Adding a Node on Azure

Overview

This procedure is for adding a worker node to an existing TOS Aurora cluster on the Azure platform. If you have not yet installed TOS Aurora, start with Clean Install. For all other installation paths such as upgrade or other platforms, see the menu for the appropriate procedure.

Read and understand Prerequisites before you start.

Prerequisites

General Requirements

  • This procedure must be performed by an experienced Linux administrator with knowledge of network configuration.

  • If you have made a previous unsuccessful attempt to install TOS Aurora, you must uninstall and reboot before reinstalling (see Uninstalling TOS)

  • IP tables version 1.8.5 and above. IP tables must be reserved exclusively for TOS Aurora and cannot be used for any other purpose. During installation, any existing IP tables configurations will be flushed and replaced.

  • Your servers must have sufficient CPUs, disk storage and main memory for TOS Aurora to work effectively. The resources required can be categorized by system size.

    To evaluate the size of system you need, see Sizing Calculation for a Clean Install.

  • Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. If you want to change the host name of the node, do so before running the tos install command.

    If you need assistance, consult with your sales engineer or Tufin support.

  • Tufin Orchestration Suite should be treated as high-risk security resource, similar to how you would treat any LDAP product (for example, Active Directory). Therefore, you should only install Tufin Orchestration Suite in an appropriately secured network and physical location, and only authorized users should be granted access to TOS products and the operating system on the server.

  • If you are using NFS, your backup server needs to be running NFS 4.

  • Large deployments are not supported on Azure.

  • Secure boot must be disabled.

  • You need to configure a separate partition for /opt,, and the boot disk needs at least 300 GB of available storage. The /opt partition will contain your data, which will increase over time. Most of your available disk space should be allocated to this partition and the minimum is determined by the load model parameter (small, medium, large) provided by your account team. Minimum sizes for all partitions:

    Minimum Partition Sizes

    Boot disk

    /opt/

    (Small)*

    /opt/

    (Medium)*

    /opt/

    (Large)*
    Central cluster / remote cluster primary data node / HA data nodes 300 GB 80 GB 170 GB 370 GB
    Worker node (central and remote clusters) 150 GB 70 GB 70 GB 70 GB

    *Small, medium and large refer to the load model parameter provided by your account team.

    We recommend allocating /opt partition all remaining disk space after you have partitioned the boot disk and etcd.

    There is a step in this procedure that will cause the system to reboot, with access only from the Azure Serial Console until the machine is rebooted for the second time. Before starting, make sure you have access to the Azure Serial Console.

Procedure

Complete the steps below in sequence.

For additional help, refer to the Microsoft Azure official documentation - Create a Linux virtual machine in the Azure portal

  1. Log in to your Azure portal.

  2. Navigate to Marketplace and create a VM.

  3. Under the Basics tab, enter/select the following information:

    • Subscription - your Azure subscription name

    • Resource Group - your Azure resource group name

    • Virtual Machine Name - a name of your choice to identify the VM e.g. myVirtualMachine-0

    • Region - select from the list

    • Image - select one of the following from the list:

      • Red Hat Enterprise Linux 8.10

      • Rocky Linux 8.10

      The image must include Logical Volume Management (LVM), which is required to enlarge the volumes.

    • Size - select CPUs and memory as advised by your account team

    • Authentication type - select SSH public key

    • User name - enter azureuser

    • SSH public key source - select generate new key pair

    • Key pair name - use the default name provided

  4. Under the Disks tab, enter/select the following information

    • OS disk type - select Premium SSD
    • Encryption - default

  5. Select Create and attach a new disk.

  6. Enter the disk details:

    • Enter a Name of your choice.

    • Set Host caching to Read/write.

    • Select a storage type Take into consideration that TOS requires 7,500 IOPS and the throughput expected will average 250MB/s with bursts of up to 700MB/s.

    • Set Storage Size GiB to the disk space sizing requirement given to you by your account team.

  7. Save the disk defintions.

  8. If you want a public IP:

    • Select the Networking tab
    • Under Public IP, click Create new.
    • Enter a name.
    • Select SKU - Standard.

  9. Under the Tags tab, create two tags, replacing <your name> and <your environment name> with names of your choice:

    • owner: <your name>
    • env: <your environment name>
  10. Click Review and Create
  11. Click Create. The generate new key pair prompt appears.
  12. Generate a new key pair. Click Download private key and create resource. The private key will be downloaded to your PC as a file with suffix .pem. It will be needed to log into the VM console.

  13. Navigate to the directory on your PC that contains the .pem file just downloaded (<pem_key_name>) and change its permissions to prevent other users from running it.

    If your PC is running on a Linux-like operating system:

    [<ADMIN> ~]# chmod 400 <pem_key_name>
    chmod 400 <pem_key_name>

  14. You can now log in to the VM console whenever required.

    Log in to the Azure VM console where <pem_key_name> is the name of the .pem file downloaded previously from the Azure portal, <azureuser> is the name of your Azure user on the VM and <IP> is its private or public IP. The private and optional public IPs can be seen on the Networking tab.

    [<ADMIN> ~]# ssh -i <pem_key_name> <azureuser>@<IP>
    ssh -i <pem_key_name> <azureuser>@<IP>
  15. In the portal, select the newly created VM and then select the Networking tab.

