Hi Manoj, The PAM appliance is accessed by users only through the HTTPS port. There is no difference between PAM client or browser sessions. The https://<PAMserver>/health.php page can be used for availability. Error 503 is returned if the node is not available to serve users. The load balancer should let the SSL connection pass through and it should have sticky client sessions, i.e. continue to connect a given client/IP to the same cluster node within a short time. This is critical e.g. if SAML authentication is configured where the connection is redirected to an external SAML IdP and once authenticated there goes back to PAM. The connection must come back to the same PAM node that redirected to the IdP. In general an existing user session is only valid on the PAM cluster node that it was established on.
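As an added example (not CA's own code, and not part of the original reply above), the following Python script polls the health.php endpoint described above on each node of a cluster and reports which nodes are currently serving users. It assumes only what the reply states: each node answers https://<node>/health.php with 200 when available and 503 when not. The node names and the `fetch_from_table` results are constructed placeholders so the script can be run offline.

```python
# Added example (not CA's own code): poll the PAM health endpoint on every
# cluster node and report which nodes are currently serving users.
# Assumptions: each node answers https://<node>/health.php with 200 when it is
# available to users and 503 when it is not, as stated above. Node names and
# the fetch_from_table results are constructed placeholders.
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List

HEALTH_PATH = "/health.php"

# A fetch callable takes a URL and returns the HTTP status code, or raises
# OSError for connection-level failures (refused, DNS, TLS handshake, timeout).
Fetch = Callable[[str], int]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Treat a redirect (e.g. to a login page) as the answer, not something to follow."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url: str, timeout: float = 5.0) -> int:
    """GET url over HTTPS and return the status code.

    The load balancer passes TLS straight through, so the poller sees the
    node's own certificate; verify it the way a browser would.
    urllib raises HTTPError for 4xx/5xx, so a 503 arrives as an exception
    whose .code is exactly the value we want.
    """
    ctx = ssl.create_default_context()
    opener = urllib.request.build_opener(
        _NoRedirect(), urllib.request.HTTPSHandler(context=ctx)
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status: int) -> str:
    """Map the health.php status to a node state."""
    if status == 200:
        return "serving"
    if status == 503:
        return "not serving"
    return "unexpected:%d" % status


def health_url(node: str) -> str:
    return "https://%s%s" % (node, HEALTH_PATH)


def cluster_status(nodes: List[str], fetch: Fetch = fetch_status) -> Dict[str, str]:
    """Return {node: state}; unreachable nodes are reported, not skipped."""
    states: Dict[str, str] = {}
    for node in nodes:
        try:
            states[node] = classify(fetch(health_url(node)))
        except OSError as err:  # urllib.error.URLError is a subclass of OSError
            states[node] = "unreachable:%s" % err.__class__.__name__
    return states


def serving_nodes(states: Dict[str, str]) -> List[str]:
    """Nodes a load balancer should keep in rotation."""
    return [n for n, s in states.items() if s == "serving"]


def fetch_from_table(table: Dict[str, int]) -> Fetch:
    """Offline stand-in for fetch_status: constructed results keyed by URL.

    URLs missing from the table raise, simulating a node that is down.
    """
    def fetch(url: str, timeout: float = 5.0) -> int:
        if url not in table:
            raise ConnectionRefusedError(url)
        return table[url]
    return fetch


if __name__ == "__main__":
    # Constructed sample: one node serving, one answering 503, one down.
    sample = fetch_from_table({
        health_url("pam-primary-1.example"): 200,
        health_url("pam-secondary-1.example"): 503,
    })
    nodes = ["pam-primary-1.example", "pam-secondary-1.example", "pam-secondary-2.example"]
    for node, state in cluster_status(nodes, fetch=sample).items():
        print(node, state)
    # A real run is cluster_status(nodes), which uses fetch_status over the network.
```

The poller deliberately does not follow redirects and verifies the node's certificate, because with TLS passed through by the load balancer the poller sees the same certificate and the same response a user's browser would; a 503 is read from the HTTPError rather than being lumped in with connection failures, so "not serving" and "unreachable" stay distinguishable in the report.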
There are 3 types of Elastic Load Balancer offered in AWS: Application Load Balancer (Layer 7); Network Load Balancer (Layer 4); Classic Load Balancer (both Layer 4 and 7). With the current understanding and requirements from the client, I can easily rule out the Network Load Balancer, as it will not span across AZs and works only on Layer 4.
Also, after reading your comments about HTTPS and that both nodes of the multi-site cluster will listen only on HTTPS: the SSL termination cannot happen at the load balancer level, meaning the traffic between the load balancer and the instance cannot be HTTP, as the PAM nodes will only respond to HTTPS. Is my understanding right here?
Between Application LB and Classic LB, which one does CA recommend for a multi-site cluster (active-passive node)?
Additional question about the passive node: the secondary site in passive mode will not serve any end-user HTTPS requests?
Since you will be tunnelling the SSL traffic from the client/browser through the LB to the PAM server, it doesn't make sense to me to use application layer load balancing (i.e. the application layer payload is encrypted).
If the SSL traffic is terminated at the load balancer level, the traffic from the LB to the PAM node will be non-encrypted, and PAM instances can work only with HTTPS; they don't take HTTP traffic. I think this is the reason to choose the application load balancer over the network load balancer.
Pearse commented on the LB type: classic LB is preferred over application LB. I think you misunderstand multi-site clusters. There are no passive nodes in PAM clusters. All nodes are active, including those in secondary sites, and are meant to serve users. Please see https://docops.ca.com/ca-privileged-access-manager/3-1-1/EN/deploying/set-up-a-cluster for details. That page shows a sample cluster configuration where PAM users (that are not administrators) are in fact connected to secondary site nodes only, and the primary site is accessed by PAM administrators only.