IBM Cloud Docs
Deploying server pools and origins in a single MZR


Use this tutorial to deploy availability pools in a VPC for a single MZR. Creating server pools with origins provides your DevOps team with a staging environment so they can validate near-production ready code in parallel with an existing production environment.

This tutorial provides two use cases:

  • Testing with new code in a production environment with minimal impact
  • Creating A/B pools for testing

This tutorial uses a web server, which can provide a full stack within a single virtual server. You can also accomplish this by using other types of 2- or 3-tier application stacks.

Objectives:

  • Create a server pool and origins across availability zones
  • Understand the IBM Cloud® Internet Services Global Load Balancer distribution algorithm

Architecture

The following diagram depicts the architecture of this solution.

Figure 1. Deploying server pools and origins in a single MZR

The following steps refer to the numbers in the diagram:

  1. DevOps provisions 3 subnets:
    • Management (mgmt) subnet in AZ-1
    • Server subnet-1 in AZ-1
    • Server subnet-2 in AZ-2
  2. DevOps provisions the virtual servers:
    • Provisions the bastion server (jumphost) in the mgmt subnet and generates an SSH key
    • Provisions the web server virtual servers in subnet-1 and subnet-2 with security groups
  3. DevOps deploys 2 IBM Cloud Load Balancers, 1 in each AZ, and points each one to the web server virtual servers in its zone.
  4. System admin enables HTTPS encryption by adding the domain SSL certificate to the certificate manager service.
  5. DevOps deploys a CIS instance with the associated domain and creates a global load balancer that points to each load balancer in each zone.
  6. Users can now make HTTP/HTTPS requests.

Before you begin

  • Check the permissions for IBM Cloud VPC. Your account needs to have permissions to create resources.
  • Generate SSH keys from your workstation to connect to the bastion server.

Create VPC, subnets, security groups, and virtual servers

In the following section, you create your own VPC in region 1 with subnets that are created in two different zones of region 1. You then provision the virtual servers.

To create your own IBM Cloud VPC in region 1, complete the following steps:

  1. From the VPC overview page, go to the VPCs page and click Create to begin.
  2. Under the New virtual private cloud section:
    • Enter vpc-region1 as the name for your VPC.
    • Select a Resource group.
    • Optionally, add Tags to organize your resources.
  3. Use the default access control list (Allow all).
  4. Disable Allow SSH and Allow ping from the Default security group. Enable Enable access to classic resource.
  5. Enable Create a default prefix for each zone.
  6. Under New subnet for VPC:
    • Type vpc1-region1-zone1-mgmt as your subnet's unique name.
    • Select a Resource group.
    • Select a Location and zone 1. For example, London and London 1.
    • Select the number of IP addresses.
  7. Set Subnet access control list to Use VPC default.
  8. Set the Public gateway to Detached.
  9. Click Create virtual private cloud.

Create the subnet for the web server in the same region

  1. Click Subnets > Create and in the New Subnet for VPC window type vpc-region1-zone1-subnet1 as a unique name for your subnet.
  2. Select vpc-region1 as the VPC.
  3. Select a Resource group.
  4. Select a zone 1 location. For example, London 1.
  5. Select the number of IP addresses.
  6. Set Subnet access control list to VPC default.
  7. Set the Public gateway to Detached.
  8. Click Create virtual private cloud.

To confirm the creation of the subnets, click Subnets on the left pane and wait until the status changes to Available.

Create subnet in a different zone for the other web server

  1. Click Subnets > Create and in the New Subnet for VPC window type vpc-region1-zone2-subnet1 as a unique name for your subnet.
  2. Select a Resource group.
  3. Select a zone 2 location. For example, London 2.
  4. Select the number of IP addresses.
  5. Set Virtual Private Cloud.
  6. Set the Public gateway to Detached.
  7. Click Create subnet.

To confirm the creation of the subnet, click Subnets on the left pane and wait until the status changes to Available.

Create two security groups

These security groups allow only specific inbound traffic to the server and application.

To specify which traffic to allow to the application, you deploy the following rules, which are added to virtual servers in the later steps.

  1. Navigate to Security Groups and click Create.
  2. Verify Regions is correct. For example, London.
  3. Click Create to create a new security group.
  4. Type vpc-region1-jumphost-sg for Name.
  5. Create the following Inbound rules:
    • Protocol: TCP
    • Source Type: Any
    • Port: Any
  6. Create the Outbound rules as:
    • Protocol: TCP
    • Destination Type: Any
    • Port: Any
  7. Verify that the Region is correct. For example, London.

Provision a bastion (jumphost) virtual server

  1. Go to Subnets.
  2. Verify that the status is Available, then click vpc-region1-zone1-mgmt > Attached > Attached Instances and click Create to create a new Attached Instance.
  3. Enter jumphost-vsi as your virtual server's unique name.
  4. Select the VPC that you created (vpc-region1), the Resource group, and Location.
  5. Set the Operating System image to Ubuntu Linux and pick any version of the image.
  6. Select Compute with 2vCPUs and 8 GB RAM as your profile. To check other available profiles, click All profiles.
  7. Under SSH keys click New key to add the SSH key that you created in the Before you begin section.
  8. Under Network interfaces, click the Edit icon next to the Security Groups.
    • Verify region1-zone1-mgmt is selected as the subnet.
    • Disable the preselected security group and select vpc-region1-jumphost-sg.
    • Click Save.
  9. Click Create virtual server instance.
  10. Go to the jumphost virtual server on the IBM Cloud console and switch the public gateway to Attached.
  11. Connect to the jumphost server by using SSH.
  12. Create an SSH key on the jumphost server.
  13. Copy the SSH key of the jumphost server. You use this key when you configure the web server virtual servers.

Provision web server virtual servers

  1. Go to Subnets.
  2. Verify that the status is Available, then click vpc-region1-zone1-mgmt > Attached resources > New instance.
  3. Enter vpc-region1-zone1-vsi as your virtual server's unique name.
  4. Select the VPC you created (vpc-region1), the Resource group, Location, and Zone.
  5. Set the image to Ubuntu Linux and pick any version of the image.
  6. Select Compute with 2 vCPUs and 4 GB RAM as your profile. To check other available profiles, click All profiles.
  7. Under SSH keys click New key to add the SSH key that was created on jumphost-vsi.
  8. Under Network interfaces, click the Edit icon next to the Security Groups.
    • Select vpc-region1-zone1-subnet as the subnet.
    • Disable the default security group and check vpc-region1-webserver-sg.
    • Click Save.
  9. Click Create virtual server instance.
  10. Repeat steps 1-7 to provision a virtual server in vpc-region1-zone2-vsi in zone 2 of region 1.

Install and configure web server on all virtual servers

After you successfully connect to the server in the subnet of zone 1 of region 1 by using SSH, complete the following steps to install and configure the Nginx web server.

Complete this procedure for each web server virtual server (vpc-region1-zone1-vsi, vpc-region1-zone2-vsi).

  1. Open a command line, and run the following commands.

    sudo apt-get update
    
    sudo apt-get install -y nginx
    
  2. Check the status of the Nginx service.

    sudo systemctl status nginx
    

    The output shows you that the Nginx service is active and running.

  3. Enable UFW.

    sudo ufw enable
    
  4. Enable SSH.

    sudo ufw allow openssh
    
  5. Enable nginx.

    sudo ufw allow 'nginx full'
    
  6. Enable UFW.

    sudo ufw enable
    
  7. Validate.

    sudo ufw status verbose
    
  8. Verify that ports 22, 80, and 443 are allowed.

  9. Optionally, verify that Nginx works as expected by using the following command:

    curl localhost
    

    If Nginx is working, you see the default Nginx welcome page.

  10. Update the html page with the region and zone details.

    nano /var/www/html/index.nginx-debian.html
    
  11. Save your changes.

  12. Verify the changes.

    curl localhost
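
The check in steps 7 and 8, written as an added example that is not part of the original tutorial: the script audits the text of sudo ufw status verbose for the expected state (firewall active, inbound default deny, only TCP ports 22, 80, and 443 allowed). The names check_ufw, sample_good, and sample_bad are hypothetical, and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the tutorial. Sample outputs are constructed.
# check_ufw PORTS: read status text on stdin; PORTS is the space-separated
# list of TCP ports that must be, and be the only ones, allowed inbound.
check_ufw() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        /^Status: active/                      { active = 1 }
        /^Default: (deny|reject) \(incoming\)/ { deny = 1 }
        / (ALLOW|LIMIT) IN / {
            # $1 is the rule target: "22/tcp", "80,443/tcp", "Anywhere", ...
            t = $1; m = split(t, part, "/"); proto = (m > 1) ? part[2] : "any"
            k = split(part[1], port, ",")
            for (i = 1; i <= k; i++) {
                if (proto != "udp" && (port[i] in need)) seen[port[i]] = 1
                else if (!(t in ex)) { ex[t] = 1; extra = extra " " t }
            }
        }
        END {
            if (!active) { print "FAIL: ufw is not active"; bad = 1 }
            if (!deny)   { print "FAIL: default inbound policy is not deny"; bad = 1 }
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen)) { print "FAIL: " w[i] "/tcp is not allowed"; bad = 1 }
            if (extra != "") { print "FAIL: unexpected inbound rules:" extra; bad = 1 }
            if (!bad) print "OK: active, default deny, only [" want "] allowed"
            exit bad + 0
        }'
}

sample_good() {  # constructed: state the tutorial steps should produce
    cat <<'EOF'
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)
22/tcp (OpenSSH)           ALLOW IN    Anywhere
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)
EOF
}
sample_bad() {   # constructed: default allow, 443 missing, database port open
    cat <<'EOF'
Status: active
Default: allow (incoming), allow (outgoing), disabled (routed)
22/tcp (OpenSSH)           ALLOW IN    Anywhere
80/tcp (Nginx HTTP)        ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
EOF
}

sample_good | check_ufw "22 80 443"
sample_bad  | check_ufw "22 80 443" || echo "audit failed as intended"
```

On a web server, pipe the live output into the function: sudo ufw status verbose | check_ufw "22 80 443". A non-zero exit status means at least one expectation failed.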
    

Distribute traffic between zones with load balancers

In the following section, you create two load balancers, one in each region. These load balancers distribute traffic among multiple server instances in subnets within different zones.

Configure load balancers

  1. Go to Load balancers and click Create... New load balancer for VPC.
  2. Type vpc-lb-region1-zone1 as the unique name.
  3. Select vpc-region1 as your Virtual private cloud, select the Resource group, set Region as region1 and set Type to Public.
  4. Select vpc-region1-zone1-subnet1 for Subnets.
  5. Click New pool to create a new back-end pool of virtual servers that acts as equal peers to share the traffic that is routed to the pool. Set the parameters with the following values and click Create.
    • Name: region1-zone1-pool
    • Protocol: HTTP
    • Method: Round robin
    • Session stickiness: None
    • Health check path: /
    • Health protocol: HTTP
    • Health port: Leave blank
    • Interval (sec): 15
    • Timeout (sec): 5
    • Max retries: 2
  6. Click Attach to add server instances to the region1-pool.
    • Add the CIDR range that is associated with vpc-region1-zone1-subnet, select the instance you created, and set 80 as the port.
    • Click Save to complete the creation of a back-end pool.
  7. Click New listener to create a new front-end listener. A listener is a process that checks for connection requests.
    • Protocol: HTTP
    • Port: 80
    • Back-end pool: region1-zone1-pool
    • Max connections: Leave it empty and click Create.
  8. Click Create load balancer to provision a load balancer.
  9. Repeat this procedure for the zone 2 load balancer.

You can also configure the load balancers for HTTPS. Refer to Secure with HTTPS to configure an SSL certificate and enable HTTPS.

Test the load balancers

Complete this procedure for each load balancer.

  1. Wait until the status of the load balancer changes to Active.
  2. Click the Hostname to copy the hostname and open it in a web browser.
  3. Save the address for future reference.

Provision an IBM Cloud Internet Services instance and configure custom domain

In the following section, you create an IBM Cloud Internet Services instance, configure a custom domain by pointing it to CIS name servers and later configure a global load balancer.

  1. Navigate to the IBM Cloud Internet Services in the IBM Cloud catalog.
  2. Enter a Service name, select a resource group, and click Create to provision an instance of the service. You can use any pricing plan for this tutorial.
  3. After the service instance is provisioned, set your domain name by clicking Let's get started, enter your domain name, and click Connect and continue.
  4. Click Next step. When the name servers are assigned, configure your registrar or domain name provider to use the name servers listed. If you are using the IBM Cloud domain service, see Getting started with Domain Name Registration.
  5. After you configure your registrar or the DNS provider, it might take up to 24 hours for the changes to take effect.
  6. After the domain's status on the overview page changes from Pending to Active, use the dig <mydomain.com> ns command to verify that the new name servers took effect.

Configure a global load balancer

In the following section, you configure a global load balancer (GLB) distributing the incoming traffic to the VPC load balancers configured in different IBM Cloud regions.

Distribute traffic across regions with a global load balancer

  1. From the IBM Cloud console, select Resource list.

  2. Expand Services and select the Internet Services that you created.

  3. With the Internet Services instance open, select Reliability > Global Load Balancers.

  4. Click Create load balancer.

  5. Add lb to the Balancer hostname. The resulting fully qualified name would be lb.mydomain.com.

  6. Set Proxy to Off.

  7. Set TTL to 60 seconds.

  8. Click Add pool to define a default origin pool.

  9. For Origin Pools, select Create New. Set the following values:

    • Name: vpc-region1
    • Health Check: Create new
      • HTTP
      • Path:
      • Port: 80
    • Health Check Region: Eastern North America
    • Origins:
      • Name: Zone1
      • Address: fully qualified domain name (without http://)
      • Weight: 0.5
      • Click Add origin
      • Name: Zone2
      • Address: fully qualified domain name (without http://)
      • Weight: 0.5

  10. Click Add to add the origin pool.

  11. Click Create to create the Global Load Balancer.

Wait until the Health check status changes to Healthy. Open the URL of the load balancer: lb.mydomain.com.