How to Best Configure Alteryx Server for Load Balancers

If you read my introduction post on configuring load balancers over on the Information Lab Blog, I discussed the basic process for configuring Alteryx Server to use a load balancer. That only covered a setup with no SSL configured and the built in Authentication.

The reality is that you shouldn’t really be using your Alteryx Server without SSL configured. It is also likely a lot of servers wont be installed with the built-in authentication. This is especially true if you have a public facing server, in these situations you have probably configured an alternative authentication type, possibly using SAML.

Photo by Nastya Dulhiier on Unsplash

So we are going to cover off how to configure SSL for the three Authentication types:

  1. Built-In Authentication
  2. Windows Authentication
  3. SAML authentication

Within each of those contexts we will look at what changes are needed for enabling SSL.

Alteryx Built-In Authentication

No SSL

This is the most basic load balancer configuration. I described it on the Information Lab post but the key part it you need to add a <CanonicalBaseAddress> node to the <Gallery> Node

...
  <Gallery>
    ...
    <BaseAddress>http://hostname.domain.com/gallery</BaseAddress>
    <CanonicalBaseAddress>http://alteryx.domain.com/gallery</CanonicalBaseAddress>
    ...
  </Gallery>
...

SSL termination at the LB

Having SSL terminate at the load balancer is the simplest way of adding SSL to your server/LB configuration. This means that all communication from the public internet is encrypted while the communication between the load balancer and the alteryx server (inside the secure environment) is unencrypted.

The only difference when configuring SSL to the load balancer and the no SSL option (already shown) is that the CanonicalBaseAddress is looking for https (rather than http)

...
  <Gallery>
    ...
    <BaseAddress>http://hostname.domain.com/gallery</BaseAddress>
    <CanonicalBaseAddress>https://alteryx.domain.com/gallery</CanonicalBaseAddress>
    ...
  </Gallery>
...

SSL through to the end node

The final configuration for the built in authentication is to have SSL end to end. In this case not only the communication from the internet to the LB is encrypted, the communication between the LB and the server is also encrypted.

In this case each gallery node needs to have the certificate installed onto that node (see Configure Gallery SSL/TLS | Alteryx Help for how), this certificate needs to be the same as the base address you are going to use for your server and, just like with the other examples with built in auth, the base address should be the host name (or FQDN) for the gallery node.

Once you have this configured you can then make the same changes to the RuntimeSettings.xml as you have before with the final change this time being to update the base address to https.

...
  <Gallery>
    ...
    <BaseAddress>https://hostname.domain.com/gallery</BaseAddress>
    <CanonicalBaseAddress>https://alteryx.domain.com/gallery</CanonicalBaseAddress>
    ...
  </Gallery>
...

Windows Authentication (with or without Kerberos)

When looking at windows authentication the process for configuring the Load Balancer is the same as with built in Authentication. One limitation is that you can’t have SSL terminating at the load balancer, it has to go all the way to the gallery nodes. This means each gallery node needs its own certificate installed, and both the BaseAddress and the CanonicalBaseAddress need to be set for https

The final configuration ends up being exactly the same as for the built in Authentication (see below). Set the base address to the hostname/FQDN

No SSL

...
  <Gallery>
    ...
    <BaseAddress>http://hostname.windowsdomain.com/gallery</BaseAddress>
    <CanonicalBaseAddress>http://alteryx.windowsdomain.com/gallery</CanonicalBaseAddress>
    ...
  </Gallery>
...

SSL Enabled

...
  <Gallery>
    ...
    <BaseAddress>https://hostname.windowsdomain.com/gallery</BaseAddress>
    <CanonicalBaseAddress>https://alteryx.windowsdomain.com/gallery</CanonicalBaseAddress>
    ...
  </Gallery>
...
Photo by Jordan Harrison on Unsplash

SAML Authentication

The final authentication type is SAML. SAML is a way to offload the authentication using an open standards for identity providers (like OneLogin, Azure Active Directory or Google Authentication) to communicate the login back to the Service provider, in this case the Alteryx server.

The biggest change for SAML is that the base address of the server needs to be the same as the URL that you are trying to gain access to. So if you are trying to access your server at alteryx.domain.com/gallery then the base address needs to also be alteryx.domain.com/gallery.

The problem in this situation is that the Alteryx server host won’t be able to resolve the address when starting the Alteryx service so the Alteryx service will shutdown after a short timeout (you might see the gallery page open when you first start but the service will soon get shutdown again). To get around this you need to edit the windows hosts file (found in C:\Windows\System32\drivers\etc) to forward the alteryx.domain.com address (your base address) to the loopback adapter (either 127.0.0.1 or localhost)

For SAML Authentication you don’t need to make any changes to the RuntimeSettings.xml. You would set the base URL to your load balancer alias. The only change would be adding the line in the hosts file that looks like:

Localhost             alteryx.domain.com

Or

127.0.0.1             alteryx.domain.com

     

Final notes

So we now have the pieces required to enable a load balancer with and without SSL. I didn’t cover how to install the certificate but that is mentioned in the Alteryx documentation to enable SSL/TLS (Configure Gallery SSL/TLS | Alteryx Help). If there is any interest I will put together a post in future on ways to automate this, please comment below if you are interested.

Something to make note of is in the situation where SSL terminates at the load balancer, users will not be able to use the Gallery API through the load balancer. If this is a requirement for your use case, you must have SSL go through to the Gallery nodes.