Deploying DTS Behind Application Load Balancers

DRAFT

The DTS feature of Percussion is a set of dynamic micro applications that listen to AJAX requests from statically published content. AWS allows for multiple deployment scenarios that can be used to obtain optimal scalability and fault tolerance for your website. This scenario provides a failover DTS using Amazon's HTTP/HTTPS Application Load Balancers.

Virtual Private Cloud (VPC)

This post assumes that you have declared a VPC with a CIDR allowing multiple subnets. Keep in mind, when defining subnets to isolate services and applications, that each Amazon Application Load Balancer will consume 8 IP addresses. To future-proof the deployment, we recommend allocating a minimum address space of 59 (subnet mask /26) to allow for growth.

Application Load Balancer

Key Settings:

  • Internet Facing
  • Protocol: HTTPS
  • Port: 443
  • Encryption: TLS 1.2
  • Target Group: DTS Target Group
  • Security Group: DTS Security Group
  • Subnets/Zones: Minimum of 2 zones & 2 subnets
  • DNS: host name of this ALB is the Origin for the public DTS hostname

Target Group

Key Settings:

  • Protocol: HTTPS
  • Port 443 -> 8443
  • Encryption: TLS 1.2
  • Instances:
    • Minimum of 2 EC2 targets deployed in zones specified in ALB configuration

EC2

Windows or Linux instances deployed with Percussion DTS.

Key Settings:

  • Security group must allow the CM1 instance and the Application Load Balancer on port 8443
  • Memory: Minimum of 2GB RAM for DTS Linux, 4GB Windows
  • Config: out-of-the-box self-signed SSL certificate
  • Port: 8443
  • Instances: 1 in each zone
  • Database: one RDS database (MySQL or MSSQL) shared by all instances
    • conf/perc/perc-datasources.properties
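
The ALB, Target Group and EC2 settings above, expressed as Terraform. This is an added example, not Percussion's own configuration. It assumes hypothetical values: a VPC of 10.0.0.0/16 in us-east-1, two DTS EC2 instances and a CM1 security group that already exist and are passed in as variables, and an ACM certificate for the public DTS hostname; the health-check path is a placeholder to be pointed at a DTS URL that returns 200.

```hcl
# Added example, not Percussion's own configuration: Terraform for the layout above.
# Assumptions (hypothetical values): VPC 10.0.0.0/16 in us-east-1, the two DTS
# instances and the CM1 security group already exist, an ACM certificate exists.

variable "vpc_id"                { type = string }
variable "acm_certificate_arn"   { type = string }
variable "cm1_security_group_id" { type = string }
variable "dts_instance_ids"      { type = map(string) } # zone => instance id, one per zone

# One /26 per zone: 64 addresses, 59 usable after the 5 AWS reserves, which covers
# the 8 the ALB consumes and leaves room for growth.
resource "aws_subnet" "alb" {
  for_each          = { "us-east-1a" = "10.0.0.0/26", "us-east-1b" = "10.0.0.64/26" }
  vpc_id            = var.vpc_id
  availability_zone = each.key
  cidr_block        = each.value
}

# ALB security group: HTTPS from the Internet, nothing else inbound.
resource "aws_security_group" "alb" {
  name   = "dts-alb-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# DTS security group: 8443 only from the ALB and the CM1 instance, never from the Internet.
resource "aws_security_group" "dts" {
  name   = "dts-instance-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 8443
    to_port         = 8443
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id, var.cm1_security_group_id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lb" "dts" {
  name               = "dts-alb"
  internal           = false # Internet facing
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = [for s in aws_subnet.alb : s.id] # two zones, two subnets
}

# TLS is terminated on 443 and re-encrypted to the instances on 8443. The ALB does
# not validate the target certificate, so the self-signed DTS certificate is accepted.
resource "aws_lb_target_group" "dts" {
  name        = "dts-tg"
  vpc_id      = var.vpc_id
  protocol    = "HTTPS"
  port        = 8443
  target_type = "instance"
  health_check {
    protocol = "HTTPS"
    path     = "/" # assumption: point at a DTS URL that answers 200
  }
}

resource "aws_lb_target_group_attachment" "dts" {
  for_each         = var.dts_instance_ids
  target_group_arn = aws_lb_target_group.dts.arn
  target_id        = each.value
  port             = 8443
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.dts.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.2 minimum
  certificate_arn   = var.acm_certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.dts.arn
  }
}

output "dts_origin_hostname" {
  value = aws_lb.dts.dns_name # CNAME the public DTS hostname to this value
}
```

Two points worth checking in a review of this layout: the DTS security group takes its 8443 rule from the ALB and CM1 security groups rather than from CIDR ranges, so an instance that is not behind the ALB cannot reach the DTS port, and nothing in the ALB security group exposes 8443 to the Internet. Because the ALB does not verify the certificate presented on 8443, the confidentiality of that hop rests on the VPC network boundary, not on the self-signed certificate.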

CloudFront (Optional)

Most DTS requests are read-only and cacheable. For sites that do not use the writable DTS features but rely mainly on the metadata services (Page Auto List, Blog List, etc.), configuring CloudFront in front of the ALB can serve DTS requests from edge locations with good performance and minimize load on the DTS cluster.

  • Origin: Application Load Balancer
  • Port: 443
  • HTTP redirects to HTTPS
  • Cache (at your option)
  • Forward query strings
  • Whitelist headers: Host header
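
The CloudFront settings listed above as a Terraform distribution resource. This is an added example, not Percussion's own configuration; it assumes the ALB DNS name, a public DTS hostname and an ACM certificate ARN issued in us-east-1 (which CloudFront requires) are supplied as variables, and the TTL values are placeholders for the "at your option" cache setting.

```hcl
# Added example, not Percussion's own configuration: CloudFront in front of the DTS ALB.
# Assumptions: ALB DNS name, public hostname and a us-east-1 ACM certificate are inputs.

variable "alb_dns_name"        { type = string } # output of the ALB configuration
variable "dts_public_hostname" { type = string } # e.g. "dts.example.com" (hypothetical)
variable "cloudfront_cert_arn" { type = string } # ACM certificate in us-east-1

resource "aws_cloudfront_distribution" "dts" {
  enabled = true
  aliases = [var.dts_public_hostname]

  # Origin: the Application Load Balancer on 443, HTTPS only, TLS 1.2.
  origin {
    domain_name = var.alb_dns_name
    origin_id   = "dts-alb"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "dts-alb"
    viewer_protocol_policy = "redirect-to-https" # HTTP redirects to HTTPS
    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods         = ["GET", "HEAD"]     # only read-only requests are cached

    # DTS list requests are keyed on the query string, and the ALB needs the
    # original Host header to serve the public DTS hostname.
    forwarded_values {
      query_string = true
      headers      = ["Host"]
      cookies {
        forward = "none"
      }
    }

    # Cache "at your option": placeholder TTLs in seconds; set all three to 0 to disable.
    min_ttl     = 0
    default_ttl = 60
    max_ttl     = 300
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = var.cloudfront_cert_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}
```

Forwarding the Host header has two consequences to keep in mind: the ALB listener's certificate must cover the public DTS hostname rather than only the ALB's own DNS name, and CloudFront includes the forwarded header in its cache key, so responses are cached per hostname.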

WAF (Optional)

Amazon's Web Application Firewall (WAF) service can be used to protect against common attacks using web ACLs, rules, and filters. If using CloudFront, enable the WAF integration with CloudFront; if using only the Application Load Balancer, enable the WAF integration on the load balancer. Configuring the WAF is out of scope for this article; follow Amazon's documentation for best practices and more information: https://docs.aws.amazon.com/waf/index.html

TBD

  • Staging DTS
  • DNS Records
  • ACM Certificates
