负载均衡设备基本原理

负载均衡设备综合介绍熊柯(jeff)运维部/网络工程师©F5Networks•负载均衡基础•中文站负载均衡设备使用情况•内部VIP和外部VIP•负载均衡的地址转换（3种工作模式/SNAT）•连接分配与保持技术（源地址，COOKIE）•健康检查•F5工作原理•F5性能指标(安全防护)Agenda©F5Networks负载均衡基础3©F5Networks中文站负载均衡设备使用情况兴议CSR兴议核心交换机接入交换机L21GL3L3L310GL310GF5BIG8400F5BIG8400A10AX3200A10AX3200NS10010NS9950NS10010NS9950©F5NetworksLB用途•F58400：–中文站市场/收费/社区/P4P/SA应用/附属应用•A10AX3200：–中文站图片CACHE•NS：–10010：搜索/TPDNS/图片VIP–9950：图片CACHE5©F5Networks内部VIP与外部VIP•内部VIP–提供生产网络机房内部调用，比如：搜索的isearch内部VIP，外部不可访问•外部VIP–提供对外用户的访问需求，比如中文站主站，以及CRM的应用，能够通过安全设备提供对源地址的访问限制6©F5Networks负载均衡的VIP功能地址转换•模式A（SNAT/DNAT：万能模式）–源地址目标地址都转换，服务器无法看到真实客户源地址•模式B（DNAT：PBR模式）–只转换目标地址，需要网络结构/负载均衡都支持•模式C（NOTHING：DR/DSR模式）–不做地址转换，需要服务器创建一个LOOPBACK地址。推荐的使用模式。7©F5Networks一个例子:InternetVirtualServer216.34.94.17:80PoolMembersMapsto©F5NetworksVirtualServer-AddressTranslationBIG-IPperformsnetworkaddresstranslationtorealserveraddressessuchthatallmachinesareviewedasoneVirtualServerRealServerAddressNetworkAddressTranslationVirtualServerAddressInternet216.34.94.17:80©F5NetworksNetworkFlow-Packet#1resolves:80©F5NetworksNetworkFlow-Packet#1BIG-IPtranslatesDestAddresstoNodebasedonLoadBalancingInternetPacket#1Src-207.17.117.20:4003Dest–216.34.94.17:80Packet#1Src–207.17.117.20:4003Dest–172.16.20.1:80207.17.117.20216.34.94.17:80©F5NetworksNetworkFlow–Packet#1ReturnBIG-IPtranslatesSrcAddressbacktoVirtualServerAddressInternetPacket#1-returnDest-207.17.117.20:4003Src–216.34.94.17:80Packet#1-returnDest–207.17.117.20:4003Src–172.16.20.1:80207.17.117.20216.34.94.17:80©F5NetworksNetworkFlow-Packet#2InternetPacket#2Src-207.17.117.21:4003Dest–216.34.94.17:80Packet#2Src–207.17.117.21:4003Dest–172.16.20.2:4002207.17.117.21216.34.94.17:80©F5NetworksNetworkFlow–Packet#2ReturnInternetPacket#2-returnDest-207.17.117.21:4003Src–216.34.94.17:80Packet#2-returnDest–207.17.117.21:4003Src–172.16.20.2:4002207.17.117.21216.34.94.17:80©F5NetworksNetworkFlow-Packet#3InternetPacket#3Src-207.17.117.25:4003Dest–216.34.94.17:80Packet#3Src–207.17.117.25:4003Dest–172.16.20.4:8080207.17.117.25216.34.94.17:80©F5NetworksNetworkFlow–Packet#3ReturnInternetPacket#3-returnDest-207.17.117.25:4003Src–216.34.94.17:80Packet#3-returnDest–207.17.117.25:4003Src–172.16.20.4:8080207.17.117.25216.34.94.17©F5Networks负载均衡的SNAT(SecureNAT)功能地址转换•当服务器只有私有地址的时候，但是又想访问外网的时候，需要网络设备提供地址转换。•是不是回忆起啥？对！！！就是家里的宽带路由器的共享上网功能•如果服务器要访问工商银行的FTP服务器，对方会向你索要你的公网地址，加入到白名单。你就可以通过它的防火墙了。17©F5Networks请看SNAT的示意图18©F5Networks连接分配方法：•RoundRobin•Ratio•LeastConnections•Fastest•Observed•Predictive•DynamicRatio•PriorityGroupActivation•FallbackHostStaticDynamicFailureMechanisms©F5NetworksRoundRobinClientsRouterBIG-IPControllerServersClientrequestsaredistributedevenly12345678Internet©F5NetworksRatioClientsRouterBIG-IPControllerServersAdministratorsetsratiofordistributingClientrequests3:2:1:11234891011Internet571214613©F5NetworksFastestClientsRouterBIG-IPControllerServersNextrequestsgotoNodewithfastestresponsetime25Internet10ms10ms10ms17msCurrentResponseTimes1436©F5NetworksFastestClientsRouterBIG-IPControllerServersSometimelater,responsetimeschange102104Internet10ms10ms7ms7msCurrentResponseTimes101103©F5NetworksLeastConnectionsClientsRouterBIG-IPControllerServers12InternetNextrequestsgoestoNodewithfewestopenconnections459460461470CurrentConnections3456©F5NetworksLeastConnectionsClientsRouterBIG-IPControllerServersInternetSometimelater,numberofconnectionschange6163280290111112CurrentConnections62©F5NetworksPriorityGroupActivationClientsRouterBIG-IPControllerServers135246InternetPriority1Priority2IfyousetPriorityGroupActivationto2,and3ofthehighestprioritymembersareavailable,thenlowerprioritymemberswillnotbeused.©F5NetworksPriorityGroupActivationClientsRouterBIG-IPControllerServers15InternetPriority1Priority2324678IfnumberofmembersfallsbelowPriorityGroupActivation(2),thenthenexthighestprioritymembersareusedalso.©F5Networks重要的健康检查Monitor•7层检查:GET/REPONSE200ok•4层检查：SYN-SHAKE;FIN-SHAKE•ICMP:ping检查模拟环境示例：在模拟环境上创建3种类型的MONTIOR，在服务器上观察数据包28©F5NetworksPing检查Steps–PacketssenttoIPAddresses–Ifnoresponse,thennotrafficsenttomembersusingthatnodeaddressExample-ICMPInternetICMP©F5Networks端口检查Steps–OpensTCPconnection(IPAddress:service)–Connectionclosed–IfTCPconnectionfails,thennotrafficsenttoassociatedMembers–Example–TCPInternetTCPConnection©F5Networks7层/内容检查InternetSteps–OpensTCPconnection(IPAddress:service)–Sendsarequest–Responsereturnsdata–Connectionclosed–IfReceiveRulenotfoundindata,thennotrafficsenttoassociatedMembers–Example–httphttpGET/©F5Networks连接保持技术•源地址保持技术–示意图•Cookie保持技术–示意图©F5Networks源地址保持•BasedonClientSourceIPAddress•Netmask-AddressRange123123205.229.151.10205.229.152.11IfNetmaskis255.255.255.0205.229.151.107©F5NetworksCookie保持•Insertmode–BIG-IPInsertsacookieintothestream•Rewritemode–WebservercreatescookieandBIG-IPControllerchangesit•Passivemode–WebservercreatescookieandBIG-IPControllerReadsit•Hashmode–Mapsacookievaluetoaspecificnode–Webservermustgenerateacookie©F5NetworksClientServerHTTPrequest(nosp