UiPath infrastructure, multi-node Orchestrator with high availability

Introduction

UiPath provides a variety of deployment options for its platform such as single-node, multi-node, high availability, active/passive, and active/active. A multi-node deployment involves distributing the UiPath components across multiple machines, allowing for better performance, scalability, and resilience.

In this post, we are going to take a closer look into this amazing architecture and understand every single piece that is required to have a multi-node high-availability design. Depending on your needs, this approach could be suitable for a user acceptance test environment or even your production instance.

UiPath infrastructure

It's important to note that a multi-node deployment is more complex than a single-node deployment and requires more planning and configuration. However, it offers several benefits, such as improved performance, scalability, and high availability, making it a popular choice for large-scale UiPath deployments.

• Multi node high availability

High availability (HA) provides redundancy and stability for your multi-node Orchestrator deployment by ensuring that multiple Orchestrator and HAA nodes are available. When one node fails, the other nodes can automatically take over the workload, minimizing downtime and ensuring continuous operation.

Additionally, HA deployment also offers horizontal scalability, which means you can add more Orchestrator and HAA nodes as needed to handle increased workload and manage growing robot requirements.

Overall, an HA deployment provides a robust and reliable solution for running a UiPath Orchestrator in a multi-node environment, with automatic failover, redundancy, and scalability to handle varying workloads.

From now on, we are going to look at the high availability architecture and all components required to make this works.

• Microsoft SQL server

First off, let's get started with ‌Microsoft SQL server as a cluster. An SQL server cluster is a deployment architecture that provides high availability and disaster recovery for SQL server databases. It involves multiple servers, called nodes, that work together to provide a single, shared instance of the SQL server database engine.

In an SQL server cluster, all nodes have access to the same shared storage, and they use a special software layer called the cluster service to coordinate their activities. The cluster service monitors the health of the nodes and automatically fails over to another node if one node fails. This failover process is transparent to users, who continue to access the database without interruption. Depending on your company, these clusters can be deployed on the same data center on not. If deployed in different data centers, the overall availability will likely increase.

The overall recommendation is to use the always on availability groups, which provides a way to replicate a set of user databases to secondary replicas, ensuring that they are continuously available, even in the event of a failure.

• Storage server/file server

A file server is a type of server that is specifically designed to store and manage files in a networked environment. It allows multiple users or clients to access and share files, folders, and other data resources across the network.

In our case, this file server will be shared between all the Orchestrator nodes to store the UiPath packages and libraries. That means, we have‌ centralized storage for all our NuGet packages. Adding a cluster with two Windows server nodes as your storage would increase the overall reliability and availability of your environment.

• High availability add-on

The high availability add-on (HAA) is a component of UiPath Orchestrator that provides high-availability and disaster recovery capabilities for Orchestrator installations. This HA add-on is available in a Linux Redis Cluster with three or more nodes. Its responsibility is to make sure all the transactions and their information are synchronized between all the Orchestrator nodes. In the event where one of the UiPath Orchestrator Windows IIS servers goes down, the other two would be to pick all the transactions that were being processed by the missing node and continue their process.

In a set up where we have three Redis HA nodes, there'll be one always communicating with the three Windows IIS servers. Whereas the other two, their Redis nodes would wait in standby mode.

This is how this Redis looks like.

• Windows IIS servers

Now that we have a better understanding about the adjacent components that surround the UiPath Orchestrator, let's take a look into the IIS servers.

Windows internet information services (IIS) is a web server software developed by Microsoft for hosting websites and web applications on Windows operating systems. It provides a platform for serving content over the web, handling HTTP and HTTPS requests, and supporting various web protocols, including FTP, SMTP, and NNTP.

In our design, there will be three of them working in parallel under a load balancer. We are going to discuss load balancers in a moment. For now, we need to understand that the UiPath Orchestrator will be deployed alongside several other applications on each Windows IIS server, and every configuration performed in one of them must be replicated on the other two servers.

Overall, when we run the Orchestrator MSI file, the installation wizard takes care of most things. Yet we still have some pre-and post-installation tasks to do in order to have a running UiPath environment.

• Network load balancer

A network load balancer (NLB) is a type of load balancer that distributes incoming traffic across multiple targets, such as servers or containers, within a network. NLBs typically use a variety of algorithms to distribute traffic, such as round-robin, least connections, and IP hash.

For our solution, the NLB will be on top of our 3 IIS servers, balancing all the network calls from robots and users. It's up to the NLB to decide which node will be selected for each call. In the event where one of these IIS servers goes down, the NLB will be sending all the traffic to the remaining servers. Once the server is up and running again, the NLB will notice that and will resume sending new packages to it.

• How to access the servers?

