High availability is a technique to ensure system uptime and to minimize or prevent data loss in the event of a machine failure. ArcGIS Server, like other ArcGIS Enterprise components, can be deployed in a highly available configuration with a third-party network load balancer.
Active-passive architecture works to clone a single-machine site and place two or more independent instances of it behind a load balancer. While all the sites behind the load balancer are running and ready to service requests, the load balancer will only hand over requests to one of the sites, designated as the primary site. If the load balancer detects that the primary site is unavailable, incoming requests are then redirected to a failover or standby site.
The failover process is handled completely outside of ArcGIS Server and can be typically configured to be triggered when the ArcGIS Server machine is completely unavailable (network or hardware failure), or in some cases, when a specific service or operation is failing.
You can request license files from My Esri for your standby or failover sites at no additional cost.
While several machines are used to host ArcGIS Server in this deployment pattern, this configuration cannot be technically described as a multiple-machine site, because each of the sites behind the load balancer are independent of each other. Each site is composed of a single ArcGIS Server machine and has its own local configuration store and server directories.
The active-passive failover configuration allows you to build a redundant ArcGIS Server tier without incurring additional licensing fees. Standby servers can be licensed at no additional cost. However, each independent server site must be managed separately; the sites have their own local configuration store and server directories. This can potentially add significant administration and management overhead if the site's services or data change frequently. In addition, any active requests in the primary site are lost when switching over to the standby site during failover.
ArcGIS Server machine, server directories, and configuration store
Apply the same considerations here as described in the single-machine deployment. Each ArcGIS Server will have its own local server directories and configuration store. This ensures maximum performance and keeps interdependencies to a minimum.
If using file-based data sources in your GIS services, it is recommended that these be stored locally on every ArcGIS Server machine instead of network shares to maximize the performance of your services. In some cases, such as when handling large amounts of imagery, sharing your files over the network may be the only practical choice. If using files in shared resources over the network, it is very important that you choose a storage device configured for high availability.
If using databases, you can dedicate a database to each of your sites: one database for your primary site and a separate one for your standby site. To keep the databases in sync, you can leverage database replication, or if needed, geodatabase replication techniques. Alternatively, you can leverage other high-availability techniques from your database provider.
Reverse proxy server
In this configuration, a third-party load balancer is required. At a minimum, this component will be used to handle the load across the sites and failover when necessary. Typically, the load balancer will also fulfill the role of the reverse proxy server. In some scenarios, you already may have a reverse proxy server configured independently from the load balancer.
If your network load balancer supports a health check function, you can use the ArcGIS Server site's Health Check endpoint in the REST API to determine if the site is available to receive requests. This is useful to quickly determine if there's a software or hardware failure in the site.
The use of ArcGIS Web Adaptor is optional and typically only necessary for this scenario if you would like to leverage web-tier authentication. You can choose to configure it on the same machine as your ArcGIS Server, or on a dedicated machine. In either case, if using ArcGIS Web Adaptor, you must configure a separate ArcGIS Web Adaptor for every site.
Considerations for active-passive configurations
The following should be kept in mind when planning an ArcGIS Server site with a highly available active-active configuration.
Unlike a true multiple-machine site, this configuration requires that all of the sites behind the load balancer host exactly the same content and that they follow the same security model. You are responsible for ensuring that all the sites look exactly the same to the load balancer.
There are multiple techniques that can help you keep ArcGIS Server services in sync across the primary and failover sites:
- Scripting: ArcGIS Server includes a REST API to script administrative tasks, such as publishing services and changing their
security settings. You can create your own scripts to apply changes
to all the ArcGIS Server machines involved in your deployment consistently.
Scripting is especially useful when you need to make small
adjustments, such as changing the security of a service or
Do not use a script to create the initial site. Manually create the first site on a virtual machine image, and script creation of additional sites from this base image. Creating all machines from the same virtual machine image ensures that all machines use the same encryption key.
- Virtualization: If you operate in a virtual environment, virtual machine templates can be created and used to launch new sites. Each template will have a copy of the data needed for GIS services (unless a database is used). The template will also have all services published and configured. If changes are necessary, such as adding or updating existing services, a new template can be created to later launch new virtual machines that would replace the existing pool of ArcGIS Server machines in use under the load balancer. Virtual machine templates can also be used to quickly recover stale ArcGIS Server machines.
The recommended procedure to apply changes to your sites in this deployment pattern is as follows:
- Administrative changes will first be made against a site that is in standby mode. For example, you will add a new service and change the security of another in a site that is not actively handling requests. This ensures that there will be absolutely no impact to applications using your primary site.
- Manually configure your load balancer to hand over all requests to the standby site on which the changes have been made.
- Apply the same changes to the idle site.
- Revert the load balancer so requests are directed back to the original primary site and leave the standby site in standby mode.
Changes to your site in the procedure described above can be applied manually through ArcGIS Server Manager, scripts, or virtual images.
Asynchronous geoprocessing and long-running tasks
When the load balancer switches to the standby site, any active requests in the primary site are lost. For example, if a long-running request such as a geoprocessing task is running when the failover occurs, the task will need to be reinitiated in the standby site by the client application.
Using token-based security
If using token-based authentication, also referred to as server-tier authentication, it is important that all sites in this configuration use exactly the same shared token key. Otherwise, tokens generated in the primary site will not work when used in the standby site. To duplicate the shared token keys across multiple sites, you can edit token settings in Manager.