question

Babar Q. asked:

Dynatrace Proposed Design Assistance Required

Dear All,

We need your expert advice to design a robust setup for Dynatrace. We have multiple network zones (PCI/non-PCI) for the web servers, application servers and database servers; a few of them are heavily used and some are comparatively less used.

Our idea is to deploy 2 x Private Security Gateways (to get the advantage of load balancing / failover) in the heavily used zones and 1 x Private Security Gateway in the others.

So in the same zone we do not need to open port 9999 from OneAgent to the Private Security Gateways, and we can open only port 8443 from OneAgent to the Dynatrace Cluster.

In case one of the Private Security Gateways goes down in the heavily used zones, the agents should connect to the next available Private Security Gateway, and if both are not available they should connect directly to the Dynatrace Servers Cluster; the same should apply to the less utilized zones.

Please have a glance at the diagram below and also let us know how the Private Security Gateway talks to the Dynatrace Servers Cluster and on which TCP/IP port.

Note: A correction in the diagram that Zone A will have 2 x Private Security Gateways and Zone B will have 2 x Private Security Gateways.

Regards,

Babar

Tags: configuration, Dynatrace Managed, oneagent, activegate
Attachment: proposed-design.jpg (103.4 KiB)


1 Answer

Patrick H. answered:

The Private Security Gateways will talk to the Dynatrace Managed Cluster on port 8443.

So if they are in the same network as the agents, and the agents can talk to the cluster anyway, you are all set.

9 comments

Hello @Patrick H.

Please correct my understanding about the following:

  • Private Security Gateways and OneAgent talk to the Dynatrace Managed Cluster on Port 8443
  • If a Private Security Gateway is available in the same network zone, then initially OneAgent will try to connect to the SGW and, if it is absent, will connect to the Dynatrace Managed Cluster

Regards,

Babar

0 Likes

Correct, though I'm not 100% sure it will always prioritize the SGW. I'm sure someone can clear this up though.

0 Likes

Hello @Patrick H.

Thank you for your comments. Maybe someone else can share a real-world experience with us.

Regards,

Babar

0 Likes

Real-world experience: yes, for agents, connecting to a private gateway has the highest priority. If no private gateway is reachable, the agent tries to connect to any of the public gateways (if you have them in the environment). Connecting directly to the cluster has the lowest priority.

Actually, if you look carefully at the endpoint list (serverAddress in ruxitagentproc.conf), it is sorted by the priorities above: Private > Public > Cluster.

Agents do not check network hops (in my experience) nor calculate subnets. Maybe they check network RTT to prioritize some private gateways over others.

0 Likes

Hello @Julius L.

Currently we are planning to set up the Dynatrace environment, so I may ask some silly questions.

The statement below is about the dnsEntryPoint of the Security Gateway. We do have Public Security Gateways in our designed environment, so how will the agent connect to the Public Security Gateway in case the Private Security Gateway is not available, according to the sequence Private > Public > Cluster?

Define the entry point for the Security Gateway (for example, http://sg1.mydomain.com:9876). Via this URL, the Security Gateway is accessed by Dynatrace OneAgent. If not set, an auto-detected endpoint will be used. This entry can be used if the Security Gateway is accessed via, for example, an external IP address or load balancer.

Regards,

Babar

0 Likes

AFAIK, if the dnsEntryPoint is specified during installation or afterwards in the gateway config, only this entry gets propagated to the endpoint list. So the agent will only try to connect to the address and port (and IPs) specified by the dnsEntryPoint.

0 Likes
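An added illustration of the endpoint order Julius describes (private > public > cluster, walked until one is reachable) together with the dnsEntryPoint rule from the comment just above. This is example code, not Dynatrace's own; the gateway names, hosts and the simplified way it models the serverAddress list are constructed assumptions.

```python
"""Model of the OneAgent endpoint order described in this thread
(private gateway > public gateway > cluster, first reachable one wins) and
of the dnsEntryPoint rule: a gateway configured with it advertises only
that address. Added illustration, not Dynatrace code; all hosts are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PRIORITY = {"private": 0, "public": 1, "cluster": 2}  # serverAddress order

@dataclass
class Gateway:
    name: str
    kind: str                        # "private", "public" or "cluster"
    auto_detected: List[str]         # addresses the gateway detects itself
    dns_entry_point: Optional[str] = None

    def advertised(self) -> List[str]:
        # Thread: with dnsEntryPoint set, only that entry reaches the agents.
        return [self.dns_entry_point] if self.dns_entry_point else list(self.auto_detected)

def build_endpoint_list(gateways: List[Gateway]) -> List[Tuple[str, str]]:
    """Flatten advertised addresses sorted private > public > cluster (stable)."""
    ordered = sorted(gateways, key=lambda g: PRIORITY[g.kind])
    return [(g.kind, addr) for g in ordered for addr in g.advertised()]

def choose_endpoint(endpoints, reachable: Callable[[str], bool]):
    """First (kind, address) that `reachable` accepts, else None.
    `reachable` stands in for the agent's real connection attempt."""
    for kind, addr in endpoints:
        if reachable(addr):
            return kind, addr
    return None

def zone_a_gateways() -> List[Gateway]:
    # Constructed Zone A layout from the question: two private gateways (one
    # behind a load balancer via dnsEntryPoint), a public gateway, the cluster.
    return [
        Gateway("cluster", "cluster", ["https://cluster.example.internal:8443"]),
        Gateway("sgw-a1", "private", ["https://10.0.1.10:9999", "https://10.0.1.11:9999"],
                dns_entry_point="https://sgw-a.example.internal:9999"),
        Gateway("sgw-a2", "private", ["https://10.0.1.20:9999"]),
        Gateway("sgw-pub", "public", ["https://sgw-pub.example.com:9999"]),
    ]

def failover(down=frozenset()):
    """Agent's pick for Zone A when the addresses in `down` are unreachable."""
    return choose_endpoint(build_endpoint_list(zone_a_gateways()),
                           lambda addr: addr not in down)
```

Note that sgw-a1's auto-detected IPs never appear in the list once its dnsEntryPoint is set, which is the behaviour the comment above describes.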

Hello @Julius L.

So by default the same entry point will be used for the Public Security Gateway as per the sequence Private > Public > Cluster?

Regards,

Babar

0 Likes

I can't try it now in my lab, but I think dnsEntryPoint works that way with a private SGW. I expect this behaves equally for a public SGW.

0 Likes

Hello @Julius L.

Did you get a chance to work in the lab?

Regards,

Babar

0 Likes
