Resiliency - Architecture

A minimum MOVEit DMZ Resilient architecture consists of at least two MOVEit DMZ nodes, a load balancing device and a NAS device. However, even in a two-node configuration there are different ways to arrange things depending on your performance goals. This document describes the various architectures supported by MOVEit DMZ and discusses the advantages and disadvantages of each approach.

The three types of networks used in the diagrams below are explained below:

DMZ Network - An Internet-accessible network connected to an Internet-facing firewall. To conserve space, this network is not labeled on the diagrams; instead it is represented by the line from the firewall to the Load Balancer.
Application Network - A private network connected to a Load Balancer and MOVEit DMZ application nodes. Application traffic such as HTTPS, FTP and SSH passes over this network. (If a NIC-based or software-based load balancer such as Windows 2003 Network Load Balancing services is used, the application network will probably be connected to a firewall instead of a hardware load balancing device.)
Cluster Network (a.k.a. "Backbone" Network) - A private network connected to all MOVEit DMZ nodes and the NAS. Cluster traffic such as database queries, file writes, registry updates and status checks passes over this network.

The typical role of each component in these architectures is briefly covered below:

Primary Node - Primary database node. Accepts application updates and pushes changes to secondary node. Usually processes application traffic unless there are three or more MOVEit DMZ nodes in the cluster. The Primary node is node #1 by default, but can be node #2 after a failover
Secondary Node - Secondary database node. Accepts changes posted by the primary node. Usually processes application traffic unless there are four or more MOVEit DMZ nodes in the cluster. The Secondary node is node #2 by default, but can be node #1 after a failover.
Node #3+ - Optional additional application node; no role in database replication. Always processes application traffic.

Two MOVEit DMZ Nodes

When two MOVEit DMZ nodes are deployed in a resilient cluster, the focus is usually failover rather than load balancing. Nonetheless, it is usually easiest to configure the load balancer to send traffic to each machine equally, as long as connections from each unique remote IP address are always directed to the same physical machine.

ResilLayout2Nodes.gif (12187 bytes)

Advantage: Easiest configuration to maintain.
Advantage: Filesystem has been off-loaded to NAS and is not accessible from the Internet.
Disadvantage: Application sessions are not truly load-balanced. (One node has higher database load.)
Disadvantage: Database remains on Internet-accessible nodes.
Disadvantage: Loss of either node could cause lead to a loss in performance.

Even though the usual focus is failover when implementing this architecture, an additional performance benefit often results from running the database and the application on two separate servers during normal production. If this configuration is desired and a higher level of up-front configuration is not an issue, then then load balancer should be configured so that all incoming APPLICATION connections go to the SECONDARY node unless the secondary node is down. In this configuration, the PRIMARY node primary handles database queries and updates until the SECONDARY node goes down; at this point the PRIMARY node will also handle application traffic.

Three MOVEit DMZ Nodes

With the introduction of a third, application-only MOVEit DMZ node, the focus of the system begins to shift to offloading and true load balancing. A Load Balancer in this architecture should hand off sessions on a round-robin basis to the SECONDARY node and NODE #3.

ResilLayout3Nodes.gif (11127 bytes)

Advantage: Filesystem has been off-loaded to NAS and is not accessible from the Internet.
Advantage: Application sessions are truly load-balanced.
Disadvantage: Database remains on Internet-accessible nodes.
Disadvantage: Requires a third MOVEit DMZ license, takes longer to upgrade than two nodes.

Four MOVEit DMZ Nodes

With the introduction of a fourth MOVEit DMZ node, it is possible to drop one or two MOVEit DMZ nodes back to serve as dedicated database (and configuration) nodes. A Load Balancer in this architecture should hand off sessions on a round-robin basis to NODE #3 and NODE #4. Note that web, FTP or SSH services are not disabled on the PRIMARY or SECONDARY nodes in this configuration because these services do not consume significant resources unless they are working with active sessions.

ResilLayout4Nodes.gif (12263 bytes)

Advantage: Filesystem has been off-loaded to NAS and is not accessible from the Internet.
Advantage: Application sessions are truly load-balanced.
Advantage: Database is no longer kept on Internet-accessible nodes.
Disadvantage: Requires a third and fourth MOVEit DMZ license, takes longer to upgrade than three nodes.

Five MOVEit DMZ Nodes

This architecture is similar to the four-node architecture, but with one extra application node (and an additional MOVEit DMZ license).

ResilLayout5Nodes.gif (13225 bytes)

Six MOVEit DMZ Nodes

This architecture is similar to the four-node architecture, but with two extra application nodes (and two additional MOVEit DMZ licenses).

ResilLayout6Nodes.gif (13695 bytes)

Variations

One of the issues with the two, three and four node architectures depicted above is a possible loss of application performance if one of the two available application nodes goes down. To mitigate this loss, you may be able to configure your load balancer to also include the PRIMARY and/or SECONDARY nodes in the "application hunt" if one or more of the application nodes is already down.