Configure multiple data centers for Apigee mTLS

Apigee mTLS supports multiple data centers so that you can scale your configuration to include more complex topologies such as a 12-node clustered installation.

The installation process for mTLS on a multi-data center topology is the same as it is for simpler topologies. However, you must ensure that your installation meets the prerequisites and that you change your configuration files as described in the sections that follow.

Prerequisites

To use Apigee mTLS with multiple data centers, you must:

  • Uninstall apigee-mtls and reinstall it with the multiple data center configuration. You cannot modify an existing configuration. For more information, see Change an existing apigee-mtls configuration.
  • Open port 8302 (Consul's WAN gossip port, TCP and UDP) on every host that is running mTLS.
  • Ensure that the entire mTLS cluster is on a flat network. This means that data centers:
    • Cannot be in different subnets
    • Cannot use NAT (Network Address Translation) between data centers
  • When specifying configuration files, use absolute paths in your commands where ambiguity might exist.
  • Add multi-data center configuration properties, as described in Configuration files for multiple data centers.

Configuration files for multiple data centers

To use Apigee mTLS with multiple data centers, you create a separate configuration file for each data center.

In each of the configuration files:

  1. Change the value of the ALL_IP configuration property to include all host IP addresses in all regions.
  2. Ensure that the value of the REGION property is the name of the current region or data center. For example, "dc-1".
  3. Add the following properties:

     APIGEE_MTLS_MULTI_DC_ENABLE
       Whether you are using a multi-data center configuration. Set to "y" if you are configuring multiple data centers; otherwise, omit it or set it to "n". It is omitted by default.

     MTLS_LOCAL_REGION_IP
       A space-delimited list of all IP addresses used by the region that you are configuring. For example, "10.0.0.1 10.0.0.2 10.0.0.3". To list the addresses of the second region, use the MTLS_REMOTE_REGION_1_IP property.

     MTLS_REMOTE_REGION_1_NAME
       The name of the second region in a multi-data center configuration. For example, "dc-2". In the second region's configuration file, you use "dc-2" for REGION and "dc-1" for MTLS_REMOTE_REGION_1_NAME.

     MTLS_REMOTE_REGION_1_IP
       A space-delimited list of all IP addresses used by the second region in a multi-data center configuration. For example, "10.0.0.4 10.0.0.5 10.0.0.6".

The following examples show the configuration files for two data centers ("dc-1" and "dc-2"). The properties that are specific to a multi-data center configuration are grouped at the end of each file:

dc-1 Configuration File

ALL_IP="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.132 10.126.0.133 10.126.0.104 10.126.0.106 10.126.0.105 10.126.0.95 10.126.0.102 10.126.0.100 10.126.0.112"
LDAP_MTLS_HOSTS="10.126.0.114 10.126.0.106"
ZK_MTLS_HOSTS="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.106 10.126.0.105 10.126.0.95"
CASS_MTLS_HOSTS="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.106 10.126.0.105 10.126.0.95"
PG_MTLS_HOSTS="10.126.0.104 10.126.0.112"
RT_MTLS_HOSTS="10.126.0.113 10.126.0.96 10.126.0.105 10.126.0.95"
MS_MTLS_HOSTS="10.126.0.114 10.126.0.106"
MP_MTLS_HOSTS="10.126.0.113 10.126.0.96 10.126.0.105 10.126.0.95"
QP_MTLS_HOSTS="10.126.0.132 10.126.0.133 10.126.0.102 10.126.0.100"
ENABLE_SIDECAR_PROXY="y"
ENCRYPT_DATA="zRNQ9lhRySNTfegiLLLfIQ=="
PATH_TO_CA_CERT="/opt/consul-agent-ca.pem"
PATH_TO_CA_KEY="/opt/consul-agent-ca-key.pem"

APIGEE_MTLS_MULTI_DC_ENABLE="y"
REGION="dc-1"
MTLS_LOCAL_REGION_IP="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.132 10.126.0.133 10.126.0.104"
MTLS_REMOTE_REGION_1_NAME="dc-2"
MTLS_REMOTE_REGION_1_IP="10.126.0.106 10.126.0.105 10.126.0.95 10.126.0.102 10.126.0.100 10.126.0.112"

dc-2 Configuration File

ALL_IP="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.132 10.126.0.133 10.126.0.104 10.126.0.106 10.126.0.105 10.126.0.95 10.126.0.102 10.126.0.100 10.126.0.112"
LDAP_MTLS_HOSTS="10.126.0.114 10.126.0.106"
ZK_MTLS_HOSTS="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.106 10.126.0.105 10.126.0.95"
CASS_MTLS_HOSTS="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.106 10.126.0.105 10.126.0.95"
PG_MTLS_HOSTS="10.126.0.104 10.126.0.112"
RT_MTLS_HOSTS="10.126.0.113 10.126.0.96 10.126.0.105 10.126.0.95"
MS_MTLS_HOSTS="10.126.0.114 10.126.0.106"
MP_MTLS_HOSTS="10.126.0.113 10.126.0.96 10.126.0.105 10.126.0.95"
QP_MTLS_HOSTS="10.126.0.132 10.126.0.133 10.126.0.102 10.126.0.100"
ENABLE_SIDECAR_PROXY="y"
ENCRYPT_DATA="zRNQ9lhRySNTfegiLLLfIQ=="
PATH_TO_CA_CERT="/opt/consul-agent-ca.pem"
PATH_TO_CA_KEY="/opt/consul-agent-ca-key.pem"

APIGEE_MTLS_MULTI_DC_ENABLE="y"
REGION="dc-2"
MTLS_LOCAL_REGION_IP="10.126.0.106 10.126.0.105 10.126.0.95 10.126.0.102 10.126.0.100 10.126.0.112"
MTLS_REMOTE_REGION_1_NAME="dc-1"
MTLS_REMOTE_REGION_1_IP="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.132 10.126.0.133 10.126.0.104"

For information about the standard configuration properties, see Step 1: Update your configuration file.
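
The following script is an added example; it is not part of the Apigee documentation or of the apigee-mtls tooling. It parses two silent configuration files in the KEY="value" form shown above and reports inconsistencies between them before you run the installer: the two files must name each other as the remote region, each file's MTLS_LOCAL_REGION_IP must equal the other file's MTLS_REMOTE_REGION_1_IP, the local and remote lists must be disjoint and together cover ALL_IP, every entry must be a literal IPv4 address (the flat-network prerequisite), and everything that is not per-region (ALL_IP, the *_MTLS_HOSTS lists, ENCRYPT_DATA and the CA paths) must be identical in both files, since the gossip key and the CA are shared by the whole cluster. The embedded sample files are constructed from the dc-1 and dc-2 examples on this page, trimmed to the properties the check inspects; the function names and messages are this example's own.

```python
import ipaddress
import re

# Constructed sample input: the dc-1 and dc-2 files from this page, trimmed to
# the properties this check inspects (two *_MTLS_HOSTS lines stand in for all).
ALL_IP = ("10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.132 10.126.0.133 10.126.0.104 "
          "10.126.0.106 10.126.0.105 10.126.0.95 10.126.0.102 10.126.0.100 10.126.0.112")
SHARED = f'''ALL_IP="{ALL_IP}"
LDAP_MTLS_HOSTS="10.126.0.114 10.126.0.106"
PG_MTLS_HOSTS="10.126.0.104 10.126.0.112"
ENCRYPT_DATA="zRNQ9lhRySNTfegiLLLfIQ=="
PATH_TO_CA_CERT="/opt/consul-agent-ca.pem"
PATH_TO_CA_KEY="/opt/consul-agent-ca-key.pem"
APIGEE_MTLS_MULTI_DC_ENABLE="y"
'''
DC1_CONF = SHARED + '''REGION="dc-1"
MTLS_LOCAL_REGION_IP="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.132 10.126.0.133 10.126.0.104"
MTLS_REMOTE_REGION_1_NAME="dc-2"
MTLS_REMOTE_REGION_1_IP="10.126.0.106 10.126.0.105 10.126.0.95 10.126.0.102 10.126.0.100 10.126.0.112"
'''
DC2_CONF = SHARED + '''REGION="dc-2"
MTLS_LOCAL_REGION_IP="10.126.0.106 10.126.0.105 10.126.0.95 10.126.0.102 10.126.0.100 10.126.0.112"
MTLS_REMOTE_REGION_1_NAME="dc-1"
MTLS_REMOTE_REGION_1_IP="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.132 10.126.0.133 10.126.0.104"
'''

# Properties that legitimately differ between the two files; everything else must match.
PER_REGION = re.compile(r"REGION|MTLS_LOCAL_REGION_IP|MTLS_REMOTE_REGION_\d_(IP|NAME)")


def parse_conf(text):
    """Parse KEY="value" lines of a silent config file into a dict."""
    return dict(re.findall(r'^\s*([A-Z0-9_]+)="([^"]*)"\s*$', text, re.M))


def ips(conf, key):
    """Space-delimited address list stored under key, as a set."""
    return set(conf.get(key, "").split())


def check_one(conf):
    """Check a single data center's file; returns a list of problem strings."""
    region = conf.get("REGION", "?")
    problems = []
    if conf.get("APIGEE_MTLS_MULTI_DC_ENABLE") != "y":
        problems.append(f'{region}: APIGEE_MTLS_MULTI_DC_ENABLE must be "y"')
    all_ip, local = ips(conf, "ALL_IP"), ips(conf, "MTLS_LOCAL_REGION_IP")
    if not local:
        problems.append(f"{region}: MTLS_LOCAL_REGION_IP is missing or empty")
    remotes = {k[len("MTLS_REMOTE_REGION_"):-len("_IP")]: ips(conf, k)
               for k in conf if re.fullmatch(r"MTLS_REMOTE_REGION_\d_IP", k)}
    if len(remotes) != 1:
        problems.append(f"{region}: {len(remotes)} remote regions defined; "
                        "exactly one (two data centers in total) is supported")
    covered = set(local)
    for n, remote in remotes.items():
        name = conf.get(f"MTLS_REMOTE_REGION_{n}_NAME", "")
        if name in ("", region):
            problems.append(f"{region}: MTLS_REMOTE_REGION_{n}_NAME must name a different region")
        if local & remote:
            problems.append(f"{region}: hosts listed as both local and remote: {sorted(local & remote)}")
        covered |= remote
    if covered != all_ip:
        problems.append(f"{region}: ALL_IP must equal the local plus remote hosts; "
                        f"difference {sorted(covered ^ all_ip)}")
    # Flat-network prerequisite: every entry is a literal IPv4 address, never a hostname.
    for addr in sorted(covered | all_ip):
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            problems.append(f"{region}: {addr!r} is not an IPv4 address")
    # Every component host list must be drawn from ALL_IP.
    for key, value in conf.items():
        if key.endswith("_MTLS_HOSTS") and not set(value.split()) <= all_ip:
            problems.append(f"{region}: {key} contains hosts not in ALL_IP")
    return problems


def check_pair(text_a, text_b):
    """Check two data centers' files against each other; [] means consistent."""
    a, b = parse_conf(text_a), parse_conf(text_b)
    problems = check_one(a) + check_one(b)
    # Host inventory, gossip key and CA paths are cluster-wide and must match.
    for key in sorted(set(a) | set(b)):
        if PER_REGION.fullmatch(key):
            continue
        if sorted(a.get(key, "").split()) != sorted(b.get(key, "").split()):
            problems.append(f"{key} differs between {a.get('REGION')} and {b.get('REGION')}")
    # Each file's remote region is the other file's local region, by name and by address.
    for x, y in ((a, b), (b, a)):
        if x.get("MTLS_REMOTE_REGION_1_NAME") != y.get("REGION"):
            problems.append(f"{x.get('REGION')}: MTLS_REMOTE_REGION_1_NAME is "
                            f"{x.get('MTLS_REMOTE_REGION_1_NAME')!r}, expected {y.get('REGION')!r}")
        if ips(x, "MTLS_REMOTE_REGION_1_IP") != ips(y, "MTLS_LOCAL_REGION_IP"):
            problems.append(f"{x.get('REGION')}: MTLS_REMOTE_REGION_1_IP does not match "
                            f"{y.get('REGION')}'s MTLS_LOCAL_REGION_IP")
    return problems


if __name__ == "__main__":
    for line in check_pair(DC1_CONF, DC2_CONF) or ["OK: dc-1 and dc-2 files are consistent"]:
        print(line)
```

To check real files, read each one into a string and pass the pair to check_pair; an empty list means the two files agree, and each message names the region and property that disagree.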

Test a multi-data center configuration

When you check the quorum status in a multi-data center configuration, the output of the consul operator raft list-peers command depends on which data center the host you run it on belongs to.

The command lists only the Raft peers in that host's own data center, that is, addresses defined in the MTLS_LOCAL_REGION_IP property of that host's configuration file; hosts from the other data center do not appear.

The following examples show sample output from a raft list-peers command on each data center:

dc-1 raft quorum test

[ec2-user]# consul operator raft list-peers

Node              ID                Address            State     Voter  RaftProtocol
prc-test-1-2119   d1361917-b244-42  10.126.0.151:8300  leader    true   3
prc-test-0-2119   fad66fc3-22a0-43  10.126.0.155:8300  follower  true   3
prc-test-2-2119   78847b12-dd83-44  10.126.0.159:8300  follower  true   3

[ec2-user]# cat /opt/silent.conf | grep MTLS_LOCAL_REGION_IP

MTLS_LOCAL_REGION_IP="10.126.0.155 10.126.0.151 10.126.0.159"

dc-2 raft quorum test

[ec2-user]# consul operator raft list-peers
Node             ID                Address            State     Voter  RaftProtocol
prc-test-6-2119  60bb50ac-37b6-52  10.126.0.152:8300  leader    true   3
prc-test-7-2119  515bbdfd-e968-53  10.126.0.147:8300  follower  true   3
prc-test-8-2119  d869c9a5-b4f6-54  10.126.0.158:8300  follower  true   3

[ec2-user]# cat /opt/silent.conf | grep MTLS_LOCAL_REGION_IP

MTLS_LOCAL_REGION_IP="10.126.0.147 10.126.0.152 10.126.0.158"
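
The following script is an added example, not part of the Apigee documentation or of Consul. It turns the two manual checks above into one function: it parses the table printed by consul operator raft list-peers, strips the :8300 Raft port from each address, and compares the peer set with the MTLS_LOCAL_REGION_IP and MTLS_REMOTE_REGION_1_IP lines of the host's own silent configuration file. It reports peers that belong to the other data center or to no configured region, more or fewer than one leader, non-voting peers and mixed RaftProtocol versions. The embedded inputs are constructed from the dc-1 and dc-2 sample output and configuration lines shown above; the function names and messages are this example's own.

```python
import re

# Constructed sample input: the dc-1 and dc-2 `consul operator raft list-peers`
# output and the MTLS_* configuration lines shown on this page.
RAFT_DC1 = """\
Node              ID                Address            State     Voter  RaftProtocol
prc-test-1-2119   d1361917-b244-42  10.126.0.151:8300  leader    true   3
prc-test-0-2119   fad66fc3-22a0-43  10.126.0.155:8300  follower  true   3
prc-test-2-2119   78847b12-dd83-44  10.126.0.159:8300  follower  true   3
"""
RAFT_DC2 = """\
Node             ID                Address            State     Voter  RaftProtocol
prc-test-6-2119  60bb50ac-37b6-52  10.126.0.152:8300  leader    true   3
prc-test-7-2119  515bbdfd-e968-53  10.126.0.147:8300  follower  true   3
prc-test-8-2119  d869c9a5-b4f6-54  10.126.0.158:8300  follower  true   3
"""
CONF_DC1 = '''MTLS_LOCAL_REGION_IP="10.126.0.155 10.126.0.151 10.126.0.159"
MTLS_REMOTE_REGION_1_IP="10.126.0.147 10.126.0.152 10.126.0.158"
'''
CONF_DC2 = '''MTLS_LOCAL_REGION_IP="10.126.0.147 10.126.0.152 10.126.0.158"
MTLS_REMOTE_REGION_1_IP="10.126.0.155 10.126.0.151 10.126.0.159"
'''


def parse_raft_peers(output):
    """Parse the table printed by `consul operator raft list-peers` into dicts."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty raft list-peers output")
    header = lines[0].split()
    peers = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError(f"unexpected row: {line!r}")
        peer = dict(zip(header, fields))
        peer["IP"] = peer["Address"].rsplit(":", 1)[0]  # drop the :8300 Raft port
        peers.append(peer)
    return peers


def conf_ips(conf_text, key):
    """Space-delimited address list under key in a silent config file, as a set."""
    m = re.search(rf'^\s*{key}="([^"]*)"', conf_text, re.M)
    return set(m.group(1).split()) if m else set()


def check_quorum(raft_output, conf_text):
    """Compare the Raft peers with this host's config; [] means the DC looks as expected."""
    peers = parse_raft_peers(raft_output)
    local = conf_ips(conf_text, "MTLS_LOCAL_REGION_IP")
    remote = conf_ips(conf_text, "MTLS_REMOTE_REGION_1_IP")
    peer_ips = {p["IP"] for p in peers}
    problems = []
    leaders = [p["Node"] for p in peers if p["State"] == "leader"]
    if len(leaders) != 1:
        problems.append(f"expected exactly one leader, found {leaders}")
    non_voters = [p["Node"] for p in peers if p["Voter"] != "true"]
    if non_voters:
        problems.append(f"non-voting peers (not yet promoted, or read replicas): {non_voters}")
    if len({p["RaftProtocol"] for p in peers}) > 1:
        problems.append("peers disagree on the RaftProtocol version")
    # The Raft set is per data center: every peer must come from MTLS_LOCAL_REGION_IP.
    if peer_ips & remote:
        problems.append("peers from the remote region appear in this data center's "
                        f"Raft set: {sorted(peer_ips & remote)}")
    unknown = peer_ips - local - remote
    if unknown:
        problems.append(f"peers not listed in MTLS_LOCAL_REGION_IP: {sorted(unknown)}")
    return problems


if __name__ == "__main__":
    for region, raft, conf in (("dc-1", RAFT_DC1, CONF_DC1), ("dc-2", RAFT_DC2, CONF_DC2)):
        print(region, check_quorum(raft, conf) or "OK")
```

On a real host, feed the captured command output and the contents of /opt/silent.conf to check_quorum; running it with dc-2's output against dc-1's file reproduces the mismatch a mis-copied configuration file would cause.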

Apigee mTLS has been tested with two data centers and is supported for two data centers only. The configuration accepts up to eight data centers through the following properties:

  • MTLS_REMOTE_REGION_[2-8]_IP
  • MTLS_REMOTE_REGION_[2-8]_NAME

However, configurations of more than two data centers are not supported.