Communication Between the VMs and KeyControl
Each VM needs to know how to reach every KeyControl node in the cluster so that it can fail over if a node becomes unreachable or is removed from the cluster. If the KeyControl nodes and the VMs are on the same network and can reach each other directly, you can maintain the list of KeyControl IP addresses on each VM with the hcl updatekc command. For details, see Updating KeyControl IP Addresses on a VM.
If a firewall sits between the KeyControl nodes and the VMs, the two sides may not be able to communicate using the KeyControl nodes' own IP addresses. For example, consider a cluster whose nodes communicate directly with each other using the private addresses 10.238.32.90 and 10.238.32.91. The VMs cannot reach those addresses through the firewall; as with any other internal server, each node is reachable from the VM side only through its externally visible Public_IP and port number, or through a registered domain name.
To create a communication channel between the VMs and KeyControl through the firewall, you can configure:
- A KeyControl Mapping. Each Mapping contains a list of KeyControl nodes and their corresponding externally visible IP addresses or hostnames. You create and maintain the Mapping in the KeyControl webGUI, and changes are disseminated automatically to the VMs on their next heartbeat. For details, see Creating a KeyControl Mapping.
- A DNS record that resolves a single domain name to the address of each KeyControl node. Your Policy Agents then use that domain name when contacting KeyControl. With this method you must update the DNS record whenever a node is added or removed, and agents may keep using a removed node's address until the cached record's TTL expires. For details on setting up a DNS server, see your DNS server documentation.
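The following is an added illustration of the two options above and of the fail-over they exist to support; it is not KeyControl or Policy Agent code. It assumes a Mapping is a list of (internal address, external address, port) rows, uses 443 as the KeyControl port, treats the RFC 5737 addresses 203.0.113.10 and 203.0.113.11 as the public side of the two nodes from the example, and stands in for the agent's real heartbeat with a plain TCP connect probe (all of these are assumptions).

```python
"""Choosing a reachable KeyControl node from a Mapping or a DNS name.

Added example; not Entrust/HyTrust KeyControl code. The node addresses,
port, and probe function are constructed placeholders.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class KcNode:
    """One row of a KeyControl Mapping (assumed structure)."""
    internal_ip: str   # address the nodes use among themselves
    external: str      # Public_IP or hostname the VM sees through the firewall
    port: int = 443    # assumed: KeyControl's HTTPS port


# Constructed two-node cluster matching the text; external addresses are
# RFC 5737 documentation addresses, not real KeyControl hosts.
MAPPING = [
    KcNode("10.238.32.90", "203.0.113.10"),
    KcNode("10.238.32.91", "203.0.113.11"),
]


def mapping_candidates(mapping: List[KcNode], behind_firewall: bool) -> List[Endpoint]:
    """Endpoints to try, in order, derived from a KeyControl Mapping."""
    return [
        (node.external if behind_firewall else node.internal_ip, node.port)
        for node in mapping
    ]


def dns_candidates(name: str, port: int,
                   resolver: Callable = socket.getaddrinfo) -> List[Endpoint]:
    """Endpoints to try from one DNS name that carries a record per node.

    getaddrinfo may return the same address once per socket type, so
    duplicates are dropped while the resolver's order is preserved.
    """
    seen: List[Endpoint] = []
    for _family, _type, _proto, _canon, sockaddr in resolver(name, port):
        ep = (sockaddr[0], sockaddr[1])   # works for IPv4 and IPv6 sockaddrs
        if ep not in seen:
            seen.append(ep)
    return seen


def tcp_probe(host: str, port: int, timeout: float) -> bool:
    """Stand-in for the agent heartbeat: open a TCP connection or raise OSError."""
    with socket.create_connection((host, port), timeout=timeout):
        return True


def first_reachable(endpoints: List[Endpoint],
                    probe: Callable[[str, int, float], bool] = tcp_probe,
                    timeout: float = 3.0) -> Optional[Endpoint]:
    """Return the first endpoint that answers, or None if none does.

    This is the fail-over the text describes: an unreachable or removed
    node is skipped rather than leaving the VM without a KeyControl.
    """
    for host, port in endpoints:
        try:
            if probe(host, port, timeout):
                return (host, port)
        except OSError:
            continue
    return None


if __name__ == "__main__":
    # Simulated outage: only the second node's external address answers.
    fake_probe = lambda h, p, t: h == "203.0.113.11"
    print(first_reachable(mapping_candidates(MAPPING, behind_firewall=True), fake_probe))
```

With a Mapping, the list passed to first_reachable changes as soon as the webGUI change reaches the VM on its next heartbeat; with DNS, dns_candidates keeps returning a removed node until the cached record expires, which is why the DNS option needs the TTL caveat above.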