Global Load Balancing and Regional Load Balancing

  • [GLOBAL] HTTP(S) Load Balancing
  • [GLOBAL] SSL Proxy Load Balancing
  • [GLOBAL] TCP Proxy Load Balancing
  • [REGIONAL] Network Load Balancing (external, pass-through)
  • [REGIONAL] Internal TCP/UDP Load Balancing

Load balancer backends are instance groups (managed or unmanaged) or, for Network Load Balancing, target pools of instances. Only managed instance groups can autoscale, so in practice they are the backend you want: no instance group, no load balancer, and no autoscaling either. Load balancing and autoscaling work hand in hand, since the autoscaler uses the same capacity signals the balancer uses.

The instance group updater (beta at the time of writing) performs a rolling update of a managed instance group to a new instance template, which is how a new image or changed VM startup script is rolled into production without recreating the group by hand.

Autohealing (beta at the time of writing) detects instances that fail the group's health check and recreates them from the instance template.

TLS certificates for the load balancer do not have to be bought from a commercial CA: a free Let's Encrypt certificate and its private key can be uploaded as the SSL certificate resource attached to the target proxy.

Google offers "Cloud Armor", a DDoS protection and web application firewall service that sits in front of the HTTP(S) load balancer.

Global External Load Balancer

HTTP(S) Load Balancer

  • Global load balancing of HTTP and HTTPS traffic behind a single anycast IP
  • URL maps route requests to backend services by host and path
  • Traffic is routed to the closest instance group that has capacity
  • Cross-region: if the nearest region is full or unhealthy, traffic spills over to the next closest
  • Balancing mode (how backend capacity is measured) is one of
    • Requests per second (RATE)
    • CPU utilization (UTILIZATION)
  • Session affinity
    • Client IP affinity
    • Generated cookie affinity
  • WebSocket support (proxied like any other HTTP connection)
    • The default 30 second backend timeout applies to WebSocket connections too
    • The timeout can be increased via the API
  • LB interfaces
    • gcloud CLI
    • GCP Console
    • The REST API
  • LB timeouts and retries
    • Backend service (response) timeout: 30 seconds by default
    • TCP session (idle) timeout: 10 minutes (600 seconds)
    • The LB retries failed GET requests; it never retries POST requests
  • Requests are logged to Stackdriver
  • VPC firewall rules on the backends must allow traffic from the load balancer and health-check source ranges (130.211.0.0/22 and 35.191.0.0/16). Because the LB is a proxy, backends see those addresses, not the client's; the original client IP arrives in the X-Forwarded-For header, so do not open the backends to 0.0.0.0/0 just to make the LB work
  • The LB does not keep backend instances in sync; identical content must come from the instance template or your deployment process

Typical HTTP Load balancer setup

The load balancer rejects a request as non-compliant with HTTP/1.1 when:

  • It cannot parse the first line (request line) of the request.
  • A header is missing the ":" delimiter.
  • Headers or the request line contain invalid characters.
  • The Content-Length is not a valid number, or there are multiple Content-Length headers.
  • There are multiple Transfer-Encoding headers, or there are unrecognized Transfer-Encoding values.
  • There is a non-chunked body and no Content-Length specified.
  • Body chunks are unparseable. This is the only case where some data reaches the backend: the load balancer closes both the client and backend connections when it receives an unparseable chunk.

The load balancer also blocks the request if any of the following are true:

  • The combination of request URL and headers is longer than about 15 KB.
  • The request method does not allow a body, but the request has one.
  • The request contains an Upgrade header.
  • The HTTP version is unknown.

Several of these rules (duplicate Content-Length, duplicate or unrecognized Transfer-Encoding, malformed chunks) are exactly the ambiguities that HTTP request smuggling relies on, which is why a proxy in front of your backends should normalize or reject them rather than forward them.
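The rule list above is precise enough to implement. The following is an added example for these notes, not Google code and not the actual front-end parser: a small validator that applies each listed rejection rule to a raw HTTP/1.1 request and returns the accept decision with the reason. The 15 KB threshold, the set of methods treated as body-less and the regex for invalid characters are assumptions (the notes give only "about 15KB" and do not name the methods); the sample requests in the main block are constructed.

```python
"""Toy model of the HTTP(S) load balancer's HTTP/1.1 compliance checks.

Added example for these notes; it is not Google code and not the production
parser.  It applies the rejection rules listed in the notes to a raw request
and returns (accepted, reason).  Constants marked 'assumed' are not from the
notes.
"""
import re

MAX_HEAD_BYTES = 15 * 1024                    # "about 15KB" in the notes; exact value assumed
BODYLESS_METHODS = {"GET", "HEAD", "TRACE"}   # assumed set of methods that may not carry a body
KNOWN_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
KNOWN_TE = {"chunked", "identity", "gzip", "deflate", "compress"}
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")        # RFC 7230 token (no spaces)
CTRL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")                # control chars other than HTAB


def _valid_chunked_body(body: bytes) -> bool:
    """Walk a chunked body; False at the first unparseable chunk."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return False
        size_field = body[pos:end].split(b";", 1)[0].strip()   # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            return False
        pos = end + 2
        if size == 0:
            return True                                        # last-chunk; trailers ignored here
        if body[pos + size:pos + size + 2] != b"\r\n":
            return False
        pos += size + 2


def validate_request(raw: bytes):
    """Return (True, 'ok') or (False, reason) for one raw HTTP/1.1 request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers"
    if len(head) > MAX_HEAD_BYTES:
        return False, "request line + headers too long"
    lines = head.split(b"\r\n")
    if any(CTRL.search(ln) for ln in lines):
        return False, "invalid characters"
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not TOKEN.match(parts[0].decode("ascii", "replace")) or not parts[1]:
        return False, "cannot parse request line"
    method = parts[0].decode("ascii")
    version = parts[2].decode("ascii", "replace")
    if version not in KNOWN_VERSIONS:
        return False, "unknown HTTP version"
    headers = {}
    for ln in lines[1:]:
        if b":" not in ln:
            return False, "header missing ':' delimiter"
        name, value = ln.split(b":", 1)
        name = name.decode("ascii", "replace")
        if not TOKEN.match(name):                 # rejects "Content-Length : 5" style names
            return False, "invalid header name"
        headers.setdefault(name.lower(), []).append(value.strip().decode("ascii", "replace"))
    if "upgrade" in headers:
        return False, "upgrade header present"
    cl = headers.get("content-length", [])
    if len(cl) > 1 or (cl and not cl[0].isdigit()):
        return False, "bad or duplicate content-length"
    te = headers.get("transfer-encoding", [])
    if len(te) > 1:
        return False, "duplicate transfer-encoding"
    te_values = [v.strip().lower() for v in te[0].split(",")] if te else []
    if any(v not in KNOWN_TE for v in te_values):
        return False, "unrecognized transfer-encoding"
    chunked = "chunked" in te_values
    if body and method in BODYLESS_METHODS:
        return False, "method does not allow a body"
    if body and not chunked and not cl:
        return False, "non-chunked body without content-length"
    if chunked and not _valid_chunked_body(body):
        return False, "unparseable chunk"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: one clean request and two classic smuggling shapes.
    samples = [
        b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
        b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\nhello",
        b"POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: xchunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    ]
    for s in samples:
        print(validate_request(s))
```

The checks run in the order a proxy would naturally hit them (size, framing, request line, headers, then body), so the reason returned is the first rule violated, not a full list.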

SSL Proxy Load Balancer

  • TLS connections are terminated at the load balancer layer; the SSL proxy then balances the connections across all instances, to the backends either in plaintext (TCP) or re-encrypted (SSL backend protocol)
  • Benefits
    • Intelligent routing to the nearest backend with capacity
    • Better use of instances (TLS handshakes are offloaded from the VMs)
    • Centralized certificate management
    • Security patching of the TLS stack is handled by Google
    • Supported ports: 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995
  • Components
    • Health checks
    • Backend services
    • SSL certificate and private key
    • Global forwarding rules

TCP Proxy Load Balancer

  • Same properties as the SSL proxy LB, but for non-TLS TCP traffic: no certificate is attached and TLS is not terminated (or inspected) at the load balancer

Regional Load Balancer

Internal TCP/UDP Load Balancer

  • The internal LB fronts a service on a private LB IP that is reachable only from instances in the same VPC network
  • Lower latency, since traffic stays inside the GCP network
  • Supports auto mode VPC, custom mode VPC and legacy networks
  • Can use regional managed instance groups, which autoscale across zones within the region (not across regions: the internal LB is regional)
  • LB selection algorithm
    • By default the internal LB uses a 5-tuple hash of
      • Client source IP
      • Client source port
      • Destination IP (the LB IP)
      • Destination port
      • Protocol (TCP or UDP)
    • To keep a client's connections on one backend (session affinity), use one of
      • 3-tuple hash (client IP, destination IP, protocol)
      • 2-tuple hash (client IP, destination IP)
  • Restrictions
    • Internal to GCP only; no external clients
    • Cannot send traffic to a VPN tunnel
    • 50 rules max
    • 250 forwarding rules max
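The hash tuple decides what "session affinity" actually means for the internal LB, and the same question arises for the HTTP(S) LB's client IP affinity option above. As an added example (not Google code and not the production selection algorithm), the model below hashes the selected fields of a flow over the set of healthy backends and counts how many backends one client is spread across under the 5-, 3- and 2-tuple settings. The hash function (SHA-256 of the joined fields), the `Flow` type, the backend names and the sample addresses are all constructed here.

```python
"""Model of hash-based backend selection for the internal TCP/UDP load balancer.

Added example for these notes (not Google code): it shows why the 5-tuple
default gives no affinity across a client's connections while 3-tuple and
2-tuple hashing pin a client to one backend, and that unhealthy backends
are never candidates.  Hash function, flows and backends are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str     # the internal LB's forwarding-rule IP
    dst_port: int
    proto: str      # "TCP" or "UDP"


def hash_fields(flow: Flow, tuple_size: int) -> tuple:
    """Fields that take part in the hash for each affinity setting."""
    if tuple_size == 5:      # default: every connection is hashed independently
        return (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port, flow.proto)
    if tuple_size == 3:      # client IP + protocol affinity
        return (flow.src_ip, flow.dst_ip, flow.proto)
    if tuple_size == 2:      # client IP affinity: TCP and UDP land on the same backend
        return (flow.src_ip, flow.dst_ip)
    raise ValueError("tuple_size must be 5, 3 or 2")


def pick_backend(flow: Flow, backends: list, healthy: dict, tuple_size: int = 5) -> str:
    """Choose a healthy backend for this flow; unhealthy ones are never candidates."""
    candidates = [b for b in backends if healthy.get(b, False)]
    if not candidates:
        raise RuntimeError("no healthy backends")
    key = "|".join(str(f) for f in hash_fields(flow, tuple_size)).encode()
    digest = hashlib.sha256(key).digest()                      # assumed hash; real LB differs
    return candidates[int.from_bytes(digest[:8], "big") % len(candidates)]


def distinct_backends(client_ip: str, n_conns: int, backends: list, healthy: dict,
                      tuple_size: int, protos=("TCP",)) -> int:
    """How many different backends one client reaches over n_conns connections,
    each from a fresh ephemeral source port, optionally mixing protocols."""
    seen = set()
    for i in range(n_conns):
        for proto in protos:
            flow = Flow(client_ip, 49152 + i, "10.128.0.100", 8080, proto)
            seen.add(pick_backend(flow, backends, healthy, tuple_size))
    return len(seen)


if __name__ == "__main__":
    # Constructed sample: three backends, one failing its health check.
    backends = ["vm-a", "vm-b", "vm-c"]
    healthy = {"vm-a": True, "vm-b": True, "vm-c": False}
    for size in (5, 3, 2):
        n = distinct_backends("10.128.0.5", 50, backends, healthy, size, ("TCP", "UDP"))
        print(f"{size}-tuple: client 10.128.0.5 spread over {n} backend(s)")
```

Two things the model makes visible: with the 5-tuple default a client that opens many connections has no reason to land twice on the same backend, so any per-client state must live off-box; and because selection is a modulo over the currently healthy set, a backend failing its health check reshuffles everyone's mapping in this model, so affinity should be treated as best effort rather than a guarantee.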

Network Load Balancer (regional, external)

  • Balances incoming IP traffic by address, port and protocol; it is pass-through, so packets reach the instance with the client's source IP intact
  • Routes traffic to the instances in one or more target pools
  • Considerations
    • Load distribution algorithm (hash of source and destination address and port)
    • Target pools
    • Session affinity
    • Health checking
    • Firewall rules: because there is no proxy, backend firewall rules must admit the client source addresses as well as the health checker, so scope them to the service port rather than opening the instance
  • Connection draining
    • Can be triggered manually or by the autoscaler
    • A timeout duration must be set
    • In-flight user sessions terminate gracefully and new sessions are routed elsewhere (timeout 1-3600 seconds)