Apigee mTLS supports multiple data centers so that you can scale your configuration to include more complex topologies such as a 12-node clustered installation.
The installation process for mTLS on a multi-data center topology is the same as it is for simpler topologies. However, you must ensure that your installation meets the prerequisites and that you change your configuration files as described in the sections that follow.
Prerequisites
To use Apigee mTLS with multiple data centers, you must:
- Uninstall
apigee-mtls
and reinstall it with the multiple data center configuration. You cannot modify an existing configuration. For more information, see Change an existing apigee-mtls configuration. - Open port 8302 on every host that is running mTLS.
- Ensure that all mTLS cluster members have unique IP addresses, which are consistent for all members of the cluster.
- When specifying configuration files, use absolute paths in your commands where ambiguity might exist.
- Add multi-data center configuration properties, as described in Configuration files for multiple data centers.
Configuration files for multiple data centers
To use Apigee mTLS with multiple data centers, you create a separate configuration file for each data center.
In each of the configuration files:
- Change the value of the
ALL_IP
configuration property to include all host IP addresses in all regions. - Ensure that the value of the
REGION
property is the name of the current region or data center. For example, "dc-1". - Add the following properties:
Property Description APIGEE_MTLS_MULTI_DC_ENABLE
Whether or not you are using a multi-data center configuration. Set to "y" if you are configuring multiple data centers. Otherwise, omit or set to "n". The default is omitted. MTLS_LOCAL_REGION_IP
A space-delimited list of all IP addresses used by the current region that you are configuring. For example, "10.0.0.1 10.0.0.2 10.0.0.3". For the second region in the configuration, use the
MTLP_REMOTE_REGION_1_IP
property.MTLS_REMOTE_REGION_1_NAME
The name of the second region in a multi-data center configuration. For example, "dc-2". In the second region's configuration file, you'll use "dc-2" for
REGION
and "dc-1" forMTLS_REMOTE_REGION_1_NAME.
MTLS_REMOTE_REGION_1_IP
A space delimited list of all IP addresses used by the second region in a multi-data center configuration. For example, "10.0.0.4 10.0.0.5 10.0.0.6".
The following examples show the configuration files for two data centers ("dc-1" and "dc-2"). Properties that are specific to a multi-data center configuration are highlighted):
dc-1 Configuration File
ALL_IP="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.132 10.126.0.133 10.126.0.104 10.126.0.106 10.126.0.105 10.126.0.95 10.126.0.102 10.126.0.100 10.126.0.112" LDAP_MTLS_HOSTS="10.126.0.114 10.126.0.106" ZK_MTLS_HOSTS="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.106 10.126.0.105 10.126.0.95" CASS_MTLS_HOSTS="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.106 10.126.0.105 10.126.0.95" PG_MTLS_HOSTS="10.126.0.104 10.126.0.112" RT_MTLS_HOSTS="10.126.0.113 10.126.0.96 10.126.0.105 10.126.0.95" MS_MTLS_HOSTS="10.126.0.114 10.126.0.106" MP_MTLS_HOSTS="10.126.0.113 10.126.0.96 10.126.0.105 10.126.0.95" QP_MTLS_HOSTS="10.126.0.132 10.126.0.133 10.126.0.102 10.126.0.100" ENABLE_SIDECAR_PROXY="y" ENCRYPT_DATA="zRNQ9lhRySNTfegiLLLfIQ==" PATH_TO_CA_CERT="/opt/consul-agent-ca.pem" PATH_TO_CA_KEY="/opt/consul-agent-ca-key.pem" APIGEE_MTLS_MULTI_DC_ENABLE="y" REGION="dc-1" MTLS_LOCAL_REGION_IP="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.132 10.126.0.133 10.126.0.104" MTLS_REMOTE_REGION_1_NAME="dc-2" MTLS_REMOTE_REGION_1_IP="10.126.0.106 10.126.0.105 10.126.0.95 10.126.0.102 10.126.0.100 10.126.0.112"
dc-2 Configuration File
ALL_IP="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.132 10.126.0.133 10.126.0.104 10.126.0.106 10.126.0.105 10.126.0.95 10.126.0.102 10.126.0.100 10.126.0.112" LDAP_MTLS_HOSTS="10.126.0.114 10.126.0.106" ZK_MTLS_HOSTS="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.106 10.126.0.105 10.126.0.95" CASS_MTLS_HOSTS="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.106 10.126.0.105 10.126.0.95" PG_MTLS_HOSTS="10.126.0.104 10.126.0.112" RT_MTLS_HOSTS="10.126.0.113 10.126.0.96 10.126.0.105 10.126.0.95" MS_MTLS_HOSTS="10.126.0.114 10.126.0.106" MP_MTLS_HOSTS="10.126.0.113 10.126.0.96 10.126.0.105 10.126.0.95" QP_MTLS_HOSTS="10.126.0.132 10.126.0.133 10.126.0.102 10.126.0.100" ENABLE_SIDECAR_PROXY="y" ENCRYPT_DATA="zRNQ9lhRySNTfegiLLLfIQ==" PATH_TO_CA_CERT="/opt/consul-agent-ca.pem" PATH_TO_CA_KEY="/opt/consul-agent-ca-key.pem" APIGEE_MTLS_MULTI_DC_ENABLE="y" REGION="dc-2" MTLS_LOCAL_REGION_IP="10.126.0.106 10.126.0.105 10.126.0.95 10.126.0.102 10.126.0.100 10.126.0.112" MTLS_REMOTE_REGION_1_NAME="dc-1" MTLS_REMOTE_REGION_1_IP="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.132 10.126.0.133 10.126.0.104"
For information about the standard configuration properties, see Step 1: Update your configuration file.
Test a multi-data center configuration
The raft list-peers
command displays a list of IP addresses that are defined in
MTLS_LOCAL_REGION_IP
, meaning they are located within the same data center.
The following examples show sample output from a raft list-peers
command:
[ec2-user]# consul operator raft list-peers Node ID Address State Voter RaftProtocol prc-test-1-2119 d1361917-b244-42 10.126.0.151:8300 leader true 3 prc-test-0-2119 fad66fc3-22a0-43 10.126.0.155:8300 follower true 3 prc-test-2-2119 78847b12-dd83-44 10.126.0.159:8300 follower true 3 prc-test-6-2119 60bb50ac-37b6-52 10.126.0.152:8300 leader true 3 prc-test-7-2119 515bbdfd-e968-53 10.126.0.147:8300 follower true 3 prc-test-8-2119 d869c9a5-b4f6-54 10.126.0.158:8300 follower true 3
Apigee mTLS has been tested on two data centers and is supported for two data centers only. You can, however, specify configurations of up to eight data centers by using the following properties:
MTLS_REMOTE_REGION_[2-8]_IP
MTLS_REMOTE_REGION_[2-8]_NAME
As previously stated, configurations of more than two data centers are not supported.