Hi Ed,
Finally, I think I can only reach out to you here in CA Communities.
In regards to the section on AWS AMI Cluster Requirements, it is quite vague. I've done all the steps mentioned. However, I faced difficulty in performing Step 4: Create an extra EIP to serve as the cluster VIP address, but do not assign this EIP to any instance.
This is actually not detailed enough. There is an additional step, like assigning an internal IP to the extra EIP, as CA PAM cannot take in just the EIP when configuring the cluster.
So, I've assigned an internal IP from Zone 1 to the EIP, another internal IP from Zone 1 as well to the Primary CA PAM, and one more internal IP from Zone 2 to the Secondary CA PAM.
However, this means that the CA PAM cluster is facing the Internet, as any user can access CA PAM as long as he/she knows the VIP (EIP). This raises security concerns and customers are not comfortable at all. In addition, there is also the concern that if AWS Zone 1 is down, the whole cluster will break, as the VIP resides in Zone 1.
So, I have no choice but to deploy an AWS ELB in front of the CA PAMs to do the load balancing, and users will mainly access the Primary CA PAM based on the stickiness set in the ELB. Users will only access the Secondary CA PAM if the Primary CA PAM is down, and the routing is done automatically by the AWS ELB. I have also set up a cluster to ensure that both CA PAMs maintain database sync, and the VIP eventually becomes useless in this setup.
I would like to ask you a question, Ed. In terms of redundancy for CA PAM, is the latter setup a better choice over the former one?