How to configure OpenDJ replication topology for AWS Multi region replication

This topic contains 4 replies, has 3 voices, and was last updated by  Bill Nelson 1 month ago.

  • #25954
     someswara.reddy.karem 
    Participant

    Dear FR Experts,

    We have three instances of OpenDJ users and OpenDJ CTS in three availability zones in a single region. Multi-master replication is enabled among the three. We don’t have any dedicated replication server at this point in time.

    Now we want to extend our OpenDJ users and CTS replication topology to AWS multi-region (3 regions, e.g. London, Ireland and Frankfurt).

    Please recommend the best replication topology and configuration for replicating users and sessions across multiple regions.

    Looking forward to hearing from you. Thanks.

    Regards

    Som

    #25955
     Bill Nelson 
    Participant

    My initial reaction is as follows:

    For Users, use two DS instances and one RS instance per region. Two DS instances provide HA within the region and use of RS instances minimizes cross region replication traffic. If the RS in one region ever goes down, then that region’s DS instances will simply send replication traffic to a peer RS in another region until you can stand up a new RS instance.

    For CTS, unless there is a compelling reason why you MUST maintain sessions cross region, then I would avoid cross region replication for CTS servers altogether. The reason is that the amount of traffic generated by session creation and subsequent session updates can be quite extensive depending on user activity. Instead, maintain CTS sessions within the region and keep traffic local within that region. Worst case scenario, someone has to reauthenticate if a region is down and they are redirected to another region. But if an entire region is down, you probably have other things to worry about than forcing Users to reauthenticate.

    #25956
     bmccraw 
    Participant

    I agree with @bill-nelsonidentityfusion-com’s suggestion. I’ll also add a reminder to use a different replication group-id in each region to keep the DS servers connected to the local region’s RS server.

    #25957
     someswara.reddy.karem 
    Participant

    Thanks all for your prompt response.

    #25960
     Bill Nelson 
    Participant

    I totally agree with @bmccraw. Good catch!
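
The layout suggested in this thread (two DS and one RS per region, a distinct group-id per region) as an added sketch, not code from any poster or from ForgeRock. Host names, the group-id numbering and the RS selection rule are assumptions; the selection rule is simplified to "local group-id first, otherwise any live RS", and a real deployment weighs further criteria.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Server:
    name: str        # constructed host name, not a real endpoint
    region: str
    role: str        # "DS" (directory server) or "RS" (replication server)
    group_id: int
    up: bool = True

def build_plan(regions=("london", "ireland", "frankfurt")):
    """Constructed plan: two DS and one RS per region, one group-id per region."""
    plan = []
    for gid, region in enumerate(regions, start=1):
        plan += [Server(f"ds{i}.{region}", region, "DS", gid) for i in (1, 2)]
        plan.append(Server(f"rs1.{region}", region, "RS", gid))
    return plan

def check_plan(servers):
    """Return the ways a plan departs from the layout suggested in the thread."""
    problems, by_region = [], defaultdict(list)
    for s in servers:
        by_region[s.region].append(s)
    owner = {}  # group-id -> first region seen using it
    for region, members in sorted(by_region.items()):
        roles = [m.role for m in members]
        if roles.count("DS") < 2:
            problems.append(f"{region}: fewer than two DS instances")
        if roles.count("RS") != 1:
            problems.append(f"{region}: expected exactly one RS instance")
        gids = {m.group_id for m in members}
        if len(gids) != 1:
            problems.append(f"{region}: mixed group-ids {sorted(gids)}")
        for gid in gids:
            if owner.setdefault(gid, region) != region:
                problems.append(f"group-id {gid} shared by {owner[gid]} and {region}")
    return problems

def pick_rs(ds, servers):
    """Simplified model: a live RS with the DS's group-id wins, else any live RS."""
    live = sorted((s for s in servers if s.role == "RS" and s.up), key=lambda s: s.name)
    local = [s for s in live if s.group_id == ds.group_id]
    return (local or live or [None])[0]

def fail(servers, name):
    """Return a copy of the plan with the named server marked down."""
    return [replace(s, up=False) if s.name == name else s for s in servers]
```

With every server given the same group-id, `check_plan` reports the shared id and `pick_rs` no longer keeps a DS on its own region's RS, which is the cross-region traffic the group-id reminder is meant to avoid.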
