Skip to main content

Configure load balancer endpoints

Contributors netapp-perveilerk netapp-lhalbert

Load balancer endpoints determine the ports and network protocols S3 clients can use when connecting to the StorageGRID load balancer on Gateway and Admin Nodes. You can also use endpoints to access the Grid Manager, Tenant Manager, or both.

Tip Swift details have been removed from this version of the doc site. See Configure S3 and Swift client connections.
Before you begin
  • You are signed in to the Grid Manager using a supported web browser.

  • You have the Root access permission.

  • You have reviewed the considerations for load balancing.

  • If you previously remapped a port you intend to use for the load balancer endpoint, you have removed the port remap.

  • You have created any high availability (HA) groups you plan to use. HA groups are recommended, but not required. See Manage high availability groups.

  • If the load balancer endpoint will be used by S3 tenants for S3 Select, it must not use the IP addresses or FQDNs of any bare-metal nodes. Only services appliances and VMware-based software nodes are allowed for the load balancer endpoints used for S3 Select.

  • You have configured any VLAN interfaces you plan to use. See Configure VLAN interfaces.

  • If you are creating an HTTPS endpoint (recommended), you have the information for the server certificate.

    Note Changes to an endpoint certificate can take up to 15 minutes to be applied to all nodes.
    • To upload a certificate, you need the server certificate, the certificate private key, and optionally, a CA bundle.

    • To generate a certificate, you need all of the domain names and IP addresses that S3 clients will use to access the endpoint. You must also know the subject (Distinguished Name).

    • If you want to use the StorageGRID S3 API certificate (which can also be used for connections directly to Storage Nodes), you have already replaced the default certificate with a custom certificate signed by an external certificate authority. See Configure S3 API certificates.

Create a load balancer endpoint

Each S3 client load balancer endpoint specifies a port, a client type (S3), and a network protocol (HTTP or HTTPS). Management interface load balancer endpoints specifies a port, interface type, and untrusted Client Network.

Access the wizard

Steps
  1. Select CONFIGURATION > Network > Load balancer endpoints.

  2. To create an endpoint for an S3 or Swift client, select the S3 or Swift client tab.

  3. To create an endpoint for access to the Grid Manager, Tenant Manager, or both, select the Management interface tab.

  4. Select Create.

Enter endpoint details

Steps
  1. Select the appropriate instructions to enter details for the type of endpoint you want to create.

S3 or Swift client
Field Description

Name

A descriptive name for the endpoint, which will appear in the table on the Load balancer endpoints page.

Port

The StorageGRID port you want to use for load balancing. This field defaults to 10433 for the first endpoint you create, but you can enter any unused external port from 1 to 65535.

If you enter 80 or 8443, the endpoint is configured only on Gateway Nodes, unless you have freed up port 8443. Then you can use port 8443 as an S3 endpoint, and the port will be configured on both Gateway and Admin Nodes.

Client type

The type of client application that will use this endpoint, either S3 or Swift.

Network protocol

The network protocol that clients will use when connecting to this endpoint.

  • Select HTTPS for secure, TLS encrypted communication (recommended). You must attach a security certificate before you can save the endpoint.

  • Select HTTP for less secure, unencrypted communication. Use HTTP only for a non-production grid.

Management interface
Field Description

Name

A descriptive name for the endpoint, which will appear in the table on the Load balancer endpoints page.

Port

The StorageGRID port you want to use to access the Grid Manager, Tenant Manager, or both.

  • Grid Manager: 8443

  • Tenant Manager: 9443

  • Both Grid Manager and Tenant Manager: 443

Note: You can use these preset ports or other available ports.

Interface type

Select the radio button for the StorageGRID interface you will access using this endpoint.

Untrusted Client Network

Select Yes if this endpoint should be accessible to untrusted Client Networks. Otherwise, select No.

When you select Yes, the port is open on all untrusted Client Networks.

Note: You can only configure a port to be open or closed to untrusted Client Networks when you are creating the load balancer endpoint.

  1. Select Continue.

Select a binding mode

Steps
  1. Select a binding mode for the endpoint to control how the endpoint is accessed using any IP address or using specific IP addresses and network interfaces.

    Some binding modes are available for either client endpoints or management interface endpoints. All modes for both endpoint types are listed here.

    Mode Description

    Global (default for client endpoints)

    Clients can access the endpoint using the IP address of any Gateway Node or Admin Node, the virtual IP (VIP) address of any HA group on any network, or a corresponding FQDN.

    Use the Global setting unless you need to restrict the accessibility of this endpoint.

    Virtual IPs of HA groups

    Clients must use a virtual IP address (or corresponding FQDN) of an HA group to access this endpoint.

