
Points to Note When Building an HA Cluster with EXPRESSCLUSTER on AWS: AWS Virtual IP Resources

EXPRESSCLUSTER Official Blog

June 13th, 2022

Machine translation is used partially for this article. See the Japanese version for the original article.

Introduction

EXPRESSCLUSTER X supports operation on Amazon Web Services (hereinafter called "AWS"). This article introduces some points to note when building an HA cluster with EXPRESSCLUSTER.
Please refer to it when you use EXPRESSCLUSTER on AWS.

Contents

This time, we introduce some points to note when building an "HA cluster based on VIP control" on AWS. This article is written assuming you are using EXPRESSCLUSTER X 5.0.

HA Cluster Configuration

The following figure shows an HA cluster configuration of 2-node mirror disk type "HA cluster based on VIP control".

Diagram of HA Cluster configuration

By using AWS virtual IP resources, you can use a virtual IP address (hereinafter called "VIP") on AWS. Clients in the VPC can access a cluster node (Active) via Route Table (VIP).

* We publish a configuration guide for clustering on AWS. For more details, please refer to the following URL:
https://www.nec.com/en/global/prod/expresscluster/en/doc/guide.html

Point 1: Are IAM Role Settings Correct?

First, confirm that the IAM role settings assigned to the EC2 instances are correct.
This procedure requires an environment where the AWS CLI can be executed. It does not have to be run on a node where EXPRESSCLUSTER is installed.

Make a note in advance of the instance ID of each node (EC2 instance) on which EXPRESSCLUSTER is installed.
The following example assumes that the IAM role name is "expresscluster-role" and the policy name is "ExpressClusterPolicy".

Confirm the IAM Role

Confirm that the name of the IAM role attached to the node (Instance ID: i-0123456789abcdef0) where EXPRESSCLUSTER is installed is correct.

$ aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-0123456789abcdef0
{
    "IamInstanceProfileAssociations": [
        {
            "InstanceId": "i-0123456789abcdef0",
            "State": "associating", <- Confirm that the value of "State" is "associating" or "associated"
            "AssociationId": "iip-assoc-0123456789abcdef0",
            "IamInstanceProfile": {
                "Id": "AGJAJVQN4F5WVLGCJABCM",
                "Arn": "arn:aws:iam::123456789012:instance-profile/expresscluster-role"  <- Confirm that the attached IAM role name (e.g. expresscluster-role) is correct.
            }
        }
    ]
}

Confirm the IAM Policy

Confirm that the name of the IAM policy attached to the IAM role is correct.
(In the following example, one IAM policy is attached to an IAM role. However, in some cases, multiple IAM policies are attached to an IAM role.)

$ aws iam list-attached-role-policies --role-name expresscluster-role
{
    "AttachedPolicies": [
        {
            "PolicyName": "ExpressClusterPolicy", <- Confirm that the attached IAM policy name (e.g. ExpressClusterPolicy) is correct.
            "PolicyArn": "arn:aws:iam::123456789012:policy/ExpressClusterPolicy"
        }
    ]
}

An IAM policy is versioned. Therefore, confirm the version applied to the IAM policy.

$ aws iam get-policy --policy-arn "arn:aws:iam::123456789012:policy/ExpressClusterPolicy"
{
    "Policy": {
        "PolicyName": "ExpressClusterPolicy",
        "CreateDate": "2015-06-17T19:23:32Z",
        "AttachmentCount": "1",
        "IsAttachable": "true",
        "PolicyId": "Z27SI6FQMGNQ2EXAMPLE1",
        "DefaultVersionId": "v1", <- Confirm that the applied version is correct.
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:policy/ExpressClusterPolicy",
        "UpdateDate": "2015-06-17T19:23:32Z"
    }
}

Confirm that the IAM policy settings in the applied version are correct.

$ aws iam get-policy-version --policy-arn "arn:aws:iam::123456789012:policy/ExpressClusterPolicy" --version-id "v1" --query PolicyVersion.Document
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:Describe*", <- Permissions required for the AWS VIP resource to work
                "ec2:ReplaceRoute" <- Permissions required for the AWS VIP resource to work
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Note: If multiple policies are attached to the IAM role, confirm that the required permissions are granted across all of the policies combined.
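
The check described in the note above can be automated. The following is an added example, not part of the original article or of EXPRESSCLUSTER: it takes the policy documents returned by "aws iam get-policy-version ... --query PolicyVersion.Document" for every policy attached to the role and reports whether the two required permissions are granted across all of them. The function names and the sample documents are assumptions made for this illustration.

```python
import re

# Permissions the article lists as required for the AWS virtual IP resource.
REQUIRED = ["ec2:Describe*", "ec2:ReplaceRoute"]

def _as_list(value):
    """IAM accepts a single value wherever it accepts a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _covers(granted, required):
    """True if the `granted` action pattern covers all of `required`.

    IAM action names are case-insensitive; '*' and '?' are wildcards.
    A '*' in `required` becomes a probe string, so only a grant at least
    as broad as the required family is accepted.
    """
    regex = re.escape(granted.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    probe = required.lower().replace("*", "zzprobezz")
    return re.fullmatch(regex, probe) is not None

def check_role_policies(documents, required=REQUIRED):
    """Return {action: 'allowed' | 'denied' | 'missing'} over all documents.

    Only Effect and Action are evaluated. Resource, Condition and NotAction
    are ignored (assumption of this sketch), so 'allowed' is a necessary
    condition, not a sufficient one.
    """
    result = {action: "missing" for action in required}
    for doc in documents:
        for stmt in _as_list(doc.get("Statement")):
            patterns = [p for p in _as_list(stmt.get("Action")) if isinstance(p, str)]
            for action in required:
                if stmt.get("Effect") == "Deny":
                    # An explicit Deny that overlaps the action always wins.
                    if any(_covers(p, action) or _covers(action, p) for p in patterns):
                        result[action] = "denied"
                elif stmt.get("Effect") == "Allow" and result[action] == "missing":
                    if any(_covers(p, action) for p in patterns):
                        result[action] = "allowed"
    return result

# Constructed samples: the article's policy document and a narrower one.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": ["ec2:Describe*", "ec2:ReplaceRoute"], "Resource": "*", "Effect": "Allow"}]}
NARROW_POLICY = {"Version": "2012-10-17", "Statement": {
    "Action": "ec2:DescribeVpcs", "Resource": "*", "Effect": "Allow"}}

if __name__ == "__main__":
    print(check_role_policies([PAGE_POLICY, NARROW_POLICY]))
```

A result of "missing" or "denied" for either action means the role cannot perform it with the evaluated policies.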

Point 2: Is Python Installed Correctly?

The AWS virtual IP resource uses Python. Therefore, confirm that Python works correctly with the following steps.
Execute the following steps on all nodes where EXPRESSCLUSTER is installed.

Confirm Version of Python

For Windows, log in as the Administrator user and execute the following command:

C:\Users\Administrator>python --version
Python 3.10.4  <- Confirm that the version number of Python is 2.7.5 or later, or 3.6.7 or later.

For Linux, log in as the root user and execute the following command:

# python --version
Python 3.7.10 <- Confirm that the version number of Python is 2.7.5 or later, or 3.5.2 or later.

Confirm Value of Environment Variable (path)

For Windows, AWS virtual IP resources work with SYSTEM privileges. Therefore, the path to python.exe must be registered in the PATH system environment variable.

C:\Users\Administrator>where python
C:\Python310\python.exe <- Confirm that the path to python.exe is correct

C:\Users\Administrator>wmic environment where (name='PATH' and SystemVariable='TRUE') get VariableValue <- Execute this command to display the PATH system environment variable
VariableValue

C:\Program Files\EXPRESSCLUSTER\bin;C:\Program Files\EXPRESSCLUSTER\runtime\x64;C:\Program Files\EXPRESSCLUSTER\runtime\x86;C:\Python310\Scripts\;C:\Python310\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Amazon\cfn-bootstrap\;C:\Program Files\Amazon\AWSCLI\bin\  <- Confirm that the path to python.exe (C:\Python310) is registered in the PATH system environment variable

For Linux, python must be under the default PATH (/sbin, /bin, /usr/sbin, or /usr/bin).

# which python
/usr/bin/python <- Confirm that python exists under the default PATH (/sbin, /bin, /usr/sbin, or /usr/bin).

Point 3: Does AWS CLI Work Correctly?

The AWS virtual IP resource executes the AWS CLI for activation.
Therefore, confirm that the AWS CLI is installed correctly with the following steps.
Execute the following steps on all nodes where EXPRESSCLUSTER is installed.

Confirm Version of AWS CLI

For Windows, execute the following command to confirm the version number of the AWS CLI.

C:\Users\Administrator>aws --version
aws-cli/1.22.93 Python/3.10.4 Windows/10 exec-env/EC2 botocore/1.24.38 <- Confirm that the version number of aws-cli is 1.6 or later.

For Linux, execute the following command to confirm the version number of the AWS CLI.

# aws --version
aws-cli/1.18.147 Python/2.7.18 Linux/5.10.109-104.500.amzn2.x86_64 botocore/1.18.6  <- Confirm that the version number of aws-cli is 1.6 or later.

Confirm Value of Environment Variable (path)

For Windows, AWS virtual IP resources work with SYSTEM privileges. Therefore, the path to aws.exe must be registered in the PATH system environment variable.

C:\Users\Administrator>where aws
C:\Program Files\Amazon\AWSCLI\aws.exe <- Confirm that the path to aws.exe is correct

C:\Users\Administrator>wmic environment where (name='PATH' and SystemVariable='TRUE') get VariableValue <- Execute this command to display the PATH system variable.
VariableValue

C:\Program Files\EXPRESSCLUSTER\bin;C:\Program Files\EXPRESSCLUSTER\runtime\x64;C:\Program Files\EXPRESSCLUSTER\runtime\x86;C:\Python310\Scripts\;C:\Python310\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Amazon\cfn-bootstrap\;C:\Program Files\Amazon\AWSCLI\Bin  <- Confirm that the path to aws.exe (C:\Program Files\Amazon\AWSCLI) is registered in the PATH system variable

For Linux, aws must be under the default PATH (/sbin, /bin, /usr/sbin, /usr/bin, or /usr/local/bin).

# which aws
/usr/bin/aws <- Confirm that aws is under the default PATH (/sbin, /bin, /usr/sbin, /usr/bin, or /usr/local/bin).

Set Up the AWS CLI

Execute the following command to confirm that the region specification is correct in the AWS CLI settings.

For Windows (execute as "Administrator"),

C:\Users\Administrator>aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************ABCD         iam-role                     <- Confirm that "iam-role" is set in the "Type" column of the "access_key" row
secret_key     ****************ABCD         iam-role                     <- Confirm that "iam-role" is set in the "Type" column of the "secret_key" row
    region                us-east-1      config-file    ~/.aws/config    <- Confirm the value of the AWS region you are using appears in the "Value" column of the "region" row

For Linux (execute as "root"),

# aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************ABCD         iam-role                     <- Confirm that "iam-role" is set in the "Type" column of the "access_key" row
secret_key     ****************ABCD         iam-role                     <- Confirm that "iam-role" is set in the "Type" column of the "secret_key" row
    region                us-east-1      config-file    ~/.aws/config    <- Confirm the value of the AWS region you are using appears in the "Value" column of the "region" row
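
The three confirmations on the "aws configure list" output can be scripted and run on every node. The following is an added example, not part of the original article or of EXPRESSCLUSTER; the function names and the second sample are assumptions constructed for illustration. A "Type" other than "iam-role" means the CLI found credentials in an environment variable or a credentials file, and those take precedence over the IAM role attached to the instance.

```python
def parse_configure_list(text):
    """Parse `aws configure list` output into {name: (value, type, location)}."""
    rows = {}
    for line in text.splitlines():
        # "<not set>" is the only value containing a space; protect it, then
        # split on whitespace (a long Type can sit one space after the Value).
        fields = line.replace("<not set>", "<not-set>").split(None, 3)
        if len(fields) < 3 or fields[0] in ("Name", "----"):
            continue
        fields += [""] * (4 - len(fields))  # Location is empty for iam-role rows
        rows[fields[0]] = tuple(fields[1:4])
    return rows

def audit_configure_list(text, expected_region):
    """Return a list of findings; an empty list means all checks passed."""
    rows = parse_configure_list(text)
    findings = []
    for key in ("access_key", "secret_key"):
        source = rows.get(key, ("<not-set>", "None", ""))[1]
        if source != "iam-role":
            findings.append(f"{key}: Type is '{source}', expected 'iam-role'")
    region = rows.get("region", ("<not-set>", "None", ""))[0]
    if region != expected_region:
        findings.append(f"region: '{region}', expected '{expected_region}'")
    return findings

# Output as shown in the article (annotations removed).
GOOD = """\
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************ABCD         iam-role
secret_key     ****************ABCD         iam-role
    region                us-east-1      config-file    ~/.aws/config
"""
# Constructed sample: static keys in a credentials file and no region set.
BAD = """\
   profile                <not set>             None    None
access_key     ****************WXYZ shared-credentials-file
secret_key     ****************WXYZ shared-credentials-file
    region                <not set>             None    None
"""

if __name__ == "__main__":
    print(audit_configure_list(GOOD, "us-east-1"))
    print(audit_configure_list(BAD, "us-east-1"))
```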

Confirm the Operation of the AWS CLI

Execute the following command to confirm that the VPC information is displayed. Make a note of the VPC ID of your VPC in advance.

Confirm that you can use the AWS CLI to get the information for the VPC (e.g. VPC ID: vpc-01234567) in which the nodes (EC2 instances) with EXPRESSCLUSTER installed are located.

For Windows, the execution command and result are as follows.

C:\Users\Administrator>aws ec2 describe-vpcs --vpc-ids vpc-01234567
{
    "Vpcs": [
        {
            "VpcId": "vpc-01234567",
            "InstanceTenancy": "default",
            "Tags": [
                {
                    "Value": "MyVPC",
                    "Key": "Name"
                }
            ],
            "State": "available",
            "DhcpOptionsId": "dopt-01234567",
            "CidrBlock": "10.0.0.0/16",
            "IsDefault": false
        }
    ]
}

For Linux, the execution command and result are as follows.

# aws ec2 describe-vpcs --vpc-ids vpc-01234567
{
    "Vpcs": [
        {
            "VpcId": "vpc-01234567",
            "InstanceTenancy": "default",
            "Tags": [
                {
                    "Value": "MyVPC",
                    "Key": "Name"
                }
            ],
            "State": "available",
            "DhcpOptionsId": "dopt-01234567",
            "CidrBlock": "10.0.0.0/16",
            "IsDefault": false
        }
    ]
}

If you wait more than a minute and do not get a response, the node may have lost its communication path to the Internet. In that case, confirm that your network settings are correct.

Confirm the Operation of the AWS Virtual IP Resource

After checking the above three points, you can try starting the AWS virtual IP resource.
Start the "Failover group" or the "AWS virtual IP resource", then confirm that the green icon appears.
Next, try moving the "Failover group" between servers. If you see green icons on the other server instance, you can conclude that they are working properly.

Conclusion

This time, we introduced frequently asked questions (including mistakes that developers inadvertently make when building the environment). How did you like it?

If you are considering introducing the configuration described in this article, you can validate it with the trial module of EXPRESSCLUSTER. Please do not hesitate to contact us if you have any questions.