Cluster Zone Sync
Overview
In API Connectivity Manager, you can apply cluster policies to API Gateways and Developer Portals to further enhance their configuration to meet your requirements. A proxy cluster is a group of instances configured as API Gateways or Developer Portals. Any cluster policy will apply to all instances in a group.
If a proxy cluster is shared between environments, updating cluster policies will effect all the environments.
See the Learn about Policies topic for an overview of the different policy types and available policies.
About the Policy
Use the Cluster Zone Sync policy to enable runtime state sharing between the instances belonging to a proxy cluster. Options configured through this policy affect other policies such as rate limit and OIDC. This policy is applied to all the instances in a proxy cluster. If the proxy cluster is shared between environments, any changes made to this policy will affect all the other environments.
Intended Audience
This guide is meant for Infrastructure Administrators.
Infrastructure Administrators ensure uniform governance across an organization’s infrastructure by setting policies at the infrastructure level, enabling teams to build APIs without interruption while adhering to the organization’s standards.
Workflow for Applying Policy
To apply the policy or make changes to it, here’s what you need to do:
- Create an environment or edit an existing one.
- Check the cluster config settings for the environment to see if the policy has been applied.
- Edit the policy to make changes for each cluster. Save and publish the changes.
Note:
We strongly recommend securing your Zone Sync environment by enabling TLS for your listeners and Zone Sync TLS verification for the policy. To do this, you’ll need to provide server certificates, as well as Zone Sync certificates and CA certs.
When adding a new instance to a cluster with the Zone Sync policy applied, make sure the instance is resolvable by DNS if a DNS server is used, or that the Zone Sync Server list is updated to include the instance if the list is provided manually.
Similarly, when removing an instance from a cluster with the Zone Sync policy applied, be sure to do the necessary clean-up in the DNS resolver or the Zone Sync Server list.
Policy Settings
The following table lists the configurable settings and their default values for the policy.
| Field | Datatype | Possible Values | Description | Required | Default | 
|---|---|---|---|---|---|
| tcpServer.listeners[].transportProtocol | string | [“TCP”] | Stream listener to configure protocol for zone sync stream. | No | “TCP” | 
| tcpServer.listeners[].port | integer | In range 1-65535 | Stream listener to configure port for zone sync stream. | Yes | |
| tcpServer.listeners[].enableTLS | boolean | fase/true | Stream listener to enable TLS for zone sync stream. | No | false | 
| tcpServer.listeners[].ipv6 | boolean | false/true | Stream listener to enable ipv6 for zone sync stream. | No | false | 
| tcpServer.hostnames | array | Configure hostnames | No | [] | |
| tcpServer.tlsCipher | string | Specifies the enabled ciphers. The ciphers are specified in the format understood by the OpenSSL library | No | ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5 | |
| tcpServer.tlsSessionCache.enable | string | [ “on”, “off”, “none” ] | Specifies session parameters to avoid SSL handshakes for parallel and subsequent connections. | No | “on” | 
| tcpServer.tlsSessionCache.type | string | [ “shared”, “builtin” ] | Specifies session parameters to avoid SSL handshakes for parallel and subsequent connections. | No | “shared” | 
| tcpServer.tlsSessionCache.size | string | ^([0-9]+)(([K|M|G]){1})$ | Maximum size of the Cache. Valid units are: K, M, G for kilobytes, megabytes, and gigabytes, respectively. | No | “10M” | 
| tcpServer.tlsProtocols | array | [“TLSv1.1”, “TLSv1.2”, “TLSv1.3”] | Enables the specified protocols. | No | [ “TLSv1.2” ] | 
| tcpServer.tlsSessionTimeout | string | ^([0-9]+)(([d|h|m|s]){1})$ | Specifies cache timeout. Valid units are: s, m, h and d for seconds, minutes, hours, and days respectively. | No | “5m” | 
| zoneSyncServers[].hostname | array | Defines the address of a cluster node. The address can be specified as a domain name or IP address. A domain name that resolves to several IP addresses defines multiple nodes at once. | Yes | ||
| zoneSyncServers[].port | array | Defines the address of a cluster node. The address can be specified as a domain name or IP address. A domain name that resolves to several IP addresses defines multiple nodes at once. | Yes | ||
| enableZoneSyncTLS | boolean | false | Enables the TLS protocol for connections to another cluster server. When this is enabled certificates need to be provided in the data section of the policy. | No | System assigned | 
