Kemp Loadmaster virtual appliance in Azure

Introduction

This post will detail how to deploy a proof of concept for Kemp Loadmaster virtual appliances in Azure. The Kemp Loadmaster is an option for providing advanced load balancing, application delivery control (ADC) and web application firewall (WAF) functionality all from the same device.

We will be deploying on Azure Resource Manager through a resource group template and configuring a high availability pair. The template used will let you set up a proof on concept quickly and test the appliances and will include the following main components:

  • 2 x Kemp Loadmaster Virtual machines
  • 1 x Windows Server 2012 R2 Web Server (IIS configured through DSC)
  • Azure Loadbalancer to enable Kemp HA Pair (Load balanced and NAT rules, and Probe port)

 

Architecture

Enabling programmatic deployment

We are going to deploy the Kemp Loadmaster from the Azure Marketplace gallery using an Azure Resource Manager template. Kemp offer a various different offerings to choose from, for the POC you can choose either the Free or BYOL Trial license. I will be using the BYOL as the Free version was not available within my region for use, there is no issue using the BYOL trial.

marketplace1

To be able to deploy using a ARM Template you need to enable programmatic deployment of the marketplace product. This is because marketplace products can incur a financial cost so it is a safety measure to ensure that you are not accidentally purchasing services. Since we are using either the Free or BYOL trial edition we can enable this for our deployment, to do this you select the product and select the option “Want to deploy programmatically? Get started ->”

marketplace2

On the next screen, this is where you can enable which subscriptions programmatic deployment is enabled for. You have to enable each subscription and also each marketplace item must be enabled separately. Make sure you select the Free or BYOL Trial otherwise you could incur costs.

marketplace3

Deploy the ARM Template

The template can be found at the following link https://github.com/Merlus/azure-arm-templates/tree/master/kemp-loadbalancer-poc, it can be deployed from GitHub or downloaded and ran separately.

The template will deploy the 2 Loadmaster VMs into an availability set and configure the Azure loadbalancer. Separate NAT rules are created so that each Loadmaster can be accessed separately by SSH or WebUI, as well as the probe port to check which Loadmaster is active.

The test Web Server is set up with IIS/Webserver role installed through Azure DSC Extension

Configuring Kemp Loadmaster High-Availability Pair

After the template has finished deploying you need to configure the devices for the first time and enable the trial license.

Browse to each Kemp Loadmaster WebUI by using the Public IP address that is created during the deployment and specifying port 8441 for Loadmaster0 and 8442 for loadmaster1, eg: https://pubip:8441. This will use the NAT rules created to redirect to the specific appliance.

Log in with the username: bal and the password specified during deployment and accept the License Agreement.

kemp1

Next, choose whether to enable automatic license checking.

kemp2

Enable the trial license, if  you haven’t registered for a Kemp ID follow the registration link.

kemp3

Configure the first Load Master as the Master and then Configure the second device as the Slave.

kemp5

This is where the Probe port 8444 is important. If the probe port is not properly configured then the HA Pair will not be able to properly tell which device is the master and  you will see a notification that it is currently “un-checked”.

The sample template used configures the Azure Load Balancer to use the correct health probe, so after you perform the steps above on the Master and Slave then everything should function correctly. You can confirm this by rebooting the Master and you should see the Slave’s status changes to Active.

You can also check the System Logs and see that this is working as expected:

Jun 25 11:10:42 loadmaster1 cloud_check: Slave: Master down. I am the new master now

Jun 25 11:13:15 loadmaster1 cloud_check: Slave: Master up. I am the stand-by unit

If you play around with the Probe and disable it you will notice that each appliance will have a status of  “un-checked” as the probe is not properly configured.

kemp7

Adding a Virtual Service

Now that the Kemp’s are configured in an HA pair you can add the Web Server as a Virtual Service and test that is being served by the Kemp appliances.

kemp8

kemp9

After that you will be able to browse to the test webserver on port 80