
Best Practices from Oracle Development's A‑Team

  • June 19, 2020

See How Easily You Can Deploy App Gateway with HA

Introduction

The App Gateway is an appliance from Identity Cloud Service (IDCS) that acts as a reverse proxy to your downstream applications.  In a nutshell, downstream applications can receive headers and/or an IDCS User token to consume. This post describes how to configure the App Gateway behind a Load Balancer (LBR) from Oracle Cloud Infrastructure (OCI).  Why would you do this? For the same reason you may want to deploy multiple applications/servers: High Availability (HA).

 

Configuration

Deploy App Gateway

Before setting up an LBR in OCI, we first need to create at least two compute nodes of the App Gateway appliance.

You can read about setting up the App Gateway in the posts from my colleague Tim Melander: Part 1 and Part 2.  Part 2 has the specific instructions on how to install/configure App Gateway; make sure that the host name you provide points to the LBR.  You may have to create a DNS entry for your domain to point to the LBR; you can read more about setting up the LBR and DNS here.

Keep in mind that once you've configured the App Gateway in IDCS you can use that same configuration artifact for both instances of App Gateway that you install.  There is no need to create another App Gateway configuration in IDCS, which is helpful as you will only have a single management item to configure.

Setting up a Load Balancer

So now let's go and set up a load balancer in OCI.  Click on the "hamburger" menu on the top left, select Networking->Load Balancers, and then select 'Create Load Balancer'.

Let's set up a basic public load balancer.  Here I selected a Small Public Load Balancer using my existing VCN and public subnet.

 

On the Choose Backends screen, add the backend compute nodes you created for App Gateway, or do this later once the LBR is created. Notice the URL Path for the health check; this URL should return an HTTP status code of 200.  That is how the Load Balancer knows the state of the App Gateway appliance.

 

Now let's configure a Listener.  In production we recommend that you set up HTTPS, so you will need to import a certificate.

 

Now that we have SSL terminating at the Load Balancer, we will need to pass in a header so that the App Gateway knows that these requests originated as HTTPS.  This is described in the documentation here.

First we need to create a Rule Set. 

 

The Rule Set should state that a header named 'is_ssl' will have the value of 'ssl'.

Now let's add the Rule Set to the Listener. For every request coming from the LBR, a header 'is_ssl' will be passed to the App Gateway.

 

That's it!  You now have HA for App Gateway.

 

Summary

You can see how simple it is to set up HA for the App Gateway.  Some helpful tips:

  1. Create a custom image from the App Gateway vmdk file.
    • Use the custom image to create as many compute nodes as you need.
  2. The App Gateway compute node should only be on a private subnet.
    • The LBR can communicate with the compute nodes' private IPs.
  3. Create an 'HTTP' LBR for testing; always use HTTPS (SSL) in production.
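
The settings this post relies on (a health check that expects 200, the 'is_ssl: ssl' rule set on the HTTPS listener, at least two backends on private addresses) can be checked in one pass. The script below is an added example, not part of the original post or any Oracle code. The key names are assumed to follow `oci lb load-balancer get` output, and the sample data, including the certificate name and health path, is constructed.

```python
import ipaddress

# Constructed sample shaped like `oci lb load-balancer get` output; the key
# names and every value are assumptions for illustration.
SAMPLE_LB = {
    "listeners": {
        "https": {"ssl-configuration": {"certificate-name": "example-cert"}, "rule-set-names": ["appgw_ssl"]},
        "test": {"ssl-configuration": None, "rule-set-names": []},
    },
    "rule-sets": {"appgw_ssl": {"items": [
        {"action": "ADD_HTTP_REQUEST_HEADER", "header": "is_ssl", "value": "ssl"}]}},
    "backend-sets": {"appgw": {
        "health-checker": {"url-path": "/example-health", "return-code": 200},
        "backends": [{"ip-address": "10.0.1.11"}, {"ip-address": "203.0.113.7"}]}},
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def adds_is_ssl(lb, listener):
    """True if a rule set attached to the listener adds the header is_ssl: ssl."""
    for name in listener.get("rule-set-names") or []:
        for item in lb.get("rule-sets", {}).get(name, {}).get("items", []):
            if (item.get("action") == "ADD_HTTP_REQUEST_HEADER"
                    and item.get("header", "").lower() == "is_ssl"
                    and item.get("value") == "ssl"):
                return True
    return False

def audit(lb):
    """Return findings for the load balancer settings this post relies on."""
    findings = []
    for name, lsn in lb.get("listeners", {}).items():
        tls = bool(lsn.get("ssl-configuration"))
        if not tls:
            findings.append(f"listener {name}: no certificate, testing only")
        if tls != adds_is_ssl(lb, lsn):
            findings.append(f"listener {name}: is_ssl header does not match TLS state")
    for name, bs in lb.get("backend-sets", {}).items():
        if bs.get("health-checker", {}).get("return-code") != 200:
            findings.append(f"backend set {name}: health check must expect 200")
        if len(bs.get("backends", [])) < 2:
            findings.append(f"backend set {name}: fewer than two App Gateway nodes")
        for b in bs.get("backends", []):
            ip = ipaddress.ip_address(b["ip-address"])
            if not any(ip in net for net in RFC1918):
                findings.append(f"backend {ip}: not an RFC 1918 private address")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_LB)) or "no findings")
```

The mismatch check works in both directions: it flags an HTTPS listener that lacks the rule set and a plain HTTP listener that would tell the App Gateway its requests arrived over HTTPS.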
