Hello Jonathan,
On Thu, 2018-09-06 at 23:58 +0000, Carrasco, Jonathan J (173F) wrote:
> Hello.
> I’m working on implementing Keycloak on ECS. The proposed architecture is:
> 2x – Keycloak Docker images (customized for Domain Mode)
> RDS Postgres Instance
Before we move on to the LB topic: please remember that AWS (incl. ECS) doesn't allow
for IP multicast between the nodes/containers, and IP multicast is what Keycloak
clustering relies upon (at least in default configuration).
In more detail, you'll have to configure an alternate node discovery mechanism for
JGroups, like JDBC_PING or S3_PING.
See the doc for more details, especially the "Troubleshooting AWS specifics"
section at the end:
https://blog.keycloak.org/2018/01/keycloak-cross-data-center-setup-in-aws...
Or google for "Keycloak AWS", there have been a lot of postings on this ML on
that topic.
> My question - and I’m open to comments - is what is best practice for Load Balancing and
> what is the community using? I was thinking of spinning up another docker instance with
> Nginx for load balancing instead of Amazon’s ALB.
In addition to nginx, I'd also recommend that you take a look at HAProxy:
http://www.haproxy.org/
Nginx is a web server first and foremost, and reverse proxying / load balancing are kinda
secondary functions for Nginx.
On the other hand, haproxy implements a lot of LB-specific stuff, like e.g. throttling
based on HTTP headers, which might be topical (depends on your architecture of course).
> Is that something that makes sense or better to just use ALB?
This is pretty reasonable. The main points here are:
- you can have something more powerful and feature-rich than ALB;
- you can take full control of it.
For example, Keycloak recommends using sticky sessions for performance
purposes:
https://www.keycloak.org/docs/4.4/server_installation/#sticky-sessions
This is absolutely doable with nginx/HAproxy, but I'm not sure if it is
possible with ALB.
> The reasoning that I want to have another instance for load balancing
> is because I want to separate the credential collector. Is there some docs on best way to
> execute separating the credential collector?
Could you please elaborate on what you mean by "credential collector"?
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
> --
> Jonathan Carrasco (173F)
> Jet Propulsion Laboratory
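As an added illustration (not part of the thread, and not configuration from the Keycloak project), here is an HAProxy configuration that does what the reply above recommends: TLS termination in front of two Keycloak nodes with cookie-based sticky sessions, plus the forwarded headers Keycloak needs to see the real client address and scheme. The certificate path, backend IPs, ports and the /auth health-check path are assumptions.

```haproxy
# Added example: HAProxy in front of a two-node Keycloak cluster.
# All addresses, ports and file paths below are assumed values.
defaults
    mode http
    option httplog
    # Pass the client IP to Keycloak in X-Forwarded-For so audit logs
    # and brute-force detection see the real source, not the LB.
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend keycloak_front
    # TLS is terminated here; the backend talks plain HTTP to the nodes.
    bind *:443 ssl crt /etc/haproxy/certs/keycloak.pem
    # Keycloak uses these to build correct https:// redirect and issuer URLs.
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    default_backend keycloak_back

backend keycloak_back
    balance roundrobin
    # Sticky sessions: HAProxy inserts its own routing cookie so that a
    # browser keeps hitting the node that holds its authentication session.
    # "secure" and "httponly" keep the cookie off plain HTTP and away from JS.
    cookie KC_ROUTE insert indirect nocache secure httponly
    # Remove unhealthy nodes from rotation instead of sending logins into the void.
    option httpchk GET /auth/
    server kc1 10.0.1.10:8080 check cookie kc1
    server kc2 10.0.1.11:8080 check cookie kc2
```

For the forwarded headers to be honoured, the Keycloak nodes must also have proxy-address-forwarding="true" on the Undertow http-listener in their standalone-ha.xml, as described in the Keycloak server installation guide's reverse-proxy section.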
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user