  16. Select Add inbound port rule and create a rule with the properties below:

    • SourceAny
    • Source port ranges: *
    • Destination: Any
    • Destination port ranges: 31443, 31617, 31514, 31099, 31843, 30161, 30514, 31161 - see Ports and Services to see why
    • Protocol: Any
    • Action: Allow
    • Priority: 310
    • Name: TOS_Aurora or other name of your choice
    • Description: TOS_Aurora or other description of your choice

For additional help, refer to the MicrosoftAzure official documentation - Azure Load Balancer portal settings

  1. In your Azure portal, navigate to Load Balancers.
  2. Select the load balancer created previously (when the VM for the primary data node was set up).
  3. Navigate to backend pools.
  4. Select the backend pool created previously (when the VM for the primary data node was set up).
  5. Add the new VM to the list of virtual machines in the backend pool.
  6. Save.

If not done already, set up partitions according to the Prerequisites.

  1. If you are not currently logged in as user root, do so now.

    [<ADMIN> ~]$ su -
    su -

  2. If you want to change the host name or IP of the machine, do so now. Once TOS Aurora has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. To change the host name, use the command below, replacing <mynode> with your preferred name.

    [<ADMIN> ~]# hostnamectl set-hostname <mynode>
    hostnamectl set-hostname <mynode>

  3. Modify the environment path to run TOS CLI commands without specifying the full path (/usr/local/bin/tos). 

    [<ADMIN> ~]# echo 'export PATH="${PATH}:/usr/local/bin"' | sudo tee -a /root/.bashrc > /dev/null
    echo 'export PATH="${PATH}:/usr/local/bin"' | sudo tee -a /root/.bashrc > /dev/null

  4. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony.

  5. Configure the server timezone.

    [<ADMIN> ~]# timedatectl set-timezone <timezone>
    timedatectl set-timezone <timezone>

    where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague. List the time-zone formats that can be used in the command.

    [<ADMIN> ~]# timedatectl list-timezones
    timedatectl list-timezones

  6. Upgrade the kernel:

    [<ADMIN> ~]# dnf upgrade
    dnf upgrade

  7. Disable SELinux:

    • If file /etc/selinux/config exists, edit and change the value of SELINUX to disabled:

      SELINUX=disabled
    • If the file doesn't exist or SELINUX is already set to disabled, do nothing.
  8. Reboot the machine and log in.

  9. Install Wireguard. This is needed to encrypt communication between nodes (machines) within the cluster. 

    10. [<ADMIN> ~]# sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
    sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
    [<ADMIN> ~]# sudo yum install kmod-wireguard wireguard-tools
    sudo yum install kmod-wireguard wireguard-tools
  10. Reboot the machine and log in.

  11. Install tmux and rsync:

    [<ADMIN> ~]# dnf install -y rsync tmux
    dnf install -y rsync tmux

  12. Disable the firewall:

    [<ADMIN> ~]# systemctl stop firewalld
    systemctl stop firewalld
    [<ADMIN> ~]# systemctl disable firewalld
    systemctl disable firewalld

  13. Create the TOS Aurora load module configuration file /etc/modules-load.d/tufin.conf. Example using vi:

    [<ADMIN> ~]# vi /etc/modules-load.d/tufin.conf
    vi /etc/modules-load.d/tufin.conf

  14. Specify the modules to be loaded by adding the following lines to the configuration file created in the previous step. The modules will then be loaded automatically on boot.

    br_netfilter
    wireguard
    overlay
    ebtables
    ebtable_filter
    br_netfilter wireguard overlay ebtables ebtable_filter

  15. Load the above modules now:

    [<ADMIN> ~]# cat /etc/modules-load.d/tufin.conf |xargs modprobe -a 
    cat /etc/modules-load.d/tufin.conf |xargs modprobe -a

    Look carefully at the output to confirm all modules loaded correctly; an error message will be issued for any modules that failed to load.

  16. Check that Wireguard has loaded correctly. 

    [<ADMIN> ~]# lsmod |grep wireguard
    lsmod |grep wireguard

    The output will appear something like this:

    wireguard              201106  0
ip6_udp_tunnel         12755  1 wireguard
udp_tunnel             14423  1 wireguard

    If Wireguard is not listed in the output, contact support.

  17. Create the TOS Aurora kernel configuration file /etc/sysctl.d/tufin.conf. Example using vi:

    [<ADMIN> ~]# vi /etc/sysctl.d/tufin.conf
    vi /etc/sysctl.d/tufin.conf

  18. Specify the kernel settings to be made by adding the following lines to the configuration file created in the previous step. The settings will then be applied on boot. 

    net.bridge.bridge-nf-call-iptables = 1
    fs.inotify.max_user_watches = 1048576
    fs.inotify.max_user_instances = 10000
    net.ipv4.ip_forward = 1
    net.bridge.bridge-nf-call-iptables = 1 fs.inotify.max_user_watches = 1048576 fs.inotify.max_user_instances = 10000 net.ipv4.ip_forward = 1

  19. Apply the above kernel settings now:

    [<ADMIN> ~]# sysctl --system
    sysctl --system
For maximum security, we recommend only installing official security updates and security patches for your Linux distribution, as well as the RPMs specifically mentioned in this section.

  1. Log in to the primary data node.

  2. On the primary data node:

    [<ADMIN> ~]$ sudo tos cluster node add --role=worker
    sudo tos cluster node add --role=worker

    On completion, a new command string is displayed, which you will need to run on the new node within 30 minutes. If the allocated time expires, you will need to repeat the current step.

  3. Copy the command string to the clipboard.

  4. Log in to the new node.

  5. On the new node, paste the command string copied previously and run it. If the allocated time has expired, you will need to start from the beginning.
  6. Verify that the node was added by running sudo tos cluster node list on the primary data node.