| Consideration | Detail |
|---|---|
| Security | A front-end firewall is typically deployed in front of the load balancer. In some environments additional firewalls may be located between vCloud Director cells and the resource tiers managed by vCenter. Load balancers might also provide NAT/SNAT (source network address translation) and are typically configured to provide this for the clustered cells. VMware recommends that access be secured between cells and the other management and resource group components. Refer to the vCloud Director Installation and Configuration Guide for the ports that must be opened. |
| Single vCloud Director site and scope | This architecture covers load balancing of a single vCloud Director site or instance. It does not cover client application load balancing or global load balancing. |
| Sizing recommendations for number of cells | VMware recommends that the number of vCloud Director cell instances = n + 1, where n is the number of vCenter Server instances providing compute resources for vCloud consumption. Based on the service definition requirements, two vCloud Director cell instances are sufficient to increase availability and upgradability (first upgrading one vCloud Director cell, then the other). |
| Requirements for multicell configurations | Multiple vCloud Director cells require NTP (Network Time Protocol), which is a design guideline for all elements of the vCloud infrastructure. See the white paper, Timekeeping in VMware Virtual Machines (www.vmware.com/files/pdf/Timekeeping-In-VirtualMachines.pdf), for more information on how to set up NTP. |
| Load balancer availability | At least two load balancers in an HA configuration should be used to reduce single points of failure. There are multiple strategies for this depending on the vendor or software used. |
| Proxy configuration | Each load-balanced vCloud Director cell requires a console proxy IP address to be set; this address is typically provided by the load balancer. |
| REST API URL configuration | The vCloud service URL should map to the address provided via the load balancer. This is configured in the vCloud Director administrator GUI as well as in the load balancer configuration. This is the address that should be used to check the health status of the vCloud Director cell. |
| Awareness of multicell roles | Some vCloud Director cell tasks (such as image transfer) can consume a lot of resources. All cells can perform the same set of tasks, but it is possible to set policies that affect which ones are used. See the advanced configuration settings. |
| Load balancer session persistence | Sessions are generally established over SSL and are terminated at the cells. Because of this, session persistence should be enabled using SSL. |
| Load balancing algorithm | Least connections or round-robin is generally acceptable. |
| vCloud Director cell status health checks | Configure the load balancer service to check the health of individual vCloud Director cells. Because each cell responds via HTTPS, this can be configured via the IP and API endpoint URL. Load balancers might support other types of health checks. Check services periodically based on load. A good starting point is to check every five seconds. In the second example, the versions supported by this endpoint are returned as XML. |
| Public IP/port | Specify the service IP appropriately before adding cells to the service group. Typically, port 443 (standard HTTPS) is the only port exposed. |
| Web Application Firewall | Can be used to apply URL restrictions on vCloud Director access to Admin or organization portals based on source address. Requires SSL sessions to be terminated on the load balancer. |
| SSL Initiation | Used when SSL is terminated on the load balancer to initiate an SSL session to the vCloud Director cells (which only accept HTTPS). |
| Advanced configurations | Load balancers can also provide Layer 7 content switching or direction, which can allow a vCloud Director configuration to send certain types of client traffic to “dedicated” cells. Though each cell can perform any function, it is possible to separate functions by directing certain types of requests to specific cells. |
| Connection mapping | When a cell joins an existing vCloud Director server group, it might try to load balance sessions. This can affect connection mapping through the load balancer, because the load balancer is unaware of the balancing that is occurring within the server group. |
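The health check described in the table above, as an added example (not VMware's code or part of the original document): it probes a cell's HTTPS API endpoint and treats the cell as healthy only when it returns HTTP 200 and an XML body that advertises at least one supported API version, so a cell that answers with a maintenance page or an empty document is taken out of rotation. The endpoint path `/api/versions`, the XML element names and the sample response are assumptions modelled on the vCloud API versions document.

```python
from __future__ import annotations
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Assumed path of the vCloud API versions endpoint (not taken from the page).
VERSIONS_PATH = "/api/versions"


def parse_supported_versions(xml_bytes: bytes) -> list[str]:
    """Return the API version strings advertised in a versions response.

    Elements are matched by local name (namespace stripped), so the check
    keeps working if the XML namespace changes between releases. Any
    unparseable body yields an empty list, which counts as unhealthy.
    """
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []
    versions = []
    for elem in root.iter():
        local_name = elem.tag.rsplit("}", 1)[-1]
        if local_name == "Version" and elem.text:
            versions.append(elem.text.strip())
    return versions


def cell_is_healthy(status: int, body: bytes) -> bool:
    """A cell is healthy only if it returns 200 and at least one API version."""
    return status == 200 and len(parse_supported_versions(body)) > 0


def probe_cell(host: str, timeout: float = 5.0, cafile: str | None = None) -> bool:
    """Perform one HTTPS probe against a cell; certificate validation stays on."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(f"https://{host}{VERSIONS_PATH}",
                                 headers={"Accept": "application/*+xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return cell_is_healthy(resp.status, resp.read())
    except (urllib.error.URLError, OSError):
        return False


# Constructed sample response, shaped like a vCloud API versions document.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<SupportedVersions xmlns="http://www.vmware.com/vcloud/versions">
  <VersionInfo><Version>1.5</Version>
    <LoginUrl>https://vcd.example.test/api/sessions</LoginUrl></VersionInfo>
  <VersionInfo><Version>5.1</Version>
    <LoginUrl>https://vcd.example.test/api/sessions</LoginUrl></VersionInfo>
</SupportedVersions>"""
```

Run `probe_cell("vcd-cell1.example.test")` every five seconds per cell, as the table suggests, and remove a cell from the service group when it returns `False`.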