Overview of Sub Clustering
In a TAC where ESA and DSGs are set up, the configuration files are pushed from the ESA to the DSG nodes on the cluster. However, in versions prior to DSG 3.0.0.0, only a single copy of the gateway configurations could be pushed to the DSG nodes. The ability to push specific rulesets to specific nodes in the cluster was unavailable. From v3.0.0.0, this limitation has been eliminated by introducing the sub-clustering feature.
Sub-clustering allows the user to create separate clusters of the DSG nodes in a TAC. All the nodes in the sub-cluster contain the same rulesets. This enables the user to maintain different copies of rulesets for different sub-clusters. Sub-clusters can be used to define various Lines-of-Business (LOB) of the organization. The user can then create logical node groups to deploy the rulesets on different DSG nodes (LOBs) successfully.
For example, if an XYZ company is spread across the globe with multiple LOBs, then it can use the sub-clustering feature to deploy the configurations to a particular node group, that is, LOB1, LOB2, LOB3, and so on.
The following image illustrates how the sub-clustering feature is implemented for the DSG nodes.
The figure depicts three node groups: LOB1, LOB2, and LOB3. Consider LOB1, which caters only to HTTP and S3 services. The common service is shared among all the LOBs. It includes the protection profiles, unprotection profiles, and so on, that can be used by the user. Only the tunnels that are used for the enabled services will be loaded. The other tunnels will not be loaded. Thus, for LOB1, only the HTTP and S3 tunnels will be loaded.
Perform the following steps to push the configurations to the LOB1 node group.
1. Add four DSG nodes from the cluster page and set the node group as LOB1.
   For more information about adding a node and node group to the cluster, refer to the section Adding a Node to the Cluster.
2. Enable the Office 365 and S3 service1 services. These services will be pushed to the LOB1 node group. Disable the NFS service 1, SFTP service, restapi, Adlabs, salesforce, and S3 service 2 services.
3. Select LOB1 to push the rulesets to all the four DSG nodes in the LOB1 node group.
Note: For more information about deploying the configurations to node groups, refer to the section Deploying the Configurations to Node Groups.
The following figure describes a sample use case for sub-clustering.
As shown in the figure, consider that LOB1, LOB2, and LOB3 are different lines of business that belong to an XYZ company. The LOBs are as follows:
- The LOB1 will use the S3 bucket’s folder 1 and Office 365 SaaS services. This LOB is assigned to nodes D1, D2, D3, and D4.
- The LOB2 will use the Salesforce SaaS, SFTP server, and Adlabs SaaS services. This LOB is assigned to nodes D5, D6, D7, and D8.
- The LOB3 will use the NFS share and S3 bucket’s folder 2 services. This LOB is assigned to nodes D9, D10, D11, and D12.
To deploy the configurations to the LOB1 node group, all other services on the RuleSet page will be disabled.
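A planning check for the sample use case above, written as an added example (it is not part of the product documentation and does not call any DSG or ESA API). It applies the rules stated on this page: node group names are case-insensitive and displayed in lowercase, a node without a node group falls into the default node group, and every service not intended for a node group is disabled before deployment. The function name, the data layout, and the `default` label are assumptions made for illustration.

```python
# Added example; plan_deployment and the data layout are hypothetical, not a DSG API.
DEFAULT_GROUP = "default"  # assumption: placeholder label for the default node group

def normalize(group):
    """Node group names are case-insensitive and shown in lowercase; blank means default."""
    return (group or "").strip().lower() or DEFAULT_GROUP

def plan_deployment(node_groups, group_services):
    """node_groups: {node: group or None}; group_services: {group: services to enable}.
    Returns (plan, warnings); plan maps each group to its nodes and service toggles."""
    warnings, merged, first_seen = [], {}, {}
    for raw, services in group_services.items():
        key = normalize(raw)
        if key in first_seen:
            warnings.append(f"'{raw}' and '{first_seen[key]}' are the same node group '{key}'")
        first_seen.setdefault(key, raw)
        merged.setdefault(key, set()).update(services)
    all_services = set().union(*merged.values())
    members = {}
    for node, raw in sorted(node_groups.items()):
        if not (raw or "").strip():
            warnings.append(f"{node} has no node group and falls into '{DEFAULT_GROUP}'")
        members.setdefault(normalize(raw), []).append(node)
    plan = {}
    for key, nodes in members.items():
        if key not in merged:
            warnings.append(f"node group '{key}' has no services defined")
        enable = merged.get(key, set())
        plan[key] = {"nodes": nodes, "enable": sorted(enable),
                     "disable": sorted(all_services - enable)}
    return plan, warnings

# Constructed input based on the sample use case (service labels are shorthand).
SERVICES = {
    "LOB1": {"S3 service 1", "Office 365"},
    "LOB2": {"Salesforce", "SFTP", "Adlabs"},
    "LOB3": {"NFS", "S3 service 2"},
}
NODES = {f"D{i}": "LOB1" for i in range(1, 5)}
NODES.update({f"D{i}": "LOB2" for i in range(5, 9)})
NODES.update({f"D{i}": "LOB3" for i in range(9, 13)})
NODES["D4"] = "lob1"   # constructed: case differs, still the same node group
NODES["D13"] = None    # constructed: extra node added without a node group

if __name__ == "__main__":
    plan, warnings = plan_deployment(NODES, SERVICES)
    for group, entry in plan.items():
        print(group, entry)
    print(*warnings, sep="\n")
```

The warnings are the part worth reviewing before a deployment: a node that silently lands in the default node group, or two group names that collapse into one, receives rulesets that were not planned for it.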
Important Notes
The sub-clustering feature can only be used when the DSG node is added from the Cluster screen of the DSG Web UI. It is recommended to add the node to the cluster only from this screen. While adding a node, a node group can be assigned to the DSG node. If a node group is not assigned, then a default node group is assigned to that DSG node.
For more information about adding the DSG node from the Cluster page, refer to the section Adding a Node to the Cluster.
The tunnels, certificates/keys, and gateway configuration files are common to all the DSGs in the cluster.
If you are using the Selective Tunnel Reloading feature with sub-clustering, then ensure that you prefix the node group name with dsg_ while setting the tunnel configuration.
For DSG Appliances, rulesets are deployed based on the node groups that are mapped to it.
For DSG containers, the user can use the CoP export API to export the configurations for a particular node group and then deploy them to the containers. This is achieved by passing the Node Group as a parameter to the export API.
For more information about the CoP export API, refer to the section CoP Export API for deploying the CoP (Containers Only).
Sub-Clustering FAQs
Questions | Answers |
---|---|
What if I have to change the node group assigned to a DSG node? | If you have to change the node group of a node, then log in to the ESA Web UI, navigate to Cloud Gateway > 3.3.0.0 {build number} > Cluster, then on the node click the Actions drop-down list and select the Change Groups option. Specify the required node group name and save it. |
What if I have to change the node group on multiple DSG nodes at a time? | If you have to change the node group of multiple DSG nodes at a time, then log in to the ESA Web UI, navigate to Cloud Gateway > 3.3.0.0 {build number} > Cluster, then select the check box for each individual node on which the node group must be changed, click the Actions drop-down list, and select the Change Groups on Selected Nodes option. Specify the node group name and save the changes. |
From where should the DSG nodes be added to the cluster? | The DSG node must be added only from the Cluster page. Log in to the ESA Web UI, navigate to Cloud Gateway > 3.3.0.0 {build number} > Cluster, click the Actions drop-down list, and select the Add Node option. For more information about adding a node to the cluster, refer to the section Add Node. |
What if the deployment node group is not specified while adding a node to the cluster? | If the deployment node group is not specified, then by default the node is assigned to the default node group. |
Can the DSG node be assigned to different node groups at a time? | No, the DSG node can be assigned to only one node group at a time. If required, you can change the node group, but the node is associated with only one node group at any given time. |
What would happen if you add the DSG node from the CLI or TAC? | It is not recommended to add the DSG node from the CLI or TAC. The sub-clustering feature would not work with all the functionalities. |
Can we deploy the configurations to multiple node groups? | Yes, if you have different node groups and you click the Deploy to Node Groups option on the Cluster tab or Ruleset screen, then it shows all the node groups created. Select the check box of the node groups to which the configurations must be pushed. |
How to configure the services in the Ruleset page, to push them to a particular node group? | Enable the required services and deploy them to the intended node group. Note: Disable all the services that are not intended to be pushed to the node group. |
Can I have separate node groups as LOB1, lob1, or any combination of letters for this node group name? | All letter-case combinations of the node group name are considered the same name, and it is displayed in lowercase. |
Can we deploy the configuration to the node group without providing the tag name or description? | Yes, the tag name and description are not mandatory fields. If you do not provide the tag name, then the configuration version will be untagged. |
What would happen if the node group has a recently deployed configuration and you are assigning that node group to a DSG node? | In this scenario, the recently deployed configuration for that node group will be redeployed to the DSG node. |