Server load balancing - 4

Latest reply: Nov 17, 2021 06:26:38

Overview

Principle of operation

Balancing algorithms

Configuration

Real Server Group

Start your load balancing configuration with a group of real servers. To do this, go to the web interface at Policy/Server Load Balancing/Real Server Group and click the Add button at the top.

When configuring from the command line, you first need to enable the server load balancer module (this step is not needed in the web interface):

<USG>system-view
[USG]slb enable
slb
group [group-id] REAL_SERVERS_GROUP_NAME


Meaning of the fields:

Name is referenced later in the configuration, so it is better to make it meaningful and understandable.

Load Balancing Algorithm – choose the one you like; it can be changed to any other later. Note that switching between an algorithm that ignores server weights and one that uses them discards the configured weight values, which will have to be entered again.

metric { roundrobin | weight-roundrobin | least-connection | weight-least-connection }

Health check – checking the availability of servers. If a server stops responding to the availability checks, it is excluded from balancing until it becomes reachable for the checks again. Several check protocols are available, each of which sends a request that must be answered: TCP, HTTP, HTTPS, DNS, RADIUS, ICMP. Depending on the protocol selected for the virtual server, only certain sets of protocols are available for checking the real servers:

  • SSL – DNS, HTTPS, ICMP, TCP.

  • HTTP – HTTP, ICMP.

  • HTTPS – HTTP, HTTPS, ICMP.

  • TCP – DNS, HTTP, HTTPS, ICMP, TCP.

  • UDP – DNS, ICMP, RADIUS.

  • ESP – TCP, HTTP, HTTPS, DNS, ICMP, RADIUS.

  • ANY – anything.

CLI configuration:

DNS, RADIUS, TCP:

health-check type { dns | radius | tcp } [ tx-interval interval-value | times times-value | port port-number ]

HTTP/HTTPS:

health-check type { http | https } [ req-url req-url-value | ept-code ept-code-value | tx-interval interval-value | times times-value | port port-number ]

ICMP:

health-check type icmp [ tx-interval interval-value | times times-value ]

If the server fails to respond the configured number of times (times), with the configured interval between attempts (tx-interval), it is considered down. The availability checks do not stop, however, so the server returns to balancing on its own once it starts answering requests again.

HTTP/HTTPS checks use the web server's response code (ept-code). By default it is 200, but you can set another value; any other response is treated as a server failure.

Please note that you can configure the port used for the checks. If it is not specified, the port from the configuration of each specific real server is used; if the real server has no port configured either, the port of the virtual server is used.

Source NAT enables translation of client addresses to an address from a firewall address pool or to the address of the firewall interface that sends packets to the real servers. That is, if you enable this setting, the real servers receive packets with the firewall as the source and send their replies back to the firewall. If it is not enabled, the real servers receive packets with the real client addresses as the source, which can affect the size of the real server's routing table.

source-nat { address-group address-group-name | interface-address }

Action for a Busy Real Server indicates what to do when the number of sessions on a server has already reached its configured maximum and it is nevertheless selected for a new session. There are three options: choose another server (the default), force the overloaded server to accept the new session anyway, or drop the new session and give this overloaded server a candy.

Next, you need to make a list of real servers that belong to the group. All these servers will participate in balancing. The following configuration fields are available for each server:

  • IP address. This is the address to which the firewall will send the client traffic.

  • Port. If a port is specified, this particular port is used, otherwise the virtual server port. This setting is needed when you have to translate ports.

  • Description. Guess what it is.

  • Weight value. This setting is only available in balancing algorithms with weight indication. The weight cannot be more than 8192.

  • Weight as a percentage. The firewall calculates this field from the weights of the servers in the list.

  • Maximum connections. When the server reaches this number, the server will be considered overloaded.

  • Status. A server can be configured but excluded from balancing, and enabled again later.

rserver [ start-rserver-id [ to end-rserver-id ] ] rip rip-address [ max-connections max-connections-value | port port-number | status { inactive | health-check } | weight weight-value | description description-text ]

By default, status will be "health-check" and weight will be "1". Note that you can add servers in bulk via the command line, unlike the web interface.

In the list of real servers you can see their statistics and basic settings. Note that statistics for the last 5 minutes are shown as well.

(Screenshot: RSG – real server group list)


Checking from the CLI:

display slb group [ group-name ]
 
display slb group FTP_Server_Group
 2021-01-13 11:32:23.641 +03:00
 Group Information(Total 1)
 ------------------------------------------------------------------------------------------------------------
   Group Name               : FTP_Server_Group
   Group ID                 : 0
   Metric                   : weight-source-ip-hash
   Source-nat Type          : NA
   Health Check Type        : icmp
   Real Server Number       : 4 
     RserverID  IP Address       Weight  Max-connection  Status           
     0          192.168.100.1    4       -               Admin-Health-Check
     1          192.168.100.2    3       -               Admin-Health-Check
     2          192.168.100.3    2       -               Admin-Health-Check
     3          192.168.100.4    1       -               Admin-Health-Check
 ------------------------------------------------------------------------------------------------------------


Virtual server configuration

To configure a virtual server, go to Policy/Server Load Balancing/Virtual Service and click Add at the top.

(Screenshot: VS – virtual server configuration)

 

Configuration parameters:

  • Name.

  • Server protocol: ANY, TCP, UDP, HTTP, HTTPS, SSL, ESP.

  • SSL Offload Profile (if HTTPS from clients is to be terminated on the firewall and forwarded to the real servers as HTTP).

  • Addresses of the virtual server (you can assign addresses, for example, from several IP networks).

  • Port of the virtual server (if a port is assigned, only traffic arriving on that port is sent to the real servers; if no port is assigned, traffic on all ports is; for the ANY and ESP protocols a port cannot be assigned).

  • Sticky session profile. The profile defines the sticky session expiration time, after which new sessions from a user stop sticking to the previous ones, and the method used to recognise the same client. Depending on the virtual server protocol, the client whose sessions are all sent to the same real server can be identified in the following ways:

    • By client IP address - available for all protocols.

    • By session ID - SSL only.

    • By cookie - only HTTP and HTTPS.

  • HTTP Scheduling Policy - for HTTP and HTTPS only. If we configure this policy (a separate window, a separate section of the HTTP Scheduling Policy settings), we can select a group of real servers for client requests based on the values of the HTTP headers URL, Referer, Host and Cookie. That is, we can define a different group of real servers, for example, for different URLs. Up to 8 policies can be assigned to each virtual server. They are applied from top to bottom; once a policy matches, no further analysis is performed. It is important to understand that the policy itself contains the group of real servers to which the matching traffic is sent. If none of the policies matches, the traffic goes to the group of real servers configured in the virtual server itself. These policies can only be used in two cases:

    • The virtual server uses the HTTP protocol.

    • The virtual server uses the HTTPS protocol and the SSL Offloading function is configured. If HTTPS is transmitted unchanged, then the firewall will not be able to parse the HTTP headers encrypted in it.

  • A group of real servers to which the traffic received on this virtual server will be sent.

  • Fallback Host for HTTP and HTTPS protocols. Server address to which client requests will be sent if there are no real servers available.

  • Keep Client IP Address. Adds the X-Forwarded-For HTTP header with the client's address so that the server can learn it even when using SNAT. Since this field refers to the HTTP protocol, this setting can only be used in two cases:

    • The virtual server uses the HTTP protocol.

    • The virtual server uses the HTTPS protocol and the SSL Offloading function is configured. If HTTPS is transmitted unchanged, then the firewall will not be able to parse the HTTP headers encrypted in it.

  • Maximum Concurrent Sessions count.

 

CLI configuration:

slb
vserver [ vserver-id ] vserver-name
protocol { any | http | https | ssl | tcp | udp }

If we need to configure SSL offloading then:

ssl-profile [ ssl-profile-id ] ssl-profile-name

The most important parameter, the IP address of the virtual server:

vip [ start-vip-id [ to end-vip-id ] ] ip-address

Configuring port number:

vport { any | port-number }

If we need to use sticky sessions, then configure them:

persistence persistence-name

Configuring HTTP Scheduling Policy:

httpclass httpclass-name

Assigning real server group:

group group-name

Additional optional configuration:

fallback fallback-host
http x-forward enable
max-connection max-connections-value

From the CLI you can also add the virtual server to a VRRP group:

vrrp virtual-router-id
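Putting the two parts together, here is a complete configuration built only from the commands described above. It is an added example, not from the original post or Huawei's documentation: the group, server, profile names, addresses and ports are assumed, the SSL offload and persistence profiles are assumed to have been created beforehand, and `quit` is the standard VRP command for leaving a view.

```text
# Added example (not from the original post). Names, addresses and ports are
# assumed; lines starting with "#" are comments, indentation is for readability.
system-view
slb enable
slb
# Real server group: two web back-ends, weighted round robin, HTTPS health check
group 1 WEB_POOL
  metric weight-roundrobin
  # Probe /health on port 8443 every tx-interval; the server is marked down
  # after 3 consecutive misses. ept-code 200 is the default, stated for clarity.
  health-check type https req-url /health ept-code 200 tx-interval 5 times 3 port 8443
  # Hide client addresses behind the firewall interface address, so server
  # replies always return through the firewall without per-server client routes
  source-nat interface-address
  # web-a receives 3 of every 4 new sessions, web-b receives 1
  rserver 0 rip 10.0.1.11 port 8443 weight 3 max-connections 2000 description web-a
  rserver 1 rip 10.0.1.12 port 8443 weight 1 max-connections 2000 description web-b
  quit
# Virtual server: HTTPS terminated on the firewall (SSL offload), which is what
# makes cookie persistence and X-Forwarded-For possible for HTTPS clients
vserver 1 WEB_VIP
  protocol https
  # assumed existing SSL offload profile
  ssl-profile 1 WEB_SSL_PROFILE
  vip 0 203.0.113.10
  vport 443
  # assumed existing cookie-based sticky session profile
  persistence WEB_COOKIE
  group WEB_POOL
  # maintenance page served when no real server passes the health check
  fallback 10.0.1.99
  # With source-nat the servers only see the firewall address; X-Forwarded-For
  # carries the real client address. Back-ends should accept this header only
  # from the firewall, since a client can also send its own X-Forwarded-For.
  http x-forward enable
  max-connection 5000
  quit
quit
display slb group WEB_POOL
```

The final `display` command shows the metric, health check type and per-server weight and status in the same layout as the FTP_Server_Group output above.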

Tons of details are available in the documentation.


Thanks for explaining the knowledge to support the forum of servers, congratulations more information.

A good article! Thank you for sharing
