How to protect gateway high availability in big promotion scenarios
2022-06-28 05:00:00 【Alibaba cloud native】
The 618 promotion is in full swing. The article "618 Is Coming: How to Prepare for a Big Promotion" introduced the methodology and technical means for guaranteeing high availability across the board during a big promotion. This article continues with a focus on the gateway and discusses in depth how to use the gateway for high availability protection in a big promotion scenario. The following points are covered in turn:
- Why the gateway matters for high availability protection
- The "next generation gateway architecture" of the MSE cloud native gateway and its advantages in high availability protection
- High availability protection practice with the MSE cloud native gateway (video demo)
Why the gateway matters for high availability protection
In a big promotion, why is it important to use the gateway for high availability protection? In one sentence: the gateway can turn various uncertain factors into deterministic ones, and this ability is irreplaceable. This shows in three aspects:
The first is dealing with the uncertainty of peak traffic: rate limiting rules are needed to turn uncertain traffic into deterministic traffic. It is hard for a business service module to rate limit itself, because rate limiting protection has a precondition: the service that carries the burst traffic must still be able to keep a normal CPU load. Even if the business service module implements application-layer QPS rate limiting, in an instantaneous high-concurrency scenario a large number of new connections at the network layer can still send CPU usage soaring, and the rate limiting rules become useless. The business module should focus on application-layer business logic; covering network-layer overhead that it is not good at by scaling out is quite expensive in resources. The gateway, as the entry point for business traffic, must be good at handling highly concurrent network traffic, and this performance is also an important measure of a gateway's capability: the stronger its performance under high concurrency, the lower the resource cost, and the stronger its ability to turn peak traffic from uncertain to deterministic.
The second is dealing with the uncertainty of user behavior: for each promotion scenario, multiple rounds of load-test drills that simulate user behavior are needed to find system bottlenecks and optimization points in advance. The gateway is both the traffic entry point for user access and the final exit for back-end service responses. That makes the gateway a stop that load tests simulating user behavior must pass through, and a necessary point for observing load-test metrics to evaluate user experience. Load testing, observing and adjusting the rate limiting configuration at the gateway at the same time gets twice the result with half the effort when building a high availability system.
The third is dealing with the uncertainty of security attacks. Promotion periods are usually when the black and gray market is most active, and abnormal order-brushing traffic is likely to trigger the rate limiting rules, which affects access for normal users. With the gateway's traffic security protection capabilities, such as WAF, abnormal traffic can be identified and intercepted in advance, and abnormal IPs and cookies can be automatically added to a blacklist, so that this part of the traffic is excluded from the rate limiting threshold and the security of back-end business logic is also ensured. This is also an essential part of high availability protection for a big promotion.
Advantages of the MSE cloud native gateway
Architecture advantages
The MSE cloud native gateway implements a "next generation gateway architecture" that combines the traffic gateway, the microservice gateway and the security gateway into one. The comparison with the common multi-layer gateway architecture is as follows:
- Common multi-layer gateway architecture

In this architecture, a WAF gateway provides security capabilities, SLB provides load balancing, an Ingress gateway provides the cluster entry gateway capability (non-K8s scenarios also deploy a layer of Nginx), and Zuul provides the microservice gateway capability. When facing burst traffic under this architecture, the capacity of every gateway layer has to be evaluated; every layer is a potential bottleneck and may need to be scaled out. The resulting resource cost and operations labor cost are huge. And every additional gateway layer adds another layer of availability risk.
- MSE cloud native gateway architecture

With the MSE cloud native gateway, on top of the retained SLB load balancing, a single gateway layer provides the full capabilities of the cluster entry gateway, the WAF gateway and the microservice gateway. In a big promotion, operations staff only need to focus on the MSE gateway layer to manage all inbound traffic and achieve high availability protection. This is the "next generation gateway architecture": it makes everything simple, and only simplicity can be relied upon.
Performance advantages
As shown in the figure below, the throughput of the MSE cloud native gateway is double that of Nginx Ingress Controller. For the detailed performance comparison and analysis, see the article "A First Look at K8s Gateway Selection: Nginx or Envoy?". Facing a huge traffic peak, if the gateway's performance is not good enough, the enterprise has to pay more in ECS resource costs and also has to worry about whether the gateway itself can carry the traffic. Once the "gatekeeper" falls, the loss to the business is immeasurable.

Gateway specification: 16 cores 32 G * 4 nodes
ECS model: ecs.c7.8xlarge
High availability: the MSE cloud native gateway has the Alibaba Sentinel high availability module built in. Tested by years of Double 11 traffic, it provides rich rate limiting and protection capabilities, including flow control rules, concurrency rules and circuit breaking rules, which can fully guarantee the high availability of back-end services. In addition, the MSE cloud native gateway supports traffic warm-up: by warming up with a small amount of traffic, it effectively solves the slow responses and blocked requests that occur when slow resource initialization meets a large volume of requests, so that newly scaled-out nodes do not fail to serve normally and hurt user experience.

Convenient load testing: with the MSE gateway load-test scenario in Alibaba Cloud PTS, you can easily launch a load test against a specified gateway instance. Combined with the rate limiting and observability capabilities of the MSE cloud native gateway, you can load test, observe and adjust the rate limiting configuration at the same time, building a one-stop high availability protection system.

Security capabilities: besides integrating WAF functionality, the MSE cloud native gateway provides a variety of authentication and security plugins in its plugin marketplace. Users can also write their own Wasm plugins in multiple languages (Golang/JS/Rust/C++, etc.) to implement traffic authentication and protection logic specific to their own business scenarios, intercepting abnormal traffic before the rate limiting rules are matched so that normal traffic is not affected.
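The ordering point made here and in the security-attack paragraph earlier (abnormal traffic is intercepted before the rate limiting rules are matched, so it does not count against the threshold) can be checked with a small simulation. This is an added example, not code from MSE or Sentinel; the fixed-window limiter, the per-IP auto-blacklist rule, the thresholds and the sample IPs are all constructed assumptions.

```go
package main

import "fmt"

const botIP = "203.0.113.7" // constructed abusive client (documentation range)

// SampleTraffic returns constructed client IPs: four bot requests per legitimate one.
func SampleTraffic() []string {
	var ips []string
	for i := 1; i <= 100; i++ {
		ips = append(ips, botIP, botIP, botIP, botIP, fmt.Sprintf("198.51.100.%d", i))
	}
	return ips
}

// LegitAdmitted returns how many legitimate requests reach the backend in one window.
func LegitAdmitted(ips []string, screenFirst bool) int {
	const qpsLimit, perIPMax = 100, 10 // assumed thresholds for the example
	seen, perIP, blocked := 0, map[string]int{}, map[string]bool{}
	// Security stage: blacklist an IP once it exceeds perIPMax requests.
	screen := func(ip string) bool {
		if perIP[ip]++; perIP[ip] > perIPMax {
			blocked[ip] = true
		}
		return !blocked[ip]
	}
	// Flow-control stage: fixed-window counter shared by all clients.
	allow := func() bool {
		seen++
		return seen <= qpsLimit
	}
	legit := 0
	for _, ip := range ips {
		var ok bool
		if screenFirst {
			ok = screen(ip) && allow() // blocked traffic never consumes quota
		} else {
			ok = allow() && screen(ip) // bot requests use up quota, then get dropped
		}
		if ok && ip != botIP {
			legit++
		}
	}
	return legit
}

func main() {
	fmt.Println("limiter first:", LegitAdmitted(SampleTraffic(), false))
	fmt.Println("screen first: ", LegitAdmitted(SampleTraffic(), true))
}
```

With the limiter placed first, the bot fills most of the 100-request quota before it is dropped, so only 20 of the 100 legitimate requests get through; with screening first, 90 do.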

High availability protection practice with the MSE cloud native gateway
Click to watch the live playback: