
High availability VSatellite

High availability (HA) groups of VSatellites improve reliability across multiple TLS Protect Cloud™ services, including Enhanced Discovery, Machines, and CA Connectors. For each new operation, the system randomly selects a healthy VSatellite from the group to perform the task. This ensures that even if one VSatellite becomes unavailable, new operations can still be initiated using another healthy VSatellite. If a VSatellite becomes unhealthy during an operation, the operation will fail—failover does not occur mid-execution.

Note

VSatellite HA provides fault tolerance by using a healthy VSatellite from the group to start operations. If a VSatellite fails mid-operation, the operation does not switch to another VSatellite. However, TLS Protect Cloud™ may retry the operation using a healthy VSatellite.

Features and benefits

  • High availability group selection: Users can assign multiple VSatellites as replicas to a primary VSatellite, forming a group that ensures operations can start as long as at least one VSatellite in the group is healthy.
  • Randomized healthy VSatellite selection: For each new operation, the system randomly chooses a healthy VSatellite from the group, regardless of whether it is the designated primary or a replica. This provides flexible load distribution and reduces the risk of a single point of failure.
  • Configurable in UI: During VSatellite creation, users can specify whether the instance is a primary or a replica and associate replicas with their primary from a dropdown list.
  • Service-level configuration support: Users can select an HA VSatellite group—composed of a primary and one or more replicas—when configuring services such as Enhanced Discovery, CA Connectors, or Machines.
  • Improved reliability: Reduces the risk of failed service operations due to VSatellite outages.
  • Load distribution (future enhancement): Planned functionality to balance operational loads more evenly across healthy members of the VSatellite group.
  • Seamless HA enablement: If a service is already configured with a primary VSatellite, you can later assign replicas to that primary without reconfiguring the service. Once the new replica VSatellite is deployed and has access to the required resources, the service automatically benefits from high availability.

Audience and use cases

This feature is intended for Platform Administrators and PKI Administrators who manage certificate discovery, machine identity enrollment, or CA integration across hybrid or multi-cloud environments. It is especially valuable for organizations that require operational resilience and do not want a single VSatellite outage to prevent new service requests.

Requirements and compatibility

  • A primary VSatellite must exist before creating replicas.
  • A primary VSatellite cannot be deleted if replicas are assigned to it.
  • Services such as Enhanced Discovery, CA Connectors, and Machines must be explicitly configured to use HA VSatellites.
  • All existing VSatellites deployed before this feature was introduced are considered primary VSatellites by default to preserve existing configurations.
  • Only primary VSatellites appear in dropdown lists when configuring Enhanced Discovery, CA Connectors, or Machines.
  • VSatellite HA is supported for most CA connectors, except Microsoft ADCS, which will be supported in a future release.
  • Available for use in the latest version of TLS Protect Cloud™.

Next steps

To get started, see Create a high availability VSatellite group.