Networking and Connectivity Requirements

Load Balancer

A layer seven load balancer, also commonly referred to as an application load balancer, is required for running the Kinetic Platform.

Sticky Sessions / Persistence

The Kinetic Platform uses sticky sessions to route each user to the same server. When configuring the load balancer, sticky sessions need to be enabled with a session cookie name of INGRESSCOOKIE. If sticky sessions are not configured, users will be prompted to enter their credentials as requests are transferred between application servers.

Target Configuration

End users connect to the Kinetic Platform from a web browser. In order to secure this connection, the load balancer is responsible for accepting HTTPS requests and routing them to the Kinetic Platform cluster nodes.

The load balancer can be configured to terminate HTTPS and internally route to an unencrypted HTTP port, or it can be configured as a reverse proxy when end-to-end encryption is desired. When being used as a reverse proxy, the load balancer should be configured to decrypt the traffic, apply any applicable layer 7 actions (such as introspecting the INGRESSCOOKIE), and then re-encrypt the traffic before routing it to the encrypted HTTPS port.

Note: Because the Kinetic Platform requires persistent sessions, it is not possible to support SSL/HTTPS passthrough configurations.

The load balancer target pool should contain the IP addresses of all the nodes in the cluster. Each node in the cluster contains an ingress listening on ports 30080 for HTTP traffic, 30443 for HTTPS traffic, and 10248 for HTTP health checks. The load balancer's target HTTP health check should point to HTTP:10248/healthz.

Note: When using cloud providers such as AWS, this could either be configured using a pool of Elastic IPs or by configuring a load balancer to point to a target group.

End-to-End SSL Target Configuration

| Load Balancer Port | Instance Port | Instance Protocol | Internal Usage |
|---|---|---|---|
| 80 | 30080 | HTTP | Redirect to 443 when using SSL |
| 443 | 30443 | HTTPS | HTTPS ingress node port for the cluster. |

SSL Termination Target Configuration

| Load Balancer Port | Instance Port | Instance Protocol | Internal Usage |
|---|---|---|---|
| 80 | 30080 | HTTP | Redirect to 443 when using SSL |
| 443 | 30080 | HTTP | HTTP ingress node port for the cluster. |
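
The sticky session, target pool, health check and port mapping requirements above can be checked before install. The following is an added example, not Kinetic Platform code: the dictionary layout, key names, mode names and sample addresses are hypothetical; only the ports, cookie name and health check path come from this page.

```python
# Added example. The dict layout below is hypothetical, not a Kinetic Platform
# or cloud-provider format; the ports, cookie and health check come from the page.
EXPECTED = {  # mode -> {load balancer port: (node port, node protocol)}
    "end-to-end": {80: (30080, "HTTP"), 443: (30443, "HTTPS")},
    "termination": {80: (30080, "HTTP"), 443: (30080, "HTTP")},
}
HEALTH_CHECK = ("HTTP", 10248, "/healthz")
STICKY_COOKIE = "INGRESSCOOKIE"

def lint_load_balancer(lb, cluster_nodes):
    """Return findings; an empty list means the definition matches the page."""
    expected = EXPECTED.get(lb.get("mode"))
    if expected is None:
        return [f"unknown mode {lb.get('mode')!r}"]
    findings = []
    listeners = {l["lb_port"]: l for l in lb.get("listeners", [])}
    for lb_port, target in expected.items():
        listener = listeners.get(lb_port)
        if listener is None:
            findings.append(f"no listener on port {lb_port}")
            continue
        # A layer 4 (TCP/TLS passthrough) listener cannot read the sticky cookie.
        if listener.get("frontend") not in ("HTTP", "HTTPS"):
            findings.append(f"port {lb_port}: listener is not layer 7")
        if (listener.get("node_port"), listener.get("node_protocol")) != target:
            findings.append(f"port {lb_port}: target must be {target[1]}:{target[0]}")
    if lb.get("sticky_cookie") != STICKY_COOKIE:
        findings.append(f"sticky session cookie must be {STICKY_COOKIE}")
    hc = lb.get("health_check", {})
    if (hc.get("protocol"), hc.get("port"), hc.get("path")) != HEALTH_CHECK:
        findings.append("health check must be HTTP:10248/healthz")
    missing = sorted(set(cluster_nodes) - set(lb.get("targets", [])))
    if missing:
        findings.append(f"nodes missing from target pool: {missing}")
    return findings

# Constructed sample input: three cluster nodes and two load balancer definitions.
NODES = ["10.0.1.10", "10.0.1.11", "10.0.1.12"]
GOOD = {
    "mode": "end-to-end", "sticky_cookie": "INGRESSCOOKIE", "targets": NODES,
    "health_check": {"protocol": "HTTP", "port": 10248, "path": "/healthz"},
    "listeners": [
        {"lb_port": 80, "frontend": "HTTP", "node_port": 30080, "node_protocol": "HTTP"},
        {"lb_port": 443, "frontend": "HTTPS", "node_port": 30443, "node_protocol": "HTTPS"}],
}
# TCP passthrough on 443, wrong cookie, health check on the app port, one node missing.
BAD = {**GOOD, "sticky_cookie": "JSESSIONID", "targets": NODES[:2],
       "health_check": {"protocol": "HTTP", "port": 30080, "path": "/"},
       "listeners": [GOOD["listeners"][0],
                     {"lb_port": 443, "frontend": "TCP", "node_port": 30443, "node_protocol": "TCP"}]}
```
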

Header Manipulation

In order to preserve the source IP address of the request for use in security policies and for log file accuracy, the load balancer must be configured to set the following headers:

Note: Most layer 7 load balancers (including AWS ALBs) set these headers by default.

DNS Configuration

The Kinetic Platform provides the ability to support multiple tenants (which we call "Spaces"). The configuration and management of the system is exposed as the root domain, and the environment for each tenant is exposed as a subdomain based upon their tenant identifier (what we call "slugs"). For example, if the Kinetic Platform is exposed via kinetic.mydomain.com, then tenants would be exposed via tenant1.kinetic.mydomain.com, tenant2.kinetic.mydomain.com, and so on.

Configure the following within your domain registration system:

  • A record MYDOMAIN.COM mapped to the IP address of the load balancer
  • A record *.MYDOMAIN.COM mapped to the IP address of the load balancer

Note: When using cloud providers such as AWS, we recommend using the DNS registration option supplied by the provider (for example, Route 53 for AWS).

A domain name (for example, kinetic.mydomain.com) will be required during the Kinetic Platform install as part of this prerequisite.