This guide walks you through adding your VPK (Virtru Private Keystore) server's public IP or load balancer IP address to your DNS entries as an A record. This process is essential for ensuring your server is publicly accessible and properly configured for SSL certificate validation. The guide covers both single server and high availability (HA) environments.
Assumptions
- A newly created and operational VPK server.
- Access to your DNS management tool (cloud-based or self-hosted).
- Administrator access to server and DNS.
- A CA-signed SSL certificate (wildcard certificates are not supported due to validation issues).
Adding the A Record for a Single VPK Server
If you have a single VPK server, follow these steps:
- Create an A record in your DNS manager that points to the public IP address of the server hosting the application.
- Ensure the following:
  - The server has a Fully Qualified Domain Name (FQDN) (e.g., cks.yourdomain.com).
  - Port 443 on the server is open for inbound traffic.
  - The server is publicly accessible but restricted to Virtru endpoints.
  - A CA-signed SSL certificate is applied to the domain.
- Set a TTL (Time-to-Live) of around 300 seconds so that DNS changes propagate quickly when you update the record.
Example A Record Configuration for a Single VPK Server:
| Host Name | Address | Record Type | TTL |
| --- | --- | --- | --- |
| cks | 203.0.113.1 (server public IP address) | A | 300 |
Configuring DNS for High Availability (HA) Environments
If you have multiple servers in a high availability setup, there are two approaches for adding them to your DNS entries:
1. Failover Method
In the failover approach, all of your servers' public IP addresses are added to your DNS entries as A records. Each server can be located in different regions or locations, but they share the same FQDN. If one server goes down, DNS will automatically direct traffic to one of the other functioning servers. This method can be enhanced by using a DNS provider that supports health checks and automatic failover, such as AWS Route 53.
Example A Record Configuration for the Failover Method:
| Host Name | Address | Record Type | TTL |
| --- | --- | --- | --- |
| cks | 203.0.113.1 (server public IP address) | A | 300 |
| cks | 198.51.100.2 (server public IP address) | A | 300 |
| cks | 192.0.2.3 (server public IP address) | A | 300 |
2. Load Balancer Method
In the load balancer approach, multiple servers are placed behind a load balancer, which distributes traffic evenly across all servers. This ensures that the workload is shared, and if one server goes down, the load balancer redirects traffic to the remaining servers. Consider using managed load balancers from providers like AWS, Azure, or Google Cloud to simplify management and scaling.
Example A Record Configuration for the Load Balancer Method:
| Host Name | Address | Record Type | TTL |
| --- | --- | --- | --- |
| cks | 203.0.113.1 (load balancer IP address) | A | 300 |
- Behind the load balancer, multiple VPK servers handle the workload. The load balancer ensures even distribution of traffic and provides fault tolerance.
Important Notes:
- Ensure a CA-signed SSL certificate is installed on all servers in an HA environment to maintain secure traffic handling. Also consider using SSL certificates with different renewal dates to avoid simultaneous expirations.
- DNS failover may not be instantaneous and relies on TTL settings and DNS cache refresh rates.
- For more efficient and automated failover management, consider using DNS providers with health check features like AWS Route 53.
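The following script is an added example (not Virtru's code) that checks a published configuration against the requirements above: every expected server IP is present as an A record, no unexpected address is published, the TTL does not exceed 300 seconds, and the certificate names the FQDN exactly rather than through a wildcard. The expected addresses are taken from the failover table; the resolver answers and certificate names are constructed sample data, and `cks.yourdomain.com` is the placeholder FQDN from the page.

```python
"""Validate VPK DNS A records and certificate naming against the documented setup.
Added example, not Virtru's code; resolver answers and SAN lists are constructed."""
import socket
from dataclasses import dataclass, field

# Failover configuration from the tables above (RFC 5737 documentation addresses).
EXPECTED_A_RECORDS = {"203.0.113.1", "198.51.100.2", "192.0.2.3"}
MAX_TTL = 300  # the page recommends roughly 300 seconds


@dataclass
class ARecord:
    address: str
    ttl: int


@dataclass
class CheckResult:
    ok: bool
    problems: list = field(default_factory=list)


def check_a_records(fqdn, answers, expected=EXPECTED_A_RECORDS, max_ttl=MAX_TTL):
    """Compare the resolver's answers for fqdn with the expected A records and TTL."""
    problems = []
    seen = {r.address for r in answers}
    for missing in sorted(expected - seen):
        problems.append(f"{fqdn}: expected A record {missing} not published")
    for extra in sorted(seen - expected):
        problems.append(f"{fqdn}: unexpected A record {extra}")
    for r in answers:
        if r.ttl > max_ttl:
            problems.append(f"{fqdn}: TTL {r.ttl} for {r.address} exceeds {max_ttl}")
    return CheckResult(not problems, problems)


def check_cert_name(fqdn, san_names):
    """The certificate must list the FQDN itself; wildcard names are unsupported."""
    problems = []
    if fqdn.lower() not in {n.lower() for n in san_names}:
        problems.append(f"certificate does not list {fqdn} in its SANs")
    for n in san_names:
        if n.startswith("*."):
            problems.append(f"wildcard name {n} present; use a per-host certificate")
    return CheckResult(not problems, problems)


def live_a_records(fqdn):
    """Resolve fqdn with the system resolver (getaddrinfo does not expose TTLs)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, 443, socket.AF_INET)})


# Constructed resolver answer: one server missing and one TTL far above 300.
SAMPLE_ANSWERS = [ARecord("203.0.113.1", 300), ARecord("198.51.100.2", 3600)]

if __name__ == "__main__":
    for result in (check_a_records("cks.yourdomain.com", SAMPLE_ANSWERS),
                   check_cert_name("cks.yourdomain.com", ["*.yourdomain.com"])):
        print("OK" if result.ok else "\n".join(result.problems))
```

For a live check, feed the output of `live_a_records()` (or your DNS provider's API, which also reports TTLs) into `check_a_records()` instead of the constructed sample.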
By following these configurations, you can ensure that your VPK server is properly set up in DNS for either a single server or a high availability environment. Please refer to our deployment scenarios for more information about load balancing.