsive virtual appliances and stop directing any traffic to them.
  • As shown in Figure 1, keep one or more backup load balancers ready to prevent the load balancer from becoming a single point of failure.
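
One way to express the configuration requirements above, shown with HAProxy as a Layer-7 load balancer. This is an added example, not part of the IBM documentation. HAProxy itself, the hostnames, port 443 on the nodes, the cookie name and the file paths are all assumptions.

```haproxy
# Constructed example: HAProxy in front of two virtual appliance nodes.
# Hostnames, ports, cookie name and file paths are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend igi_front
    # Request #1: the client SSL session ends at the load balancer.
    bind *:443 ssl crt /etc/haproxy/certs/lb.example.com.pem
    default_backend igi_nodes

backend igi_nodes
    balance roundrobin

    # Session affinity: the cookie pins each client session to one node.
    # "secure" and "httponly" keep the affinity cookie off plain HTTP
    # and out of reach of page scripts.
    cookie IGI_NODE insert indirect nocache httponly secure

    # Request #2: a new SSL session from the load balancer to the node.
    #   ssl verify required ca-file ...  validates the node certificate
    #                                    instead of accepting any certificate
    #   check inter 5s fall 3 rise 2     probes each node every 5 seconds;
    #                                    3 failed probes take the node out of
    #                                    rotation, 2 good probes bring it back
    server node1 node1.example.com:443 ssl verify required ca-file /etc/haproxy/ca/nodes-ca.pem cookie node1 check inter 5s fall 3 rise 2
    server node2 node2.example.com:443 ssl verify required ca-file /etc/haproxy/ca/nodes-ca.pem cookie node2 check inter 5s fall 3 rise 2
```

Only the frontend is reachable by clients in this layout; the nodes accept connections from the load balancer alone, which matches the requirement that direct access to individual servers is locked down. The backup load balancer is a separate instance and is not shown.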