Set up PSM high availability

Privilege Cloud can be configured to recognize multiple instances of PSMs, to meet the requirements of high availability and load balancing implementations, as well as distributed network architecture.

Load balancing offers you enhanced availability, improved performance, and optimal usage of hardware resources.

The load balancing architecture relies on an external tool that presents multiple PSM servers as a single IP or DNS address. PSM load balancing supports off-the-shelf load balancers.

PSM provides a service to determine the PSM service availability (health) and reports it, upon request, to the load balancer.

This section describes how to configure the PSM capabilities in a load-balanced environment.

Load balancing recommendations

The following recommendations apply to both big and small implementations, whether deployed in the cloud or on premises.

To learn more, see Example for configuring a load balancer.

| Recommendation | Description |
|---|---|
| Application load balancing | We recommend using an application-aware load balancing platform, deployed as a reverse proxy, for both big and small implementations. Deploy either a hardware or a virtual appliance, whichever best addresses capacity, feature set and support options. Hardware options usually offer the greatest scalability, while virtual appliances offer added deployment flexibility. |
| Health monitoring | Configure the load balancer to combine RDS and PSM application-level monitoring. For PSM, configure an HTTP health check by integrating with the PSM health check (see Deploy PSM Health Check), and configure TCP monitoring for the RDS service health check, as recommended by Microsoft, to achieve complete active application-level monitoring. |
| SSL configuration | Enable SSL passthrough to protect the communication line between the load balancer and the PSM nodes. For limited cases where the security of the communication line is not a concern, you can use SSL acceleration/termination. |
| Routing algorithm | Set the load balancing method to least connections so that the load, on average, is balanced equally between the nodes within the PSM pool. |
| Load balancer high availability | We recommend setting up high availability for the load balancer itself. |
| DNS load balancing | We recommend using DNS load balancing for both big and small implementations. |

Live monitoring of other sessions must be routed to the specific PSM host where the target live session resides, bypassing the normal routing algorithm.
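The combined monitor described under Health monitoring, as an added example (not CyberArk code): a node is eligible for the pool only when the RDS TCP check and the PSM HTTP health check both pass. The function names, the placeholder health URL and the treatment of HTTP 200 as the healthy status are assumptions; take the real URL from Deploy PSM Health Check.

```python
import http.client
import socket
import ssl
import urllib.error
import urllib.request


def rds_listening(host, port=3389, timeout=3.0):
    """TCP monitor: True if the RDS listener completes a TCP handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def psm_health_ok(url, timeout=3.0, cafile=None):
    """HTTP monitor: True only on HTTP 200 (assumed 'healthy' status)."""
    handlers = [urllib.request.ProxyHandler({})]  # probe the node directly, never via a proxy
    if url.startswith("https://"):
        # Keep certificate verification on; pass cafile for an internal CA.
        ctx = ssl.create_default_context(cafile=cafile)
        handlers.append(urllib.request.HTTPSHandler(context=ctx))
    try:
        with urllib.request.build_opener(*handlers).open(url, timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, http.client.HTTPException, OSError, ValueError):
        return False  # 5xx, TLS failure, timeout, refused: all count as down


def node_state(host, health_url, rds_port=3389):
    """A node is eligible for the pool only when BOTH monitors pass."""
    rds = rds_listening(host, rds_port)
    psm = psm_health_ok(health_url)
    return {"host": host, "rds": rds, "psm": psm, "in_pool": rds and psm}


def pool_members(nodes):
    """nodes: iterable of (host, health_url, rds_port) tuples."""
    return [s["host"] for s in (node_state(*n) for n in nodes) if s["in_pool"]]


if __name__ == "__main__":
    # Constructed placeholders: substitute real node names and the health URL
    # documented in Deploy PSM Health Check.
    sample = [("psm-node-1.example", "https://psm-node-1.example/HEALTH_PATH", 3389)]
    for n in sample:
        print(node_state(*n))
```

Reporting the two results separately shows which layer failed: a node with `rds` true and `psm` false still accepts RDP connections but should not receive new sessions.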

Configure PSM to work with load balancing

This section describes how to configure PSM to work with load balancing.

The same version of PSM must be installed on all Connector servers in an environment with load balanced PSMs.

PSM in a load balancing environment

This section describes how to configure CyberArk components to support PSM deployment in a load balanced environment.

Before you begin, make sure that the PSM servers have a virtual IP/DNS address.

Set up PSM in a load balancing environment:

  1. Install the first PSM on the first Connector server, then install the second PSM on the second and any additional Connector servers.

    For details on installing PSM, see Deploy the Privilege Cloud Connector.

  2. Contact CyberArk support and work with them to finalize this process. Before doing this, make sure to provide the following details:

    • PSM farm name. A short name that describes the purpose of the Connector farm. For example, connectorgroup-segment-1.
    • Cluster address. The virtual IP address of the cluster. For example, 10.10.10.1.