We are currently in the process of installing and configuring the PAM solution for a customer. At the architecture level, the solution is distributed across 2 data centers, geographically located in different cities. Each data center has 2 PAM appliances, for a total of 4, which must be configured in high availability. The customer needs the balancing to be done by the PAM solution, but when configuring the virtual IP the documentation indicates that both the VIP and the cluster members must be in the same network segment; therefore, the VIP cannot guarantee high availability and replication of the solution. The customer additionally requires that, in the case of failure of the devices of one data center, the alternate data center ensures access to and administration of the endpoints of the managed devices. As an alternative, I tried to configure a second network card through the GB2 network interface, but it does not respond to ping. I have some questions that I would like help solving: How can you establish high availability of the PAM solution between the 2 data centers? Can you configure another network card over the GB2 network interface? The attached image can give an idea of the architecture and the problem. Any idea about it is welcome.
My first question is, does the customer have an external load balancer? If so, I would recommend the following:
Datacenter 1 (PAM-001 and PAM-002) configured as a primary master site cluster with a VIP for the Datacenter, something like (DC1-PAM.company.com) and Datacenter 2 (PAM-003 and PAM-004) also configured with a VIP similarly (DC2-PAM.company.com). At this point, for full failover, you could utilize an external load balancer with weighting of 98% for Datacenter1 and 2% for Datacenter2. This would allow a single VIP controlled by an external load balancer to automatically direct traffic to the DR site should the primary site go down and leverage a single URL for access such as PAM.company.com.
If the customer does not have an external load balancer for their network, then you would have the two VIPs to direct traffic, but end users would need to know to switch the URL to the alternate site in the event of an outage.
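The external load balancer layout described in the reply above (one URL in front of two site VIPs, weighted 98/2 with automatic failover) written out as an HAProxy configuration. This is an added illustration, not configuration from the original thread or from CA; the hostnames DC1-PAM.company.com and DC2-PAM.company.com come from the reply, while the listening port, the TLS passthrough in TCP mode, and the health-check intervals are assumptions.

```haproxy
# Added example: single entry point PAM.company.com in front of two site VIPs.
# TCP mode passes the appliance's own TLS through untouched, so the load
# balancer never terminates or inspects PAM sessions (assumption: HTTPS on 443).
frontend pam_https
    bind *:443
    mode tcp
    default_backend pam_sites

backend pam_sites
    mode tcp
    balance roundrobin
    # Keep each client on the site it first reached for 30 minutes, so a
    # logged-in session is not bounced between the primary and DR site.
    stick-table type ip size 100k expire 30m
    stick on src
    # Active TCP health checks: a site VIP is marked down after 3 failed
    # probes (15 s) and brought back after 2 successful ones.
    option tcp-check
    server dc1 DC1-PAM.company.com:443 weight 98 check inter 5s fall 3 rise 2
    server dc2 DC2-PAM.company.com:443 weight 2  check inter 5s fall 3 rise 2
```

The 98/2 weighting mirrors the reply literally, which means a small share of new connections is steered to the DR site even while the primary is healthy. If the customer wants strict active/passive behaviour instead, replace the weight on the dc2 line with the `backup` keyword: HAProxy then sends traffic to DC2 only while every non-backup server is marked down, and the health checks alone decide when failover happens. Either way, the PAM-side synchronization between the two sites is still governed by the cluster configuration, not by the load balancer.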
The customer does not have an external load balancer for their network. If I configure two VIPs, how can I get an instant replica of the data at the two data centers?
I may not have understood the HA clustering within PAM completely, so please excuse me if this is a silly question.
What about the data replication from the primary site cluster to the secondary site cluster? How does that work? At a given point in time, if the users are connecting to the primary site VIP, the DB will be written on both cluster nodes of the primary site, as they are active-active synchronized. But during a failure of the primary site, how does the data in the primary site get replicated?
Hi Manoj, while the primary site is down there is nothing to be replicated. No credential changes will be possible. Synchronization is discussed in the online documentation, e.g. at https://docops.ca.com/ca-privileged-access-manager/3-0-2/EN/deploying/set-up-a-cluster/cluster-synchronization-promotion-and-recovery.
Also note the following paragraph in https://docops.ca.com/ca-privileged-access-manager/3-0-2/EN/deploying/set-up-a-cluster/cluster-configuration:
5. Under Multi-Site, determine the behavior of the secondary site when the primary site is unavailable. To change the behavior globally, first turn off the cluster. The options for the secondary site are:
Workflow functions are not available when the primary site is down.
Thanks for your response!!! My client has all their infra in AWS, and the proposed PAM solution is also in AWS. I have proposed a couple of AWS instances, one per availability zone, with clustering established between the availability zones. Can this be an example of a multi-site cluster? This is a production environment, and for DR I have proposed a cold standby with AWS instances readily waiting. During a complete cluster failure the restoration will be manual, and this will be achieved using scheduled backups. Things will operate from DR until the cluster issue is fixed completely.
1. While the service is running for a few days until the primary site is restored, will there be any challenges in restoring the data back to the primary site, since we have a clustered environment in prod and a standalone instance in DR?
2. We have plans to deploy the primary node of the cluster in one availability zone and the secondary node of the cluster in the other availability zone, for redundancy in case of failure of a zone. Does CA recommend this? Or what would be the acceptable network latency level for both nodes to work with no synchronization issues?
3. For having a cold standby CA PAM in an AWS instance, does this cost an additional license?
Hi Julian, for such a case you want to configure a multi-site cluster, here specifically 2 sites; see https://docops.ca.com/ca-privileged-access-manager/2-8-4/EN/deploying/set-up-a-cluster for details on configuring multi-site clusters. Configuration of multiple network interfaces should work. Each interface needs to be configured and enabled on the Configuration > Network > Network Settings page. There is a "RESTART NETWORKING" button on the page that you would use after changing and saving the network interface configuration. Cluster communication will only use the interface defined in the cluster configuration, though. I am not sure what HA scenario you are trying to address with the second interface.
I see that you are using virtual appliances. Virtual appliances have some caveats when attempting to add network cards. Any network cards should be added BEFORE the first time you ever boot the system. Attempting to add another NIC afterwards may cause catastrophic problems with PAM, depending on your version. This is actually related to the licensing control feature, because PAM sees that the hardware has changed and assumes it has been tampered with. I believe the catastrophic results no longer happen in the 3.x branch, but the 2.x branch definitely still has this happen.
Please see this doc for more information on my statements:
Is it possible to add additional NIC cards to a virtual CA PAM appliance?
"NICs: One interface. Add extra required interfaces before initial boot."
Installation Requirements - CA Privileged Access Manager - 3.0.2 - CA Technologies Documentation
Hope this helps,
CA Technologies - North America