Overview
Route53 is a scalable Domain Name System (DNS) service managed by Amazon Web Services (AWS). One Route53 feature is health-checked failover: when the health check attached to a DNS record fails, Route53 stops answering with that record's IP and returns the secondary record instead. Another is direct monitoring of the SBC endpoint. The SBC deployment can use Route53:
- As a DNS for both internal and external nodes
- To monitor the EC2 instance for reachability or health, and to update DNS records accordingly
The testing environment used the following setup:
Test setup
- The UAC and UAS can be in the same or in different availability zones, but within the same VPC.
- If the UAC and UAS are in a different availability zone than the SBC, a route must be added on both sides, i.e. on the SIP machine as well as on the SBC, and the corresponding security groups must be configured with matching entries.
- In the Test setup figure, two High-Availability Front Ends (HFEs) are created in two different availability zones.
- When a call is made from the UAC to the UAS using the DNS FQDN, the UAC queries the DNS to resolve it and the DNS returns the primary entry for the record (here, HFE-1).
- The call goes through the first path: UAC → HFE-1 → SBC-1 → UAS
- When HFE-1 goes down, the health check created for this node fails. Calls that are active at this point fail; DNS failover does not preserve them.
- New calls started with the same DNS FQDN receive the secondary node's IP (this happens once the health check status has changed to 'unhealthy', here after about 50 seconds; a client that cached the earlier answer keeps using it until the record's TTL expires).
- The calls now go through the second path: UAC → HFE-2 → SBC-2 → UAS
Configuration
Create a Hosted Zone:
a. Navigate to Services→Networking & Content Delivery→Route53.
b. Select Hosted zones in the left-side panel and create a zone with a DNS name (example: "sonusnet.com"). For public hosted zones, the DNS name must be a registered domain.
Create Record sets in the Hosted Zone. NS and SOA records are created by default and are required for the zone; no changes are needed to them.
a. Create a new record set.
b. Give the record set a name, which is a prefix under the zone, such as "test.sonusnet.com."
c. Select the type: A (IPv4 address) or AAAA (IPv6 address).
d. Configure the TTL (minimum of 3s). Keep it short: resolvers and clients cache the answer for the TTL, so a long TTL delays failover no matter how quickly the health check reacts.
e. Add the IP address that maps to this name (this is the address the DNS returns when the record is used to build the response).
f. Select a routing policy (in this example, Failover, which supports a primary and a secondary instance with failure detection). Create two record sets with the same name, one with failover type Primary and the other with failover type Secondary. A health check must be associated with the primary record set (the primary cannot be created without one): when that health check fails, the DNS returns the secondary record set's value for this name.
For the primary, use HFE-1's eth0 IP; for the secondary, use HFE-2's eth0 IP.
Create Record Set - primary entry
Create Record Set - secondary entry
A health check is mandatory for the primary record set and optional for the secondary.
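As an added example (this is not code from the original page or from the product), the following Python builds the primary/secondary failover record sets described in the record set steps above in the form that `aws route53 change-resource-record-sets --change-batch` and boto3's `change_resource_record_sets(ChangeBatch=...)` accept, and checks the constraints stated above before anything is submitted: one name and type shared by both records, one PRIMARY and one SECONDARY with distinct set identifiers, a health check on the primary, and record values that match the record type. The health check ID and the two eth0 addresses are placeholders, and the 60 s TTL above which the validator warns is an assumption of this example.

```python
import ipaddress

MAX_FAILOVER_TTL = 60  # assumption: warn above this, since clients cache answers for TTL seconds


def _fqdn(name):
    """Route53 stores names fully qualified; normalise to a trailing dot."""
    return name if name.endswith(".") else name + "."


def failover_record_pair(name, rtype, primary_value, secondary_value,
                         primary_health_check_id, ttl=60,
                         secondary_health_check_id=None):
    """Return [primary, secondary] ResourceRecordSet dicts for one failover name.

    The primary must reference a health check: Route53 withdraws it only when
    that check reports unhealthy. A health check on the secondary is optional.
    """
    primary = {
        "Name": _fqdn(name),
        "Type": rtype,
        "SetIdentifier": "hfe-1-primary",      # must differ from the secondary's
        "Failover": "PRIMARY",
        "TTL": ttl,
        "ResourceRecords": [{"Value": primary_value}],
        "HealthCheckId": primary_health_check_id,  # placeholder ID in the usage below
    }
    secondary = {
        "Name": _fqdn(name),
        "Type": rtype,
        "SetIdentifier": "hfe-2-secondary",
        "Failover": "SECONDARY",
        "TTL": ttl,
        "ResourceRecords": [{"Value": secondary_value}],
    }
    if secondary_health_check_id:
        secondary["HealthCheckId"] = secondary_health_check_id
    return [primary, secondary]


def change_batch(record_sets, comment="SBC HFE failover records"):
    """Wrap record sets in the ChangeBatch structure Route53 expects; UPSERT is idempotent."""
    return {
        "Comment": comment,
        "Changes": [{"Action": "UPSERT", "ResourceRecordSet": rs} for rs in record_sets],
    }


def validate_failover_pair(record_sets):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    if len(record_sets) != 2:
        return ["a failover name needs exactly two record sets (PRIMARY and SECONDARY)"]
    if len({r["Name"] for r in record_sets}) != 1 or len({r["Type"] for r in record_sets}) != 1:
        problems.append("both record sets must share the same name and type")
    if sorted(str(r.get("Failover")) for r in record_sets) != ["PRIMARY", "SECONDARY"]:
        problems.append("one record set must be PRIMARY and the other SECONDARY")
    if len({r.get("SetIdentifier") for r in record_sets}) != 2:
        problems.append("SetIdentifier must be distinct for the two record sets")
    for r in record_sets:
        if r.get("Failover") == "PRIMARY" and not r.get("HealthCheckId"):
            problems.append("the PRIMARY record set requires a health check")
        if r.get("TTL", 0) > MAX_FAILOVER_TTL:
            problems.append(f"TTL {r['TTL']}s on {r['SetIdentifier']} delays failover for caching clients")
        expected_version = {"A": 4, "AAAA": 6}.get(r["Type"])
        for rr in r["ResourceRecords"]:
            try:
                version = ipaddress.ip_address(rr["Value"]).version
            except ValueError:
                version = None
            if expected_version and version != expected_version:
                problems.append(f"{rr['Value']} is not a valid {r['Type']} value")
    return problems


if __name__ == "__main__":
    import json
    # Placeholder addresses standing in for HFE-1 and HFE-2 eth0, and a placeholder health check ID.
    pair = failover_record_pair("test.sonusnet.com", "A", "10.0.1.10", "10.0.2.10", "hc-placeholder-1")
    print(validate_failover_pair(pair) or "record pair is consistent")
    print(json.dumps(change_batch(pair), indent=2))
```

Run the validator before every change-batch submission: the console enforces the health check on the primary, but the API does not stop you from creating a PRIMARY record without one, and such a record is never withdrawn.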
Health Check
Route 53 health checks track the health of your resources, such as web servers or mail servers, and take action when an outage occurs. A Route53 health check can monitor an EC2 instance for reachability or health in several ways:
- Directly monitor the endpoint over TCP or HTTP
- Monitor the status of other health checks (a calculated health check)
- Monitor a CloudWatch alarm
- Advanced checks over HTTPS, including matching a string in the response body
Note that the health checkers run outside your VPC and probe public IP addresses only: the target needs a public (Elastic) IP, and its security group must admit the health checker address ranges.
Route53 can also monitor non-AWS endpoints for health (for a fee).
Creating a Health Check by Directly Monitoring the Endpoint Using TCP/HTTP
Monitoring can be set up with a simple TCP or HTTP check against the instance's IP address. Detailed steps are as follows:
Select the Create health check option:
Create health check
Configure the health check:
- Enter a name for the health check.
- Select what to monitor (here, the HFE endpoint).
- Select a protocol (TCP or HTTP) and enter the Elastic IP of the machine (here, the Elastic IP attached to HFE-1's eth1).
Configure Health Check
- In Advanced configuration, change the Request interval to 10 seconds and the Failure threshold to 2; the health checker regions can also be customized.
Request interval is the time between consecutive requests from one health checker to the endpoint.
Failure threshold is the number of consecutive requests that must fail before a health checker reports the endpoint as unhealthy (and the number that must succeed before it reports it healthy again).
Health checker regions are the regions from which the requests that monitor the endpoint's health are sent.
Advanced configuration
- Click Next to open the Create health check dialog, and then click Create health check:
Create health check
After a few minutes the health check must show as healthy; otherwise Route53 failover will not work as expected. (The HFE eth1 IP given in the health check is probed for reachability from each of the selected regions.) The same health check must also be selected on the primary record set created in failover mode in the Route53 record set configuration.
Health checkers
Note:
- With TCP protocol and port 22, no change is needed on the HFE beyond adding the health checker regions' IP ranges to the corresponding security group. This does open the SSH port to those AWS-owned ranges, so keep the rule scoped to exactly those ranges and that port rather than widening it.
- With TCP protocol and port 80, you must install the "httpd" service on the primary HFE (the node the health check is created for).
- With HTTP protocol and port 80, you must install the "httpd" service on the primary HFE and also make the configuration file changes described in the next section.
Configurations on HFE (the node the Route53 health check reaches)
Install the 'httpd' service on the node. The transcript below is from Amazon Linux 1 with Apache 2.2, both of which are past end of life; on a current image the package is Apache 2.4, where the directives edited in this section still exist.
'httpd' service installation
[root@ip-172-31-20-153 ~]# yum install httpd -y
Loaded plugins: priorities, update-motd, upgrade-helper
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.2.34-1.16.amzn1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package      Arch        Version                 Repository          Size
================================================================================
Installing:
 httpd        x86_64      2.2.34-1.16.amzn1       amzn-updates        1.2 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 1.2 M
Installed size: 3.1 M
Downloading packages:
httpd-2.2.34-1.16.amzn1.x86_64.rpm                       | 1.2 MB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : httpd-2.2.34-1.16.amzn1.x86_64                             1/1
  Verifying  : httpd-2.2.34-1.16.amzn1.x86_64                             1/1

Installed:
  httpd.x86_64 0:2.2.34-1.16.amzn1

Complete!
[root@ip-172-31-20-153 ~]#
The address ranges of the health check regions must be added to the SECURITY GROUP attached to the HFE. In this example three regions are used, so the security group contains one inbound entry per health checker range for those regions, on the health check port only.
Bind the HFE eth1 IP for HTTP (the interface for which the health check has been configured) and allow HTTP by doing the following on HFE-1:
Update /etc/httpd/conf/httpd.conf so that httpd listens on the private IP of eth1 on port 80 (the Elastic IP is translated to this private address, so httpd must bind the private one), and comment out the line that listens on the port alone, which binds every interface.
Initial conf file:
Before updating the conf file
[root@ip-172-31-10-70 ~]# grep "Listen" /etc/httpd/conf/httpd.conf
# Listen: Allows you to bind Apache to specific IP addresses and/or
# Change this to Listen on specific IP addresses as shown below to
#Listen 12.34.56.78:80
Listen 80
Updated conf file:
After updating the conf file
[root@ip-172-31-10-70 ~]# grep "Listen" /etc/httpd/conf/httpd.conf
# Listen: Allows you to bind Apache to specific IP addresses and/or
# Change this to Listen on specific IP addresses as shown below to
Listen 172.31.10.210:80
#Listen 80
Replace the line containing "Options -Indexes" with:
Options Indexes SymLinksIfOwnerMatch FollowSymLinks
in the file
/etc/httpd/conf.d/welcome.conf
That block in welcome.conf makes a request for "/" return 403 when the document root has no index document, and Route53 counts only 2xx and 3xx responses as healthy; enabling directory indexes makes "/" answer 200. Be aware that this also publishes a directory listing of the document root, and lets httpd follow symlinks under it, to anyone who can reach port 80, so keep the security group limited to the health checker ranges. An alternative that needs neither option is to leave "Options -Indexes" in place and put a static index.html in the document root (or point the health check's Path at a dedicated document).
Replacing 'Options -Indexes' in welcome.conf
[root@ip-172-31-10-70 httpd]# sed -i 's/Options -Indexes/Options Indexes SymLinksIfOwnerMatch FollowSymLinks/g' /etc/httpd/conf.d/welcome.conf
Stop and start the httpd service (on Amazon Linux 1, also run "chkconfig httpd on" so that it starts again after a reboot; otherwise the health check fails after the first restart of the instance):
'start' and 'stop' of the HTTPD service
[root@ip-172-31-10-70 ~]# service httpd stop
Stopping httpd:                                            [  OK  ]
[root@ip-172-31-10-70 ~]# service httpd start
Starting httpd:                                            [  OK  ]
[root@ip-172-31-10-70 ~]#
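As an added example (not code from the original page), this Python reproduces the two httpd edits above on a constructed copy of the configuration and then audits the result. bind_listen() comments out the bare "Listen 80" and binds the eth1 address, as the grep output shows; apply_welcome_edit() is the sed substitution from this section; audit() then reports whether httpd still listens on every interface, whether it is bound to the expected address, and whether the welcome.conf edit has turned on directory listing and symlink following, which the page's own end state does. The configuration excerpts are constructed for the example; the address 172.31.10.210 is the eth1 address from the transcript above.

```python
import re

# Constructed excerpts (not copied from a host) of the files as shipped,
# i.e. before the edits made in this section.
HTTPD_CONF_BEFORE = """\
# Listen: Allows you to bind Apache to specific IP addresses and/or
# Change this to Listen on specific IP addresses as shown below to
#Listen 12.34.56.78:80
Listen 80
"""

WELCOME_CONF_BEFORE = """\
<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /error/noindex.html
</LocationMatch>
"""

LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)\s*$", re.MULTILINE)
BARE_PORT_RE = re.compile(r"^\s*Listen\s+\d+\s*$")   # port only = every interface


def active_listens(conf_text):
    """Uncommented Listen directives, as written (e.g. '80' or '172.31.10.210:80')."""
    return LISTEN_RE.findall(conf_text)


def bind_listen(conf_text, ip, port=80):
    """Comment out bare 'Listen <port>' lines and ensure 'Listen <ip>:<port>' is present once."""
    lines = [("#" + line.strip()) if BARE_PORT_RE.match(line) else line
             for line in conf_text.splitlines()]
    new_text = "\n".join(lines) + "\n"
    if f"{ip}:{port}" not in active_listens(new_text):
        new_text += f"Listen {ip}:{port}\n"
    return new_text


def apply_welcome_edit(welcome_text):
    """The sed substitution from this section, applied to the file contents."""
    return welcome_text.replace("Options -Indexes",
                                "Options Indexes SymLinksIfOwnerMatch FollowSymLinks")


def audit(conf_text, welcome_text, expected_ip, port=80):
    """Findings about the health-check web server; an empty list means nothing to report."""
    findings = []
    listens = active_listens(conf_text)
    if any(re.fullmatch(r"\d+", l) for l in listens):
        findings.append("httpd listens on every interface (bare 'Listen <port>')")
    if f"{expected_ip}:{port}" not in listens:
        findings.append(f"httpd is not bound to {expected_ip}:{port}")
    opts = re.search(r"^\s*Options\s+(.*)$", welcome_text, re.MULTILINE)
    tokens = opts.group(1).split() if opts else []
    if "Indexes" in tokens:
        findings.append("Options Indexes: directory listing of the document root is enabled")
    if "FollowSymLinks" in tokens:
        findings.append("Options FollowSymLinks: httpd follows symlinks under the document root")
    return findings


if __name__ == "__main__":
    conf = bind_listen(HTTPD_CONF_BEFORE, "172.31.10.210")
    print(conf)
    for finding in audit(conf, apply_welcome_edit(WELCOME_CONF_BEFORE), "172.31.10.210"):
        print("finding:", finding)
```

Running the audit against the page's end state yields the two Options findings and nothing else; running it with welcome.conf left untouched yields none, which is the state you get with the static index.html alternative.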
- The IP ranges to add to the HFE's security group for the health check regions are taken from https://ip-ranges.amazonaws.com/ip-ranges.json (the entries whose service is ROUTE53_HEALTHCHECKS, filtered to the selected regions). AWS updates this file, so a health check that starts failing from one region is a reason to re-check it.
- With a failure threshold of 2 and a request interval of 10 s across 3 regions, the total downtime measured was about 50 s: roughly 10 s for the instance to stop completely, (10 × 2) + 10 = 30 s for the checks to fail, i.e. (request interval × failure threshold) plus extra time for all regions to report, and about 10 s for the health check status to change and Route53 to update. Clients that cached the previous answer add up to the record TTL on top of this.
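As an added example (not from the original page), this Python does what the security group notes above describe: it reads an ip-ranges.json document, keeps only the ROUTE53_HEALTHCHECKS prefixes for the regions selected in the health check, and produces the IpPermissions entry that `aws ec2 authorize-security-group-ingress --ip-permissions` or boto3's `authorize_security_group_ingress` takes for the health check port. It then answers two questions worth asking before applying the rule: does the rule stay scoped to those ranges rather than 0.0.0.0/0, and would a probe from a checker in a region you did not select be dropped (which is what makes that region's checkers report failures). The embedded JSON is a constructed sample in the file's layout using RFC 5737/3849 documentation prefixes, not real AWS ranges; fetch the live file for real use.

```python
import ipaddress
import json

# Constructed sample in the layout of https://ip-ranges.amazonaws.com/ip-ranges.json.
# These are RFC 5737 / RFC 3849 documentation prefixes, NOT real AWS ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/26", "region": "us-east-1", "service": "ROUTE53_HEALTHCHECKS"},
        {"ip_prefix": "192.0.2.64/26", "region": "us-east-1", "service": "ROUTE53_HEALTHCHECKS"},
        {"ip_prefix": "198.51.100.0/26", "region": "us-west-1", "service": "ROUTE53_HEALTHCHECKS"},
        {"ip_prefix": "203.0.113.0/26", "region": "eu-west-1", "service": "ROUTE53_HEALTHCHECKS"},
        # a different service in a selected region: must NOT be admitted
        {"ip_prefix": "203.0.113.64/26", "region": "us-east-1", "service": "ROUTE53_HEALTHCHECKS_PUBLISHING"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "ROUTE53_HEALTHCHECKS"},
    ],
})

SERVICE = "ROUTE53_HEALTHCHECKS"  # exact match; *_PUBLISHING is a different service


def health_checker_prefixes(ip_ranges_json, regions):
    """Return (ipv4_cidrs, ipv6_cidrs) for the health checker regions chosen in the console."""
    data = json.loads(ip_ranges_json)
    wanted = set(regions)
    v4 = sorted(p["ip_prefix"] for p in data["prefixes"]
                if p["service"] == SERVICE and p["region"] in wanted)
    v6 = sorted(p["ipv6_prefix"] for p in data.get("ipv6_prefixes", [])
                if p["service"] == SERVICE and p["region"] in wanted)
    return v4, v6


def ingress_permission(v4, v6, port, protocol="tcp"):
    """One IpPermissions entry admitting only the checker ranges on the health check port."""
    note = "Route53 health checker"
    return {
        "IpProtocol": protocol,
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c, "Description": note} for c in v4],
        "Ipv6Ranges": [{"CidrIpv6": c, "Description": note} for c in v6],
    }


def is_scoped(permission):
    """False if any range is 0.0.0.0/0 or ::/0, i.e. the port is open to the Internet."""
    cidrs = ([r["CidrIp"] for r in permission["IpRanges"]]
             + [r["CidrIpv6"] for r in permission["Ipv6Ranges"]])
    return not any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


def probe_allowed(permission, source_ip, port):
    """Would a probe from source_ip to port pass this rule? (Security groups are allow-lists.)"""
    if not permission["FromPort"] <= port <= permission["ToPort"]:
        return False
    src = ipaddress.ip_address(source_ip)
    if src.version == 4:
        cidrs = [r["CidrIp"] for r in permission["IpRanges"]]
    else:
        cidrs = [r["CidrIpv6"] for r in permission["Ipv6Ranges"]]
    return any(src in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    v4, v6 = health_checker_prefixes(SAMPLE_IP_RANGES, ["us-east-1", "us-west-1"])
    rule = ingress_permission(v4, v6, 80)
    print(json.dumps([rule], indent=2))   # pass this list to --ip-permissions
    print("scoped to checker ranges:", is_scoped(rule))
    print("eu-west-1 checker admitted:", probe_allowed(rule, "203.0.113.5", 80))
```

The region filter must match the regions chosen under Advanced configuration: a region that probes the endpoint but is absent from the rule sees a dropped connection and reports the endpoint unhealthy from that region, which is indistinguishable from a real outage in the health check status.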
Related Links
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-configuring.html
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-configuring-options.html