Q. I want to use Advanced Threat Analytics in my environment, but my virtualized DCs move between hosts in my Hyper-V cluster. How should I deploy my ATA gateways?
A. The ATA gateways must be deployed on the same hosts as the DCs to enable port mirroring from the source VM (the DC) to the target VM (the gateway), and the mirroring only works for VMs connected to the same virtual switch, which means the same host. So if you have a 4-node cluster and 2 DCs that may move between the nodes, how do you ensure a gateway is always on the same node as the DC?
Failover Clustering has an anti-affinity capability, which distributes the VMs in a group among different nodes, but no affinity capability that could keep VMs together on the same node, for example a DC and a gateway. One option is to set the same preferred owner for each DC-GW pair, but this is not guaranteed.
The only guaranteed method is to deploy an ATA gateway to every node in the cluster and configure each gateway with all the DCs that run in that cluster. Each gateway is configured with its own node as preferred owner (or even as the only possible owner), and the ATA gateways are also placed in an anti-affinity group to ensure their distribution. This means no matter which node a DC is placed on, there is a gateway on that node to capture its traffic. Alternatively, limit the nodes on which the DCs can run and deploy gateways only on those nodes. Would love to see other suggestions in the comments.
This constraint goes away if you are using another virtual switch, such as the Cisco Nexus 1000V, which has the ability to send the mirrored traffic to different nodes in the cluster.
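The gateway-per-node layout described above, as an added PowerShell example (not from the original post or from the ATA documentation). It assumes a cluster whose nodes are returned by Get-ClusterNode, DC VMs named DC01 and DC02, and gateway VMs named ATA-GW1 through ATA-GWn (one per node); all of these names are assumptions.

```powershell
# Added example, not from the original post. Assumed names: DC VMs DC01/DC02,
# gateway VMs ATA-GW1..ATA-GWn (one per cluster node). Run on any cluster node
# with the FailoverClusters and Hyper-V modules installed.
Import-Module FailoverClusters
Import-Module Hyper-V

$nodes = Get-ClusterNode | Sort-Object Name | Select-Object -ExpandProperty Name
$dcs   = 'DC01', 'DC02'

# Returns the node that currently hosts a clustered VM's group.
function Get-VmOwnerNode([string]$VmName) {
    (Get-ClusterGroup -Name $VmName).OwnerNode.Name
}

# 1. Every DC vNIC becomes a port-mirroring source. Mirroring only reaches VMs on
#    the same virtual switch, i.e. the same host, so the gateway must sit there too.
foreach ($dc in $dcs) {
    Set-VMNetworkAdapter -ComputerName (Get-VmOwnerNode $dc) -VMName $dc -PortMirroring Source
}

# 2. One gateway per node, pinned to that node. Set-ClusterOwnerNode on the group
#    sets the preferred owner; on the VM resource it restricts the *possible* owners,
#    so the cluster can never fail the gateway over to another node.
for ($i = 0; $i -lt $nodes.Count; $i++) {
    $gw   = "ATA-GW$($i + 1)"
    $node = $nodes[$i]
    Set-ClusterOwnerNode -Group $gw -Owners $node
    Get-ClusterResource -Name "Virtual Machine $gw" | Set-ClusterOwnerNode -Owners $node
    # Put all gateways in one anti-affinity class so the cluster keeps them spread out.
    (Get-ClusterGroup -Name $gw).AntiAffinityClassNames = 'ATAGateways'
    # If the gateway has separate management and capture adapters, add -Name to
    # target only the capture adapter.
    Set-VMNetworkAdapter -ComputerName (Get-VmOwnerNode $gw) -VMName $gw -PortMirroring Destination
}

# 3. Check: every DC's current node must host exactly one gateway, otherwise that
#    DC's traffic is not being captured right now.
function Test-DcCoverage {
    $ok = $true
    foreach ($dc in $dcs) {
        $dcNode = Get-VmOwnerNode $dc
        $gwHere = Get-ClusterGroup | Where-Object { $_.Name -like 'ATA-GW*' -and $_.OwnerNode.Name -eq $dcNode }
        if (@($gwHere).Count -ne 1) { Write-Warning "$dc on $dcNode has no single gateway"; $ok = $false }
    }
    return $ok
}
Test-DcCoverage
```

Rerun Test-DcCoverage after a DC live-migrates or a node fails to confirm that coverage still holds.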