High Availability (HA)

  • Not required, but strongly recommended.
  • Each LB has its own (Self) IP for configuration and makes use of a shared Virtual IP (VIP) to handle requests.
  • Monitoring between the pair is handled via a heartbeat connection.
  • Configuration is duplicated from the primary to the secondary.

Load Balancing Web Servers

High Availability Failover

  • Normal operation
  • Primary down
  • Secondary Promotion
  • Resumption of Normal operation

Fallback Server

If all the Real Servers have failed their health check or have been taken offline in the WebUI, the fallback server will be used for any requests to the virtual service.

Fallback server options:

Layer 4 Load Balancing

  • Works using IP addresses and port numbers
  • Faster than Layer 7 Load Balancing due to lower overhead
  • Ability to use Direct Routing to increase throughput
  • When not using Direct Routing, the connection is NATed through to the back-end server
  • Limited persistence options (Source IP only)
  • Load Balancing is performed by Linux Virtual Server (LVS) technology
#  Layer         Example
7  Application   HTTP, FTP, SSH
6  Presentation  JPEG, JSON, XML
5  Session       L2TP, SOCKS
4  Transport     TCP, UDP
3  Network       IP, ICMP
2  Data Link     ARP, Ethernet
1  Physical      Fibre, 10GBASE-T

Layer 7 Load Balancing

  • It can use application data to make smart decisions
  • SSL Termination/Offload
  • Multiple persistence options: HTTP Cookie, Application Cookie, Source IP, ...
  • Can use Access Control Lists (ACLs) to direct traffic
  • Can perform HTTP Header manipulation
  • Can perform caching (requires WAF)
  • Load balancing is performed by HAProxy software
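
The Layer 7 features listed above, together with the fallback server described earlier, look like this in a plain HAProxy configuration. This is an added example, not configuration generated by the appliance; every name, address (RFC 5737 documentation range), path and health-check URL in it is a constructed placeholder.

```haproxy
# Added illustration: generic HAProxy configuration, not appliance output.
# Names, addresses, certificate path and /healthz URL are placeholders.
global
    log /dev/log local0

defaults
    mode http                      # Layer 7: parse HTTP, not just IP and port
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    # SSL termination/offload: TLS ends here, back ends receive plain HTTP
    bind :443 ssl crt /etc/haproxy/certs/example.pem
    # ACL on application data: direct traffic by request path
    acl is_api path_beg /api/
    use_backend be_api if is_api
    default_backend be_web
    # HTTP header manipulation on responses
    http-response set-header Strict-Transport-Security "max-age=31536000"
    http-response del-header Server

backend be_web
    balance roundrobin
    option httpchk GET /healthz    # health check marks a Real Server up or down
    # HTTP cookie persistence: the load balancer inserts its own cookie
    cookie SERVERID insert indirect nocache httponly secure
    server web1 192.0.2.11:80 check cookie web1
    server web2 192.0.2.12:80 check cookie web2
    # Fallback server: only used when every non-backup server is down
    server fallback 192.0.2.250:80 backup

backend be_api
    balance leastconn
    option httpchk GET /healthz
    server api1 192.0.2.21:8080 check
    server api2 192.0.2.22:8080 check
    server fallback 192.0.2.250:80 backup
```

Because TLS ends at the frontend, the hop between the load balancer and the back-end servers carries plain HTTP in this sketch and should sit on a trusted network segment.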

Pros and Cons

Layer 4 Load Balancing, Pros:

  • Simpler to implement
  • Efficient, it doesn't inspect the packet
  • One TCP connection
  • Ability to use Direct Routing

Layer 4 Load Balancing, Cons:

  • No smart Load balancing
  • No caching
  • Limited persistence options
  • Direct Routing requires that you solve the ARP problem

Layer 7 Load Balancing, Pros:

  • Granular control over load balancing decisions
  • SSL Termination/Offload
  • Multiple persistence options
  • Caching (requires WAF)

Layer 7 Load Balancing, Cons:

  • Slower than L4 LB when raw throughput is required
  • Two TCP connections (Client <> LB and LB <> Server)

Web Application Firewall (WAF)

  • Specifically for protecting web applications from malicious internet traffic
  • Not a panacea; it should be implemented as part of a defense-in-depth strategy
  • Currently utilizes the OWASP ModSecurity Core Rule Set 3.3.2 (CRS 3)
  • To be most effective, the WAF needs to be tuned to the application it is protecting
  • WAF capabilities are provided at no extra cost on loadbalancer.org appliances

Each WAF is associated with a single Virtual Service

Without a WAF

With a WAF

Global Server Load Balancing (GSLB)

  • Load Balancing across a geographically dispersed area.
  • Uses DNS to provide a list of records that are available (based on health checks)
  • The loadbalancer.org GSLB implementation is provided at no extra cost
  • For internal multi-site applications, use the loadbalancer.org GSLB
  • For internet-facing applications, NS1 and Route 53 are good options

GSLB High level operation

Questions