PAM server and third party load balancer in different subnets

Article ID: 187063

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The PAM documentation states that the virtual IP of the cluster (VIP) and the member PAM servers must be in the same subnet.
Sometimes, for various reasons, the load balancer is placed in another subnet and we may still want to use it.
So, is it possible to use an external load balancer with PAM when they are in different subnets?

Environment

Product: Layer 7 Privileged Access Manager.
Version: 3.x

Resolution

Depending on the load balancer being used:

  • If no third party load balancer is used, PAM manages the balancing by itself, redirecting each session to the proper cluster node depending on its load. In this case, the VIP must belong to the same subnet as the cluster nodes' IP addresses. The VIP is initially held by the primary node of the primary site and is transferred to the secondary node if the primary becomes unavailable; this failover is why the VIP has to be in the same subnet as the cluster nodes.
  • If a third party load balancer is used, you can enter a fake VIP in the cluster definition, one that is not reachable on the network (to avoid unwanted connections), and have the PAM Clients use the external load balancer's IP address to connect to the PAM Server cluster. The external load balancer then decides, based on its configured rules, which PAM Server each PAM Client connection is redirected to. Because clients never connect to the VIP in this setup, the load balancer can sit in a different subnet from the cluster nodes.
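The following is an added example, not part of this article or of the PAM product, that encodes the two addressing rules above as a pre-deployment check. The function name `validate_cluster_addressing` and all IP addresses are constructed for illustration; it only checks address arithmetic and does not probe the network.

```python
import ipaddress


def validate_cluster_addressing(node_ips, prefix_len, vip, external_lb=None):
    """Check PAM cluster VIP placement against the rules described above.

    node_ips:    IPv4 addresses of the PAM cluster nodes (strings).
    prefix_len:  prefix length of the subnet the nodes sit in (e.g. 24).
    vip:         the VIP entered in the cluster definition.
    external_lb: address of the third-party load balancer, or None when
                 PAM performs the balancing itself.
    Returns a list of problems; an empty list means the layout is consistent.
    """
    problems = []
    nodes = [ipaddress.ip_address(ip) for ip in node_ips]
    # The cluster subnet is derived from the first node; every other node
    # must share it, since the VIP moves between nodes on failover.
    subnet = ipaddress.ip_network(f"{nodes[0]}/{prefix_len}", strict=False)
    for n in nodes[1:]:
        if n not in subnet:
            problems.append(f"node {n} is outside the cluster subnet {subnet}")
    vip_addr = ipaddress.ip_address(vip)
    if external_lb is None:
        # PAM-native balancing: the VIP is a real, failover-capable address
        # and must live in the nodes' subnet.
        if vip_addr not in subnet:
            problems.append(f"VIP {vip_addr} is not in the cluster subnet {subnet}")
    else:
        # External balancing: clients target the load balancer, which may be
        # in any subnet. The VIP is only a placeholder; here we can verify it
        # does not collide with a real address (a live reachability check is
        # out of scope for this offline function).
        lb_addr = ipaddress.ip_address(external_lb)
        if vip_addr in nodes or vip_addr == lb_addr:
            problems.append(f"placeholder VIP {vip_addr} collides with a real address")
        if lb_addr in nodes:
            problems.append(f"load balancer address {lb_addr} collides with a node")
    return problems


if __name__ == "__main__":
    # Constructed sample: two nodes in 10.0.1.0/24, load balancer in 10.0.9.0/24.
    nodes = ["10.0.1.11", "10.0.1.12"]
    print(validate_cluster_addressing(nodes, 24, "10.0.1.100"))
    print(validate_cluster_addressing(nodes, 24, "10.0.2.100"))
    print(validate_cluster_addressing(nodes, 24, "10.0.1.250", external_lb="10.0.9.5"))
```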

Additional Information

See also: Add a Cluster Site