3.2. Load Balancer Add-On via Direct Routing
- Network Layout
- In a direct routing Load Balancer Add-On setup, the LVS router needs to receive incoming requests and route them to the proper real server for processing. The real servers then need to directly route the response to the client. So, for example, if the client is on the Internet, and sends the packet through the LVS router to a real server, the real server must be able to go directly to the client by means of the Internet. This can be done by configuring a gateway for the real server to pass packets to the Internet. Each real server in the server pool can have its own separate gateway (and each gateway with its own connection to the Internet), allowing for maximum throughput and scalability. For typical Load Balancer Add-On setups, however, the real servers can communicate through one gateway (and therefore one network connection).
Important: It is not recommended to use the LVS router as a gateway for the real servers, as that adds unneeded setup complexity as well as network load on the LVS router, which reintroduces the network bottleneck that exists in NAT routing.
- The hardware requirements of a Load Balancer Add-On system using direct routing are similar to those of other Load Balancer Add-On topologies. While the LVS router needs to be running Piranha Configuration Tool to process the incoming requests and perform load-balancing for the real servers, the real servers do not need to be Linux machines to function correctly. The LVS routers need one or two NICs each (depending on whether there is a backup router). You can use two NICs for ease of configuration and to distinctly separate traffic — incoming requests are handled by one NIC and routed packets to real servers on the other.
- Since the real servers bypass the LVS router and send outgoing packets directly to a client, a gateway to the Internet is required. For maximum performance and availability, each real server can be connected to its own separate gateway which has its own dedicated connection to the carrier network to which the client is connected (such as the Internet or an intranet).
- There is some configuration outside of Piranha Configuration Tool that needs to be done, especially for administrators facing ARP issues when using Load Balancer Add-On by means of direct routing. Refer to Section 3.2.1, “Direct Routing and arptables_jf” or Section 3.2.2, “Direct Routing and iptables” for more information.
3.2.1. Direct Routing and arptables_jf
- To configure direct routing using arptables_jf, each real server must have its virtual IP address configured, so it can directly route packets. ARP requests for the VIP are ignored entirely by the real servers, and any ARP packets that might otherwise be sent containing the VIPs are mangled to contain the real server's IP instead of the VIPs.
- Using the arptables_jf method, applications may bind to each individual VIP or port that the real server is servicing. For example, the arptables_jf method allows multiple instances of Apache HTTP Server to be running bound explicitly to different VIPs on the system. There are also significant performance advantages to using arptables_jf.
- However, using the arptables_jf method, VIPs cannot be configured to start on boot using standard Red Hat Enterprise Linux system configuration tools.
- To configure direct routing using the arptables_jf method, perform the following steps:
- Create the ARP table entries for each virtual IP address on each real server (the real_ip is the IP the director uses to communicate with the real server; often this is the IP bound to eth0):
arptables -A IN -d <virtual_ip> -j DROP
arptables -A OUT -s <virtual_ip> -j mangle --mangle-ip-s <real_ip>
This will cause the real servers to ignore all ARP requests for the virtual IP addresses, and change any outgoing ARP responses which might otherwise contain the virtual IP so that they contain the real IP of the server instead. The only node that should respond to ARP requests for any of the VIPs is the current active LVS node.
- Once this has been completed on each real server, save the ARP table entries by typing the following commands on each real server:
service arptables_jf save
chkconfig --level 2345 arptables_jf on
The chkconfig command will cause the system to reload the arptables configuration on bootup — before the network is started.
- Configure the virtual IP address on all real servers using ifconfig to create an IP alias. For example:
ifconfig eth0:1 192.168.76.24 netmask 255.255.252.0 broadcast 192.168.79.255 up
Or using the ip command, for example:
ip addr add 192.168.76.24 dev eth0
As previously noted, the virtual IP addresses cannot be configured to start on boot using the Red Hat system configuration tools. One way to work around this issue is to place these commands in
- Configure Piranha for Direct Routing. Refer to Chapter 4, Configuring the Load Balancer Add-On with Piranha Configuration Tool for more information.
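The arptables_jf steps above, as an added shell example that is not from the Red Hat documentation: it generates the two rules for any number of VIPs, validates the addresses, and parses an `arptables -L -n` listing to report any VIP a real server would still answer ARP for (a real server that answers ARP for a VIP competes with the active LVS director and can draw client traffic to the wrong host, which is exactly what the method exists to prevent). The function names, the DRY_RUN switch, the listing format and the sample listing are assumptions made here.

```shell
#!/bin/sh
# Added example (not part of the Red Hat documentation): generate, optionally
# apply, and verify the arptables_jf rules for one real server in a
# direct-routing setup. Function names, the DRY_RUN switch and the sample
# listing are assumptions of this example.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only (default), 0 = run them

# Succeed only if $1 is a dotted-quad IPv4 address (each octet 0..255).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the two rules from the documentation for one VIP: drop incoming ARP
# requests for the VIP, and rewrite the sender IP of outgoing ARP packets
# from the VIP to the real IP. Usage: arp_rules_for_vip VIP REAL_IP
arp_rules_for_vip() {
    printf '%s\n' "arptables -A IN -d $1 -j DROP" \
                  "arptables -A OUT -s $1 -j mangle --mangle-ip-s $2"
}

# Print the rules for every VIP the real server serves.
# Usage: arp_rules_for_vips REAL_IP VIP [VIP...]
arp_rules_for_vips() {
    real_ip=$1; shift
    is_ipv4 "$real_ip" || { echo "bad real IP: $real_ip" >&2; return 1; }
    for vip in "$@"; do
        is_ipv4 "$vip" || { echo "bad VIP: $vip" >&2; return 1; }
        arp_rules_for_vip "$vip" "$real_ip"
    done
}

# Print or run the rules, depending on DRY_RUN. Same arguments as above.
apply_arp_rules() {
    arp_rules_for_vips "$@" | while read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$cmd"; else $cmd; fi
    done
}

# Given the output of `arptables -L -n` ($1) and a VIP ($2), succeed only if
# the IN chain drops ARP for that VIP. The listing format (one "-j ... -d ..."
# line per rule under a "Chain IN" header) is what arptables_jf prints and is
# assumed here; only the rule's own tokens are matched.
vip_arp_dropped() {
    printf '%s\n' "$1" | awk -v vip="$2" '
        /^Chain / { chain = $2; next }
        chain == "IN" {
            drop = 0; dst = 0
            for (i = 1; i < NF; i++) {
                if ($i == "-j" && $(i + 1) == "DROP") drop = 1
                if ($i == "-d" && $(i + 1) == vip)   dst = 1
            }
            if (drop && dst) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Print every VIP (from $2...) that the listing ($1) does not drop ARP for;
# succeed only if none is missing. Run this after every reboot of a real
# server, since the rules only survive if "service arptables_jf save" was run.
missing_arp_drops() {
    listing=$1; shift
    rc=0
    for vip in "$@"; do
        vip_arp_dropped "$listing" "$vip" || { printf '%s\n' "$vip"; rc=1; }
    done
    return $rc
}

# Constructed sample of `arptables -L -n` on a real server that only has the
# rules for 192.168.76.24 (addresses taken from the documentation's example).
SAMPLE_ARPTABLES_LISTING='Chain IN (policy ACCEPT)
-j DROP -d 192.168.76.24

Chain OUT (policy ACCEPT)
-j mangle -s 192.168.76.24 --mangle-ip-s 192.168.76.10

Chain FORWARD (policy ACCEPT)'

# Usage when saved as lvs_dr_arptables.sh and run directly: print the rules
# for two VIPs, then list the VIP the sample is missing (192.168.76.25).
if [ "${0##*/}" = "lvs_dr_arptables.sh" ]; then
    apply_arp_rules 192.168.76.10 192.168.76.24 192.168.76.25
    missing_arp_drops "$SAMPLE_ARPTABLES_LISTING" 192.168.76.24 192.168.76.25
fi
```

The default DRY_RUN=1 prints the commands so the script can be reviewed on any host; set DRY_RUN=0 on the real server to apply them, then feed the real `arptables -L -n` output to missing_arp_drops to confirm every VIP is covered.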
3.2.2. Direct Routing and iptables
- The ARP issue can also be worked around with the direct routing method by creating iptables firewall rules. To configure direct routing using iptables, you must add rules that create a transparent proxy so that a real server will service packets sent to the VIP address, even though the VIP address does not exist on the system.
- The iptables method is simpler to configure than the arptables_jf method. This method also circumvents the LVS ARP issue entirely, because the virtual IP address(es) only exist on the active LVS director.
- However, there are performance issues using the iptables method compared to arptables_jf, as there is overhead in forwarding/masquerading every packet.
- You also cannot reuse ports using the iptables method. For example, it is not possible to run two separate Apache HTTPD Server services bound to port 80, because both must bind to INADDR_ANY instead of the virtual IP addresses.
- To configure direct routing using the iptables method, perform the following steps:
- On each real server, enter the following command for every VIP, port, and protocol (TCP or UDP) combination intended to be serviced for the real server:
iptables -t nat -A PREROUTING -p <tcp|udp> -d <vip> --dport <port> -j REDIRECT
This command will cause the real servers to process packets destined for the VIP and port that they are given.
- Save the configuration on each real server:
service iptables save
chkconfig --level 2345 iptables on
The commands above cause the system to reload the iptables configuration on bootup — before the network is started.
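The iptables steps above, as an added shell example that is not from the Red Hat documentation: it builds the REDIRECT rule for each "VIP:PORT/PROTO" service a real server should answer for, flags any port/protocol pair that more than one VIP shares (those must all be served by one daemon bound to INADDR_ANY, the limitation described above), and checks an `iptables -t nat -S PREROUTING` listing for rules that are missing. The spec format, the function names, the DRY_RUN switch and the sample listing are assumptions made here.

```shell
#!/bin/sh
# Added example (not part of the Red Hat documentation): build the iptables
# REDIRECT rules for a real server from "VIP:PORT/PROTO" service specs, flag
# port/protocol pairs shared by several VIPs, and verify a running rule set
# from `iptables -t nat -S PREROUTING` output. The spec format, function
# names, DRY_RUN and the sample listing are assumptions of this example.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only (default), 0 = run them

# Split a spec into vip/port/proto and validate it. Sets the variables vip,
# port and proto for the caller; succeeds only if the spec is well formed.
parse_spec() {
    case "$1" in
        *:*/*) ;;
        *) echo "bad spec (want VIP:PORT/PROTO): $1" >&2; return 1 ;;
    esac
    vip=${1%%:*}; rest=${1#*:}; port=${rest%%/*}; proto=${rest#*/}
    case "$proto" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp: $1" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $1" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "port out of range: $1" >&2; return 1; }
}

# Print the rule from the documentation for one spec.
redirect_rule() {
    parse_spec "$1" || return 1
    printf '%s\n' \
        "iptables -t nat -A PREROUTING -p $proto -d $vip --dport $port -j REDIRECT"
}

# Print (DRY_RUN=1) or run the rule for every spec given.
apply_redirect_rules() {
    for spec in "$@"; do
        cmd=$(redirect_rule "$spec") || return 1
        if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$cmd"; else $cmd; fi
    done
}

# Print each PORT/PROTO that appears with more than one distinct VIP. With the
# iptables method all of those VIPs land on the same local port, so a single
# service bound to INADDR_ANY has to handle them; two separate daemons on that
# port cannot coexist. Duplicate specs for the same VIP are not flagged.
shared_ports() {
    for spec in "$@"; do
        printf '%s %s\n' "${spec#*:}" "${spec%%:*}"
    done | sort -u | awk '{ n[$1]++ } END { for (k in n) if (n[k] > 1) print k }' | sort
}

# Succeed only if the listing ($1, output of `iptables -t nat -S PREROUTING`)
# contains the REDIRECT rule for spec $2. `-S` prints the destination as
# VIP/32 and repeats the protocol as "-m tcp"/"-m udp"; only the tokens that
# identify the rule are matched, so extra match options do not matter.
redirect_present() {
    parse_spec "$2" || return 1
    printf '%s\n' "$1" | awk -v dst="$vip/32" -v port="$port" -v proto="$proto" '
        $1 == "-A" && $2 == "PREROUTING" {
            d = p = dp = j = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-d" && $(i + 1) == dst)        d = 1
                if ($i == "-p" && $(i + 1) == proto)      p = 1
                if ($i == "--dport" && $(i + 1) == port)  dp = 1
                if ($i == "-j" && $(i + 1) == "REDIRECT") j = 1
            }
            if (d && p && dp && j) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample listing: HTTP and DNS on the VIP are redirected, HTTPS
# is not (VIP taken from the documentation's example).
SAMPLE_NAT_LISTING='-P PREROUTING ACCEPT
-A PREROUTING -d 192.168.76.24/32 -p tcp -m tcp --dport 80 -j REDIRECT
-A PREROUTING -d 192.168.76.24/32 -p udp -m udp --dport 53 -j REDIRECT'

# Usage when saved as lvs_dr_iptables.sh and run directly: print the rules,
# report shared ports, and check the sample listing for the HTTPS rule.
if [ "${0##*/}" = "lvs_dr_iptables.sh" ]; then
    apply_redirect_rules 192.168.76.24:80/tcp 192.168.76.25:80/tcp 192.168.76.24:443/tcp
    shared_ports 192.168.76.24:80/tcp 192.168.76.25:80/tcp 192.168.76.24:443/tcp
    redirect_present "$SAMPLE_NAT_LISTING" 192.168.76.24:443/tcp || echo "missing: 192.168.76.24:443/tcp"
fi
```

Because the REDIRECT rule matches on VIP, port and protocol, a real server only services the exact combinations you list; running redirect_present against the live `iptables -t nat -S PREROUTING` output after a reboot confirms that "service iptables save" captured every rule.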