
We are starting a migration to an IIS cluster for load balancing, failover support, as well as zero-downtime upgrades.

We are currently testing this configuration with a pair of Windows 2008 R2 virtual machines. Our current approach has both VMs configured with the same IP address and bindings on IIS. In other words - 192.168.100.88 is bound by both VMs, and both VMs show that address in their IP configuration.

Each server also has an IP not bound by the load balancer.

So, my question is, how do you test a node before you bring it online? For example, we take one node down to do an upgrade. We want to test it before it's back serving content to the customer. Previously, when we were manually switching between different hosts via our firewall/network configuration, each IIS server had a different set of IP addresses, and we would just change our hosts file and clear our DNS cache. Test the offline node. Then bring it online.

However... with the load balancing configuration, both servers are technically bound to the same IP address (which I have no idea how that works). So how do I point my browser specifically to the node that isn't enabled in the balancer?

The only thought that comes to mind is having a 2nd set of IP addresses for each website, and bind those (in addition to the load balanced IP) in IIS. Internal testing would use the 2nd set of IPs, as they aren't exposed via the firewall to external customers.

The only problem with this (other than the extra overhead of the additional IPs) is some of the websites are https. And IIS7 can only bind an SSL certificate to a single IP address.

So how do you test nodes that are not currently live with the cluster (disabled via the Network Load Balancer Manager)?

Matt

1 Answer


NLB uses port rules to determine routes to nodes. We set our NLB cluster up to route off-standard ports in addition to standard ports for web services (http/s) and set up NLB to always route one off-standard port to one node, then another off-standard port to another node.

In IIS for each node, we added a host header file entry for that node's off-standard port. The result allows you to go to a specific URL (http://mysite.com:81), and the port designation guarantees that the traffic will flow to the node you want to check based on NLB's port rules.

If you're concerned about security, then don't open up those non-standard ports on your firewall / NAT rules, and then you'll only be able to test nodes from your internal network.

The result allows you to use the same IP address for testing as for production, but relies on the PORT to designate which node you want to view the website on. This saves IPs and allows you to bypass the SSL cert requirement that the site be bound to a single IP.

As for disabling nodes, instead of disabling the entire node, disable just the ports you use for production (80, 443). The load balancer will still route traffic that comes in on the off-standard ports, allowing you to test that node while at the same time guaranteeing that your production traffic is safely routed to the other node. Simply re-enable the production ports when you're satisfied that the node is live and functioning properly.

Example Port Rules in NLB:

80 - 50/50 split to both nodes (http)
443 - 50/50 split to both nodes (https)

81 - always goes to node 1 (http)
451 - always goes to node 1 (https)

82 - always goes to node 2 (http)
452 - always goes to node 2 (https)

Example URL's for accessing nodes:

http://mysite.com:81 - Node 1 http
http://mysite.com:82 - Node 2 http
https://mysite.com:451 - Node 1 https
https://mysite.com:452 - Node 2 https

I.T. Support
  • This also works great for website monitoring, as you can now have a script monitor each node's version of the website, thus quickly identifying which node is malfunctioning – I.T. Support Jul 01 '10 at 20:40
  • I see in the cluster configuration you can specify port rules. But the rules seem to be applied to all nodes. And if I go to the Port Rules for the node, the option to add one is greyed out. – Matt Jul 01 '10 at 21:05
  • Any suggestions on how to write a port rule that forwards to a specific node? As far as I can tell, I can't specify the node. – Matt Jul 01 '10 at 21:32
  • Never mind, I think I figured it out. Set the mode to Single, and set the priority of the target node the highest for that port setting. – Matt Jul 01 '10 at 21:46
  • Yes you set it to single, and each node gets highest priority over traffic on that port. – I.T. Support Jul 01 '10 at 22:55
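The port-rule and binding setup the answer and comments describe, written out as a PowerShell script. This is an added example and is not code from the answerer or the asker; it assumes Windows Server 2008 R2 with the NetworkLoadBalancingClusters and WebAdministration modules, node host names NODE1 and NODE2, a cluster VIP of 192.168.100.88, an IIS site named "mysite", and a per-node marker file node.txt that contains the node's host name. Those names, the ports, the certificate thumbprint and the internal subnet are all placeholders.

```powershell
# Added example, not part of the original answer. Placeholders: NODE1/NODE2,
# 192.168.100.88, "mysite", the certificate thumbprint, 192.168.100.0/24.
Import-Module NetworkLoadBalancingClusters
Import-Module WebAdministration

$Vip      = '192.168.100.88'
$Site     = 'mysite'
$CertHash = 'REPLACE_WITH_CERT_THUMBPRINT'          # placeholder thumbprint
$Nodes    = @{ 'NODE1' = @{ http = 81; https = 451 }
               'NODE2' = @{ http = 82; https = 452 } }

# --- 1. Cluster-wide port rules (run once, from any cluster member) ----------
# Production ports: Multiple-host mode, so both nodes share 80/443 traffic.
foreach ($p in 80, 443) {
    Add-NlbClusterPortRule -HostName 'NODE1' -IP $Vip -StartPort $p -EndPort $p `
        -Protocol Tcp -Mode Multiple -Affinity Single | Out-Null
}
# Test ports: Single-host mode; the node whose handling priority is 1 takes all
# traffic on that port. Priorities must be unique per rule, so park the other
# node on a spare value before giving the target node priority 1.
foreach ($target in $Nodes.Keys) {
    foreach ($p in $Nodes[$target].Values) {
        Add-NlbClusterPortRule -HostName 'NODE1' -IP $Vip -StartPort $p -EndPort $p `
            -Protocol Tcp -Mode Single | Out-Null
        foreach ($other in ($Nodes.Keys | Where-Object { $_ -ne $target })) {
            Set-NlbClusterPortRuleNodeHandlingPriority -HostName $other -Port $p -HandlingPriority 10 | Out-Null
        }
        Set-NlbClusterPortRuleNodeHandlingPriority -HostName $target -Port $p -HandlingPriority 1 | Out-Null
    }
}

# --- 2. IIS bindings (run on each node; picks this node's ports) -------------
$me = $Nodes[$env:COMPUTERNAME]
New-WebBinding -Name $Site -Protocol http  -IPAddress $Vip -Port $me.http
New-WebBinding -Name $Site -Protocol https -IPAddress $Vip -Port $me.https
# SSL bindings are keyed by IP:port, so the one certificate already on
# 192.168.100.88:443 can also serve 451 or 452. Certificate validation checks
# the host name in the URL, not the port, so mysite.com:451 still validates.
Get-Item "Cert:\LocalMachine\My\$CertHash" |
    New-Item "IIS:\SslBindings\$Vip!$($me.https)" | Out-Null

# --- 3. Keep the test ports off the internet -------------------------------
# Besides not forwarding them at the edge firewall, restrict them on the host
# to the internal subnet so an exposed VIP does not become a node-picker.
netsh advfirewall firewall add rule name="NLB node test ports" dir=in action=allow `
    protocol=TCP localport=81,82,451,452 remoteip=192.168.100.0/24 | Out-Null

# --- 4. Taking a node out of production for an upgrade ----------------------
# Drain, then disable only 80/443 on that node; its test ports keep answering.
function Remove-NodeFromProduction([string]$Node) {
    foreach ($p in 80, 443) { Disable-NlbClusterPortRule -HostName $Node -Port $p -Drain }
}
function Return-NodeToProduction([string]$Node) {
    foreach ($p in 80, 443) { Enable-NlbClusterPortRule -HostName $Node -Port $p }
}
# Confirm the test port really lands on the node you expect by reading the
# per-node marker file (assumed: node.txt holds the host name of the node).
function Test-NodePort([string]$Node, [string]$HostName = 'mysite.com') {
    $wc = New-Object Net.WebClient
    $seen = $wc.DownloadString("http://$HostName`:$($Nodes[$Node].http)/node.txt").Trim()
    if ($seen -ne $Node) { throw "Port $($Nodes[$Node].http) answered from $seen, expected $Node" }
    "$Node reachable via its test port"
}

# Typical upgrade cycle for NODE2:
# Remove-NodeFromProduction 'NODE2'   # wait for drain, apply the upgrade
# Test-NodePort 'NODE2'               # browse http://mysite.com:82 / https://mysite.com:452
# Return-NodeToProduction 'NODE2'
```

Step 1 runs once against the cluster, step 2 on every node, and steps 3 and 4 are what you repeat per upgrade. Before trusting the scheme, run Test-NodePort for both nodes while both are in production: if either port answers from the wrong node, the handling priorities did not take and you are testing the live box by mistake.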