Configure High Availability
Access Gateway High Availability is a single admin node that maintains and propagates configuration changes to worker nodes. You can also use it as a regular admin node, and route requests from your load balancer to it.
You provision an admin node and designate it as High Availability. Next, you provision worker nodes and attach them to the High Availability admin node. These worker nodes obtain all configurations from this admin node, and you don't configure apps on them.
You can only access worker nodes that are part of a High Availability cluster using the Access Gateway Management console. The Access Gateway Admin UI console is only available on admin nodes and nodes that haven't been configured as worker nodes.
This architecture diagram shows the admin node passing configuration updates to the worker nodes.
The admin node also receives requests from the load balancer, like the worker nodes. You can remove it from the load balancer configuration if you don't want it to receive requests.
Overview of the configuration steps
Configuring a High Availability cluster includes these steps:
- Configure an admin node normally.
- Configure a worker node without any apps.
- Prepare the admin node for the addition of worker nodes, using the Access Gateway Management console.
- Prepare the worker node to become part of the High Availability cluster, using the Access Gateway Management console.
- Integrate the worker node into the high-availability cluster. This step happens automatically. The worker node exchanges keys with the admin node, and receives the configuration from the admin node. The worker node's Access Gateway Admin UI console is disabled.
Configuration steps
Follow these steps to configure a High Availability cluster:
- Reset the key associated with an Access Gateway node: Reset the keys in both the admin node and the worker node.
- Add a worker node to a High Availability cluster: Add worker nodes to the cluster.
- Verify the cluster configuration: Review the final configuration and verify that it works as intended.
Reset the key associated with an Access Gateway node
Access Gateway nodes use various keys to communicate. You must reset the keys if you want to use an instance as a part of an Access Gateway High Availability cluster.
You only need to reset the keys once per instance.
- Connect to the Access Gateway Management console.
  ssh oag-mgmt@[admin or worker]
- Select 5 - System.
- Select 1 - Change Hostname and follow the steps in Change Hostname. Ensure that you update the hostname for both the admin and worker nodes before you configure High Availability. If you update a hostname after you configure High Availability, you must remove the node and add it again. See Remove a worker node from an Access Gateway cluster. You can skip this step if you already set the hostname during deployment.
- Return to the 5 - System menu.
- Select 8 - High Availability.
- Select 1 - Reset Key.
- Enter y to reset the keys being used by the High Availability sync process or N to abort the reset process.
- Enter x to exit or any other menu item to continue.
Add a worker node to a High Availability cluster
Verify that the admin and the worker nodes meet the following requirements:
- The nodes have already been provisioned.
- The nodes are reachable using Secure Shell.
- The nodes have had their keys reset. See Reset the key associated with an Access Gateway node.
When you prepare workers, ensure that you're connected to a worker node and not an admin. Running the prepare worker operation on the cluster admin node makes the Access Gateway Admin UI console inoperable. Access Gateway versions 2021.11.2 and later prohibit this operation. Reset the nodes that you previously used as admins before you reuse them as workers. See Reset Access Gateway: command line.
- Perform these tasks on the admin node:
  - Connect to the Access Gateway Management console.
    ssh oag-mgmt@[admin.tld]
  - Select 5 - System.
  - Select 8 - High Availability.
  - Select 2 - Prepare Admin.
  - The admin node generates and displays an authorization token, which you provide to the worker node. Copy the authorization token to a secure location, such as a secure notes app.
  - The admin node waits for connections from worker nodes. Leave the window open until all worker nodes have connected. Entering X prematurely causes the admin node to end the process and stop listing worker node additions. Enter X only after all worker nodes have appeared in the window.
  - Return to the command prompt on the worker node that you're attaching.
- Perform these tasks on each worker node:
  - Connect to the Access Gateway Management console.
    ssh oag-mgmt@[worker.tld]
  - Select 5 - System.
  - Select 8 - High Availability.
  - Select 3 - Prepare Worker.
  - Paste the token into the Access Gateway Management console window. The worker node connects to the admin node and completes the authorization.
  - Press any key to continue. The worker instance is ready for use.
  - Enter X to exit.
- Perform these tasks on the admin node:
  - Verify that the worker nodes have been added. Return to the admin node's Access Gateway Management console. View the results of adding the new worker node. Each worker should appear in the list, similar to this example:
    Authorization token required to initiate setup from worker nodes is given below.
    Copy the text below this line and paste it on worker node when prompted.
    <admin...com>:927da506-xxxx-4520-xxxx-dd03b86f2a9b
    Worker nodes available so far:
    <worker1...com>
    <worker2...com>
    <worker3...com>
  - Enter X to exit.
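The following is an added example, not part of the original page or of Access Gateway itself: a check, run on text copied from the Prepare Admin window, that every expected worker has registered before you enter X, plus a helper that masks the token before the text is shared. It assumes the output has one value per line as in the example above; the hostnames and token in the sample are constructed placeholders.

```python
import re

# Constructed sample modelled on the Prepare Admin output shown on this page;
# the hostnames and token are placeholders, not real values.
SAMPLE = """\
Authorization token required to initiate setup from worker nodes is given below.
Copy the text below this line and paste it on worker node when prompted.
admin.example.com:00000000-0000-4000-8000-000000000000
Worker nodes available so far:
worker1.example.com
worker2.example.com
"""

TOKEN_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<token>[0-9a-fA-F-]{36})$")
HOST_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
MARKER = "Worker nodes available so far:"


def parse_prepare_admin(text):
    """Return (admin_host, token, registered_workers) from pasted console text."""
    admin_host = token = None
    workers, in_list = [], False
    for raw in text.splitlines():
        line = raw.strip().strip("<>")  # tolerate <host> style brackets
        m = TOKEN_RE.match(line)
        if m and token is None:
            admin_host, token = m["host"].lower(), m["token"]
        elif line == MARKER:
            in_list = True
        elif in_list and HOST_RE.match(line):
            workers.append(line.lower())
    if token is None:
        raise ValueError("no authorization token line found")
    return admin_host, token, workers


def missing_workers(text, expected):
    """Expected workers not yet listed; an empty result means X is safe to enter."""
    _, _, seen = parse_prepare_admin(text)
    return sorted({h.lower() for h in expected} - set(seen))


def redact(text):
    """Mask the token so the output can be pasted into a ticket or chat."""
    return "\n".join(
        TOKEN_RE.sub(lambda m: m["host"] + ":<redacted>", l.strip().strip("<>"))
        for l in text.splitlines()
    )
```
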
Verify the cluster configuration
- Connect to the Access Gateway Management console.
  ssh oag-mgmt@[admin or worker]
- Select 5 - System.
- Select 8 - High Availability.
- Select 6 - Check Status. This option shows the latest status of the cluster only after there's a configuration change or when the NGINX engine is restarted. If newly added nodes don't appear, perform any Access Gateway Admin UI console function or restart the NGINX engine. See the NGINX sub-menu in the Access Gateway Management console Services section. A list of cluster instances appears. Pass indicates that the node is reachable and functioning. Fail indicates that the node is non-functional. See the node log for more information.
- Enter x to exit.