HAProxy as a Load Balancer for vRealize Automation

In this post I’m going to show how to use HAProxy as a load balancer for vRealize Automation. I used Ubuntu 14.04 LTS for the OS.

Install HAProxy

 sudo apt-get install haproxy

Add sub-interfaces to the VM (one alias per VIP: appliance, IaaS Web, IaaS Manager)

/etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

auto eth0:0
iface eth0:0 inet static
address 192.168.3.7
netmask 255.255.255.0

auto eth0:1
iface eth0:1 inet static
address 192.168.3.10
netmask 255.255.255.0

auto eth0:2
iface eth0:2 inet static
address 192.168.3.27
netmask 255.255.255.0

HAProxy Config

Most of this config is the Ubuntu package default. I added the listen section so you can enable the HAProxy stats page. The bottom has my edits for vRA: three frontend/backend pairs, one each for the appliance, IaaS Web and IaaS Manager. I'm not an HAProxy expert, so there are probably things that could be improved. I tried to add all the recommendations (persistence, load balancing policy, timeouts, health checks, etc.) as described in the vRA LB Guide.

/etc/haproxy/haproxy.cfg

global
 log /dev/log local0
 log /dev/log local1 notice
 chroot /var/lib/haproxy
 stats socket /run/haproxy/admin.sock mode 660 level admin
 stats timeout 30s
 user haproxy
 group haproxy
 daemon
 # "debug" is the same as the -d command-line flag: it keeps HAProxy in the
 # foreground (so it conflicts with "daemon") and dumps every exchange to
 # stdout. Leave it off; turn it on only for a one-off troubleshooting run.
 # debug

 maxconn 2048
 # Globally disables certificate verification of backend servers. The
 # per-server "verify none" below already does this; either way the LB will
 # accept any certificate the vRA nodes present, so keep the LB-to-node path
 # on a trusted network segment.
 ssl-server-verify none

# Default SSL material locations
 ca-base /etc/ssl/certs
 crt-base /etc/ssl/private
 tune.ssl.default-dh-param 2048

# Default ciphers to use on SSL-enabled listening sockets.
 # For more information, see ciphers(1SSL). This list is from:
 # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
 # The 3DES suites near the end only exist for very old clients; drop them
 # if nothing in your environment still needs them.
 ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
 ssl-default-bind-options no-sslv3

defaults
 log global
 mode http
 option forwardfor
 option httplog
 option dontlognull
 timeout connect 5000
 timeout client 50000
 timeout server 50000
 errorfile 400 /etc/haproxy/errors/400.http
 errorfile 403 /etc/haproxy/errors/403.http
 errorfile 408 /etc/haproxy/errors/408.http
 errorfile 500 /etc/haproxy/errors/500.http
 errorfile 502 /etc/haproxy/errors/502.http
 errorfile 503 /etc/haproxy/errors/503.http
 errorfile 504 /etc/haproxy/errors/504.http

listen stats
 # The stats page is served over plain HTTP, so the Basic-auth credentials
 # and the backend topology cross the wire in the clear. Bind it to a
 # management-only address, or terminate TLS here with "ssl crt" the same
 # way the vRA frontends below do.
 bind 192.168.3.201:80
 mode http
 log global
 stats enable
 stats uri /stats
 stats realm Haproxy\ Statistics
 stats auth admin:VMware1!

# vRA 7.1 Distributed

# vRA VA

frontend vra71-va
 bind 192.168.3.7:443 ssl crt /etc/ssl/private/wildcard.pem
 mode http
 default_backend vra71-va-backend

backend vra71-va-backend
 mode http
 balance roundrobin
 stick on src table vra71-va-backend
 stick-table type ip size 200k expire 30m
 default-server inter 3s
 timeout check 10s
 option httpchk GET /vcac/services/api/health
 http-check expect status 204

 server vra71c 192.168.3.11:443 check ssl verify none
 server vra71d 192.168.3.12:443 check ssl verify none

# vRA IaaS Web

frontend vra71-iaas-web
 bind 192.168.3.10:443 ssl crt /etc/ssl/private/wildcard.pem
 mode http
 default_backend vra71-iaas-web-backend

backend vra71-iaas-web-backend
 mode http
 balance roundrobin
 stick on src table vra71-iaas-web-backend
 stick-table type ip size 200k expire 30m
 default-server inter 3s
 timeout check 10s
 option httpchk GET /wapi/api/status/web
 http-check expect string REGISTERED

 server vra71c-web 192.168.3.13:443 check ssl verify none
 server vra71d-web 192.168.3.14:443 check ssl verify none

# vRA IaaS Mgr
# In vRA 7.x only one Manager Service is active at a time, so the passive
# node (service stopped) is expected to show as DOWN on the stats page.

frontend vra71-iaas-mgr-https
 bind 192.168.3.27:443 ssl crt /etc/ssl/private/wildcard.pem
 mode http
 default_backend vra71-iaas-mgr-backend

backend vra71-iaas-mgr-backend
 mode http
 balance roundrobin
 stick on src table vra71-iaas-mgr-backend
 stick-table type ip size 200k expire 30m
 default-server inter 3s
 timeout check 10s
 option httpchk GET /VMPSProvision
 http-check expect rstring ProvisionService

 server vra71c-mgr 192.168.3.25:443 check ssl verify none
 server vra71d-mgr 192.168.3.26:443 check ssl verify none
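The three backends above rely on "http-check expect" to decide whether a vRA node is UP, so when the stats page shows a node DOWN the quickest diagnosis is to run the same checks by hand from the LB host. The script below is an added example, not code from the original post or from VMware: it reproduces the three checks against the backend IPs and paths in the config (curl -k stands in for "check ssl verify none"), and exposes the evaluation logic as a function so it can be exercised without network access. Note the semantics it mirrors: "status" compares the HTTP code exactly, "string" is a plain substring search, and "rstring" is an extended regex.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce HAProxy's vRA health
# checks by hand. Backend IPs and paths are the ones in the haproxy.cfg above.

# Evaluate a response the way "http-check expect" does.
#   kind:     status | string | rstring
#   expected: the status code, literal substring, or extended regex
#   status/body: what the server actually returned
check_expect() {
    kind=$1; expected=$2; status=$3; body=$4
    case "$kind" in
        status)  [ "$status" = "$expected" ] ;;
        string)  printf '%s' "$body" | grep -qF -- "$expected" ;;
        rstring) printf '%s' "$body" | grep -qE -- "$expected" ;;
        *)       echo "unknown expect kind: $kind" >&2; return 2 ;;
    esac
}

# Fetch a check URL over TLS without verifying the server certificate
# (equivalent of "check ssl verify none") and evaluate it.
probe_server() {
    host=$1; path=$2; kind=$3; expected=$4
    tmp=$(mktemp)
    status=$(curl -sk --max-time 10 -o "$tmp" -w '%{http_code}' "https://$host$path")
    body=$(cat "$tmp"); rm -f "$tmp"
    if check_expect "$kind" "$expected" "$status" "$body"; then
        echo "UP   $host$path (HTTP $status)"
    else
        echo "DOWN $host$path (HTTP $status, expected $kind '$expected')"
        return 1
    fi
}

# Probe every node of all three tiers; exit non-zero if any check fails.
main() {
    rc=0
    for h in 192.168.3.11 192.168.3.12; do
        probe_server "$h" /vcac/services/api/health status 204 || rc=1
    done
    for h in 192.168.3.13 192.168.3.14; do
        probe_server "$h" /wapi/api/status/web string REGISTERED || rc=1
    done
    for h in 192.168.3.25 192.168.3.26; do
        probe_server "$h" /VMPSProvision rstring ProvisionService || rc=1
    done
    return $rc
}

# Run the probes only when invoked as "sh vra-checks.sh probe", so the
# functions can also be sourced and used individually.
if [ "${1:-}" = probe ]; then
    main
fi
```

Because "string" is a substring match, a body such as "UNREGISTERED" would still satisfy "expect string REGISTERED"; if the IaaS status endpoint can ever return a value containing that word, switch the check to "rstring" with anchors or a stricter pattern.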

Certificate

This is the wildcard cert I'm using for vRA (truncated here). The PEM file that the "crt" option points at just needs the certificate and private key in the proper order: the server certificate first, then any intermediate CA certificates, then the private key. Since the file contains the private key, keep it readable only by root; HAProxy loads it at startup before it chroots and drops privileges to the haproxy user.

/etc/ssl/private/wildcard.pem 

-----BEGIN CERTIFICATE-----
MIIF7zCCA9egAwIBAgICEAkwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVT
MREwDwYDVQQIDAhDb2xvcmFkbzEMMAoGA1UECgwDTGFiMQwwCgYDVQQLDANMYWIx
...
w5HvHhi/K6f1qeeBr+xKxTEvz3gfQvxEgSxMmMRbffqGM4UbMHkDuJq4H4yrow48
XavIE+zwl1EiDvzEcz5ThbAWSL5fRu6SB0eeYldr4uEGJ/8=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAwekJRhfC3NHja9waE5W0lxA3HebfThF9nMbUpoYUK+TvFKz7
Mkl9mUp/RS/YDYsVnQ3cUNx83bITDmc3EbIVYzF8rMv1BjQCM4ewrhhbQuBnivoI
...
7XcWYfeZuFz2GJ+3+Wt6EzEaV3DmoU0nuULRkoOSFi7FXCxsFLPVzzuZZgRWXFiN
q6p+3O9rYgelJ0P4a5mtPlWdJJZ2bAe9A0tB/px+xdFtuEuzyed0gbA=
-----END RSA PRIVATE KEY-----
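Assembling that bundle is easy to get subtly wrong (a key from the wrong CSR, a world-readable file, a typo that HAProxy only reports at reload). The script below is an added example, not from the original post: it builds the combined PEM in the order HAProxy expects, locks the permissions, checks that the certificate's public key really matches the private key in the bundle, and syntax-checks the HAProxy config. The wildcard name "*.lab.local", the temporary file names, and the throwaway self-signed certificate it generates are constructed test data standing in for the real cert.

```shell
#!/bin/sh
# Added example (not from the original post): build and verify the combined
# PEM that HAProxy's "crt" option expects. The post's file is
# /etc/ssl/private/wildcard.pem; all names below are assumptions.

# Concatenate in the order HAProxy expects: server cert, intermediates (if
# any), then the private key. Created under umask 077 so the key is never
# world-readable, not even briefly.
build_bundle() {
    out=$1; shift
    ( umask 077; cat "$@" > "$out" )
    chmod 600 "$out"
}

# True when the bundle is owner-read/write only.
perms_ok() {
    [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = 600 ]
}

# True when the first certificate and the private key in the bundle carry the
# same public key. HAProxy refuses to start on a mismatch; catch it here.
bundle_key_matches() {
    bundle=$1
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Print subject and expiry of the first certificate so a wrong or expired
# wildcard is noticed before reload.
show_cert() {
    openssl x509 -in "$1" -noout -subject -enddate
}

# Syntax-check the HAProxy config; skipped if haproxy is not on this host.
check_config() {
    cfg=${1:-/etc/haproxy/haproxy.cfg}
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$cfg"
    else
        echo "haproxy not installed, skipping config check" >&2
    fi
}

# End-to-end run on constructed data: a throwaway self-signed wildcard cert
# plus an unrelated key, to show both a good bundle and a mismatched one.
demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.lab.local' \
        -keyout "$dir/wild.key" -out "$dir/wild.crt" >/dev/null 2>&1
    openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1
    build_bundle "$dir/wildcard.pem" "$dir/wild.crt" "$dir/wild.key"
    build_bundle "$dir/mismatch.pem" "$dir/wild.crt" "$dir/other.key"
    good=1; bad=1; perm=1
    bundle_key_matches "$dir/wildcard.pem" && good=0
    bundle_key_matches "$dir/mismatch.pem" || bad=0
    perms_ok "$dir/wildcard.pem" && perm=0
    show_cert "$dir/wildcard.pem"
    rm -rf "$dir"
    # Success only if the good bundle matches, the bad one does not, and the
    # file mode is 600.
    [ "$good" = 0 ] && [ "$bad" = 0 ] && [ "$perm" = 0 ]
}

if [ "${1:-}" = run ]; then
    demo && check_config
fi
```

For the real deployment, call build_bundle with the CA-issued wildcard certificate, its intermediate chain and the matching key, then run bundle_key_matches and check_config before "service haproxy reload".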

Stats Page

Here is an example of what the HAProxy stats page looks like:

[Screenshot: HAProxy stats page, 2016-10-10_21-09-59.png]
