Enabling selective tunnel loading on DSG nodes
When the DSG nodes are in a cluster, generally, the ESA is responsible for pushing the Ruleset configurations to all the nodes in the cluster. In a situation where it is required that only specific tunnels are loaded on specific DSG nodes, the selective tunnel loading feature can be used.
The following figure describes how labels work with the tunnel and the DSG node definitions.
In the above figure, consider an example TAC in which there are an ESA and two DSG nodes, namely DSG Node 1 and DSG Node 2. DSG Node 1 is an on-premise DSG, while DSG Node 2 is a DSG on cloud. The DSG Ruleset configuration defined on the ESA includes multiple tunnel configurations, for instance, Tunnel A that must be loaded only on DSG Node 1 and Tunnel B that must be loaded only on DSG Node 2. Tunnel C is common to both DSG nodes and hence is loaded on both nodes.
With the selective tunnel load feature, labels can be set for the tunnel and the nodes in a cluster such that only the required tunnel is loaded on the DSG node.
Perform the following steps to achieve selective tunnel loading.
Define the labels for each DSG node in a TAC.
Define the labels for each tunnel. This label name must match the label name defined in the DSG node label definition.
Deploy the DSG configuration from the ESA by performing the following steps.
- Login to the ESA Web UI.
- Navigate to Cloud Gateway > 3.3.0.0 {build number} > Cluster.
- Select the Refresh drop-down menu and click Deploy.
Based on these definitions, when the DSG configuration is deployed, the Tunnel A configurations are loaded in the DSG Node 1 since the label, node1, defined in both the configurations is the same. Similarly, the Tunnel B configurations are loaded in the DSG Node 2 since the label, node2, defined in both the configurations is the same. Since no labels are defined for the Tunnel C, the Tunnel C configurations are loaded in the DSG Node 1 and DSG Node 2.
The default behavior of the Deploy functionality does not change with the enhancements provided by Selective Tunnel Loading. In a TAC, if a configuration is pushed from the ESA, then it will be pushed to all the DSG nodes that are a part of the TAC. The configuration may include a Data Security Policy, RuleSet, Tunnels, and Services associated with a Tunnel.
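The label-matching rule described above, written out as an added example that is not part of the Protegrity documentation or product: it predicts which tunnels each node would load on Deploy and flags labeled tunnels whose label matches no node (the mismatch case the prerequisites warn about). Node names, labels and the modeling of a node's labels as a set are constructed assumptions; the tunnel Advanced Settings use the page's {"label":"..."} form.

```python
import json

# Constructed example: node -> labels assigned via the DSG CLI Manager
# (Update Cluster Information > Labels). Modeling labels as a set is an assumption.
NODES = {
    "DSG Node 1": {"node1", "dsg_onpremise"},
    "DSG Node 2": {"node2"},
}

# Constructed example: tunnel -> Advanced Settings JSON as entered under
# Transport > Tunnels > Advanced Settings. Tunnel C carries no label.
TUNNELS = {
    "Tunnel A": '{"label":"node1"}',
    "Tunnel B": '{"label":"node2"}',
    "Tunnel C": '{}',
    "NFS": '{"label":"dsg_onpremise"}',
}


def tunnel_label(advanced_settings):
    """Return the label from a tunnel's Advanced Settings, or None if unlabeled."""
    settings = json.loads(advanced_settings) if advanced_settings.strip() else {}
    return settings.get("label")


def plan_deployment(nodes, tunnels):
    """Compute which tunnels each node would load on Deploy.

    Rule from the page: a labeled tunnel loads only on nodes carrying the same
    label; an unlabeled tunnel loads on every node in the TAC.
    """
    plan = {node: [] for node in nodes}
    for name, settings in tunnels.items():
        label = tunnel_label(settings)
        for node, labels in nodes.items():
            if label is None or label in labels:
                plan[node].append(name)
    return plan


def orphan_tunnels(nodes, tunnels):
    """Labeled tunnels whose label matches no node; these would load nowhere.

    Run before Deploy to catch a typo or a label that was never set on any node.
    """
    all_labels = set().union(*nodes.values())
    return sorted(
        name for name, settings in tunnels.items()
        if tunnel_label(settings) is not None and tunnel_label(settings) not in all_labels
    )
```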
Adding a label to a DSG node for selective tunnel loading
Labels help you organize your nodes into groups or categories. By specifying a label for a node, you ensure that the node is a member of the label group. As part of enabling selective tunnel loading, the same label must be set for the DSG node in a Cluster and the Tunnel configuration. This section provides information about adding a label to the DSG node.
Ensure that the following prerequisites are met:
- The DSG nodes where the labels are defined must be in the same TAC.
- The TAC must be healthy.
- Ensure that the label defined for the DSG node is the same as the one defined in the tunnel configuration.
To add a label to a DSG node for selective tunnel reloading:
Login to the DSG CLI Manager.
Navigate to Tools > Clustering > Trusted Appliances Cluster.
On the Cluster Services screen, navigate to Node Management : Add/Remove Cluster Nodes/Information, highlight OK and press Enter.
On the Node Management screen, navigate to Update Cluster Information, highlight OK and press Enter.
On the Update Cluster Information screen, navigate to Labels, and add the following label.
;dsg_onpremise
For example, if the NFS tunnel must be deployed only for the on-premise DSG node in a cluster, then ensure that the label parameter is set to the same label, such as dsg_onpremise, set for the on-premise DSG.
Highlight OK and press Enter.
Navigate to the Cluster Services screen and select List Nodes: Show Cluster Nodes & Status to verify that the label has been created successfully.
Removing a label from a DSG node for selective tunnel loading
This section describes the steps to remove a label from the DSG node for Selective Tunnel Loading. It is recommended to be cautious before removing a label from the DSG node. By removing a label for a node, you ensure that the node is not a member of the label group. For example, if the NFS tunnel must be loaded only for the on-premise DSG node in a cluster, and a label parameter, such as dsg_onpremise, is removed for the on-premise DSG node, then the NFS tunnel will not be loaded on the on-premise DSG node in a cluster.
Ensure that the following prerequisites are met:
- The DSG nodes where the labels are removed must be in the same TAC.
- The TAC must be healthy.
To remove a label from a DSG node for selective tunnel reloading:
Remove the Tunnel label from the DSG node by performing the following steps.
Login to the DSG Web UI.
Click Transport > Tunnels.
Click to edit the tunnel.
Under Advanced Settings, remove the following key-value pair.
{"label":"dsg_onpremise"}
Remove the TAC label from the DSG node by performing the following steps.
Login to the DSG CLI Manager.
Navigate to Tools > Clustering > Trusted Appliances Cluster.
On the Cluster Services screen, navigate to Node Management : Add/Remove Cluster Nodes/Information, highlight OK and press Enter.
On the Node Management screen, navigate to Update Cluster Information, highlight OK and press Enter.
On the Update Cluster Information screen, navigate to Labels, and remove the following label.
dsg_onpremise
Adding a label to a tunnel for selective tunnel loading
As part of enabling selective tunnel reloading, the advanced settings for a tunnel configuration must be modified such that only the specific tunnel is reloaded when the matching label is found configured for a DSG node in a cluster.
Ensure that the following prerequisites are met:
- The DSG nodes where the labels are defined must be in the same TAC.
- The TAC must be healthy. For more information about checking cluster health, refer to the section Monitoring tab.
- Ensure that the label defined for the DSG node is the same as the one defined in the tunnel configuration. For more information about setting the label in the DSG node, refer to the section Adding a Label to a DSG Node for Selective Tunnel Loading.
To add a label to a Tunnel for selective tunnel reloading:
Login to the DSG Web UI.
Click Transport > Tunnels.
Click to edit the tunnel.
Under Advanced Settings, add the following key-value pair.
{"label":"dsg_onpremise"}
For example, if the NFS tunnel must be reloaded only for the on-premise DSG node in a cluster, then ensure that the label parameter is set to the same label, such as dsg_onpremise, set for the on-premise DSG.
For more information about adding a label for a DSG node in a cluster, refer to the section Adding a Label to a DSG Node for Selective Tunnel Loading.