High availability VSatellite
High availability (HA) groups of VSatellites improve reliability across multiple Next-Gen Trust Security services, including Enhanced Discovery, Machines, and CA Connectors. For each new operation, the system randomly selects a healthy VSatellite from the group to perform the task. This ensures that even if one VSatellite becomes unavailable, new operations can still be initiated using another healthy VSatellite. If a VSatellite becomes unhealthy during an operation, the operation will fail—failover does not occur mid-execution.
Note: VSatellite HA provides fault tolerance by using a healthy VSatellite from the group to start operations. If a VSatellite fails mid-operation, the operation does not switch to another VSatellite. However, Next-Gen Trust Security may retry the operation using a healthy VSatellite.
Features and benefits
- High availability group selection: Users can assign multiple VSatellites as replicas to a primary VSatellite, forming a group that ensures operations can start as long as at least one VSatellite in the group is healthy.
- Randomized healthy VSatellite selection and load distribution: For each new operation, the system randomly selects a healthy VSatellite from the group—whether it is the primary or a replica. This random selection provides basic load distribution and improves reliability by avoiding dependence on a single VSatellite.
- Configurable in UI: During VSatellite creation, users can specify whether the instance is a primary or a replica and associate replicas with their primary from a dropdown list.
- Service-level configuration support: Users can select an HA VSatellite group—composed of a primary and one or more replicas—when configuring services such as Enhanced Discovery, CA Connectors, or Machines.
- Improved reliability: Reduces the risk of failed service operations due to VSatellite outages.
- Seamless HA enablement: If a service is already configured with a primary VSatellite, you can later assign replicas to that primary without reconfiguring the service. Once the new replica VSatellite is deployed and has access to the required resources, the service automatically benefits from high availability.
Audience and use cases
This feature is intended for Platform Administrators and PKI Administrators who manage certificate discovery, machine identity enrollment, or CA integration across hybrid or multi-cloud environments. It is especially valuable for organizations that require operational resilience and do not want a single VSatellite outage to prevent new service requests.
Requirements and compatibility
- A primary VSatellite must exist before creating replicas.
- A primary VSatellite cannot be deleted if replicas are assigned to it.
- Services such as Enhanced Discovery, CA Connectors, and Machines must be explicitly configured to use HA VSatellites.
- All existing VSatellites deployed before this feature was introduced are considered primary VSatellites by default to preserve existing configurations.
- Only primary VSatellites appear in dropdown lists when configuring Enhanced Discovery, CA Connectors, or Machines.
- VSatellite HA is supported for most CA connectors, except Microsoft ADCS, which will be supported in a future release.
- Available for use in the latest version of Next-Gen Trust Security.
Next steps
To get started, see Create a high availability VSatellite group.