Configure multiple data centers for Apigee mTLS

Apigee mTLS supports multiple data centers so that you can scale your configuration to include more complex topologies such as a 12-node clustered installation.

The installation process for mTLS on a multi-data center topology is the same as it is for simpler topologies. However, you must ensure that your installation meets the prerequisites and that you change your configuration files as described in the sections that follow.

Prerequisites

To use Apigee mTLS with multiple data centers, you must:

  • Uninstall apigee-mtls and reinstall it with the multiple data center configuration. You cannot modify an existing configuration. For more information, see Change an existing apigee-mtls configuration.
  • Open port 8302 on every host that is running mTLS.
  • Ensure that all mTLS cluster members have unique IP addresses, which are consistent for all members of the cluster.
  • When specifying configuration files, use absolute paths in your commands where ambiguity might exist.
  • Add multi-data center configuration properties, as described in Configuration files for multiple data centers.

Configuration files for multiple data centers

To use Apigee mTLS with multiple data centers, you create a separate configuration file for each data center.

In each of the configuration files:

  1. Change the value of the ALL_IP configuration property to include all host IP addresses in all regions.
  2. Ensure that the value of the REGION property is the name of the current region or data center. For example, "dc-1".
  3. Add the following properties:
    Property Description
    APIGEE_MTLS_MULTI_DC_ENABLE Whether or not you are using a multi-data center configuration. Set to "y" if you are configuring multiple data centers. Otherwise, omit or set to "n". The default is omitted.
    MTLS_LOCAL_REGION_IP A space-delimited list of all IP addresses used by the current region that you are configuring. For example, "10.0.0.1 10.0.0.2 10.0.0.3".

    For the second region in the configuration, use the MTLS_REMOTE_REGION_1_IP property.

    MTLS_REMOTE_REGION_1_NAME The name of the second region in a multi-data center configuration. For example, "dc-2".

    In the second region's configuration file, you'll use "dc-2" for REGION and "dc-1" for MTLS_REMOTE_REGION_1_NAME.

    MTLS_REMOTE_REGION_1_IP A space delimited list of all IP addresses used by the second region in a multi-data center configuration. For example, "10.0.0.4 10.0.0.5 10.0.0.6".

The following examples show the configuration files for two data centers ("dc-1" and "dc-2"). Properties that are specific to a multi-data center configuration are highlighted):

dc-1 Configuration File

ALL_IP="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.132 10.126.0.133 10.126.0.104 10.126.0.106 10.126.0.105 10.126.0.95 10.126.0.102 10.126.0.100 10.126.0.112"
LDAP_MTLS_HOSTS="10.126.0.114 10.126.0.106"
ZK_MTLS_HOSTS="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.106 10.126.0.105 10.126.0.95"
CASS_MTLS_HOSTS="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.106 10.126.0.105 10.126.0.95"
PG_MTLS_HOSTS="10.126.0.104 10.126.0.112"
RT_MTLS_HOSTS="10.126.0.113 10.126.0.96 10.126.0.105 10.126.0.95"
MS_MTLS_HOSTS="10.126.0.114 10.126.0.106"
MP_MTLS_HOSTS="10.126.0.113 10.126.0.96 10.126.0.105 10.126.0.95"
QP_MTLS_HOSTS="10.126.0.132 10.126.0.133 10.126.0.102 10.126.0.100"
ENABLE_SIDECAR_PROXY="y"
ENCRYPT_DATA="zRNQ9lhRySNTfegiLLLfIQ=="
PATH_TO_CA_CERT="/opt/consul-agent-ca.pem"
PATH_TO_CA_KEY="/opt/consul-agent-ca-key.pem"

APIGEE_MTLS_MULTI_DC_ENABLE="y"
REGION="dc-1"
MTLS_LOCAL_REGION_IP="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.132 10.126.0.133 10.126.0.104"
MTLS_REMOTE_REGION_1_NAME="dc-2"
MTLS_REMOTE_REGION_1_IP="10.126.0.106 10.126.0.105 10.126.0.95 10.126.0.102 10.126.0.100 10.126.0.112"

dc-2 Configuration File

ALL_IP="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.132 10.126.0.133 10.126.0.104 10.126.0.106 10.126.0.105 10.126.0.95 10.126.0.102 10.126.0.100 10.126.0.112"
LDAP_MTLS_HOSTS="10.126.0.114 10.126.0.106"
ZK_MTLS_HOSTS="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.106 10.126.0.105 10.126.0.95"
CASS_MTLS_HOSTS="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.106 10.126.0.105 10.126.0.95"
PG_MTLS_HOSTS="10.126.0.104 10.126.0.112"
RT_MTLS_HOSTS="10.126.0.113 10.126.0.96 10.126.0.105 10.126.0.95"
MS_MTLS_HOSTS="10.126.0.114 10.126.0.106"
MP_MTLS_HOSTS="10.126.0.113 10.126.0.96 10.126.0.105 10.126.0.95"
QP_MTLS_HOSTS="10.126.0.132 10.126.0.133 10.126.0.102 10.126.0.100"
ENABLE_SIDECAR_PROXY="y"
ENCRYPT_DATA="zRNQ9lhRySNTfegiLLLfIQ=="
PATH_TO_CA_CERT="/opt/consul-agent-ca.pem"
PATH_TO_CA_KEY="/opt/consul-agent-ca-key.pem"

APIGEE_MTLS_MULTI_DC_ENABLE="y"
REGION="dc-2"
MTLS_LOCAL_REGION_IP="10.126.0.106 10.126.0.105 10.126.0.95 10.126.0.102 10.126.0.100 10.126.0.112"
MTLS_REMOTE_REGION_1_NAME="dc-1"
MTLS_REMOTE_REGION_1_IP="10.126.0.114 10.126.0.113 10.126.0.96 10.126.0.132 10.126.0.133 10.126.0.104"

For information about the standard configuration properties, see Step 1: Update your configuration file.

Test a multi-data center configuration

The raft list-peers command displays a list of IP addresses that are defined in MTLS_LOCAL_REGION_IP, meaning they are located within the same data center.

The following examples show sample output from a raft list-peers command:

[ec2-user]# consul operator raft list-peers

Node              ID                Address            State     Voter  RaftProtocol
prc-test-1-2119   d1361917-b244-42  10.126.0.151:8300  leader    true   3
prc-test-0-2119   fad66fc3-22a0-43  10.126.0.155:8300  follower  true   3
prc-test-2-2119   78847b12-dd83-44  10.126.0.159:8300  follower  true   3
prc-test-6-2119   60bb50ac-37b6-52  10.126.0.152:8300  leader    true   3
prc-test-7-2119   515bbdfd-e968-53  10.126.0.147:8300  follower  true   3
prc-test-8-2119   d869c9a5-b4f6-54  10.126.0.158:8300  follower  true   3

Apigee mTLS has been tested on two data centers. You can, however, specify configurations of up to 17 data centers by using the following properties:

  • MTLS_REMOTE_REGION_[1-17]_IP
  • MTLS_REMOTE_REGION_[1-17]_NAME