Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 4. Deploy AWS Aurora in multiple availability zones
This topic describes how to deploy an Aurora regional deployment of a PostgreSQL instance across multiple availability zones to tolerate one or more availability zone failures in a given AWS region.
This deployment is intended to be used with the setup described in the Concepts for active-passive deployments chapter. Use this deployment with the other building blocks outlined in the Building blocks active-passive deployments chapter.
We provide these blueprints to show a minimal functionally complete example with a good baseline performance for regular installations. You would still need to adapt it to your environment and your organization’s standards and security best practices.
4.1. Architecture
Aurora database clusters consist of multiple Aurora database instances, with one instance designated as the primary writer and all others as backup readers. To ensure high availability in the event of availability zone failures, Aurora allows database instances to be deployed across multiple zones in a single AWS region. In the event of a failure on the availability zone that is hosting the Primary database instance, Aurora automatically heals itself and promotes a reader instance from a non-failed availability zone to be the new writer instance.
Figure 4.1. Aurora Multiple Availability Zone Deployment
See the AWS Aurora documentation for more details on the semantics provided by Aurora databases.
This documentation follows AWS best practices and creates a private Aurora database that is not exposed to the Internet. To access the database from a ROSA cluster, establish a peering connection between the database and the ROSA cluster.
4.2. Procedure
The following procedure contains two sections:
- Creation of an Aurora Multi-AZ database cluster with the name "keycloak-aurora" in eu-west-1.
- Creation of a peering connection between the ROSA cluster(s) and the Aurora VPC to allow applications deployed on the ROSA clusters to establish connections with the database.
4.2.1. Create Aurora database Cluster
- Create a VPC for the Aurora cluster - Command: - aws ec2 create-vpc \ --cidr-block 192.168.0.0/16 \ --tag-specifications "ResourceType=vpc, Tags=[{Key=AuroraCluster,Value=keycloak-aurora}]" \ --region eu-west-1- aws ec2 create-vpc \ --cidr-block 192.168.0.0/16 \ --tag-specifications "ResourceType=vpc, Tags=[{Key=AuroraCluster,Value=keycloak-aurora}]" \- 1 - --region eu-west-1- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- We add an optional tag with the name of the Aurora cluster so that we can easily retrieve the VPC.
 - Output: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create a subnet for each availability zone that Aurora will be deployed to, using the - VpcIdof the newly created VPC.Note- The cidr-block range specified for each of the availability zones must not overlap. - Zone A - Command: - aws ec2 create-subnet \ --availability-zone "eu-west-1a" \ --vpc-id vpc-0b40bd7c59dbe4277 \ --cidr-block 192.168.0.0/19 \ --region eu-west-1 - aws ec2 create-subnet \ --availability-zone "eu-west-1a" \ --vpc-id vpc-0b40bd7c59dbe4277 \ --cidr-block 192.168.0.0/19 \ --region eu-west-1- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Output: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Zone B - Command: - aws ec2 create-subnet \ --availability-zone "eu-west-1b" \ --vpc-id vpc-0b40bd7c59dbe4277 \ --cidr-block 192.168.32.0/19 \ --region eu-west-1 - aws ec2 create-subnet \ --availability-zone "eu-west-1b" \ --vpc-id vpc-0b40bd7c59dbe4277 \ --cidr-block 192.168.32.0/19 \ --region eu-west-1- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Output: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Obtain the ID of the Aurora VPC route-table - Command: - aws ec2 describe-route-tables \ --filters Name=vpc-id,Values=vpc-0b40bd7c59dbe4277 \ --region eu-west-1 - aws ec2 describe-route-tables \ --filters Name=vpc-id,Values=vpc-0b40bd7c59dbe4277 \ --region eu-west-1- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Output: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Associate the Aurora VPC route-table each availability zone’s subnet - Zone A - Command: - aws ec2 associate-route-table \ --route-table-id rtb-04a644ad3cd7de351 \ --subnet-id subnet-0d491a1a798aa878d \ --region eu-west-1 - aws ec2 associate-route-table \ --route-table-id rtb-04a644ad3cd7de351 \ --subnet-id subnet-0d491a1a798aa878d \ --region eu-west-1- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Zone B - Command: - aws ec2 associate-route-table \ --route-table-id rtb-04a644ad3cd7de351 \ --subnet-id subnet-057181b1e3728530e \ --region eu-west-1 - aws ec2 associate-route-table \ --route-table-id rtb-04a644ad3cd7de351 \ --subnet-id subnet-057181b1e3728530e \ --region eu-west-1- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Create Aurora Subnet Group - Command: - aws rds create-db-subnet-group \ --db-subnet-group-name keycloak-aurora-subnet-group \ --db-subnet-group-description "Aurora DB Subnet Group" \ --subnet-ids subnet-0d491a1a798aa878d subnet-057181b1e3728530e \ --region eu-west-1 - aws rds create-db-subnet-group \ --db-subnet-group-name keycloak-aurora-subnet-group \ --db-subnet-group-description "Aurora DB Subnet Group" \ --subnet-ids subnet-0d491a1a798aa878d subnet-057181b1e3728530e \ --region eu-west-1- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create Aurora Security Group - Command: - aws ec2 create-security-group \ --group-name keycloak-aurora-security-group \ --description "Aurora DB Security Group" \ --vpc-id vpc-0b40bd7c59dbe4277 \ --region eu-west-1 - aws ec2 create-security-group \ --group-name keycloak-aurora-security-group \ --description "Aurora DB Security Group" \ --vpc-id vpc-0b40bd7c59dbe4277 \ --region eu-west-1- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Output: - { "GroupId": "sg-0d746cc8ad8d2e63b" }- { "GroupId": "sg-0d746cc8ad8d2e63b" }- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the Aurora DB Cluster - Command: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- You should replace the - --master-usernameand- --master-user-passwordvalues. The values specified here must be used when configuring the Red Hat build of Keycloak database credentials.