Planning for high availability
An IBM® Security Identity Governance and Intelligence virtual appliance deployment with a load-balanced cluster provides not only the expected high availability but also scalability.
Load balancer settings and requirements
Load balancer requirements
The most common mechanism to make a highly available deployment is to add a load balancer that distributes user requests to underlying servers. This deployment locks down any direct access to individual servers. In addition to making a highly available deployment of the IBM Security Identity Governance and Intelligence virtual appliance, it also provides horizontal scalability. See Figure 1.
![Typical load balancer deployment](../../images/loadbalancer.png)
As shown in Figure 1, provide one or more backup load balancers or routers to prevent the load balancer itself from becoming a single point of failure.
The load balancer can be a dedicated hardware or software node that can route incoming requests to an IBM Security Identity Governance and Intelligence virtual appliance. This condition is true irrespective of whether the requests are coming from inside or outside a company network. See the request that is numbered as 1 in the diagram. Because these requests typically contain sensitive information such as user IDs or passwords, both traffic paths must be over SSL. For example, see requests 1 and 2. The client request over SSL (marked #1) ends at the load balancer and a new SSL request (marked #2) is sent to a virtual appliance.
Load balancer installation requirements
- Choose Layer-7 or Layer-4 load balancers for this installation. To use a Layer-4 load balancer, all nodes must have the same fully qualified domain name (FQDN). The SSL certificates for all nodes must have the same distinguished name.
- The load balancer must be able to send separate SSL requests for each of the incoming requests.
Load balancer configuration requirements
- Enable Session Affinity for the load balancer. Use a load balancer with session affinity to route the traffic for the same client session to the same virtual appliance.
- The load balancer must detect unresponsive virtual appliances and stop directing any traffic to them.
- As shown in Figure 1, keep one or more backup load balancers ready so that the load balancer does not become a single point of failure.
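
The following configuration is an added example, not part of the IBM product documentation. It shows how the requirements above (SSL on both traffic paths, session affinity, and removal of unresponsive nodes) map onto a Layer-7 load balancer. It assumes HAProxy as the load balancer; the host names, port, file paths, and cookie name are hypothetical placeholders.

```haproxy
# Added example: Layer-7 load balancer in front of two virtual appliance nodes.
# All names, ports, and paths below are placeholders, not product values.

defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend igi_front
    # Request #1: the client SSL session ends at the load balancer.
    # The PEM file holds the load balancer certificate and private key.
    bind :443 ssl crt /etc/haproxy/certs/igi-lb.example.com.pem
    default_backend igi_nodes

backend igi_nodes
    balance roundrobin

    # Session affinity: an inserted cookie pins a client session to the
    # node that served its first request. "secure" and "httponly" keep the
    # cookie off plain HTTP and out of reach of page scripts.
    cookie IGI_LB insert indirect nocache secure httponly

    # Request #2: a new SSL connection from the load balancer to a node.
    #   ssl verify required + ca-file : validate the node certificate chain
    #   verifyhost                    : require the certificate to match the node name
    #   check inter/fall/rise         : probe every 5s; after 3 failed probes the
    #                                   node receives no traffic, after 2 good
    #                                   probes it is put back in rotation
    server igi1 igi-node1.example.com:443 cookie n1 ssl verify required ca-file /etc/haproxy/ca/igi-ca.pem verifyhost igi-node1.example.com check inter 5s fall 3 rise 2
    server igi2 igi-node2.example.com:443 cookie n2 ssl verify required ca-file /etc/haproxy/ca/igi-ca.pem verifyhost igi-node2.example.com check inter 5s fall 3 rise 2
```

Because this is a Layer-7 setup, each node keeps its own host name and certificate. A Layer-4 load balancer passes the client SSL session through unchanged, which is why that mode requires every node to share one FQDN and one certificate distinguished name.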