Notes13:1ServerLoadBalancing - echadbourne/NET-330 GitHub Wiki

Load-Balancing Concepts

Distribution of workload across multiple computing resources

Can load-balance many resources including

  • Network links
  • Computers/servers
  • CPUs
  • Disk drives

Why load balance?

Efficiency

  • Optimize resource use

Performance

  • Maximize throughput
  • Reduce response time by spreading requests over more capacity

Availability

  • Avoid overloading any single resource
  • Increase availability through redundancy

Elasticity

  • Grow services based on demand

Security

  • Resource isolation and protection
  • Supports "zoning" efforts

Network vs Server/Service load balancing

Network load-balancing

  • Balance traffic across network links
  • Handled with routing and other protocols
  • Provides redundancy
  • Provides link selection based on criteria (bandwidth, load, cost)

Server/service load balancing (SLB)

  • Providing a single service using multiple servers on the back-end
  • Highly customizable and widely used in modern enterprises
  • Performance, security, elasticity, redundancy all popular reasons

Layer 3 - SLB

What operates at layer 3?

  • IP addresses

Layer 3 SLB spreads clients across servers using nothing but the servers' IP addresses

DNS round robin is an example of Layer 3 SLB

  • Multiple A records for the same hostname
  • Successive queries return the records in a different order, so different clients contact different servers
  • Do an nslookup on google.com - you will likely get different IPs than your neighbor
  • Caveat: the DNS server has no idea whether a server is up, and resolvers cache answers for the record's TTL, so a dead address keeps being handed out until the record is changed and the caches expire


Layer 4 SLB

What operates at Layer 4?

  • TCP and UDP ports

Layer 4 SLB usually uses dedicated load-balancer systems

Load-balancers host "virtual IPs" (VIPs, aka front-ends): the IP and port that end users use to reach a service

The load-balancer accepts the client's connection on the VIP and then brokers it to a server in the backend pool; it forwards the bytes without interpreting them
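The VIP-and-pool model above, as an added example that is not part of the original notes: a minimal Layer 4 TCP load balancer in Python. Two constructed backend services on loopback stand in for servers on a private VLAN, the balancer listens on one "virtual IP" and hands each new connection to the next pool member in round-robin order, and it never looks at the bytes it relays. The backend names and the request payload are made up for the demo.

```python
import itertools
import socket
import threading


def start_backend(name):
    """Toy TCP service standing in for one pool member (constructed for
    the demo): it reads one request and answers with its own name, so a
    client can see which server the VIP handed it to. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # loopback stands in for the private VLAN
    srv.listen(16)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)                         # the request, ignored
                conn.sendall(("served-by %s\n" % name).encode())

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


class L4LoadBalancer:
    """A Layer 4 virtual IP: one listening address:port that brokers each
    new TCP connection to the next pool member (round robin). It forwards
    bytes without interpreting them, which is what makes it Layer 4."""

    def __init__(self, pool):
        self._cycle = itertools.cycle(pool)
        self._lock = threading.Lock()
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._listener.bind(("127.0.0.1", 0))
        self._listener.listen(16)
        self.vip = self._listener.getsockname()     # what end users connect to

    def pick_backend(self):
        with self._lock:                            # one connection per thread
            return next(self._cycle)

    def _broker(self, client):
        backend = self.pick_backend()
        with client, socket.create_connection(backend, timeout=2) as upstream:
            upstream.sendall(client.recv(65536))    # client -> server
            while True:                             # server -> client until EOF
                chunk = upstream.recv(65536)
                if not chunk:
                    break
                client.sendall(chunk)

    def _accept_loop(self):
        while True:
            client, _ = self._listener.accept()
            threading.Thread(target=self._broker, args=(client,), daemon=True).start()

    def start(self):
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self.vip


def request(vip, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Act as an end user: connect to the VIP, send one request, read the reply."""
    with socket.create_connection(vip, timeout=2) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            reply += chunk
    return reply.decode()


def demo(n_requests=4):
    """Two backends behind one VIP; returns who served each request, in order."""
    pool = [("127.0.0.1", start_backend("srv-a")), ("127.0.0.1", start_backend("srv-b"))]
    vip = L4LoadBalancer(pool).start()
    return [request(vip) for _ in range(n_requests)]


if __name__ == "__main__":
    print(demo())
```

The client only ever learns the VIP; the pool addresses live inside the balancer, which is the zoning property the security section below relies on. A real appliance adds health checks, connection limits and persistence on top of this loop.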


Layer 7 Load-Balancing

Layer 7 load-balancers inspect the application payload (e.g. the full HTTP request), not just the IP and TCP headers

Why?

  • Make routing decisions based on URLs and/or
  • headers
  • content and other tags/metadata


Layer 7 inspection is also one of the primary load-balancer features used in DoS protection

SLB and Security

Zoning

  • Load balancers allow backend servers to be protected behind firewalls on private VLANs
  • End users don't connect directly to a server - they have to pass through the load balancer
  • Reduces the attack surface exposed by the backend servers: only the VIP is reachable, and only on the published ports

DoS and other protections

  • Advanced load-balancers can offer protections against resource exhaustion of servers and other DoS techniques (connection and request-rate limits per client)
  • Layer 7 inspection allows integration with web application firewalls (e.g. filtering out/blocking bad web requests)
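An added example, not from the original notes, that covers both the Layer 7 section above (decisions based on URL and headers) and the WAF-style filtering just described. It parses a raw HTTP request head, refuses oversized, malformed, disallowed-method, rate-limited or path-traversal requests, and otherwise picks a backend pool from the Host header and URL path. The pool names, host names, limits and client addresses are constructed for the example; a real appliance or HAProxy/NGINX ACL does the same job with far more rules.

```python
import re
from collections import defaultdict, deque
from urllib.parse import unquote, urlsplit

MAX_HEAD_BYTES = 8192                        # refuse oversized headers before parsing them
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
DOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")  # a ".." path segment, checked after decoding


def parse_head(raw):
    """Split a raw HTTP request into (method, target, headers, body).
    Header names are lower-cased; a bad request line raises ValueError."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


class L7Inspector:
    """Decides, per request, which backend pool should get it, or blocks it.
    Pool names and host names are constructed for this example."""

    def __init__(self, max_requests=20, window_seconds=1.0):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)      # client_ip -> timestamps inside the window

    def _over_limit(self, client_ip, now):
        """Sliding-window counter: a crude stand-in for an appliance's
        per-client connection/request limits."""
        q = self._hits[client_ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)
        return len(q) > self.max_requests

    def inspect(self, raw, client_ip, now):
        """Return ('route', pool_name) or ('block', reason)."""
        if self._over_limit(client_ip, now):
            return ("block", "rate limit exceeded")
        if len(raw.partition(b"\r\n\r\n")[0]) > MAX_HEAD_BYTES:
            return ("block", "request head too large")
        try:
            method, target, headers, _body = parse_head(raw)
        except ValueError:
            return ("block", "malformed request line")
        if method not in ALLOWED_METHODS:
            return ("block", "method %s not allowed" % method)
        path = unquote(urlsplit(target).path)   # decode first: %2e%2e is still ".."
        if DOT_SEGMENT.search(path):
            return ("block", "path traversal")
        host = headers.get("host", "").lower()
        if host == "api.example.test" or path.startswith("/api/"):
            return ("route", "api-pool")
        if path.startswith("/static/"):
            return ("route", "static-pool")
        if headers.get("upgrade", "").lower() == "websocket":
            return ("route", "ws-pool")
        return ("route", "web-pool")
```

Note the ordering: the cheap checks (rate limit, size) run before the request is parsed, so a flood of garbage costs the balancer as little as possible, and the traversal check runs on the percent-decoded path so that an encoded `..` is not waved through.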

SLB and TLS/SSL

SSL/TLS offload

  • Many load balancers provide SSL/TLS "offload" (aka termination)
  • The LB device terminates the encrypted session, does the cryptographic work, and then talks to the backend servers in the clear

The device may have dedicated hardware for the key exchange and session establishment

Why?

  • SSL/TLS can be processor intensive
  • Allows servers to focus on their primary service
  • LBs can have optimized hardware modules to handle encryption quickly
  • Minimal risk if the links between the LB and the servers are physically secured; if the backend network is not trusted, the LB should re-encrypt to the servers instead of sending plaintext
  • Note that the LB now holds the service's private keys and sees all of the plaintext, so it must be protected accordingly


SLB - Service Monitoring

  • Load-Balancers can also monitor servers/services to make sure they are still running
  • If a server/service goes down, it will be removed from the pool

This monitoring (aka Health Checks) can include:

  • Simple IP, TCP, or UDP connectivity
  • Particular protocol response (SMTP, HTTP, FTP...)
  • Presence of a certain resource (web page) or successful completion of a transaction
    • ensures the service is not just up - but working correctly
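The three kinds of health check above, as an added example that is not part of the original notes: a Layer 4 TCP-connect check, a Layer 7 HTTP check that requires both a status code and a marker in the body, and a monitor that only removes a member after `fall` consecutive failures (and re-adds it after `rise` successes) so a single lost probe does not bounce a server out of the pool. The two backends are constructed on loopback for the demo; one is "up" at the TCP level but reports a broken application, which is exactly the case the connectivity check misses. The `/health` path and the `db=connected` marker are assumptions.

```python
import http.client
import socket
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer


def tcp_check(host, port, timeout=1.0):
    """Layer 4 check: can we complete a TCP handshake? Says nothing about the app."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_check(host, port, path="/health", expect_status=200, expect_body=b"", timeout=1.0):
    """Layer 7 check: fetch a resource and require a status code and a body marker,
    so a server whose process is up but whose application is broken is caught."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read()
        return resp.status == expect_status and expect_body in body
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


@dataclass
class Member:
    host: str
    port: int
    up: bool = True
    failures: int = 0
    successes: int = 0


class HealthMonitor:
    """Runs a check against every pool member; a member leaves the active set
    after `fall` consecutive failures and rejoins after `rise` successes."""

    def __init__(self, members, check, fall=2, rise=2):
        self.members, self.check, self.fall, self.rise = members, check, fall, rise

    def run_once(self):
        for m in self.members:
            if self.check(m.host, m.port):
                m.failures, m.successes = 0, m.successes + 1
                if not m.up and m.successes >= self.rise:
                    m.up = True
            else:
                m.successes, m.failures = 0, m.failures + 1
                if m.up and m.failures >= self.fall:
                    m.up = False

    def active(self):
        return [(m.host, m.port) for m in self.members if m.up]


def start_fake_backend(healthy):
    """Constructed backend for the demo: /health answers 200 with a marker when
    the application is healthy, 503 otherwise. Returns the listening port."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == "/health" and healthy:
                status, body = 200, b"OK db=connected"
            else:
                status, body = 503, b"db unreachable"
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):    # keep the demo quiet
            pass

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_port


def demo():
    good, sick = start_fake_backend(True), start_fake_backend(False)
    mon = HealthMonitor(
        [Member("127.0.0.1", good), Member("127.0.0.1", sick)],
        check=lambda h, p: http_check(h, p, expect_body=b"db=connected"))
    mon.run_once()
    mon.run_once()             # second consecutive failure: the sick server leaves the pool
    return {"tcp_says_sick_is_up": tcp_check("127.0.0.1", sick),
            "active": mon.active(), "good": good}


if __name__ == "__main__":
    print(demo())
```

The marker check is what turns "listening" into "working correctly": a 200 with a static page would still pass a server whose database connection is gone.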

Common load-balancing issues

Access logging:

  • Does a backend server know the IP address of the client/source?
    • No - with a full-proxy load balancer the source IP the server sees is that of the load balancer
    • So this creates issues for troubleshooting and incident response when we need to identify the true source of a particular action
  • Options include:
    • For HTTP - the LB adds an X-Forwarded-For header carrying the original source IP to the request; the backend must only trust that header on connections that really come from the LB, since any client can send its own X-Forwarded-For
    • For other protocols - extensive logging on the load balancer that can be correlated with the backend server logs (or a mechanism such as the PROXY protocol that passes the client address to the server)
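Both halves of the X-Forwarded-For arrangement, as an added example that is not part of the original notes: what the load balancer appends before relaying, and how the backend (or its log formatter) recovers the client address without being fooled by a header the client set itself. The trusted proxy range `10.0.0.0/24` and all addresses are assumptions for the example; headers are passed as a plain dict with canonical names.

```python
import ipaddress

# Addresses the load balancers connect from (assumed for this example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def lb_add_forwarded_for(headers, client_ip):
    """Load-balancer side: append the connecting peer's address to
    X-Forwarded-For. Appending (rather than replacing) keeps earlier hops
    visible, but it also keeps whatever the client itself sent, so the
    backend must read the list from the right."""
    out = dict(headers)
    prior = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = "%s, %s" % (prior, client_ip) if prior else client_ip
    return out


def _as_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(addr):
    return addr is not None and any(addr in net for net in TRUSTED_PROXIES)


def backend_client_ip(headers, peer_ip):
    """Backend side: recover the real client address for logging.
    Only believe X-Forwarded-For when the TCP peer is one of our load
    balancers, then walk the list from the right, skipping trusted hops,
    to the first address a trusted proxy recorded. Anything the client
    injected sits further left and is never reached."""
    if not _is_trusted(_as_ip(peer_ip)):
        return peer_ip                       # direct hit: the header is untrusted
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        addr = _as_ip(hop)
        if addr is None:
            break                            # garbage in the chain: stop trusting it
        if not _is_trusted(addr):
            return str(addr)
    return peer_ip                           # only proxies in the chain (or none)


def access_log_line(peer_ip, headers, request_line, status):
    """Log both the peer and the derived client so the entry can be
    correlated with the load balancer's own log during an investigation."""
    return '%s client=%s "%s" %d' % (peer_ip, backend_client_ip(headers, peer_ip),
                                     request_line, status)
```

Logging the peer alongside the derived client is deliberate: if the trusted range is ever misconfigured, the raw peer address is still on disk to correlate against the balancer's logs.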


Load Balancer issues: Session persistence

Some applications require the server to store information for the user (think shopping cart). If a user were directed to a different server, that information would be lost, so:

  • Session persistence
    • directing a client's requests to the same backend server for the duration of a "session"
  • Types:
    • Simple (aka "address affinity" or "sticky") persistence based on the client's IP address (breaks down when many clients share one NAT address)
    • Cookie: uses an HTTP cookie set by the LB and stored on the client
    • SSL: uses the SSL/TLS session ID (when SSL is passing through the LB un-terminated)
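The first two persistence types above, as an added example that is not part of the original notes. Address affinity is done with a consistent-hash ring rather than `hash(ip) % len(pool)` so that removing one backend only moves the clients that were on it; cookie persistence signs the cookie with an HMAC, because a cookie that names the backend in the clear lets any client steer itself to a chosen server (including one pulled from the pool) and leaks internal names. The backend names, key and addresses are constructed for the example.

```python
import bisect
import hashlib
import hmac


class SourceIPPersistence:
    """Address affinity: the same client IP always lands on the same backend.
    A consistent-hash ring is used so that removing a backend only moves the
    clients that were mapped to it."""

    def __init__(self, backends, replicas=100):
        points = []
        for b in backends:
            for i in range(replicas):              # many points per backend smooths the split
                points.append((self._h("%s#%d" % (b, i)), b))
        points.sort()
        self._keys = [k for k, _ in points]
        self._owners = [b for _, b in points]

    @staticmethod
    def _h(text):
        return int.from_bytes(hashlib.sha256(text.encode()).digest()[:8], "big")

    def pick(self, client_ip):
        i = bisect.bisect(self._keys, self._h(client_ip)) % len(self._keys)
        return self._owners[i]


class CookiePersistence:
    """LB-set cookie naming the backend, HMAC-signed so the client cannot
    forge or tamper with it; a cookie for a backend no longer in the pool
    is ignored and replaced."""

    COOKIE = "SERVERID"

    def __init__(self, backends, key, fallback):
        self._backends = set(backends)
        self._key = key
        self._fallback = fallback          # chooser used when no valid cookie is present

    def _sign(self, backend):
        return hmac.new(self._key, backend.encode(), hashlib.sha256).hexdigest()[:32]

    def issue(self, backend):
        return "%s=%s.%s" % (self.COOKIE, backend, self._sign(backend))

    def pick(self, cookie_header, client_ip):
        """Return (backend, set_cookie); set_cookie is None when the client
        presented a valid cookie and nothing new needs to be set."""
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name != self.COOKIE or "." not in value:
                continue
            backend, _, sig = value.rpartition(".")
            if backend in self._backends and hmac.compare_digest(
                    sig.encode(), self._sign(backend).encode()):
                return backend, None
        backend = self._fallback(client_ip)
        return backend, self.issue(backend)
```

In practice the cookie persistence falls back to the address-affinity ring for first contact, as the test below does, so a client keeps its server even before the cookie round-trips.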

SLB Software and Devices

F5 and NetScaler are two of the most popular vendors

  • Make hardware appliances used in many data centers
  • Also have "virtual appliances" which perform the same function as the hardware appliance but run on an organization's hypervisor (e.g. VMware ESX)

NGINX and HAProxy are open-source software LBs

  • Also very popular and used by many of the most active internet sites
  • Software-based - they run on high-performance server hardware