    Endpoints with this binding mode can all use the same port number, as long as the HA groups you select for the endpoints don't overlap.

    Node interfaces

    Clients must use the IP addresses (or corresponding FQDNs) of selected node interfaces to access this endpoint.

    Node type (client endpoints only)

    Based on the type of node you select, clients must use either the IP address (or corresponding FQDN) of any Admin Node or the IP address (or corresponding FQDN) of any Gateway Node to access this endpoint.

    All Admin Nodes (default for management interface endpoints)

    Clients must use the IP address (or corresponding FQDN) of any Admin Node to access this endpoint.

    If more than one endpoint uses the same port, StorageGRID uses this priority order to decide which endpoint to use: Virtual IPs of HA groups > Node interfaces > Node type > Global.

    If you are creating management interface endpoints, only Admin Nodes are allowed.

  2. If you selected Virtual IPs of HA groups, select one or more HA groups.

    If you are creating management interface endpoints, select VIPs associated only with Admin Nodes.

  3. If you selected Node interfaces, select one or more node interfaces for each Admin Node or Gateway Node that you want to associate with this endpoint.

  4. If you selected Node type, select either Admin Nodes, which includes both the primary Admin Node and any non-primary Admin Nodes, or Gateway Nodes.

Control tenant access

Note A management interface endpoint can control tenant access only when the endpoint has the interface type of Tenant Manager.
Steps
  1. For the Tenant access step, select one of the following:

    Field Description

    Allow all tenants (default)

    All tenant accounts can use this endpoint to access their buckets.

    You must select this option if you have not yet created any tenant accounts. After you add tenant accounts, you can edit the load balancer endpoint to allow or block specific accounts.

    Allow selected tenants

    Only the selected tenant accounts can use this endpoint to access their buckets.

    Block selected tenants

    The selected tenant accounts can't use this endpoint to access their buckets. All other tenants can use this endpoint.

  2. If you are creating an HTTP endpoint, you don't need to attach a certificate. Select Create to add the new load balancer endpoint. Then, go to After you finish. Otherwise, select Continue to attach the certificate.

Attach certificate

Steps
  1. If you are creating an HTTPS endpoint, select the type of security certificate you want to attach to the endpoint.

    The certificate secures the connections between S3 clients and the Load Balancer service on Admin Node or Gateway Nodes.

    • Upload certificate. Select this option if you have custom certificates to upload.

    • Generate certificate. Select this option if you have the values needed to generate a custom certificate.

    • Use StorageGRID S3 certificate. Select this option if you want to use the global S3 API certificate, which can also be used for connections directly to Storage Nodes.

      You can't select this option unless you have replaced the default S3 API certificate, which is signed by the grid CA, with a custom certificate signed by an external certificate authority. See Configure S3 API certificates.

    • Use management interface certificate. Select this option if you want to use the global management interface certificate, which can also be used for direct connections to Admin Nodes.

  2. If you aren't using the StorageGRID S3 certificate, upload or generate the certificate.

    Upload certificate
    1. Select Upload certificate.

    2. Upload the required server certificate files:

      • Server certificate: The custom server certificate file in PEM encoding.

      • Certificate private key: The custom server certificate private key file (.key).

        Note EC private keys must be 224 bits or larger. RSA private keys must be 2048 bits or larger.
      • CA bundle: A single optional file containing the certificates from each intermediate issuing certificate authority (CA). The file should contain each of the PEM-encoded CA certificate files, concatenated in certificate chain order.

    3. Expand Certificate details to see the metadata for each certificate you uploaded. If you uploaded an optional CA bundle, each certificate displays on its own tab.

      • Select Download certificate to save the certificate file or select Download CA bundle to save the certificate bundle.

        Specify the certificate file name and download location. Save the file with the extension .pem.

        For example: storagegrid_certificate.pem

      • Select Copy certificate PEM or Copy CA bundle PEM to copy the certificate contents for pasting elsewhere.

    4. Select Create.
      The load balancer endpoint is created. The custom certificate is used for all subsequent new connections between S3 clients or the management interface and the endpoint.

    Generate certificate
    1. Select Generate certificate.

    2. Specify the certificate information:

      Field Description

      Domain name

      One or more fully qualified domain names to include in the certificate. Use an * as a wildcard to represent multiple domain names.

      IP

      One or more IP addresses to include in the certificate.

      Subject (optional)

      X.509 subject or distinguished name (DN) of the certificate owner.

      If no value is entered in this field, the generated certificate uses the first domain name or IP address as the subject common name (CN).

      Days valid

      Number of days after creation that the certificate expires.

      Add key usage extensions

      If selected (default and recommended), key usage and extended key usage extensions are added to the generated certificate.

      These extensions define the purpose of the key contained in the certificate.

      Note: Leave this checkbox selected unless you experience connection problems with older clients when certificates include these extensions.

    3. Select Generate.

    4. Select Certificate details to see the metadata for the generated certificate.

      • Select Download certificate to save the certificate file.

        Specify the certificate file name and download location. Save the file with the extension .pem.

        For example: storagegrid_certificate.pem

      • Select Copy certificate PEM to copy the certificate contents for pasting elsewhere.

    5. Select Create.

      The load balancer endpoint is created. The custom certificate is used for all subsequent new connections between S3 clients or the management interface and this endpoint.

After you finish

Steps
  1. If you use a DNS, ensure that the DNS includes a record to associate the StorageGRID fully qualified domain name (FQDN) to each IP address that clients will use to make connections.

    The IP address you enter in the DNS record depends on whether you are using an HA group of load-balancing nodes:

    • If you have configured an HA group, clients will connect to the virtual IP addresses of that HA group.

    • If you aren't using an HA group, clients will connect to the StorageGRID Load Balancer service using the IP address of a Gateway Node or Admin Node.

      You must also ensure that the DNS record references all required endpoint domain names, including any wildcard names.

  2. Provide S3 clients with the information needed to connect to the endpoint:

    • Port number

    • Fully qualified domain name or IP address

    • Any required certificate details

View and edit load balancer endpoints

You can view details for existing load balancer endpoints, including the certificate metadata for a secured endpoint. You can change certain settings for an endpoint.

  • To view basic information for all load balancer endpoints, review the tables on the Load balancer endpoints page.

  • To view all details about a specific endpoint, including certificate metadata, select the endpoint's name in the table. The information shown varies depending on the endpoint type and how it's configured.

    Load balancer endpoint details
  • To edit an endpoint, use the Actions menu on the Load balancer endpoints page.

    Note If you lose access to Grid Manager while editing the port of a management interface endpoint, update the URL and port to regain access.
    Tip After editing an endpoint, you might need to wait up to 15 minutes for your changes to be applied to all nodes.
    Task Actions menu Details page

    Edit endpoint name

    1. Select the checkbox for the endpoint.

    2. Select Actions > Edit endpoint name.

    3. Enter the new name.

    4. Select Save.

    1. Select the endpoint name to display the details.

    2. Select the edit icon Edit icon.

    3. Enter the new name.

    4. Select Save.

    Edit endpoint port

    1. Select the checkbox for the endpoint.

    2. Select Actions > Edit endpoint port

    3. Enter a valid port number.

    4. Select Save.

    n/a

    Edit endpoint binding mode

    1. Select the checkbox for the endpoint.

    2. Select Actions > Edit endpoint binding mode.

    3. Update the binding mode as required.

    4. Select Save changes.

    1. Select the endpoint name to display the details.

    2. Select Edit binding mode.

    3. Update the binding mode as required.

    4. Select Save changes.

    Edit endpoint certificate

    1. Select the checkbox for the endpoint.

    2. Select Actions > Edit endpoint certificate.

    3. Upload or generate a new custom certificate or begin using the global S3 certificate, as required.

    4. Select Save changes.

    1. Select the endpoint name to display the details.

    2. Select the Certificate tab.

    3. Select Edit certificate.

    4. Upload or generate a new custom certificate or begin using the global S3 certificate, as required.

    5. Select Save changes.

    Edit tenant access

    1. Select the checkbox for the endpoint.

    2. Select Actions > Edit tenant access.

    3. Choose a different access option, select or remove tenants from the list, or do both.

    4. Select Save changes.

    1. Select the endpoint name to display the details.

    2. Select the Tenant access tab.

    3. Select Edit tenant access.

    4. Choose a different access option, select or remove tenants from the list, or do both.

    5. Select Save changes.

Remove load balancer endpoints

You can remove one or more endpoints using the Actions menu, or you can remove a single endpoint from the details page.

Caution To prevent client disruptions, update any affected S3 client applications before you remove a load balancer endpoint. Update each client to connect using a port assigned to another load balancer endpoint. Be sure to update any required certificate information as well.
Note If you lose access to Grid Manager while removing a management interface endpoint, update the URL.
  • To remove one or more endpoints:

    1. From the Load balancer page, select the checkbox for each endpoint you want to remove.

    2. Select Actions > Remove.

    3. Select OK.

  • To remove one endpoint from the details page:

    1. From the Load balancer page. select the endpoint name.

    2. Select Remove on the details page.

    3. Select OK.