| enableZoneSyncCertVerify | boolean | false | Enables the TLS verification for connections to another cluster server. When this is enabled certificates need to be provided in the data section of the policy. | No | System assigned | 
| zoneSyncCertChainVerifyDepth | integer | 1 | Sets the verification depth for another cluster server certificates chain. | No | System assigned | 
| zoneSyncEnableSNI | boolean | false | Enables or disables passing of the server name through TLS Server Name Indication (SNI) when establishing a connection with another cluster server. | No | System assigned | 
| zoneSyncTLSName | string | In range 1–110 | Allows overriding the server name used to verify the certificate of a cluster server and to be passed through SNI when establishing a connection with the cluster server. | No | |
| zoneSyncBuffers.number | integer | 1–128 | Configure size and umber of per-zone buffers used for pushing zone contents. A single buffer must be large enough to hold any entry of each zone being synchronized. | No | 8 | 
| zoneSyncBuffers.size | string | ^[0-9]+[K|M|G]{1}$ | Configure size and umber of per-zone buffers used for pushing zone contents. A single buffer must be large enough to hold any entry of each zone being synchronized. | No | “8k” | 
| zoneSyncConnectionRetryInterval | string | ^[0-9]+[h|m|s]{1}$ | Defines an interval between connection attempts to another cluster node. | No | “1s” | 
| zoneSyncConnectionTimeout | string | ^[0-9]+[h|m|s]{1}$ | Defines a timeout for establishing a connection with another cluster node. | No | “5s” | 
| zoneSyncInterval | string | ^[0-9]+[h|m|s]{1}$ | Defines an interval for polling updates in a shared memory zone. | No | “1s” | 
| zoneSyncTimeout | string | ^[0-9]+[h|m|s]{1}$ | Sets the timeout between two successive read or write operations on connection to another cluster node. | No | “1s” | 
Adding Cluster Zone Sync Policy
See Also:
You can use tools such as
curlor Postman to interact with the API Connectivity Manager REST API. The API URL follows the formathttps://<NMS_FQDN>/api/acm/<API_VERSION>and must include authentication information with each call. For more information about authentication options, please refer to the API Overview.
To create an Cluster Zone Sync policy using the REST API, send an HTTP PUT request to the Add-Endpoint-Name-Here endpoint.
| Method | Endpoint | 
|---|---|
| PUT | /infrastructure/workspaces/{infraWorkspaceName}/proxy-clusters/{clusterName} | 
JSON request - Cluster Zone Sync with minimum configuration
{
  "cluster-zone-sync": [
    {
      "action": {
        "tcpServer": {
          "listeners": [
            {
              "port": 12345
            }
          ]
        },
        "zoneSyncServers": [
          {
            "name": "nginx-cluster-instance-1.com",
            "port": 12345
          },
          {
            "name": "nginx-cluster-instance-2.com",
            "port": 12345
          }
        ]
      }
    }
  ]
}JSON request - Cluster Zone Sync with DNS Resolver
{
  "cluster-zone-sync": [
    {
      "action": {
        "tcpServer": {
          "listeners": [
            {
              "port": 12345
            }
          ],
        },
        "resolver": {
          "enableIPv6": false,
          "valid": "30s",
          "timeout": "5s",
          "servers": [
            {
              "hostname": "192.0.2.0"
            }
          ]
        },
        "zoneSyncServers": [
          {
            "name": "nginx-cluster.com",
            "port": 12345
          }
        ]
      }
    }
  ]
}JSON request - Cluster Zone Sync with DNS Resolver and TCP Server TLS enabled
{
  "cluster-zone-sync": [
    {
      "action": {
        "tcpServer": {
          "listeners": [
            {
              "port": 12345,
              "tlsEnabled": true
            }
          ],
        },
        "resolver": {
          "enableIPv6": false,
          "valid": "30s",
          "timeout": "5s",
          "servers": [
            {
              "hostname": "192.0.2.0"
            }
          ]
        },
        "zoneSyncServers": [
          {
            "name": "nginx-cluster.com",
            "port": 12345
          }
        ]
      },
      "data": {
        "serverCerts": [
          {
            "key": "<server-key>",
            "cert": "<server-cert>"
          }
        ]
      }
    }
  ]
}JSON request - Cluster Zone Sync with secure TLS between nodes in a cluster
{
  "cluster-zone-sync": [
    {
      "action": {
        "tcpServer": {
          "listeners": [
            {
              "port": 12345,
              "tlsEnabled": true
            }
          ],
        },
        "resolver": {
          "enableIPv6": false,
          "valid": "30s",
          "timeout": "5s",
          "servers": [
            {
              "hostname": "192.0.2.0"
            }
          ]
        },
        "enableZoneSyncTLS": true,
        "zoneSyncServers": [
          {
