NGINX Controller Tech Specs

Overview

This guide lists the technical recommendations for NGINX Controller v3 and NGINX Controller Agent. Review this guide before installing or updating NGINX Controller or NGINX Controller Agent.

Supported Distributions

NGINX Controller, the NGINX Controller Agent, and NGINX Controller App Security support the following distributions and architectures:

| Distribution | Version | Architecture(s) | NGINX Controller (Control Plane) | Controller Agent (Data Plane) | Notes |
|---|---|---|---|---|---|
| Amazon Linux | 2 | x86_64 | | v3.0+ | |
| Amazon Linux | 2017.09+ | x86_64 | | v3.0+ | |
| CentOS | 6.0 (6.5+) | i386, x86_64 | | v3.0+ | This distribution does not support AVRD. |
| CentOS | 7.0 (7.4+) | x86_64 | v3.0+ | v3.0+ (App Security supported) | NGINX Controller App Security requires NGINX Controller 3.12 or later. |
| Debian | 8 | i386, x86_64 | | v3.0+ | This distribution does not support AVRD. |
| Debian | 9 | i386, x86_64 | v3.0+ | v3.0+ (App Security supported) | NGINX Controller App Security requires NGINX Controller 3.12 or later. Only the NGINX Controller Agent supports the i386 architecture. NGINX Controller and NGINX Controller App Security support x86_64. |
| Red Hat Enterprise Linux | 6.0 (6.5+) | i386, x86_64 | | v3.0+ | |
| Red Hat Enterprise Linux | 7.0 (7.4+) | x86_64 | v3.5+ | v3.5+ (App Security supported) | NGINX Controller App Security requires NGINX Controller 3.12 or later. SELinux may interfere with NGINX Controller installation and operation. If you do enable SELinux, it must use permissive mode. Use of enforcing mode is not supported. |
| Ubuntu | 16.04 LTS | i386, x86_64 | v3.0+ | v3.0+ | Only the NGINX Controller Agent supports the i386 architecture. NGINX Controller and NGINX Controller App Security support x86_64. |
| Ubuntu | 18.04 LTS | x86_64 | v3.0+ | v3.0+ | |
| Ubuntu | 20.04 LTS | x86_64 | | v3.12+ | |

Analytics, Visibility, and Reporting Daemon (AVRD)

NGINX Controller v3.1 and later use an Analytics, Visibility, and Reporting daemon (AVRD) to aggregate and report app-centric metrics, which you can use to track and check the health of your apps. To learn more about these metrics, see the NGINX Metrics Catalog topic.

Supported Deployment Environments

You can deploy NGINX Controller v3 into the following environments:

  • Bare metal
  • Public cloud: Amazon Web Services, Google Cloud Platform, Microsoft Azure
  • Virtual Machine

NGINX Plus Instances

NGINX Controller, using the Controller Agent, can monitor and manage up to 100 NGINX Plus instances. When using Controller App Security, NGINX Controller can monitor and manage up to 30 NGINX Plus instances with NGINX App Protect installed.

NGINX Controller supports the following NGINX Plus versions:

| NGINX Plus | NGINX Controller |
|---|---|
| R23 | v3.12+ |
| R22 | v3.5+ |
| R21 | v3.3+ |
| R20 | v3.0+ |
| R19 | v3.0+ |

Note:
NGINX Controller App Security is supported on NGINX Plus R22.

NGINX App Protect

The App Security add-on for the NGINX Controller Application Delivery module requires NGINX App Protect version 2.1.1 and NGINX Plus R22.

  • CentOS/Red Hat Enterprise Linux: app-protect-22+3.243.1-1.el7.ngx.x86_64
  • Debian: app-protect=22+3.243.1-1~stretch

Supported Browsers

NGINX Controller works best with the newest and the last prior version of these browsers with JavaScript, cookies, and SSL enabled:

Hardware Specifications

The following minimum hardware specifications are required for each node running NGINX Controller:

  • RAM: 8 GB
  • CPU: 8-Core CPU @ 2.40 GHz or similar
  • Disk space: 80 GB free disk space

The NGINX Controller Agent consumes as little memory and CPU as possible. CPU usage should be under 10%, and RSS memory consumption should be just a few dozen MBs. If you notice the NGINX Controller Agent consuming resources at a higher rate, you should contact NGINX Support for assistance.

NGINX Controller Database Requirements

Local or External Storage

When installing NGINX Controller v3, you can choose the type of volume that’s used to store the analytics database. The types of volumes that are supported are:

Local Storage

When using local storage for the analytics database, we recommend the following specs:

  • 100 IOPS
  • 130 GB free disk space (that’s the standard recommendation of 80 GB + 50 GB for the local analytics database)
  • 230 GB of free disk space is recommended if NGINX Controller App Security is enabled. This includes the standard recommendation of 80 GB and an additional 150 GB for the local analytics database.
Tip:
To conserve IO and/or disk space, you can use a separate disk for the local storage directory /opt/nginx-controller/clickhouse_data.

NFS

To use NFS for external storage for the analytics database, consider the following:

  • Make certain that the NFS version used by the server is supported by the client system where you’re installing NGINX Controller.
  • If you’re using NFS v4 file locking or Network Lock Manager (NLM) on the NFS server, make sure that the client system that’s running your NGINX Controller has access to the mount point.
  • Install the nfs-common (on Ubuntu/Debian) or nfs-utils (on CentOS/RedHat) package on all hosts on which NGINX Controller will be installed.
  • The no_root_squash option must be set for the mount point on the NFS server. If this is not allowed, the owner of the path used for the analytics database must be set to 101:101 and the owner of the path used for the config database must be set to 70:70.

AWS EBS

(Optional) To install NGINX Controller on AWS EC2 instances that use EBS volumes for the analytics and/or config database, and to allow creating ELBs automatically, configure an IAM role similar to the following example.

Important:
If you plan to run NGINX Controller on AWS EC2 instances, we recommend using NFS shares for the external volumes. Using EBS shares for multi-node clusters is not recommended because of the EBS Availability Zone limitations; for example, the requirement to have EC2 instances and EBS volumes in the same Availability Zone.

Adapt the policy to meet your needs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeTags",
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyVolume",
        "ec2:AttachVolume",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateRoute",
        "ec2:DeleteRoute",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteVolume",
        "ec2:DetachVolume",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DescribeVpcs",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:AttachLoadBalancerToSubnets",
        "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:CreateLoadBalancerPolicy",
        "elasticloadbalancing:CreateLoadBalancerListeners",
        "elasticloadbalancing:ConfigureHealthCheck",
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:DeleteLoadBalancerListeners",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:ModifyLoadBalancerAttributes",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:CreateListener",
        "elasticloadbalancing:CreateTargetGroup",
        "elasticloadbalancing:DeleteListener",
        "elasticloadbalancing:DeleteTargetGroup",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:ModifyListener",
        "elasticloadbalancing:ModifyTargetGroup",
        "elasticloadbalancing:RegisterTargets",
        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
        "iam:CreateServiceLinkedRole",
        "kms:DescribeKey"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
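
Before adapting the policy, it helps to see which of its actions create, modify, or delete resources while Resource is "*". The following Python script is an added example, not part of the NGINX documentation: the embedded policy is a constructed excerpt of the one above, and treating Describe/Get/List verbs as read-only is a naming heuristic assumed here.

```python
import json
from collections import Counter

# Constructed excerpt of the example policy above, embedded so the script runs
# offline. It keeps the repeated elasticloadbalancing:AddTags entry on purpose.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
   "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes",
              "ec2:CreateVolume", "ec2:DeleteVolume",
              "ec2:DeleteSecurityGroup", "ec2:AuthorizeSecurityGroupIngress",
              "elasticloadbalancing:AddTags",
              "elasticloadbalancing:DeleteLoadBalancer",
              "elasticloadbalancing:AddTags",
              "iam:CreateServiceLinkedRole", "kms:DescribeKey"],
   "Resource": ["*"]}]}
""")

# Assumption: verbs with these prefixes only read state (naming heuristic).
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy):
    """Return repeated actions and mutating actions allowed on Resource "*"."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    duplicates, unscoped = set(), set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = as_list(stmt["Action"])
        duplicates |= {a for a, n in Counter(actions).items() if n > 1}
        # A statement with a Condition is skipped here; review those by hand.
        if "*" not in as_list(stmt.get("Resource", [])) or "Condition" in stmt:
            continue
        for action in actions:
            verb = action.split(":", 1)[-1]
            if not verb.startswith(READ_ONLY_PREFIXES):
                unscoped.add(action)  # also catches wildcards such as ec2:*
    return {"duplicates": sorted(duplicates),
            "unscoped_mutating": sorted(unscoped)}


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

The actions reported under unscoped_mutating are the ones to narrow first, by resource or condition, when you adapt the policy.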

Supported PostgreSQL Versions

NGINX Controller supports the following versions of PostgreSQL:

  • PostgreSQL 12.3 – works with NGINX Controller 3.9 and later.
  • PostgreSQL 9.5 – works with NGINX Controller 3.0 and later.

For a system monitoring 100 NGINX Plus instances, we recommend at least 32 GB of database storage. Database storage requirements can vary, depending on the number of NGINX Plus instances, components, published API specs, and the churn rate for configuration changes. For monitor-only implementations, the database storage needs are small; for API Management (APIM) and/or App Delivery Controller (ADC) implementations in production, the storage needs are greater.

Important:
If you use PostgreSQL 12, we recommend disabling Just-in-Time (JIT) compilation to improve NGINX Controller’s performance. To disable JIT, edit the postgresql.conf file and set jit=off.

Firewall/IP Settings

Configure NGINX Controller with the following firewall settings:

  • DB: Port 5432 TCP – incoming to DB from NGINX Controller host
  • NGINX Controller: Port 443 TCP – incoming from wherever you access NGINX Controller with a browser (for example, an internal network) and from NGINX Plus instances
  • NGINX Controller: Port 8443 TCP – incoming from NGINX Plus instances
Note:

If you have a firewall running on the NGINX Controller host, enable NAT (masquerade) and open the following ports. These ports are used for internal traffic only and don’t need to be open to the outside.

  • NGINX Controller: 6443 TCP, 2379 TCP, 2380 TCP – incoming requests to the Kubernetes master node; used for the Kubernetes API server and etcd
  • NGINX Controller: 10250 TCP – incoming requests to the Kubernetes worker node; used for the Kubelet API

For more information about these ports, see the Kubernetes guide Installing kubeadm.
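
To confirm that the firewall matches these settings, you can test from a host on the NGINX Plus network that 443 and 8443 answer while the internal Kubernetes and etcd ports do not. The following Python script is an added example, not part of the NGINX documentation; the vantage point and the host argument are assumptions, and the port numbers come from the lists above.

```python
import socket
import sys

# Ports from the firewall lists above. Assumption: the script runs on a host
# in the NGINX Plus instance network, outside the NGINX Controller host.
EXTERNAL_PORTS = (443, 8443)                 # must accept connections
INTERNAL_PORTS = (6443, 2379, 2380, 10250)   # Kubernetes API, etcd, Kubelet
# Port 5432 belongs to the DB host and should only answer the Controller host.


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timed out), or unreachable
        return False


def exposure_findings(host, must_be_open=EXTERNAL_PORTS,
                      must_be_closed=INTERNAL_PORTS, timeout=2.0):
    """List the ports on host that deviate from the settings above."""
    findings = []
    for port in must_be_open:
        if not tcp_open(host, port, timeout):
            findings.append((port, "expected open, but unreachable"))
    for port in must_be_closed:
        if tcp_open(host, port, timeout):
            findings.append((port, "internal-only port reachable from here"))
    return findings


if __name__ == "__main__":
    # The Controller host name or address is supplied by the operator.
    for port, problem in exposure_findings(sys.argv[1]):
        print(f"{port}/tcp: {problem}")
```

An empty result means the host exposes only what the settings above call for, as seen from the machine running the check.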

Supported Python Versions

NGINX Controller and the NGINX Controller Agent versions 3.6 and earlier require Python 2.6 or 2.7. Python is not needed for NGINX Controller or the NGINX Controller Agent versions 3.7 and later.

Open-Source Licenses

The list of open-source packages and their licenses used by NGINX Controller can be found in the downloaded file that is part of the NGINX Controller package. On your NGINX Controller host, see controller-installer/files/license-controller.md.

In addition, see the AskF5 KB article Third-party software for NGINX Controller controller-datacollection-components for third-party software packages that may be used by or distributed with controller-datacollection-components. This information is not included in the license-controller.md that’s mentioned above.


This documentation applies to the following versions of NGINX Controller Documentation:
3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11 and 3.12.