PAM server and third party load balancer in different subnets
Article ID: 187063
CA Privileged Access Manager (PAM)
The PAM documentation indicates that the virtual IP of the cluster (VIP) and the member PAM servers must be in the same subnet. Sometimes, for different reasons, the load balancer can placed in another subnet and we may want to use it. So, is it possible to use an external load balancer with PAM having them in different subnets?
If no third party load balancer is used, PAM manages the balancing by itself redirecting the sessions to the proper cluster node depending on its load. In this case, the VIP must belong to the same subnet the cluster nodes' IP addresses belong. The VIP is initially held by the primary node of the primary site and transferred to the secondary node in case the primary become unavailable. That is why the VIP has to belong to the same subnet the cluster nodes' IP addresses belong to.
If a third party load balancer is used, then you can use a fake VIP in the cluster definition, one which is not available in the network (to avoid unwanted connections) and make the PAM Clients use the external load balancer IP address to connect to the PAM Server cluster. The external load balancer will decide, based on its defined rules, the actual PAM Server each PAM Client connection will be redirected to.