Recommended Network Settings for ScaleArc VMs in Hyper-V
|All releases||How To||ALL||VM Configuration|
This KB introduces VM network configuration recommendations for ScaleArc VMs in Hyper-V.
Three parameters are important for network configuration of a Hyper-V ScaleArc VM. These are Static versus Dynamic MAC address, whether the VM is in the Static or Dynamic IP address pool, and routing/forwarding update application and propagation.
Due to the nature of ScaleArc, both the IP and MAC are required to be static, and the virtual switch(es) ScaleArc VMs are connected to must both apply and propagate routing/forwarding changes.
In addition, virtual switches have a security setting that prevents routing/forwarding table updates from virtual guest systems. This setting may be the default in some versions of Hyper-V. This setting must be turned off: to implement High Availability (HA) failover, ScaleArc must be able to send gratuitous ARP notifications ("GARPs"), which update routing/forwarding tables both in Hyper-V and in network hardware. These updates must be allowed to occur to prevent outages.
Configuring Hyper-V: VMM vs. Hyper-V Manager
ScaleArc's testing indicates that the default settings chosen by Hyper-V Manager in 2012 R2 work when new virtual machines are created. However, we were not able to test all versions, and if problems indicating network communications trouble occur, such as:
- failure of the HA Secondary to take over when a switchover happens either due to a failure or due to manual switchover in the UI, followed by inability to ping the virtual IP address(es) of the cluster(s)
- inability to reliably determine the IP address(es) of the database server(s) for a cluster from their hostnames, particularly when log examination gives messages indicating temporary DNS resolution failures
- failure of attempted connections to the UI, clusters, and/or SSH connections after a VM restart
then ScaleArc recommends installing the Microsoft System Center product, which provides Virtual Machine Manager (VMM) for Hyper-V and allows these parameters to be checked and adjusted.
Note carefully: the parameters discussed in this document can only be changed with VMM. Hyper-V Manager does not provide the capability to check or adjust these parameters. PowerShell may allow modification and checking of these parameters; however, ScaleArc has not verified or tested this, so if you use PowerShell, proceed only after consulting Microsoft documentation and at your own risk.
Static IP Address
ScaleArc acts to clients as if it were a database server, and the expectation for a server by a client is that it will exist at a well-known, that is static, IP address. It is therefore not recommended to use either DHCP or the Dynamic IP Address pool in Hyper-V for a ScaleArc server. ScaleArc appliances use static address configuration in the Linux operating system, and in the most reliable configuration use Linux HA, which responds to outages on millisecond timescales to ensure a minimum of downtime in case of an outage. Because even a handful of milliseconds of outage time can result in many lost queries and consequent errors at application servers, there is no time to wait for DHCP address assignment or DNS updates (the latter of which can take seconds to minutes to complete and propagate). Therefore these technologies are inappropriate for use with ScaleArc servers. In addition, due to the nature and expectations of the Dynamic IP Address pool in Hyper-V, a ScaleArc system assigned to this pool can be excluded from talking on the network for an extended period after a reboot, due to the implementation at the virtual switch level in Hyper-V.
Since the nature of these settings has historically changed over versions of Hyper-V and VMM, please see the appropriate Microsoft documentation for instructions on how to change this setting, and choose the setting, for your Hyper-V environment. This is a VM-level configuration item present in the Hardware Configuration->Network dialog or its equivalent for the VM. To avoid complex and risky procedures, be sure to choose the Static IP Address pool for all ScaleArc VMs during VM initial creation. This is not an on-the-fly configuration item, and may not even be able to be modified if the VM is stopped in some versions of Hyper-V and VMM.
Should you inadvertently configure a ScaleArc VM in the Dynamic pool, the VM can be changed to use the Static pool instead, without restarting the ScaleArc, by following these instructions on the Hyper-V Virtual Machine Manager (VMM) system using Windows PowerShell: https://charbelnemnom.com/2016/03/how-to-switch-a-vm-from-dynamic-ip-to-static-ip-pool-in-virtual-machine-manager-vmm-scvmm-sysctr-hyperv/
NOTE: This is an external site with content not managed by ScaleArc. We have tested these instructions and they worked as of the date of publication of this article, but we cannot guarantee either that the content will not change, or that Hyper-V or the VMM functionality will not change in future releases by Microsoft. Proceed at your own risk and only after appropriate validation of the content.
Static MAC Address
ScaleArc uses Linux HA technology to provide a pair of ScaleArc systems, a Primary which handles the traffic, and a Secondary which is poised to take over on millisecond timescales to prevent extended outages should there be a problem, like a network or hardware failure on the hypervisor. In order for this technology to work correctly, the MAC address of both ScaleArc systems in the HA pair must remain static to meet the expectations of modern routers, switches, and other network hardware. HA uses gratuitous ARP notification ("GARP") and a virtual IP address (VIP) which is "owned" by whichever system is Primary. When a failure occurs, as the Secondary transitions (i.e. is "promoted") to Primary, it informs the network hardware that the MAC address associated with this VIP has changed to the MAC address of the transitioning Secondary. The network hardware and virtual switch(es) then route(s) all future packets addressed to that IP address to the newly promoted Primary. Note carefully that Hyper-V's virtual switch technology responds to these notifications just like network hardware is expected to, as long as it is properly configured.
This is a VM-level configuration item which can be changed on-the-fly on a running VM. The parameter is only used at startup, so the VM does not need to be restarted to make the change, and the new value takes effect at the next VM restart. It is part of the Hardware Configuration for all VMs on Hyper-V that ScaleArc has checked, and our best information indicates that it is present on all versions of Hyper-V. For instructions on changing it, please see the Microsoft documentation for your version of Hyper-V, since UI changes across versions of Hyper-V preclude us from giving detailed instructions.
Virtual Switch Configuration
ScaleArc uses the Linux operating system and Linux HA technology, both of which notify network hardware of their MAC address(es) and the associated IP address(es) using gratuitous ARP notification ("GARP"). The OS does this at network configuration time during bootstrap startup, and HA does it when a triggering event occurs compromising the ability of the HA Primary to continue to process traffic. In both cases, it is essential that the Hyper-V virtual switch allow the routing/forwarding update, and propagate it to higher-level network hardware as needed to ensure that packets to the IP address(es) of the ScaleArc system are routed/forwarded correctly.
By default, some versions of Microsoft Hyper-V may provide a secure environment that protects the virtual switches from misbehavior of VMs, and specifically from a malicious program running on a VM that mounts a denial-of-service (DoS) or man-in-the-middle (MIM) attack called "ARP cache poisoning" or "ARP spoofing." To prevent this, some versions of Hyper-V by default set a security configuration parameter on all virtual switches that prevents ARP updates. Because of historical variation between versions of Hyper-V, some versions have this setting and some do not, and some set it by default and some do not. We therefore cannot give specific instructions, but the item is a virtual-switch-level (not VM-level) setting in Virtual Machine Manager (VMM). In addition, some versions of Hyper-V have configuration to permit or deny routing/forwarding updates to higher-level network hardware, and if present, these settings must permit these updates. Please consult the Microsoft documentation for your version of Hyper-V and VMM for instructions on how to check whether these settings are present, and to set them properly.
Because of ScaleArc's position between web sites and databases, ScaleArc does not recommend that our product be run in an insecure hypervisor environment alongside unsecured systems. In an environment without such systems there should be no need to prevent these routing/forwarding updates, so we recommend that these security settings be turned off and that the virtual switch(es) the ScaleArc VM is connected to permit these updates and propagate them correctly, as recommended in the IETF STDs and applicable RFCs.
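The following is an added example, not ScaleArc or Microsoft code. It ties the Static MAC Address and Virtual Switch Configuration sections together: once the switch accepts ARP updates, the two static MACs of the HA pair serve as an allowlist. The code parses captured Ethernet frames, picks out gratuitous ARPs for the VIP, and separates Primary/Secondary handovers from announcements by any other MAC. The VIP, MAC addresses and function names are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

def parse_garp(frame):
    """Return (ip, mac) if frame is a gratuitous ARP (Ethernet/IPv4), else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType must be ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return None
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    if spa != tpa:            # a gratuitous ARP announces the sender's own IP
        return None
    return str(IPv4Address(spa)), sha.hex(":")

def audit(frames, vip, ha_macs):
    """Track which MAC claims the VIP, in capture order.
    Returns (events, owner); each event is (frame_index, kind, mac)."""
    owner, events = None, []
    for i, frame in enumerate(frames):
        garp = parse_garp(frame)
        if garp is None or garp[0] != vip:
            continue
        mac = garp[1]
        if mac not in ha_macs:                 # not one of the static HA MACs
            events.append((i, "UNEXPECTED", mac))
        elif mac != owner:                     # first claim, or a handover
            events.append((i, "FAILOVER" if owner else "CLAIM", mac))
            owner = mac
    return events, owner

def sample_frame(sha, spa, tpa, oper=1):
    """Build one constructed capture record (bytes only, nothing is transmitted)."""
    src = bytes.fromhex(sha.replace(":", ""))
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + src
           + IPv4Address(spa).packed + bytes(6) + IPv4Address(tpa).packed)
    return b"\xff" * 6 + src + b"\x08\x06" + arp

# Constructed values: documentation IP range, made-up MAC addresses.
VIP = "192.0.2.10"
PRIMARY, SECONDARY, OTHER = "00:15:5d:00:00:01", "00:15:5d:00:00:02", "02:00:00:aa:bb:cc"
SAMPLE = [
    sample_frame(PRIMARY, VIP, VIP),                   # Primary announces the VIP
    sample_frame(PRIMARY, "192.0.2.11", "192.0.2.1"),  # ordinary ARP request, ignored
    sample_frame(SECONDARY, VIP, VIP, oper=2),         # Secondary promoted to Primary
    sample_frame(OTHER, VIP, VIP),                     # MAC outside the HA pair
]

if __name__ == "__main__":
    events, owner = audit(SAMPLE, VIP, {PRIMARY, SECONDARY})
    for event in events:
        print(*event)
    print("current owner:", owner)
```

An UNEXPECTED event does not change the tracked owner, so a later legitimate GARP from the same Primary is not misreported as a failover.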
If you are experiencing issues with ScaleArc or with any of its features, please contact ScaleArc Support. We are available 24x7 by phone at 855 800 7225 or +1 408 412 7315. For general support inquiries, you can also e-mail us at firstname.lastname@example.org.