负载均衡设备基本原理
Internet
216.34.94.17:80 Virtual Server
Maps to
Pool Members
© F5 Networks
Virtual Server - Address Translation
Internet
216.34.94.17:80 Virtual Server Address
– 提供生产网络机房内部调用,比如:搜索的 isearch内部VIP,外部不可访问
• 外部VIP
– 提供对外用户的访问需求,比如中文站主站, 以及CRM的应用,能够通过安全设备提供对源 地址的访问限制
6
© F5 Networks
负载均衡的VIP功能地址转换 负载均衡的VIP功能地址转换 VIP • 模式A(SNAT/DNAT:万能模式)
Packet # 1 Src – 207.17.117.20:4003 Dest – 172.16.20.1:80
© F5 Networks
Network Flow – Packet #1 Return
207.17.117.20 Packet # 1 - return Dest - 207.17.117.20:4003 Src – 216.34.94.17:80
BIG-IP Controller
1 5
2 6
3 7
4 8
Servers
© F5 Networks
Ratio
Internet Clients
Router Administrator sets ratio for distributing Client requests 3:2:1:1
BIG-IP Controller
1 2 4 5 3 6
BIG-IP Controller
Servers
459 460 461 470 Current Connections
© F5 Networks
Least Connections
Internet Clients Router Some time later, number of connections change
1 5 2 6
Clients
Router
BIG-IP Controller Priority 1
3 7 4 8
© F5 Networks
Servers
重要的健康检查Monitor 重要的健康检查 • 7层检查: GET / REPONSE 200ok • 4层检查:SYN-SHAKE;FIN-SHAKE • ICMP: ping 检查 模拟环境示例: 在模拟环境上创建3种类型的MONTIOR,在 服务器上观察数据包
Dynamic
• Priority Group Activation • Fallback Host
Failure Mechanisms
© F5 Networks
Round Robin
Internet Clients
Router
Client requests are distributed evenly
1 4 2 5 3 6
Clients
Router BIG-IP Controller Priority 1 Servers
© F5 Networks
Priority Group Activation
Internet If number of members falls below Priority Group Activation (2), then the next highest priority members are used also. Priority 2
Network Flow - Packet #2
207.17.117.21 Packet # 2 Src - 207.17.117.21:4003 Dest – 216.34.94.17:80
Internet
216.34.94.17:80
Packet # 2 Src – 207.17.117.21:4003 Dest – 172.16.20.2:4002
3 6
Servers
10ms 10ms 10ms 17ms Current Response Times
© F5 Networks
Fastest
Internet Clients Router Some time later, response times change
BIG-IP Controller
© F5 Networks
Network Flow - Packet #3
207.17.117.25 Packet # 3 Src - 207.17.117.25:4003 Dest – 216.34.94.17:80
Internet
216.34.94.17:80
Packet # 3 Src – 207.17.117.25:4003 Dest – 172.16.20.4:8080
接入交换机
© F5 Networks
LB用途 用途 • F5 8400:
– 中文站市场/收费/社区/P4P/SA应用/附属应用
• A10 AX3200:
– 中文站图片CACHE
• NS:
– 10010:搜索/TPDNS/图片VIP – 9950:图片CACHE
5
© F5 Networks
内部VIP与外部 与外部VIP 内部 与外部 • 内部VIP
© F5 Networks
负载均衡的SNAT(Secure NAT)功能地址转换 负载均衡的SNAT(Secure NAT)功能地址转换 • 当服务器只有私有地址的时候,但是又想 访问外网的时候,需要网络设备提供地址 转换。 • 是不是回忆起啥?对!!!就是家里的宽 带路由器的共享上网功能 • 如果服务器要访问工商银行的FTP服务器, 对方会向你索要你的公网地址,加入到白 名单。你就可以通过它的防火墙了。
© F5 Networks
负载均衡基础
3
© F5 Networks
中文站负载均衡设备使用情况
兴议CSR
L3 10G F5 BIG8400 A10 AX3200
L3 10G F5 BIG8400 A10 AX3200
兴议核心交换机 L3 L2 1G NS 10010 NS 9950 NS 10010 NS 9950 L3
Real Server Address
© F5 Networks
Network Flow - Packet #1
Internet
216.34.94.17:80
DNS Server resolves to BIG-IP Virtual Server Address 216.34.94.17:80
BIG-IP Controller
61 62 63
Servers
280 290 111 112 Current Connections
© F5 Networks
Priority Group Activation
Internet If you set Priority Group Activation to 2, and 3 of the highest priority members are available, then lower priority members will not be used. Priority 2
© F5 Networks
Network Flow – Packet #3 Return
207.17.117.25 Packet # 3 - return Dest - 207.17.117.25:4003 Src – 216.34.94.17:80
Internet
216.34.94.17
Packet # 3 - return Dest – 207.17.117.25:4003 Src – 172.16.20.4:8080
© F5 Networks
Network Flow – Packet #2 Return
207.17.117.21 Packet # 2 - return Dest - 207.17.117.21:4003 Src – 216.34.94.17:80
Internet
216.34.94.17:80
Packet # 2 - return Dest – 207.17.117.21:4003 Src – 172.16.20.2:4002
负载均衡设备综合介绍
熊 柯(jeff) 运维部/网络工程师
Agenda • • • • • • • • 负载均衡基础 中文站负载均衡设备使用情况 内部VIP和外部VIP VIP和外部 内部VIP和外部VIP 负载均衡的地址转换( 种工作模式/SNAT /SNAT) 负载均衡的地址转换(3种工作模式/SNAT) 连接分配与保持技术(源地址,COOKIE) 连接分配与保持技术(源地址,COOKIE) 健康检查 F5工作原理 F5工作原理 F5性能指标 安全防护) 性能指标( F5性能指标(安全防护)
BIG-IP performs network address translation to real server addresses such that all machines are viewed as one Virtual Server
Network Address Translation
ICMP
© F5 Networks
端口检查
Internet
Steps
– Opens TCP connection (IP Address : service) – Connection closed – If TCP connection fails, then no traffic sent to associated Members – Example – TCP