Now that we know what hardware items we’ll have, we need to decide how we are going to access them. For this topic, we may have several different options, and I’ll describe what I believe to be the most efficient and still reliable way. Since these are servers, we can’t simply use our own user accounts to install things. That could lead the team and the company into problems. If whoever installed the UiPath Orchestrator leaves the workforce, for instance.

For the UiPath Orchestrator installation, we are going to use what's known as non-people NPID (ID), or service accounts. A non-people identity (NPID) is a type of identity that's used for authenticating non-human entities in a Windows-based environment. It's essentially a digital identity that can be used to represent any non-human entity, such as an application, a service, or a device, that needs to access resources within a Windows domain or network.

The requirements on the Windows server are very straightforward. This service account needs to be an administrator and also should be able to run jobs as s batch job. This is required to keep the Orchestrator website running all the time. However, on the database side, you’ll need to grant dbcreator and dbowner privileges to it. That's required for the installation process so then the service account can create the UiPath database and also become the owner of that for future maintenance. This service account doesn't need to have access to the actual server, for RPD, for instance. That'd be something that the DBAs should have.

• DNS and certificate

Domain name system (DNS) is used to translate human-readable domain names, such as www.uipath.com, into machine-readable IP addresses, such as 172.217.6.68. DNS enables users to access websites and other network resources using domain names that are easy to remember, rather than having to remember the numerical IP addresses associated with them. When a user types in a domain name in their web browser, their computer sends a DNS request to a DNS server, which responds with the corresponding IP address, allowing the computer to connect to the desired resource. DNS is a critical component of the internet infrastructure, and without it, accessing websites and other network resources would be much more difficult and cumbersome.

For our solution, we should have a new DNS entry with a meaningful name such as https://mydevorchestrator.com. The default configurations for this DNS will vary from company to company. For example, many major organizations won't allow servers to access the internet. That means the process of creating this DNS entry will vary from place to place.

Another key component in our solution is the Windows certificate. Windows certificates are digital documents that are used to authenticate and encrypt communications between computers, users, and web servers on the Windows platform. Certificates are issued by a trusted third party, known as a Certificate Authority (CA), which verifies the identity of the certificate holder and signs the certificate to indicate that it is valid. Certificates are used in various scenarios, including securing website connections with HTTPS, authenticating users logging into a Windows domain, and securing communications between network devices. Windows certificates play a critical role in securing network communications on the Windows platform, helping to protect against cyber threats, and ensuring the integrity and confidentiality of sensitive data.

Similar to the DNS entry, we should install a certificate on our Orchestrator Windows IIS server that points to our website name https://mydevorchestrator.com. With that in place, we guarantee that the all communication between the users and the Orchestrator is secure and encrypted.

Since we have multiple Windows IIS servers, either of them, the DNS and the certificate should be configured to "see" all of them. That means the DNS will have the three IIS node host names on it, and the Certificate must be installed on all IIS servers as well.

• Firewalls

A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on pre-defined security rules. It acts as a barrier between an internal network and external networks, such as the internet, and can prevent unauthorized access to or from a network. Firewalls can be implemented in hardware, software, or a combination of both, and can provide a range of security features, including packet filtering, application-level filtering, and intrusion detection and prevention. They can also be configured to allow or block traffic based on a variety of criteria, including source or destination IP address, port number, and protocol type. Firewalls are a critical component of network security, helping to protect against cyber threats and ensuring the confidentiality, integrity, and availability of sensitive data.

Since our solution has several servers communicating to each other, there'll be several firewall rules. Here's a list with the minimum required.

The way the firewall group is set up may vary from place to place. Users’ devices could be allowed to connect based on their subnet or active directory groups, for instance. You should discuss that with your network team for more details.

Conclusion

All things considered, UiPath offers a range of deployment options for its platform, including single-node, multi-node, high availability, active/passive, and active/active. Multi-node deployment, in particular, offers improved performance, scalability, and high availability, making it a popular choice for large-scale UiPath deployments. While this architecture is more complex than a single-node deployment, it provides several benefits that can be crucial for business-critical applications. With careful planning and configuration, a multi-node deployment can be a highly effective solution for organizations looking to scale their UiPath deployment to meet growing demands.

High availability (HA) deployment is a critical component of a multi-node Orchestrator environment, offering redundancy and stability to ensure that the application remains operational in the event of node failures. With HA deployment, multiple Orchestrator and HAA nodes are available to take over the workload, minimizing downtime and ensuring continuous operation. In addition, horizontal scalability enables organizations to add more nodes to handle increasing workload demands and support growing robot requirements. HA deployment is a robust solution for running a UiPath Orchestrator in a multi-node environment, providing automatic failover, redundancy, and scalability to handle varying workloads.