Set up a failover cluster

A failover cluster requires two Airlock Gateway instances:

  • One primary active node instance to handle the load during normal operation.
  • One failover passive node instance to take over the load in case the primary node is no longer responsive.

Remote activation of configuration modifications is possible via the Configuration Center and the Airlock Gateway REST API.

Procedure-related prerequisites

  • Configuration takes place in Airlock Gateway.
  • An Airlock Gateway license must be available for each Gateway instance.
  • You must be logged in as an admin in the Airlock Gateway Configuration Center.

Install and set up the primary active node and export configuration

  1. Install and configure an Airlock Gateway instance.
  2. Test and verify the functionality of your configuration.
  3. Go to:
    System Setup >> Nodes & Interfaces, section Failover Configuration.
  4. In the section Failover Configuration, create a failover configuration for each network interface that uses an external IP address (i.e., for each virtual host):
    1. Set the Private Failover IP Address (CIDR) (e.g., 10.0.0.1/30).
    2. Set the Mirror Failover IP Address (e.g., 10.0.0.2).
  5. Activate the configuration and verify that the Gateway works as required.
  6. The Gateway has been set up to operate as active node.
  7. Go to:
    Configuration Files, select Include private keys of certificates, and click the Export button to export the currently active configuration.
  8. The exported configuration file contains all settings and the private keys.
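
An added example (not part of the Airlock documentation) for step 4 above: a pre-activation check of the failover address pairs. It assumes that the Mirror Failover IP Address must be a distinct usable host in the same subnet as the Private Failover IP Address, and that failover subnets of different interfaces must not overlap; the interface names and the sample plan are constructed.

```python
import ipaddress

def check_failover_pair(private_cidr: str, mirror_ip: str) -> list[str]:
    """Return the problems found in one interface's failover address pair."""
    iface = ipaddress.ip_interface(private_cidr)  # e.g. 10.0.0.1/30
    mirror = ipaddress.ip_address(mirror_ip)      # e.g. 10.0.0.2
    net = iface.network
    if iface.version != mirror.version:
        return [f"{private_cidr} and {mirror_ip} are different IP versions"]
    problems = []
    if mirror not in net:
        problems.append(f"mirror {mirror} is outside {net}")
    if mirror == iface.ip:
        problems.append("mirror address equals the node's own failover address")
    # IPv4 prefixes shorter than /31 reserve the first and last address.
    if net.version == 4 and net.prefixlen < 31:
        for addr in (iface.ip, mirror):
            if addr in (net.network_address, net.broadcast_address):
                problems.append(f"{addr} is the network or broadcast address of {net}")
    return problems

def check_plan(plan: dict[str, tuple[str, str]]) -> dict[str, list[str]]:
    """Check every interface and flag overlapping failover subnets (assumed rule)."""
    report = {name: check_failover_pair(*pair) for name, pair in plan.items()}
    nets = [(name, ipaddress.ip_interface(pair[0]).network) for name, pair in plan.items()]
    for i, (first, first_net) in enumerate(nets):
        for second, second_net in nets[i + 1:]:
            if first_net.version == second_net.version and first_net.overlaps(second_net):
                report[second].append(
                    f"failover network {second_net} overlaps {first_net} on {first}")
    return report

# Constructed sample plan: interface name -> (Private Failover IP (CIDR), Mirror Failover IP)
PLAN = {
    "eth0": ("10.0.0.1/30", "10.0.0.2"),  # valid pair, as in the example values above
    "eth1": ("10.0.1.1/30", "10.0.1.6"),  # mirror lies outside the /30
    "eth2": ("10.0.0.3/30", "10.0.0.2"),  # broadcast address, and reuses eth0's subnet
}

if __name__ == "__main__":
    for name, problems in check_plan(PLAN).items():
        print(name, "OK" if not problems else "; ".join(problems))
```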

Install and set up the passive node and import configuration

  1. Install an Airlock Gateway instance.
  2. Go to:
    Configuration Files, import the configuration file of the active node Gateway instance and select Set up a Failover Cluster in the upcoming dialog.
  3. Activate the configuration on the Airlock Gateway.
  4. The Gateway has been set up to operate as passive node.

Transfer the passive node configuration into the active node

The following procedure takes place on the passive node:

  1. Go to:
    Configuration Files, select Include private keys of certificates, and click the Export button.
  2. The exported configuration file contains the private keys information and the IP failover addresses of both Gateways.

The following procedure takes place on the active node:

  1. Go to:
    Configuration, import the configuration file of the passive node Gateway instance.
  2. Activate the imported configuration.
  3. Both Gateway instances are now clustered and share the same set of private keys.

Remote configuration activation of the cluster

Remote configuration activation of the cluster is possible via Configuration Center and REST API, but can be limited depending on the cluster sync status. When a cluster is out of sync, the Gateway will enforce a configuration overwrite for activation.

A cluster will be out of sync for the following reasons:

  • After the initial setup.
  • After updating to a new Airlock Gateway version.
  • After one node has been activated locally.

Performing an overwrite will automatically re-sync the nodes and re-enable the merging option for upcoming remote activations.

To re-sync the cluster:

  1. Perform a remote activation of the cluster configuration. Choose overwrite.
  2. Both Gateway instances are now in sync.