Server Load Balancing - caitlinmallen/TechWiki GitHub Wiki
Server Load Balancing
Load-Balancing Concepts
- Distribution of workload across multiple computing resources
- Many kinds of resource can be load-balanced, including:
  - Network links
  - Computers/servers
  - CPUs
  - Disk drives
Why Load-Balance?
- Efficiency and performance
  - Maximize throughput
  - Improve response time
- Availability
  - Avoid overloading any single resource
  - Increase availability through redundancy
- Elasticity
  - Grow (and shrink) the service based on demand
- Security
  - Resource isolation and protection
  - Supports zoning efforts
Network vs Server/Service Load Balancing
- Network load-balancing
  - Balances traffic across network links
  - Handled by routing and related protocols (ECMP routing, link aggregation)
  - Provides redundancy
  - Provides link selection based on criteria (cost, bandwidth, policy)
- Server/Service load balancing (SLB)
  - Presents a single service that is actually served by multiple servers on the back-end
  - Highly customizable and widely used
  - Delivers all of the benefits listed above
Layer 3 SLB
- What operates at layer 3? IP addressing and routing
- Layer 3 SLB makes its decision using only the IP addresses of the different servers; it sees no ports and no application data
- DNS round robin is the usual example of layer 3 LB
  - Multiple A records for the same hostname
  - Successive queries return the records in a rotated order, so different clients contact different servers
  - Run nslookup against such a hostname and you may get a different first answer than a colleague does, because of the rotation
  - Caveat: DNS round robin has no health checking; a downed server keeps being handed out until its record is removed and cached answers expire (TTL), so it is a distribution mechanism, not an availability one
Layer 4 SLB
- What operates at layer 4? Transport: TCP and UDP ports
- Layer 4 SLB usually uses dedicated load-balancer systems
- Load-balancers host virtual IPs (VIPs, the front-ends): the IP address and port that end users use to reach the service
- The load balancer brokers the connection: it accepts the client's connection on the VIP and forwards it (by NAT or a separate backend connection) to a chosen server, choosing by IP address and port only, without looking at the payload
Layer 7 Load-Balancing
- Layer 7 load-balancers parse the application protocol (typically HTTP) rather than just forwarding packets
- Why?
  - Make decisions based on URLs or headers (Host, path, cookies)
  - Route on content and other metadata, and reject malformed requests before they reach a backend
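The difference between a layer 4 and a layer 7 decision, as an added example (not code from the wiki or from any product): a minimal HTTP request parser and a routing table keyed on the Host header and path prefix. The hostnames, pool names and routing rules are made up for illustration.

```python
"""Layer 7 routing: parse the HTTP request before choosing a backend pool.

Added example for this wiki page, not code from any product. Pool names,
hostnames and routing rules are made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"}


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]  # lower-cased header name -> value


def parse_http_request(raw: bytes) -> Request:
    """Parse the request line and headers of an HTTP/1.x request.

    A layer 4 balancer never does this: it only sees source/destination
    IP and port. A layer 7 balancer has to read this far to make a
    routing decision, and can reject malformed requests at the same time.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in ALLOWED_METHODS or not parts[2].startswith("HTTP/1."):
        raise ValueError(f"bad request line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.lower()] = value.strip()
    if "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return Request(parts[0], parts[1], headers)


# (host, path prefix, pool). First match wins, so list specific rules first.
ROUTES = [
    ("api.example.test", "/v1/", "api-pool"),
    ("www.example.test", "/static/", "static-pool"),
    ("www.example.test", "/", "web-pool"),
]


def choose_pool(req: Request) -> Optional[str]:
    """Pick a backend pool from the Host header and the path.

    The query string is ignored for matching and the path is matched as a
    prefix. Returns None when no rule matches; a real LB would answer 404
    or 421 itself rather than guess a backend.
    """
    host = req.headers["host"].split(":", 1)[0].lower()
    path = req.path.split("?", 1)[0]
    for rule_host, prefix, pool in ROUTES:
        if host == rule_host and path.startswith(prefix):
            return pool
    return None


def route(raw: bytes) -> Optional[str]:
    """Full layer 7 decision for one raw request."""
    return choose_pool(parse_http_request(raw))


def is_acceptable(raw: bytes) -> bool:
    """True when the request parses; the LB drops the rest before any backend sees them."""
    try:
        parse_http_request(raw)
        return True
    except ValueError:
        return False
```

Note that everything the router uses (Host, path) is client-supplied; the parser is strict about the request line and header shape so that a request a backend might interpret differently (for example one with no Host header) is refused at the edge.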
SLB and Security
- Zoning
  - Load-balancers allow backend servers to sit behind firewalls and on private VLANs
  - End users never connect to a server directly; every request passes through the load-balancer
  - Reduces the exposed attack surface: only the VIP is reachable from outside, and only on the published ports
- DoS and other protections
  - Advanced load-balancers can offer protections against resource exhaustion and DoS techniques (connection limits, SYN handling, rate limiting)
  - Layer 7 allows integration with web application firewalls (WAF), since the LB already parses the request
SLB and TLS/SSL
- SSL/TLS offload
  - Many load-balancers provide offload
  - The LB device terminates TLS and handles the cryptographic work, then talks to the backend servers in cleartext
  - Why use it:
    - SSL/TLS can be processor intensive
    - Lets the servers focus on their primary service
    - LBs can have optimized hardware modules to handle the cryptography quickly
    - Terminating at the LB is also what makes layer 7 inspection and WAF integration possible
  - Caveats:
    - The risk is minimal only if the links between LB and servers are physically secured on an isolated segment; anyone who can sniff that segment sees plaintext
    - The private key for the public-facing certificate now lives on the LB, so the LB becomes a high-value target
    - The alternative is to re-encrypt to the backends (often called SSL bridging), which keeps layer 7 visibility at the LB at the cost of a second TLS handshake per connection
SLB Service Monitoring
- Load balancers also monitor servers and services to make sure they are still running
- A server/service that fails is removed from the pool (and normally returned once it passes checks again)
- This is called a health check; checks range from:
  - Simple IP (ICMP), TCP or UDP connectivity
  - A particular protocol response (for example an HTTP 200 from a status URL)
  - The presence of a certain resource or string in the response
Common Load-Balancing Issues
- Access logging
  - Does a backend server know the IP of the client source?
  - Usually not: in the common full-proxy/SNAT mode the source IP the backend sees is that of the load balancer (transparent and direct-server-return modes preserve it, but they are less common)
  - This creates troubleshooting problems, especially during IR when you need to locate the source of an action
  - Options to remediate this:
    - HTTP: the LB adds an X-Forwarded-For header carrying the original source IP to the request (X-Real-IP and the standardized Forwarded header serve the same purpose)
    - Caveat: a client can send its own X-Forwarded-For. The backend must trust only the value appended by its own LB (the rightmost entry from a known proxy) and the LB should strip or overwrite client-supplied values; log the LB-confirmed address, not whatever the client wrote
    - Other protocols: correlate LB logs with backend logs by time and connection, or use the PROXY protocol (originated by HAProxy, also supported by NGINX and others), which prepends the original client address to the TCP connection if the backend understands it
- Session persistence
  - Some applications require the server to store state for the user
  - If the user is directed to another server that state is lost
  - Session persistence: directing a client's requests to the same backend server for the duration of a session
  - Types:
    - Simple, AKA sticky persistence, based on the client's source IP (breaks behind NAT and shared proxies, where many users share one address)
    - Cookie: uses an HTTP cookie set by the LB (the cookie should be opaque; a cookie that encodes the backend's IP and port in a reversible form leaks internal addressing)
    - SSL: uses the SSL/TLS session ID (fragile, since clients renegotiate or rotate session IDs)
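The access-logging problem above, as an added example (not code from the wiki or from any product): a backend that derives the real client address from X-Forwarded-For by walking the chain from the right and trusting only hops that belong to its own load balancers, next to the naive leftmost-entry version that an attacker can control. The trusted proxy range, the sample addresses and the log line format are assumptions made for the example.

```python
"""Recovering the real client address behind a load balancer.

Added example for this wiki page, not from any product. The trusted
proxy range, the sample peer addresses and the log line format are all
assumptions made for the example.
"""
import ipaddress
from typing import List, Optional

# Networks our own load balancers connect from (assumed for the example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_naive(xff: Optional[str], peer: str) -> str:
    """The common mistake: trust the leftmost X-Forwarded-For entry.

    The leftmost entry is whatever the client chose to send, so an
    attacker can make the access log blame any address they like.
    """
    if xff:
        return xff.split(",")[0].strip()
    return peer


def client_ip(xff: Optional[str], peer: str) -> str:
    """Walk X-Forwarded-For from the right, the hop nearest to us.

    Each trusted proxy appended the address it accepted the connection
    from, so the first address from the right that is not one of our
    proxies is the real client. Everything to its left was supplied by
    the client (or by proxies we do not control) and is ignored.
    """
    if not is_trusted_proxy(peer):
        # Connection did not arrive via our LB: the header is untrusted.
        return peer
    hops: List[str] = [h.strip() for h in xff.split(",")] if xff else []
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                # Not an address at all: the chain is corrupt, fall back.
                return peer
    # Every hop is one of our proxies: the client itself is internal.
    return hops[0] if hops else peer


def access_log_line(xff: Optional[str], peer: str, request_line: str) -> str:
    """Log the derived client, the peer and the raw header, so IR can re-check the chain."""
    return f'client={client_ip(xff, peer)} peer={peer} xff="{xff or "-"}" "{request_line}"'
```

Logging the raw header alongside the derived address costs little and is what lets an analyst tell a spoofing attempt from a genuine multi-proxy chain after the fact.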
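The health-check and session-persistence behaviour described in the two sections above, as an added example (not code from the wiki or from any vendor's product): a backend pool that drops a server after consecutive failed checks, picks among the healthy servers round-robin, and pins a client with an opaque, HMAC-signed cookie that falls back to round robin when the pinned server is out. Backend addresses, the health-check callable and the signing key are assumptions supplied by the caller.

```python
"""A backend pool with health checks, round-robin selection and cookie
persistence, as a load balancer does it.

Added example for this wiki page, not from any product. Backend
addresses, the health-check callable and the signing key are assumptions
supplied by the caller.
"""
import hashlib
import hmac
import itertools
from typing import Callable, Dict, List, Optional, Tuple


class Pool:
    def __init__(self, servers: List[str], check: Callable[[str], bool],
                 key: bytes, fail_after: int = 3) -> None:
        self.servers = servers
        self.check = check              # True when the service answered correctly
        self.key = key                  # secret used to sign persistence cookies
        self.fail_after = fail_after    # consecutive failures before removal
        self.failures: Dict[str, int] = {s: 0 for s in servers}
        self._rr = itertools.cycle(servers)

    def run_health_checks(self) -> List[str]:
        """One monitoring pass; returns the servers still in service."""
        for s in self.servers:
            self.failures[s] = 0 if self.check(s) else self.failures[s] + 1
        return self.healthy()

    def healthy(self) -> List[str]:
        return [s for s in self.servers if self.failures[s] < self.fail_after]

    def _tag(self, idx: int) -> str:
        return hmac.new(self.key, str(idx).encode(), hashlib.sha256).hexdigest()[:16]

    def cookie_for(self, server: str) -> str:
        """Opaque persistence cookie: a pool index plus an HMAC over it.

        The client learns nothing about the backend's address, and cannot
        forge a cookie to pin itself to a backend of its choosing.
        """
        idx = self.servers.index(server)
        return f"{idx}.{self._tag(idx)}"

    def server_for(self, cookie: Optional[str]) -> Optional[str]:
        """Map a cookie back to a server; None if missing, malformed or forged."""
        if not cookie:
            return None
        idx_s, _, tag = cookie.partition(".")
        if not idx_s.isdigit() or int(idx_s) >= len(self.servers):
            return None
        idx = int(idx_s)
        if not hmac.compare_digest(tag, self._tag(idx)):
            return None
        return self.servers[idx]

    def pick(self, cookie: Optional[str] = None) -> Tuple[str, str]:
        """Choose a backend for a request; returns (server, cookie to set).

        A valid cookie wins as long as that server is healthy. Otherwise
        fall through to round robin over the healthy servers only, which
        is the moment the user's server-side session is lost.
        """
        healthy = self.healthy()
        if not healthy:
            raise RuntimeError("no healthy backends in pool")
        sticky = self.server_for(cookie)
        if sticky in healthy:
            return sticky, cookie  # cookie is a valid str here
        for _ in range(len(self.servers)):
            s = next(self._rr)
            if s in healthy:
                return s, self.cookie_for(s)
        raise RuntimeError("unreachable: healthy list is non-empty")
```

The `check` callable stands in for whatever the real monitor does (a TCP connect, an HTTP GET of a status URL, a string match); requiring several consecutive failures before removal avoids flapping on a single lost probe.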
SLB Software and Devices
- F5 (BIG-IP) and NetScaler (Citrix) are the two best-known commercial vendors
  - Make hardware appliances used in data centers
  - Also offer virtual appliances for a hypervisor
- NGINX and HAProxy are open-source LBs
  - Also very popular, used by many of the busiest internet sites
  - Software-based: run on high-performance commodity servers