
Create maintenance page for vRealize Automation

In my previous post I showed you how to configure some of the most common ADCs in order to offload the SSL sessions for vRA. Now I am going to show you how you can use some of the benefits that come with SSL termination.
One of these benefits is the ability to serve content directly from the ADC based on some logic. The goal of this post is to help you configure an “Outage page” and a “Maintenance page” for your vRA environment. You can use only one of the pages or both together. I am going to cover the configuration of F5 BIGIP and Citrix NetScaler.

Maintenance page – this page will be assigned manually during maintenance activities and will inform the users that planned maintenance is being performed. It also allows you to exclude IP ranges from the redirect rule.

Outage page – this page will always be assigned and, in case all of the vRA appliances are down, it will show a page informing the users that vRA is not available.

 

As a general precaution test this procedure in your lab and deploy it in production at your own risk.

 

Citrix NetScaler

 

Create Responder Actions

 

First we need to create our Responder Actions so the LB can serve HTML pages

Head to NetScaler > AppExpert > Responder > Responder Actions

 

For our Outage page
Add new action with the following parameters:

Name: outage_page_action
Type: Respond with HTML page
HTML page: [Import your html page here, see below for example]
Response status code: 503

 

For our Maintenance page
Add new action with the following parameters:

Name: maintenance_page_action
Type: Respond with HTML page
HTML page: [Import your html page here, see below for example]
Response status code: 503

 

Example: Outage HTML page with refresh every 10 seconds

 

<!doctype html>
<title>Something went wrong</title>
<meta http-equiv="refresh" content="10">
<style>
  body { text-align: center; padding: 150px; }
  h1 { font-size: 50px; }
  body { font: 20px Helvetica, sans-serif; color: #333; }
  article { display: block; text-align: left; width: 650px; margin: 0 auto; }
  a { color: #dc8100; text-decoration: none; }
  a:hover { color: #333; text-decoration: none; }
</style>
<article>
    <h1>Something went wrong</h1>
    <div>
        <p>Sorry for the inconvenience but vRA is not accessible at the moment.
           Please report this error to  [email protected].</p>
        <p>The Team</p>
    </div>
</article>

Example: Maintenance HTML page with refresh every 10 seconds

 

<!doctype html>
<title>Site maintenance</title>
<meta http-equiv="refresh" content="10">
<style>
  body { text-align: center; padding: 150px; }
  h1 { font-size: 50px; }
  body { font: 20px Helvetica, sans-serif; color: #333; }
  article { display: block; text-align: left; width: 650px; margin: 0 auto; }
  a { color: #dc8100; text-decoration: none; }
  a:hover { color: #333; text-decoration: none; }
</style>
<article>
<h1>We will be back soon!</h1>
    <div>
        <p>Sorry for the inconvenience but we are performing some maintenance at the moment.
           If you need to you can always contact us at [email protected], otherwise we will be back online shortly!</p>
        <p>The Team</p>
    </div>
</article>

 

Create Responder Policies

 

After we have our actions in place we need to create policies using them

Head to NetScaler > AppExpert > Responder > Responder Policies

 

For our Outage page

Add new Responder Policy with the following attributes:

Name: outage_page_action_policy
Action: outage_page_action
Expression: TRUE

 

For our Maintenance page

During planned maintenance we need to show the maintenance page to our end users, but we also need to make sure that the vRA systems can communicate with each other.
That is why we need to create an expression which contains all the IP addresses of our vRA components – IaaS Managers, IaaS Web, vRA appliances and others. Those addresses will not be redirected to the maintenance page.
You can also add the IP addresses or subnets from which the vRA admins are connecting to vRA, that way they can test and debug during maintenance.

Add new Responder Policy with the following attributes:

Name: maintenance_page_action_policy
Action: maintenance_page_action
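Expression: CLIENT.IP.SRC.IN_SUBNET(10.23.90.0/24).NOT&&CLIENT.IP.SRC.IN_SUBNET(10.23.89.0/24).NOT

The exclusions are joined with && so that the maintenance page is served only to clients outside all of the listed subnets. Joined with ||, the expression would match every client, because no address is inside both subnets at once.

Alternatively, if you want to list specific IP addresses you can use CLIENT.IP.SRC.NE(10.23.89.101)&&CLIENT.IP.SRC.NE(10.23.90.223) and so on.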
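The exclusion logic of the maintenance policy expression, modelled in Python as an added example (not part of the original post): the page must be served only to clients outside every exempt subnet, so the negated subnet checks have to be combined with AND; combined with OR, the expression is true for every client. The function names and the client addresses are assumptions made for the demonstration.

```python
import ipaddress

# The two exempt subnets are the ones used in the expression above.
EXEMPT_SUBNETS = ["10.23.90.0/24", "10.23.89.0/24"]
# Constructed sample clients: two vRA-side addresses and one end user.
SAMPLE_CLIENTS = ["10.23.90.15", "10.23.89.101", "192.168.7.20"]


def build_expression(subnets, joiner="&&"):
    """Build a responder expression that is TRUE for clients outside every subnet."""
    terms = []
    for cidr in subnets:
        # strict=True rejects entries with host bits set, e.g. 10.23.90.5/24
        net = ipaddress.ip_network(cidr, strict=True)
        terms.append(f"CLIENT.IP.SRC.IN_SUBNET({net}).NOT")
    return joiner.join(terms)


def shows_maintenance_page(client_ip, subnets, joiner="&&"):
    """Evaluate the joined NOT-in-subnet checks for one client address."""
    ip = ipaddress.ip_address(client_ip)
    outside = [ip not in ipaddress.ip_network(c) for c in subnets]
    return all(outside) if joiner == "&&" else any(outside)


def wrongly_blocked(clients, subnets, joiner):
    """Return exempt clients that would still be served the maintenance page."""
    blocked = []
    for c in clients:
        ip = ipaddress.ip_address(c)
        exempt = any(ip in ipaddress.ip_network(s) for s in subnets)
        if exempt and shows_maintenance_page(c, subnets, joiner):
            blocked.append(c)
    return blocked


if __name__ == "__main__":
    print(build_expression(EXEMPT_SUBNETS))
    for joiner in ("&&", "||"):
        for client in SAMPLE_CLIENTS:
            served = shows_maintenance_page(client, EXEMPT_SUBNETS, joiner)
            print(f"{joiner} {client:<14} maintenance page: {served}")
        print(f"{joiner} exempt clients still blocked:",
              wrongly_blocked(SAMPLE_CLIENTS, EXEMPT_SUBNETS, joiner))
```

Running the same check against your own exempt list before binding the policy confirms that the vRA components and admin subnets are not caught by it.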

 

Create dummy Service

 

(Required only for the Outage page)

 

We need to create dummy Service and ensure that it will always be up.
You can assign any back-end IP to it since you will never be redirected to that IP.
Just make sure you are not assigning IP that you might disable later on.

Head to NetScaler > Traffic Management > Load Balancing > Services
Add new service with the following attributes:

Name: outage_page_srv
IP address: 1.1.1.1 (or anything else, this one is not vital)
Protocol: SSL
Port: 443
Health monitoring: Off

 

Create dummy Virtual Server

 

(Required only for the Outage page)

 

Now we need to create a dummy Virtual Server.
You do not need an IP address for this one, as it won't be directly addressable.

Head to NetScaler > Traffic Management > Load Balancing > Virtual Servers
Add new virtual server with the following attributes:

Name: outage_page_vs
Protocol: SSL
IP address type: Non addressable
Service binding: outage_page_srv
Server certificates: Select your vRA certificate+key pair
Add Policy: Responder
Add Policy type: Request
Policy name: outage_page_action_policy

 

Here is the mapping:

[Image: maint_page_vs]

 

Assign the Outage page VS to the vRA virtual appliances VS

 

(Required only for the Outage page)

 

Now we need to assign the Outage page VS as a backup for our vRA virtual appliances VS.
That way when the vRA virtual appliances are down the user will see our outage page.

Head to NetScaler > Traffic Management > Load Balancing > Virtual Servers
Edit your vRA VA VS – vs_vra-va-00_443 (I used that name in my previous post, yours might differ)

Click on the + Protection button from the left panel and enter the following info:

Backup virtual server: outage_page_vs

 

During maintenance: Assign the Maintenance page policy to the vRA virtual appliances VS

 

To redirect our users to the maintenance page during planned activities we need to assign the maintenance policy to our vRA VA VS.

Head to NetScaler > Traffic Management > Load Balancing > Virtual Servers
Edit your vRA VA VS – vs_vra-va-00_443 (I used that name in my previous post, yours might differ)

Click on the +Policies button from the left panel and enter the following:

Policy: Responder
Type: Request
Policy name: maintenance_page_action_policy

Note that the best practice during maintenance is to disable all related ADC monitors. If those are not disabled the ADC will serve the Outage page instead.
After your planned activities are over, follow the same procedure and remove the Policy from the Virtual Server.

 

F5 BIGIP LTM

 

Create Data Group

 

(Required only for the Maintenance page)

 

During planned maintenance we need to show the maintenance page to our end users, but we also need to make sure that the vRA systems can communicate with each other.
That is why we need to create a data group which contains all the IP addresses of our vRA components – IaaS Managers, IaaS Web, vRA appliances and others. Those addresses will not be redirected to the maintenance page.
You can also add the IP addresses or subnets from which the vRA admins are connecting to vRA, that way they can test and debug during maintenance.

Go to Local Traffic  >  iRules : Data Group List

Create a Data Group with the name vRA_addresses and populate it with the IP addresses of every vRA component. The name is important: we use this exact name later on in our iRule, so if you want to use a different name, change it there as well.

 

Create iRules

 

First we need to create new iRule for the outage page which will be shown in case of unexpected failure.
Note the HTML is embedded in the iRule so feel free to modify it.

Go to Local Traffic  >  iRules : iRule List 

 

Create an iRule with name outage_page_irule_automatic

Paste the following in Definition:

when RULE_INIT {
    # Refresh interval (in seconds) used by the meta refresh in the page
    set static::stime 10
}

when CLIENT_ACCEPTED {
    # Remember the default pool of this virtual server
    set default_pool [LB::server pool]
}

when HTTP_REQUEST {
    # If the default pool has no active members, serve the outage page
    if { [active_members $default_pool] < 1 } {
        # Send an HTTP 503 response with an HTML meta refresh. No url= target is set,
        # so the browser reloads the current URL and the request URI is never echoed into the page.
        # The brackets around the contact address are escaped so Tcl does not run them as a command.
        HTTP::respond 503 content \
"<!doctype html><title>Something went wrong</title> \
<meta http-equiv='refresh' content='$static::stime'> \
<style> \
body { text-align: center; padding: 150px; } \
h1 { font-size: 50px; } \
body { font: 20px Helvetica, sans-serif; color: #333; } \
article { display: block; text-align: left; width: 650px; margin: 0 auto; } \
a { color: #dc8100; text-decoration: none; } \
a:hover { color: #333; text-decoration: none; } \
</style> \
<article> \
    <h1>Something went wrong</h1> \
    <div> \
        <p>Sorry for the inconvenience but vRA is not accessible at the moment. \
           Please report this error to \[email protected\].</p> \
        <p>The Team</p> \
    </div> \
</article>" "Content-Type" "text/html"
        return
    }
}

 

 

Now let’s create the iRule which you will assign during planned maintenance

 

Create an iRule with name maintenance_page_irule_manual

 

when RULE_INIT {
    # Refresh interval (in seconds); set here as well so this iRule
    # does not depend on the outage iRule being loaded
    set static::stime 10
}

when HTTP_REQUEST {
    # Do not show the page to the vRA components listed in the vRA_addresses data group
    if { ! [class match [IP::client_addr] equals vRA_addresses] } {
        # Always show the maintenance page to everyone else. No url= target is set,
        # so the browser reloads the current URL and the request URI is never echoed into the page.
        # The brackets around the contact address are escaped so Tcl does not run them as a command.
        HTTP::respond 503 content \
"<!doctype html><title>Site Maintenance</title> \
<meta http-equiv='refresh' content='$static::stime'> \
<style> \
body { text-align: center; padding: 150px; } \
h1 { font-size: 50px; } \
body { font: 20px Helvetica, sans-serif; color: #333; } \
article { display: block; text-align: left; width: 650px; margin: 0 auto; } \
a { color: #dc8100; text-decoration: none; } \
a:hover { color: #333; text-decoration: none; } \
</style> \
<article> \
    <h1>We will be back soon!</h1> \
    <div> \
        <p>Sorry for the inconvenience but we are performing some maintenance at the moment. \
           If you need to you can always contact us at \[email protected\], otherwise we will be back online shortly!</p> \
        <p>The Team</p> \
    </div> \
</article>" "Content-Type" "text/html"
        return
    }
}

 

 

Bind the automatic outage page to our vRA virtual appliances VS

 

(Required only for the Outage page)

 

Now we need to edit our vRA appliances VS, assign HTTP profile to it and bind the iRule.

Go to Local Traffic  >  Virtual Servers : Virtual Server List and find your vRA appliances VS.
(In my previous post I have named it vs_vra-va-00_443 yours however may differ)

Click Edit and set the following attributes:

HTTP Profile Client: http
HTTP Profile Server: (Use Client Profile)

Click Update

Now click on the Resources tab and in the iRules section choose iRule outage_page_irule_automatic

Click Update again

 

Here is how the mapping should look:

[Image: maint_page_map_f5]

 

During maintenance: Bind the planned maintenance page to our vRA virtual appliances VS

 

During planned maintenance, we need to change the iRule so we can make sure that the maintenance page is displayed to our end users, but the vRA components can still communicate.

Go to Local Traffic  >  Virtual Servers : Virtual Server List and find your vRA appliances VS.
(In my previous post I have named it vs_vra-va-00_443 yours however may differ.)

Click Edit, go to Resources, find the iRule outage_page_irule_automatic and replace it with maintenance_page_irule_manual.
Click Update and you are ready.

Note that the best practice during maintenance is to disable all related ADC monitors. If those are not disabled the ADC will serve the Outage page instead.
After your planned activities are over, follow the same procedure and assign the outage_page_irule_automatic iRule.

 

 
