IBM Cloud Docs
Deploy isolated workloads across multiple locations and zones


This tutorial may incur costs. Use the Cost Estimator to generate a cost estimate based on your projected usage.

This tutorial walks you through steps for setting up highly available and isolated workloads by provisioning IBM Cloud® Virtual Private Clouds (VPCs). You will create virtual server instances (VSIs) in multiple zones within one region to ensure the high availability of the application. You will create additional VSIs in a second region and configure a global load balancer (GLB) to offer high availability between regions and reduce network latency for users in different geographies.

You will provision an IBM Cloud Internet Services (CIS) service as the GLB from the catalog, and an IBM Cloud Secrets Manager service from the catalog to manage the Transport Layer Security (TLS) certificate for all incoming HTTPS requests.

Objectives

  • Understand the isolation of workloads through infrastructure objects available for virtual private clouds.
  • Use a load balancer between zones within a region to distribute traffic among virtual servers.
  • Use a global load balancer between regions to implement high availability, increase resiliency and reduce latency.

Architecture
Architecture diagram of the tutorial

  1. The admin (DevOps) provisions VSIs in subnets under two different zones in a VPC in region 1 and repeats the same in a VPC created in region 2.
  2. The admin creates a load balancer with a backend pool of servers in different zones of region 1 and a frontend listener. Repeats the same in region 2.
  3. The admin provisions an IBM Cloud Internet Services instance with an associated custom domain and creates a global load balancer pointing to the load balancers created in the two different VPCs.
  4. The admin enables HTTPS encryption by adding the domain SSL certificate to the Secrets Manager service.
  5. The user makes an HTTP/HTTPS request and the global load balancer handles the request.
  6. The request is routed to the load balancers both on the global and local level. The request is then fulfilled by the available server instance.

Before you begin

  • Check for user permissions. Be sure that your user account has sufficient permissions to create and manage VPC resources. See the list of required permissions for VPC.
  • You need an SSH key to connect to the virtual servers. If you don't have an SSH key, see the instructions for creating a key for VPC.

Create virtual private clouds, subnets and virtual server instances

In this section, you will create your own VPC in region 1 with subnets created in two different zones of region 1 followed by the provisioning of VSIs.

Create a virtual private cloud

  1. Navigate to the Virtual private clouds page and click on Create.
  2. Under the Location section, select a Geography and Region, for example Europe and London.
  3. Enter vpc-region1 for the name of your VPC, select a Resource group and optionally, add Tags to organize your resources.
  4. Uncheck Allow SSH and Allow ping from the Default security group. SSH access will later be added to a maintenance security group. The maintenance security group is added to an instance to allow SSH access from a bastion server. Ping access is not required for this tutorial.
  5. Leave Enable access to classic resources unchecked and Create a default prefix for each zone checked.
  6. Under Subnets change the name of the Zone 1 subnet. Click the pencil icon:
    • Enter vpc-region1-zone1-subnet as your subnet's unique name.
    • Select the same Resource group as the VPC resource group.
    • Leave the defaults in the other values.
    • Click Save
  7. Under Subnets change the name of the Zone 2 subnet. Click the pencil icon:
    • Enter vpc-region1-zone2-subnet as your subnet's unique name.
    • Select the same Resource group as the VPC resource group.
    • Leave the defaults in the other values.
    • Click Save
  8. Under Subnets delete the subnet in Zone 3. Click the minus icon.
  9. Click Create virtual private cloud to provision the instance.

Create a security group to allow inbound traffic to your application

Enable inbound rules for HTTP (80) and HTTPS (443) ports to the application by defining rules in a security group. In later steps, you will add VSIs to the security group.

  1. Navigate to the Security groups page and click on Create.

  2. Enter vpc-region1-sg for the name, select the same Resource group as the VPC resource group.

  3. Select the previously created vpc-region1 virtual private cloud.

  4. Add the same Inbound rules as found in the table below and then click Create security group.

    Inbound rules
    Protocol   Source type   Source      Value
    TCP        Any           0.0.0.0/0   Ports 80-80
    TCP        Any           0.0.0.0/0   Ports 443-443

Provision virtual server instances

  1. Navigate to the Subnets page.
  2. Verify the status for all subnets is Available.
  3. Click on vpc-region1-zone1-subnet followed by Attached resources, then under Attached instances click on Create.
    1. Enter vpc-region1-zone1-vsi as your virtual server's unique name.
    2. Verify or set the Virtual private cloud, Resource group, Location and Zone fields.
  4. Under the Image and profile section, click on Change image.
  5. In the Search items field, type Ubuntu and pick any version of the image and click on Save.
  6. Under the Profile section, click on Change profile.
  7. Pick Compute with 2 vCPUs and 4 GB RAM as your profile and click on Save.
  8. Set SSH keys to the SSH key you created earlier.
  9. Under Network attachments with Virtual network interface, click on the pencil icon on the row for the eth0 interface.
    • Click on Next.
    • Check vpc-region1-sg and uncheck the VPC default security group.
    • Click on Next a few times and then on Save.
  10. Click Create virtual server.
  11. Repeat the above steps to provision a vpc-region1-zone2-vsi virtual server in the vpc-region1-zone2-subnet subnet.

Create resources in another location

Repeat the above steps from Step 1 to provision a new VPC with subnets and virtual server instances in another region, for example, Frankfurt. Follow the same naming conventions as above while substituting region2 for region1.

Install and configure web server on the virtual server instances

Follow the steps mentioned in securely access remote instances with a bastion host for secured maintenance of the servers. Use a bastion host, which acts as a jump server, together with a maintenance security group attached to the VSIs previously provisioned. One bastion host in each VPC is required.

Once you have successfully SSHed into the server provisioned in the subnet of zone 1 of region 1:

  1. At the prompt, run the following commands to install Nginx as your web server:
    sudo apt-get update
    sudo apt-get install nginx
    
  2. Check the status of the Nginx service with the following command:
    sudo systemctl status nginx
    
    The output should show you that the Nginx service is active and running.
  3. Optionally verify that Nginx works as expected by running curl localhost. You should see the default Nginx welcome page.
  4. To update the HTML page with the region and zone details, run the following command (the file is owned by root, so sudo is required to save it):
    sudo nano /var/www/html/index.nginx-debian.html
    
    Append the region and zone to the h1 tag quoting Welcome to nginx! to now read Welcome to nginx! server running in **zone 1 of region 1** and save the changes.
  5. Verify the changes by running a curl localhost command.
  6. Repeat the above steps to install and configure the web server on the VSIs in subnets of all the zones and don't forget to update the html to include the respective region and zone information.

Distribute traffic between zones with load balancers

In this section, you will create two load balancers, one in each region, to distribute traffic among the server instances in the subnets of different zones.

Create a security group to allow inbound and outbound traffic through the load balancers

To allow traffic to the application, you need to enable inbound and outbound rules for HTTP (80) and HTTPS (443) ports. In later steps, when creating load balancers, you will add them to the security group defining those rules.

  1. Navigate to the Security groups page and click on Create.

  2. Select the previously created vpc-region1 virtual private cloud.

  3. Enter vpc-lb-sg for the name, select the same Resource group as the VPC resource group.

  4. Add the same Inbound rules as found in the table below.

    Inbound rules
    Protocol   Source type   Source      Value
    TCP        Any           0.0.0.0/0   Ports 80-80
    TCP        Any           0.0.0.0/0   Ports 443-443
  5. Add the same Outbound rules as found in the table below and then click Create security group.

    Outbound rules
    Protocol   Source type   Source      Value
    TCP        Any           0.0.0.0/0   Ports 80-80
    TCP        Any           0.0.0.0/0   Ports 443-443
  6. Repeat the steps above in region 2.

Configure load balancers

  1. Navigate to the Load balancers page and click Create.
  2. Select Application Load Balancer (ALB) as the Load balancer type.
  3. Under the Location section, select the same Geography and Region you used for the previously created vpc-region1 virtual private cloud.
  4. Enter vpc-lb-region1 for the name, select the same Resource group as the VPC resource group.
  5. Select the previously created vpc-region1 virtual private cloud.
  6. Select the Subnets of vpc-region1-zone1-subnet and vpc-region1-zone2-subnet.
  7. Click Create pool to create a new back-end pool of VSIs that acts as equal peers to share the traffic routed to the pool. Set the parameters with the values below and click Create when done.
    • Name: region1-pool
    • Protocol: HTTP
    • Session stickiness: None
    • Proxy protocol: Disabled
    • Method: Round robin
    • Health check path: /
    • Health protocol: HTTP
    • Health port: Leave blank
    • Interval(sec): 15
    • Timeout(sec): 5
    • Max retries: 2
    • Click on Create.
  8. Click Attach server to add server instances to the pool.
    • From the Subnets dropdown, select vpc-region1-zone1-subnet and vpc-region1-zone2-subnet.
    • Select the instances you created and set 80 as the port.
    • Click Attach to complete the creation of a back-end pool.
  9. Click Create listener to create a new front-end listener. A listener is a process that checks for connection requests.
    • Back-end pool: region1-pool
    • Protocol: HTTP
    • Proxy protocol: not checked
    • Port: 80
    • Maximum connections: Leave it empty and click Create.
  10. Under Security Groups check vpc-lb-sg and uncheck the default security group.
  11. Click Create load balancer to provision the load balancer.
  12. Repeat the steps above in region 2, this time naming the load balancer vpc-lb-region2 and the back-end pool region2-pool.

Test the load balancers

  1. Wait until the status of the load balancer changes to Active.
  2. Open the Hostname in a web browser.
  3. Refresh the page several times and notice the load balancer returning results from different zones or virtual server instances with each refresh.
  4. Save the address for future reference.

You may have noticed that the requests are not encrypted and that only HTTP is supported. You will configure an SSL certificate and enable HTTPS in the next section.

Configure multi-location load-balancing

Your application is now running in two regions, but it's missing one component for the users to access it transparently from a single entry point.

In this section, you will configure IBM Cloud Internet Services (CIS) to distribute the load between the two regions. CIS provides a Global Load Balancer (GLB), Caching, a Web Application Firewall (WAF) and Page Rules to secure your applications while ensuring the reliability and performance of your cloud applications.

To configure a global load balancer, you will need:

  • to point a custom domain to CIS name servers,
  • to retrieve the IP addresses or hostnames of the VPC load balancers,
  • to configure health checks to validate the availability of your application,
  • and to define origin pools pointing to the VPC load balancers.

Add a custom domain to IBM Cloud Internet Services

The first step is to create an instance of CIS and to point your custom domain to CIS name servers.

  1. If you don't own a domain, you can buy one from a registrar.

  2. Navigate to IBM Cloud Internet Services in the IBM Cloud catalog.

  3. Pick a plan, set the service name and resource group, and click Create to create an instance of the service.

  4. When the service instance is provisioned, click on Add domain.

  5. Enter your domain name and click Next.

  6. Set up your DNS records is an optional step and can be skipped for this tutorial. Click Next.

  7. When the name servers are assigned, configure your registrar or domain name provider to use the name servers listed.

  8. At this point you can click Cancel to get back to the main page. After you've configured your registrar or DNS provider, it may take up to 24 hours for the changes to take effect.

    When the domain's status on the Overview page changes from Pending to Active, you can use the dig <your_domain_name> ns command to verify that the new name servers have taken effect.

Configure Health Check for the Global Load Balancer

A health check helps gain insight into the availability of pools so that traffic can be routed to the healthy ones. These checks periodically send HTTP/HTTPS requests and monitor the responses.

  1. In the IBM Cloud Internet Services dashboard, navigate to Reliability > Global Load Balancers.

  2. Select Health checks and click Create.

  3. Set Name to nginx.

  4. Select HTTP for Monitor Type.

  5. Set Port to 80.

  6. Set Path to /.

  7. Click Create.

    When building your own applications, you could define a dedicated health endpoint such as /health where you would report the application state.

Define Origin Pools

A pool is a group of origin VSIs or load balancers that traffic is intelligently routed to when attached to a global load balancer. With VPC load balancers in two regions, you can define location-based pools and configure CIS to redirect users to the closest VPC load balancer based on the geographical location of the user requests.

Origin pool for the VPC load balancer

  1. Select Origin pools and click Create.
  2. Enter a name for the pool: region-1-pool.
  3. Set Origin Name to region-1.
  4. Set Origin Address to the hostname of region1 VPC load balancer, see the overview page of the VPC load balancer.
  5. Select Existing health check and choose the health check created earlier.
  6. Select a Health check region close to region 1.
  7. Click Save.
  8. Repeat the above steps for region 2.

Create the global load balancer

With the origin pools defined, you can complete the configuration of the load balancer.

  1. Select Load balancers and click Create.

  2. Keep the defaults of Enable: On and Proxy: Off.

  3. Enter lb as the name for the global load balancer. This name becomes the first label of the subdomain used to access the application (http://lb.<your_domain_name>).

  4. Click Add route.

  5. Select the Region: Default.

  6. Select the origin pools that you just created, that is region-1-pool and region-2-pool.

  7. Click Add.

  8. Expand the Geo routes section, where you can distribute traffic based on the region the request originates from.

    You can add more routes based on geographies to direct traffic to the closest pool. Click Add route, select a global load balancer region, for example Western Europe, select the desired pool, for example region-2-pool, and click Add. A request that does not match any of the defined routes is sent to the Default origin pools; users in a global load balancer region you have defined are directed to the closest load balancers/VSIs.

  9. Click Create.

Secure with HTTPS

HTTPS encryption requires signed certificates to be accessible from both the CIS global load balancer and the VPC load balancers. The IBM Cloud Secrets Manager will be used to order or import and then manage the certificate for your domain. Identity and Access Management (IAM) service authorization is then configured to allow read access to the certificate from the desired service.

Create and authorize a Secrets Manager instance

  1. If you have an existing Secrets Manager instance, you can use it for this tutorial or create a new one if needed by following the steps outlined in Creating a Secrets Manager service instance.

  2. Create an authorization that gives the VPC load balancer service access to the Secrets Manager instance that contains the SSL certificate.

    • Navigate to Identity and Access Authorizations.
    • Click Create and select VPC Infrastructure Services as the source service.
    • Select Specific resources, Resource type and then Load Balancer for VPC.
    • Secrets Manager as the Target service.
    • Assign the Writer service access role.
    • The target service instance may be All resources, or it may be your specific Secrets Manager instance if desired. Leave All resources selected for now.
    • Click on Authorize.
  3. Continuing in the Manage authorizations page, create an authorization that gives the Secrets Manager access to CIS:

    • Click Create and choose Secrets Manager as the source service.
    • Choose All resources or just the Secrets Manager created earlier.
    • Internet Services as the target service.
    • Choose All resources or just the CIS created earlier.
    • Assign the Manager service access role.
    • Click on Authorize.

    If your CIS instance supports multiple domains, you can also assign the Reader role to the CIS instance and the Manager role to the specific domain that you are using for your solution. See the granting service access to specific domains topic.

IBM CIS supports proxying for global load balancers. When a load balancer is proxied, its traffic runs directly through CIS. Load balancers support both DNS-only and HTTP proxy modes. Consider which of the two alternatives below best matches your use case before proceeding, as the traffic routing behavior differs as follows:

  • Alternative 1: Traffic that is proxied flows through CIS.
  • Alternative 2: Traffic that is non-proxied (DNS-only mode) flows directly from the client to the origin. In DNS-only mode, none of the CIS security, performance, and reliability features are applied.

Traffic flow

For more information read through the Proxying DNS records and global load balancers topic.

Alternative 1: Proxy, traffic flows through CIS

This first alternative creates a wildcard certificate for your custom domain, and then proxies it in IBM Cloud Internet Services (CIS), allowing you to take advantage of industry leading security, protection and performance capabilities. Replace example.com with your custom domain name in the steps below.

Currently, certificates are ordered through Let's Encrypt; follow the Supported certificate authorities topic for updates. Using Let's Encrypt requires an ACME account. Follow the steps outlined in the Connecting third-party certificate authorities topic to create or register your account. In addition, you must add a DNS provider following the steps in the Connecting DNS providers topic. For this tutorial, you must add CIS as your DNS provider.

Initially HTTPS is configured from the user to Secrets Manager only.

  1. Order a certificate in Secrets Manager
    • Open the Secrets Manager service and select Secrets on the left.
    • Click Add.
    • If you are using a new Secrets Manager instance you will need to configure it prior to ordering your certificate. Follow the steps outlined under Preparing to order public certificates.
    • Click on Public certificate and then click on Next.
    • Complete the form:
      • Name - type a name you can remember.
      • Description - enter a description of your choice.
      • Click on Next.
      • Under Certificate authority select your configured Let's Encrypt certificate authority engine.
      • Under Key algorithm, pick your preferred algorithm.
      • Bundle certificates - leave off
      • Automatic certificate rotation - leave off
      • Under DNS provider select your configured DNS provider instance
      • Click Select domains, check Select with wildcard, leave the domain itself unchecked and click Done.
    • Click Next.
    • Review your selections and click on Add.
    • You don't need to wait for the activation to complete to execute the next step, but you do need to wait for it to complete prior to verifying success.
  2. Configure HTTPS from client web browsers to the CIS endpoint. In CIS configure TLS Security:
    • Open the Security panel and choose TLS.
    • For the Mode choose Client-to-edge. This will terminate HTTPS connections at the global load balancer and will switch to HTTP connections to the VPC load balancer.
  3. In the CIS configure the global load balancer to use TLS:
    • Open Reliability panel and choose Global load balancers.
    • Locate the global load balancer created earlier and turn on Proxy.
  4. In a browser open https://lb.example.com to verify success.

Next configure HTTPS from CIS to the VPC load balancer.

Add an HTTPS listener to the VPC load balancers:

  1. Navigate to VPC then Load balancers and click vpc-lb-region1.

  2. Choose Front-end listeners.

  3. Click Create listener.

  4. Select the Default back-end pool: region1-pool or region2-pool.

  5. Select HTTPS and enter for Port a value of 443.

  6. Select the Secrets Manager instance you created earlier, the SSL Certificate drop down should show the certificate name that you ordered using your Secrets Manager instance earlier from Let's Encrypt. Click on Create.

    If the SSL Certificate drop down does not have example.com you may have missed the authorization step above that gives the VPC load balancer access to the Secrets Manager service. Verify that the Secrets Manager service has a certificate for example.com.

  7. Repeat the above steps for the vpc-lb-region2 load balancer.

The wildcard certificate created will cover domain names like vpc-lb-region1.example.com. Open the Overview tab of the VPC load balancer vpc-lb-region1 and notice that its Hostname is xxxxxxx-REGION.lb.appdomain.cloud, which the wildcard certificate does not cover. Fix that problem by creating an alias and then updating the configuration.

  1. A DNS CNAME record can be created to allow clients to look up vpc-lb-region1.example.com and resolve it to xxxxxxx-REGION.lb.appdomain.cloud.

    • In the CIS, open Reliability panel and choose DNS.
    • Scroll down to DNS Records and create a record of Type: CNAME, Name: vpc-lb-region1, TTL: Automatic and Alias Domain Name: VPC load balancer Hostname.
    • Add a DNS CNAME record for vpc-lb-region2.
  2. Now adjust the global load balancer to use the new CNAME records.

    • Open Reliability panel and choose Global Load Balancers.
    • Find and edit the Origin Pools to change the origin's Origin Address to vpc-lb-region1.example.com.
    • Repeat the above steps for vpc-lb-region2.example.com.
  3. Turn on end-to-end security.

    • Open the Security panel and choose TLS.
    • For the Mode choose End-to-end CA signed. This will use HTTPS connections at the global load balancer and HTTPS connections to the VPC load balancer.

In a browser open https://lb.example.com to verify success.

Alternative 2: DNS-only mode, traffic flows directly from the client to the VPC Load Balancers

In this alternative you will order an SSL certificate for lb.example.com from Let's Encrypt through Secrets Manager and configure the global load balancer.

It is not currently possible to order a certificate directly for a CIS global load balancer, but it is possible to order one for a CNAME record. So we will create a CNAME to order the certificate.

  1. Open the CIS service you created earlier; you can find it in the Resource list.

  2. Navigate to Global Load Balancers under Reliability and click DNS.

  3. Scroll down to DNS Records section and create a new record:

    • Type: CNAME
    • Name: lb
    • TTL: default (Automatic)
    • Alias Domain Name: zzz.example.com
    • Click Add Record
  4. Order a certificate in Secrets Manager

    • Open the Secrets Manager service and select Secrets on the left.
    • Click Add and then Public certificate. Click on Next.
    • Complete the form:
      • Name - lb-alias.
      • Description - enter a description of your choice.
      • Click on Next.
      • Under Certificate authority select your configured Let's Encrypt certificate authority engine.
      • Under Key algorithm select RSA4096
      • Bundle certificates - leave off
      • Automatic certificate rotation - leave off
      • Under DNS provider select your configured DNS provider instance
      • Click on Select domains
      • Expand the domain listed to view the list of subdomains and select the check box next to the lb.example.com and click on Done.
    • Click Next.
    • Review your selections and click on Add.

Create a HTTPS listener:

  1. Navigate to the VPC Load balancers page.

  2. Select vpc-lb-region1

  3. Under Front-end listeners, click Create

    • Protocol: HTTPS
    • Port: 443
    • Back-end pool: POOL in the same region
    • Choose the current region as your SSL region
    • Choose the SSL certificate order name you just created for lb.example.com
  4. Click Save to configure an HTTPS listener

Repeat the above steps in the load balancer of region 2.

In a browser open https://lb.example.com to verify success.
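As an added example (not from the tutorial), the following Python implements the hostname-matching rule behind the wildcard problem described in Alternative 1 and the single-name certificate of Alternative 2: a *.example.com SAN covers exactly one extra label, so it matches vpc-lb-region1.example.com and lb.example.com, but neither the VPC load balancer's own xxxxxxx-REGION.lb.appdomain.cloud hostname nor the apex example.com. The SAN lists and hostnames in the block are constructed; fetch_sans is a helper, assumed here, that reads the SANs a live endpoint presents.

```python
"""Added example (not part of the IBM Cloud tutorial): decide whether the DNS
subject alternative names (SANs) of a certificate cover a hostname, using the
rule that a wildcard stands for exactly one leftmost DNS label (RFC 6125).
"""
import socket
import ssl
from typing import Iterable, List


def _normalise(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot as well."""
    return name.rstrip(".").lower()


def san_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN entry (exact name or *.wildcard) covers `hostname`."""
    pattern, hostname = _normalise(pattern), _normalise(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Accept only a wildcard that is the whole leftmost label with at least one
    # label after it; partial ("f*.") and nested wildcards are rejected.
    if p_labels[0] != "*" or len(p_labels) < 2 or any("*" in l for l in p_labels[1:]):
        return False
    # The wildcard stands for exactly one label, so the label counts must be
    # equal and every label to its right must match. The apex (example.com)
    # has one label fewer and is therefore NOT covered, nor is a.b.example.com.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(sans: Iterable[str], hostname: str) -> bool:
    """True if any SAN in the certificate covers `hostname`."""
    return any(san_matches(s, hostname) for s in sans)


def uncovered(sans: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Hostnames from `hostnames` that this certificate would fail TLS for."""
    sans = list(sans)
    return [h for h in hostnames if not cert_covers(sans, h)]


def fetch_sans(hostname: str, port: int = 443) -> List[str]:
    """Return the DNS SANs a live server presents for `hostname` (sent as SNI).
    Chain validation stays on; only the hostname check is left to san_matches()
    so a mismatch can be reported instead of raising. Network: not run in tests."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode remains CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed SAN list of the Alternative 1 wildcard order (apex left unchecked).
WILDCARD_SANS = ["*.example.com"]
# Constructed SAN list of the Alternative 2 order for the lb CNAME.
ALIAS_SANS = ["lb.example.com"]

if __name__ == "__main__":
    names = ["lb.example.com", "vpc-lb-region1.example.com",
             "xxxxxxx-REGION.lb.appdomain.cloud", "example.com"]
    print("wildcard cert leaves uncovered:", uncovered(WILDCARD_SANS, names))
    print("alias cert leaves uncovered:   ", uncovered(ALIAS_SANS, names))
```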

Failover test

By now, you should have seen that most of the time you are accessing the servers in region 1, as it is assigned a higher weight compared to the servers in region 2. Let's introduce a health check failure in the region 1 origin pool:

  1. Navigate to the list of virtual server instances.

  2. Click the three dots (...) next to the server(s) running in zone 1 of region 1 and click Stop.

  3. Repeat the same for server(s) running in zone 2 of region 1.

  4. Return to GLB under CIS service and wait until the health status changes to Critical.

  5. Now, when you refresh your domain URL, you should always be hitting the servers in region 2.

    Don't forget to start the servers in zone 1 and zone 2 of region 1.
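As an added example (not part of the tutorial), the following Python script automates both the load balancer test and the failover test above: it fetches the VPC load balancer or GLB URL repeatedly, extracts the zone/region text written into each server's Nginx page, and tallies where the answers came from. The response bodies embedded in the block are constructed, and the URL is a placeholder.

```python
"""Added example (not part of the IBM Cloud tutorial): probe a load balancer or
GLB URL repeatedly and tally which zone and region served each response.

Assumes every VSI's Nginx welcome page was edited as in the tutorial, so its
<h1> reads "Welcome to nginx! server running in zone N of region M".
"""
import re
import sys
import urllib.error
import urllib.request
from collections import Counter
from typing import Iterable, Optional

# Matches the h1 text the tutorial asks you to write on each server; \W* also
# swallows the ** markers if they were pasted literally into the page.
LOCATION_RE = re.compile(
    r"server running in\W*(zone\s+\d+\s+of\s+region\s+\d+)", re.IGNORECASE
)

# Constructed response bodies: what a round of refreshes might return while
# both regions are healthy (the last one is an uncustomised default page).
SAMPLE_BODIES = [
    "<html><body><h1>Welcome to nginx! server running in zone 1 of region 1</h1></body></html>",
    "<html><body><h1>Welcome to nginx! server running in zone 2 of region 1</h1></body></html>",
    "<html><body><h1>Welcome to nginx! server running in **zone 1 of region 2**</h1></body></html>",
    "<html><body><h1>Welcome to nginx!</h1></body></html>",
]
# Constructed bodies for the failover test: region 1 VSIs stopped, GLB Critical.
FAILOVER_BODIES = [
    "<h1>Welcome to nginx! server running in zone 1 of region 2</h1>",
    "<h1>Welcome to nginx! server running in zone 2 of region 2</h1>",
    "<h1>Welcome to nginx! server running in zone 1 of region 2</h1>",
]


def extract_location(html: str) -> Optional[str]:
    """Return e.g. 'zone 1 of region 2' from a response body, or None when the
    page was not customised (default welcome page, error page, etc.)."""
    m = LOCATION_RE.search(html)
    return " ".join(m.group(1).split()).lower() if m else None


def tally(bodies: Iterable[str]) -> Counter:
    """Count responses per location; unrecognised pages count as 'unknown'."""
    return Counter(extract_location(b) or "unknown" for b in bodies)


def regions_seen(counts: Counter) -> set:
    """Regions that answered at least once, e.g. {'region 1', 'region 2'}."""
    return {loc.split(" of ")[-1] for loc in counts if loc != "unknown"}


def all_from_region(counts: Counter, region: str) -> bool:
    """Failover criterion: every response came from `region` and none failed."""
    return bool(counts) and all(
        loc != "unknown" and loc.endswith(region) for loc in counts
    )


def probe(url: str, attempts: int = 20, timeout: float = 5.0) -> Counter:
    """Fetch `url` repeatedly (a new connection each time, so every request is
    balanced afresh) and tally the answers. Network call: not run in tests."""
    bodies = []
    for _ in range(attempts):
        req = urllib.request.Request(url, headers={"Cache-Control": "no-cache"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                bodies.append(resp.read().decode("utf-8", "replace"))
        except (urllib.error.URLError, OSError) as exc:
            bodies.append(f"error: {exc}")  # tallied as 'unknown'
    return tally(bodies)


if __name__ == "__main__":
    # Placeholder URL: pass the VPC load balancer hostname or https://lb.<your_domain_name>
    counts = probe(sys.argv[1] if len(sys.argv) > 1 else "http://lb.example.com/")
    for loc, n in counts.most_common():
        print(f"{n:3d}  {loc}")
    print("regions answering:", sorted(regions_seen(counts)))
    print("all from region 2:", all_from_region(counts, "region 2"))
```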

Remove resources

  • Remove the global load balancer, origin pools and health checks under the CIS service
  • Remove the certificates in the Secrets Manager service.
  • Remove the load balancers, VSIs, subnets and VPCs.
  • Under Resource list, delete the services used in this tutorial.