When WSO2 products are deployed in a clustered mode on Amazon EC2 instances, it is recommended to use the AWS clustering mode. As a best practice, it is recommended to add all nodes in a single cluster to the same AWS security group.
...
- Enable clustering for this server.
<clustering class="org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent" enable="true">
- Set the membership scheme to
aws
to enable the AWS registration method.<parameter name="membershipScheme">aws</parameter>
- Specify the port used to communicate cluster messages. This must be any port number between 5701 and 5800.
<parameter name="localMemberPort">5701</parameter>
Specify the IP of the instance in the
<
localMemberHost>
element. This must be set to the IP address bound to the network interface used to communicate with other members in the group. Here's an example:<parameter name="localMemberHost">127.0.0.1</parameter>
Define the following AWS specific configurations. These are the AWS access key, secret key, security group, region (with or without the zone), tag key, and tag value. The AWS credentials and security group depend on your configurations in the Amazon EC2 instance. The
tagKey
andtagValue
are optional and the rest of the following parameters are mandatory. Theregion
defaults tous-east-1
.Code Block language xml <parameter name="accessKey">xxxxxxxxxx</parameter> <parameter name="secretKey">yyyyyyyyyy</parameter> <parameter name="securityGroup">a_group_name</parameter> // <parameter name="regioniamRole">us>ec2-describe-easttest-1<role</parameter> // Make sure you do not add <parameter name="region">us-east-1</parameter> // Make sure you do not add any zone values (e.g., a) to the region parameter. <parameter name="tagKey">a_tag_key</parameter> <parameter name="tagValue">a_tag_value</parameter> // If you are adding tags, they should be attached to the AWS instances.
Start the server as per theTip Tip: In order to provide specific permissions to create an access key and secret key for only this AWS clustering attempt, use the following custom policy block. Attach this to the user account that will operate AWS clustering in WSO2 products. The access key and secret key can only be used to list EC2 instance details in the AWS account. This can be used as an AWS policy for the IAM role as well.
Code Block { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeAvailabilityZones", "ec2:DescribeInstances" ], "Resource": [ "*" ] } ] }
You can use the following link as a reference on how to add the custom IAM policy: http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_managed-policies.html
For AWS clustering to work properly, you must set a specific tag key with a tag value for all EC2 instances that belong in the same cluster.
Tip title IAM Role You can use IAM Role instead of IAM user access keys in the AWS clustering scheme. The necessary policies can be associated with the IAM Role and assumed by the EC2 instance running the EI application. This means you can use the iamRole without accessKey and securityKey parameters.
Start the server as per the instructions in the Setting up a Cluster topic. If the cluster is set up successfully, you should not see any errors when the server starts up, and also see the following log message.
Code Block [2015-06-23 09:26:41,674] INFO - HazelcastClusteringAgent Using aws based membership management scheme
When new members join the cluster, you should see messages similar to the following.
Code Block [2015-06-23 09:27:08,044] INFO - AWSBasedMembershipScheme Member joined [5327e2f9-8260-4612-9083-5e5c5d8ad567]: /10.0.0.172:5701
When members leave the cluster, you should see messages similar to the following.
Code Block [2015-06-23 09:28:34,364] INFO - AWSBasedMembershipScheme Member left [b2a30083-1cf1-46e1-87d3-19c472bb2007]: /10.0.0.245:5701
Expand | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
|
All nodes having the same set of cluster configuration parameters will belong to the same cluster. Hazelcast calls the AWS APIs and gets a set of nodes that satisfy the specified parameters (region
, securityGroup
, tagKey
, tagValue
).
...
Note |
---|
Note: The WSO2 server needs to access the AWS endpoint ec2.<region>.amazonaws.com. For example, ec2.us-east-1.amazonaws.com. Therefore, if you need a proxy to connect to the Internet, set the proxy values in Be sure to use https.proxyHost instead of http.proxyHost . When you set the proxy parameters in wso2server.sh , each and every http/s call goes through the proxy. To avoid this, set the -Dhttp.nonProxyHosts as follows:-Dhttp.nonProxyHosts="localhost|127.0.0.1|.*.local |
Note |
---|
Note: You might have to import the Amazon endpoint certificates to the client truststore of the WSO2 servers. |