Tom P. asked ·

Security Gateway Load Balancing

We have a 2-node managed cluster and have 2 Security Gateways; we currently have only 20 agents and are adding more agents daily. We're not observing any network connections or indication of communication to the second SG. (Both SGs are up and healthy in the home screen.)
We'd like to understand the pattern for load balancing and confirm failover before we really need it.
Docs: https://help.dynatrace.com/data-security/security-... show load balancing and mention that agents automatically detect the SG, but we'd like documentation and understanding specific to SG -> Cluster LB and failover.

Helmut S. answered ·

Load balancing works on a random basis. Every few minutes the agents choose one SG out of all available ones. So you should see a roughly even distribution of the load on both SGs. One possibility would be that your second SG is not reachable from the agent perspective. Then only the first one would be used.

Helmut S. answered ·

Not sure what you mean. You say that you are not seeing any "communication to second SG", but you are not talking about traffic sent from the agent. So you mean communication between server nodes and SG? If yes, this would also be rather dependent on the traffic sent from the agents. If the agents did not send any data to the SG (in case the agents just cannot connect to it), you would see very little communication between server and SG as well (about one HTTP request about every 10s).

If both SGs get agent data, the SGs themselves also balance the load on a random basis to the server nodes.

Are you sure that both SGs are reachable from the agents? Are both on the same subnet? No firewall in between?

Maybe one word on "agent counts". Unlike Collectors in AppMon, the SG does not really know about connected agents (it has no memory about agents). It is really more like a simple proxy for them, which can be changed at any time.

Tom P. answered ·

Thanks @Helmut. Both SGs were configured similarly and appear healthy in Managed Deployment Status; I've been using Dynatrace (AppMon) for ~4 years, and easily observed that the collectors migrate agents based on events per second etc., but my question here is not about agent LB, it is about ensuring SG communication -> Cluster load balancing, especially since there are currently no metrics showing agent counts, measures, latency, etc. SGs show online in Deployment status, but we don't really see any appreciable load nor communication to the second SG, so that was (is) our concern.
