Requirements for Configuring Alteryx Server with a Load Balancer (or Reverse Proxy)

This article covers the various configurations for Gallery behind a load balancer/reverse proxy. The configuration will depend on what authentication mechanism you are setting up, as well as if SSL is used.

**Please note that all Base Addresses when referred to are appending /gallery to the hostname/FQDN:

All Web API Addresses when referred to are appending /webapi to the hostname/FQDN:

Web API Address and Canonical Web API Address are only available from Server 2021.4 onwards.

**Please note some load balancers use health probes (sometimes call health checks) to validate gallery responses and can often fail or show a 307 temporary redirect error. If this happens try specifying the following: 

• /gallery/api/status/ping/ 

Key for flowcharts

• Green = SSL/TLS
• Purple = no SSL/TLS

Built-in Authentication

SSL/TLS - End to End

• Set the Base Address and Web API Address on the Gallery nodes to the hostname/FQDN of the machine (https)
• Set the Canonical Base Address and Canonical Web API Address in RuntimeSettings.xml to the load balancer alias (https) by adding corresponding XML tags "<CanonicalBaseAddress></CanonicalBaseAddress>, <WebApiCanonicalBaseAddress></WebApiCanonicalBaseAddress>"
  • From Server 2022.2 onwards, the Canonical Base Address and Canonical Web API Address can be configured in Alteryx System Settings > Server UI > General, along with the Base Address and Web API Address
• Certificates must be installed on the load balancer, and all Gallery nodes

image.png

SSL/TLS - Terminating at the Load Balancer* (only available for Built-in Auth)

In this case the connections between the load balancer and the Gallery nodes communicate over http.

*When SSL terminates at the load balancer, users will not be able to use the Gallery API through the load balancer. If this is a requirement for your use case, you must have SSL go through to the Gallery nodes.

• Set the Base Address and Web API Address on the Gallery nodes to the hostname/FQDN of the machine
• Set the Canonical Base Address and Canonical Web API Address in RuntimeSettings.xml to the load balancer alias (https) by adding corresponding XML tags "<CanonicalBaseAddress></CanonicalBaseAddress>, <WebApiCanonicalBaseAddress></WebApiCanonicalBaseAddress>"
  • From Server 2022.2 onwards, the Canonical Base Address and Canonical Web API Address can be configured in Alteryx System Settings > Server UI > General, along with the Base Address and Web API Address
• Certificate must be installed on the load balancer

image.png

No SSL/TLS

• Set the Base Address and Web API Address on the Gallery nodes to the hostname/FQDN of the machine  
• Set the Canonical Base Address and Canonical Web API Address in RuntimeSettings.xml to the load balancer alias by adding corresponding XML tags "<CanonicalBaseAddress></CanonicalBaseAddress>, <WebApiCanonicalBaseAddress></WebApiCanonicalBaseAddress>"
  • From Server 2022.2 onwards, the Canonical Base Address and Canonical Web API Address can be configured in Alteryx System Settings > Server UI > General, along with the Base Address and Web API Address

image.png

Windows Authentication

Please note that for Windows Authentication a classic or network load balancer must be used. Application load balancers will not work with Windows Authentication.
 

SSL/TLS - End to End

• Set the Base Address and Web API Address on the Gallery nodes to the hostname/FQDN of the machine (https)  
• Set the Canonical Base Address and Canonical Web API Address in RuntimeSettings.xml to the load balancer alias (https) by adding corresponding XML tags "<CanonicalBaseAddress></CanonicalBaseAddress>, <WebApiCanonicalBaseAddress></WebApiCanonicalBaseAddress>"
  • From Server 2022.2 onwards, the Canonical Base Address and Canonical Web API Address can be configured in Alteryx System Settings > Server UI > General, along with the Base Address and Web API Address
• Certificates must be installed on the load balancer and all Gallery nodes

image.png

No SSL/TLS

• Set the Base Address and Web API Address on the Gallery nodes to the hostname/FQDN of the machine
• Set the Canonical Base Address and Canonical Web API Address in RuntimeSettings.xml to the load balancer alias by adding corresponding XML tags "<CanonicalBaseAddress></CanonicalBaseAddress>, <WebApiCanonicalBaseAddress></WebApiCanonicalBaseAddress>"
  • From Server 2022.2 onwards, the Canonical Base Address and Canonical Web API Address can be configured in Alteryx System Settings > Server UI > General, along with the Base Address and Web API Address

image.png

SAML Authentication

SSL/TLS - End to End

• Set the Base Address on the Gallery nodes (as well as in your IDP) to the FQDN/DNS alias of the load balancer
• Set the Web API Address on the Gallery nodes to the FQDN/DNS alias of the load balancer
• Certificates must be installed on the load balancer and all Gallery nodes  
• Edit the hosts file to route the FQDN of the load balancer to the loopback adapter:  

127.0.0.1    alias.domain.tld

image.png

No SSL/TLS

• Set the Base Address on the Gallery nodes (as well as in your IDP) to the FQDN/DNS alias of the load balancer
• Set the Web API Address on the Gallery nodes to the FQDN/DNS alias of the load balancer
• Edit the hosts file to route the FQDN of the load balancer to the loopback adapter:

  127.0.0.1 alias.domain.tld

image.png

Additional Resources
 

• Install or Upgrade Server | Alteryx Help