            "name": "nginx-cluster.com",
            "port": 12345
          }
        ]
      },
      "data": {
        "serverCerts": [
          {
            "key": "<server-key>",
            "cert": "<server-cert>"
          }
        ],
        "zoneSyncCerts": [
          {
            "key": "<server-key>",
            "cert": "<server-cert>"
          }
        ],
        "zoneSyncTrustedCACert": "<ca-cert>"
      }
    }
  ]
}JSON request - Cluster Zone Sync with all options specified
{
  "cluster-zone-sync": [
    {
      "action": {
        "tcpServer": {
          "listeners": [
            {
              "port": 12345,
              "tlsEnabled": true
            }
          ],
          "hostnames": ["10.0.0.9"],
          "tlsProtocols": ["TLSv1.1", "TLSv1.2", "TLSv1.3"],
          "tlsCipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",
          "tlsSessionCache": {
            "enable": "none"
          },
          "tlsSessionTimeOut": "15m"
        },
        "resolver": {
          "enableIPv6": false,
          "valid": "30s",
          "timeout": "5s",
          "servers": [
            {
              "hostname": "192.0.2.0"
            }
          ]
        },
        "enableZoneSyncTLS": true,
        "enableZoneSyncCertVerify": true,
        "zoneSyncCertChainVerifyDepth": 2,
        "zoneSyncEnableSNI": true,
        "zoneSyncTLSServerName": "custom-sni-host.com",
        "zoneSyncServers": [
          {
            "name": "nginx-cluster.com",
            "port": 12345
          }
        ],
        "syncBuffers": {
          "number": 10,
          "size": "8k"
        },
        "connectionRetryInterval": "8s",
        "connectionTimeout": "10m",
        "timeout": "5s",
        "interval": "1s"
      },
      "data": {
        "serverCerts": [
          {
            "key": "<server-key>",
            "cert": "<server-cert>"
          }
        ],
        "zoneSyncCerts": [
          {
            "key": "<server-key>",
            "cert": "<server-cert>"
          }
        ],
        "zoneSyncTrustedCACert": "<ca-cert>"
      }
    }
  ]
}To create a Cluster Zone Sync policy using the web interface:
- 
In a web browser, go to the FQDN for your F5 NGINX Management Suite host and log in. Then, from the Launchpad menu, select API Connectivity Manager. 
- 
On the left menu, select Infrastructure. 
- 
Choose the workspace that contains your cluster’s environment from the list of workspaces. 
- 
In the Environments section, select the environment name for your cluster. 
- 
In the list of clusters, locate the cluster you want to add the policy to. On the Actions menu (represented by an ellipsis, ...), select Edit Cluster Config.
- 
On the left menu, select Cluster Policies. 
- 
Locate the Cluster Zone Sync policy in the list of policies. On the Actions menu (represented by an ellipsis, ...), select Add Policy.
- 
On the Cluster Zone Sync form, complete the necessary fields: - TLS Server Settings - Port: Specify port for zone sync stream server.
- Zone Sync Settings - hostname: Enter the address of a cluster node. The address can be specified as a domain name or IP address. A domain name that resolves to several IP addresses defines multiple nodes at once.
 
- 
Select Add to apply the policy to the cluster. 
- 
Select Save and Submit to deploy the configuration. 
Verify the Policy
Confirm that the policy has been set up and configured correctly by taking these steps:
- Verify OIDC KeyValue Zone Sync is synchronized between instances within a cluster.
- Verify no OIDC session issues are presented when using multiple instances in a cluster.
- Verify applied rate limit for a proxy in a cluster is synchronized between instances within a cluster.
Troubleshooting
For help resolving common issues when setting up and configuring the policy, follow the steps in this section. If you cannot find a solution to your specific issue, reach out to NGINX Customer Support for assistance.
Issue 1
When the runtime state is not syncing between the instances in a desired proxy cluster.
Resolution/Workaround:
- Ensure the tcp listener port of each instance is accessible within the desired proxy cluster.
- By default the tcp listener port is open for all, but if you’ve provided tcp hostnames, then ensure the desired hostnames are resolvable.
Issue 2
If you see errors in the NGINX logs related to TLS when TLS is enabled (enableZoneSyncTLS is set to true) and zone sync servers are IP addresses, try the following workarounds:
Resolution/Workaround:
- Ensure that you override the default server name (zoneSyncTLSName) used to verify the certificate of the desired cluster server to match the Subject Alternative Name of the cert provided.
- If you are using DNS for zone sync servers, make sure you use the correct certificate that matches the hostname provided under zone sync server option (zoneSyncServers[].hostname).