Network device hard-core technology insider: firewall and security gateway (10)
2022-07-28 00:49:00 【User 8289326】
Last time, Linghuchong developed a new LB device that can have an HTTPS certificate installed on it, so that users believe the LB device itself is the real HTTPS server.
But we quietly left one question open:
Does the traffic between the LB device and the VMs still need to be encrypted?
As the figure shows, once HTTPS is terminated on the LB device, the LB and the VMs are both inside the data center, so there is no risk of the communication being eavesdropped on or tampered with and HTTPS encryption is not needed; the LB can simply talk to the VMs over HTTP. For this reason, the LB device's HTTPS termination function is also called HTTPS offload.
In particular, because the LB device is built around a special-purpose processor, HTTPS encryption and decryption are carried out by dedicated hardware.
And when there is no LB device, who does the encryption and decryption? The server's CPU, of course, in software.
Clearly, a dedicated LB device not only balances the load across the VMs, it also reduces the computational burden on each server's CPU. This is why load-balancing devices are also called application delivery engines (Application Delivery Engine).
However, reality is not as rosy as imagined.
When servers moved from the gigabit era into the 10-gigabit era, ordinary LB devices, even with hardware SSL encryption and decryption, could not get their throughput across the 10 Gbps gap…
So engineers invented another method: LB triangular deployment.
The principle of LB triangular deployment is shown in the figure below:
In the figure, every VM's IP and the VIP on the LB are the same IP address. To avoid an IP address conflict, all VMs stay ARP-silent and do not respond to ARP requests (alternatively, a static ARP entry is configured on the FW's intranet interface, pointing the VIP's MAC at the LB device's MAC).
An HTTP request coming from the FW is received by the LB. The LB rewrites the packet's destination MAC according to the load-balancing policy, and the switch delivers the packet to the corresponding VM based on that destination MAC.
After the VM receives the HTTP request, it does not have to go back through the LB; it returns the data directly to the network egress.
This topology is well suited to workloads with small requests and large responses, such as video playback.
Careful readers will have noticed that in this mode HTTPS cannot be offloaded on the load balancer, and of course the users inside the HTTPS traffic cannot be identified either. Fortunately, HTTP persistent connections solve this problem: with the persistent-connection mechanism, we can basically assume that each HTTPS TCP connection represents one user. In large-scale public clouds, for scalability reasons, load balancing is generally handled by distributed LBs such as HAProxy and Nginx rather than by dedicated hardware devices.
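A small simulation of the triangular deployment described above, added here as an illustration and not taken from the original article. All addresses, MACs, function names and the CRC32 per-connection hash are assumptions made for the example; it shows that the LB rewrites only the destination MAC, that one TCP connection always lands on the same VM, and that response bytes never cross the LB.

```python
import zlib
from dataclasses import dataclass

VIP = "203.0.113.10"            # constructed address shared by the LB and every VM
LB_MAC = "02:00:00:00:00:01"    # constructed MAC addresses
VM_MACS = ["02:00:00:00:00:11", "02:00:00:00:00:12", "02:00:00:00:00:13"]
GW_MAC = "02:00:00:00:00:fe"    # FW / network egress

@dataclass
class Frame:
    dst_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    size: int

def arp_reply(owner_mac, target_ip):
    """Only the LB answers ARP for the VIP; the VMs stay silent."""
    return owner_mac if (target_ip == VIP and owner_mac == LB_MAC) else None

class TriangleLB:
    def __init__(self):
        self.bytes_seen = 0

    def forward(self, frame):
        """Pick a VM per TCP connection and rewrite only the destination MAC."""
        self.bytes_seen += frame.size
        key = f"{frame.src_ip}:{frame.src_port}".encode()
        vm_mac = VM_MACS[zlib.crc32(key) % len(VM_MACS)]
        return Frame(vm_mac, frame.src_ip, frame.src_port,
                     frame.dst_ip, frame.dst_port, frame.size)

def vm_respond(request, size):
    """The VM holds the VIP locally, so it replies from the VIP straight to the egress."""
    return Frame(GW_MAC, request.dst_ip, request.dst_port,
                 request.src_ip, request.src_port, size)

def simulate(clients, req_size=400, resp_size=2_000_000):
    lb, placement, egress_bytes = TriangleLB(), {}, 0
    for ip, port in clients:
        for _ in range(2):  # two request segments on the same TCP connection
            to_vm = lb.forward(Frame(LB_MAC, ip, port, VIP, 443, req_size))
            assert to_vm.dst_ip == VIP  # IP header untouched, only the MAC changed
            placement.setdefault((ip, port), set()).add(to_vm.dst_mac)
        reply = vm_respond(to_vm, resp_size)
        assert reply.src_ip == VIP and reply.dst_mac != LB_MAC
        egress_bytes += reply.size
    return lb.bytes_seen, egress_bytes, placement
```

Because the LB sees only the client-to-server half of each connection, any control that depends on inspecting responses or decrypted content has to live on the VMs or at the egress.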
That concludes the introduction to load balancing.
The next installment will cover a recent hot topic: telecommuting. Stay tuned!