- Output: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create Aurora DB instances - Create Zone A Writer instance - Command: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create Zone B Reader instance - Command: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Wait for all Writer and Reader instances to be ready - Command: - aws rds wait db-instance-available --db-instance-identifier keycloak-aurora-instance-1 --region eu-west-1 aws rds wait db-instance-available --db-instance-identifier keycloak-aurora-instance-2 --region eu-west-1 - aws rds wait db-instance-available --db-instance-identifier keycloak-aurora-instance-1 --region eu-west-1 aws rds wait db-instance-available --db-instance-identifier keycloak-aurora-instance-2 --region eu-west-1- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Obtain the Writer endpoint URL for use by Keycloak - Command: - aws rds describe-db-clusters \ --db-cluster-identifier keycloak-aurora \ --query 'DBClusters[*].Endpoint' \ --region eu-west-1 \ --output text - aws rds describe-db-clusters \ --db-cluster-identifier keycloak-aurora \ --query 'DBClusters[*].Endpoint' \ --region eu-west-1 \ --output text- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Output: - [ "keycloak-aurora.cluster-clhthfqe0h8p.eu-west-1.rds.amazonaws.com" ]- [ "keycloak-aurora.cluster-clhthfqe0h8p.eu-west-1.rds.amazonaws.com" ]- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.2.2. Establish Peering Connections with ROSA clusters
Perform these steps once for each ROSA cluster that contains a Red Hat build of Keycloak deployment.
- Retrieve the Aurora VPC - Command: - aws ec2 describe-vpcs \ --filters "Name=tag:AuroraCluster,Values=keycloak-aurora" \ --query 'Vpcs[*].VpcId' \ --region eu-west-1 \ --output text - aws ec2 describe-vpcs \ --filters "Name=tag:AuroraCluster,Values=keycloak-aurora" \ --query 'Vpcs[*].VpcId' \ --region eu-west-1 \ --output text- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Output: - vpc-0b40bd7c59dbe4277 - vpc-0b40bd7c59dbe4277- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Retrieve the ROSA cluster VPC - 
									Login to the ROSA cluster using oc
- Retrieve the ROSA VPC - Command: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Output: - vpc-0b721449398429559 - vpc-0b721449398429559- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- 
									Login to the ROSA cluster using 
- Create Peering Connection - Command: - aws ec2 create-vpc-peering-connection \ --vpc-id vpc-0b721449398429559 \ --peer-vpc-id vpc-0b40bd7c59dbe4277 \ --peer-region eu-west-1 \ --region eu-west-1 - aws ec2 create-vpc-peering-connection \ --vpc-id vpc-0b721449398429559 \- 1 - --peer-vpc-id vpc-0b40bd7c59dbe4277 \- 2 - --peer-region eu-west-1 \ --region eu-west-1- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Output: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Wait for Peering connection to exist - Command: - aws ec2 wait vpc-peering-connection-exists --vpc-peering-connection-ids pcx-0cb23d66dea3dca9f - aws ec2 wait vpc-peering-connection-exists --vpc-peering-connection-ids pcx-0cb23d66dea3dca9f- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Accept the peering connection - Command: - aws ec2 accept-vpc-peering-connection \ --vpc-peering-connection-id pcx-0cb23d66dea3dca9f \ --region eu-west-1 - aws ec2 accept-vpc-peering-connection \ --vpc-peering-connection-id pcx-0cb23d66dea3dca9f \ --region eu-west-1- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Output: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Update ROSA cluster VPC route-table - Command: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Update the Aurora Security Group - Command: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The "machine_cidr" of the ROSA cluster
 - Output: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.3. Verifying the connection
				The simplest way to verify that a connection is possible between a ROSA cluster and an Aurora DB cluster is to deploy psql on the Openshift cluster and attempt to connect to the writer endpoint.
			
				The following command creates a pod in the default namespace and establishes a psql connection with the Aurora cluster if possible. Upon exiting the pod shell, the pod is deleted.
			
4.4. Deploying Red Hat build of Keycloak
				Now that an Aurora database has been established and linked with all of your ROSA clusters, the next step is to deploy Red Hat build of Keycloak as described in the Deploy Red Hat build of Keycloak for HA with the Red Hat build of Keycloak Operator chapter with the JDBC url configured to use the Aurora database writer endpoint. To do this, create a Keycloak CR with the following adjustments:
			
- 
						Update spec.db.urlto bejdbc:aws-wrapper:postgresql://$HOST:5432/keycloakwhere$HOSTis the Aurora writer endpoint URL.
- 
						Ensure that the Secrets referenced by spec.db.usernameSecretandspec.db.passwordSecretcontain usernames and passwords defined when creating Aurora.