VMware NSX for the little ones. Part 5: Configuring the Load Balancer


Part one. Introduction
Part two. Configuring Firewall and NAT rules
Part three. Configuring DHCP
Part four. Configuring routing

Last time we talked about the routing capabilities of NSX Edge, and today we will deal with the load balancer.
Before we start the setup, I would like to briefly remind you of the main types of balancing.

Theory

All of today's load-balancing solutions are usually divided into two categories: balancing at the fourth (transport) and the seventh (application) layer of the OSI model. The OSI model is not the best reference point for describing balancing methods. For example, if an L4 balancer also supports TLS termination, does that make it an L7 balancer? But it is what it is.

  • An L4 balancer is most often a middle proxy standing between the client and a set of available backends. It terminates TCP connections (that is, it answers the SYN itself), selects a backend and opens a new TCP session toward it, sending the SYN itself. This type is one of the basic ones; other variants are possible.
  • An L7 balancer distributes traffic across the available backends in a "more sophisticated" way than an L4 balancer. It can decide which backend to select based on, for example, the contents of the HTTP message (URL, cookie, and so on).

Regardless of the type, a balancer can support the following functions:

  • Service discovery: the process of determining the set of available backends (Static, DNS, Consul, etc.).
  • Health checking of the discovered backends (an active "ping" of a backend using an HTTP request, detecting problems in TCP connections, the presence of several 503 HTTP codes in responses, etc.).
  • The balancing itself (round robin, random selection, source IP hash, URI).
  • TLS termination and certificate verification.
  • Security-related options (authentication, DoS protection, rate limiting) and much more.

NSX Edge supports two load balancer deployment modes:

Proxy mode, or one-arm. In this mode, NSX Edge uses its own IP address as the source address when sending a request to one of the backends. The balancer therefore performs Source NAT and Destination NAT at the same time. The backend sees all traffic as sent from the balancer and replies to it directly. In this scheme the balancer must be in the same network segment as the internal servers.

Here is how it works:
1. The user sends a request to the VIP address (the balancer address) configured on the Edge.
2. The Edge selects one of the backends and performs destination NAT, replacing the VIP address with the address of the selected backend.
3. The Edge performs source NAT, replacing the address of the user who sent the request with its own.
4. The packet is sent to the selected backend.
5. The backend does not reply directly to the user but to the Edge, because the user's original address was changed to the balancer's address.
6. The Edge relays the server's response to the user.

Transparent mode, or inline. In this mode, the balancer has interfaces on both the internal and the external network. There is no direct access to the internal network from the external one. The built-in load balancer acts as a NAT gateway for the virtual machines on the internal network.

The mechanism is as follows:
1. The user sends a request to the VIP address (the balancer address) configured on the Edge.
2. The Edge selects one of the backends and performs destination NAT, replacing the VIP address with the address of the selected backend.
3. The packet is sent to the selected backend.
4. The backend receives the request with the user's original address (no source NAT was performed) and replies directly to it.
5. The traffic is again received by the load balancer, because in the inline scheme it usually acts as the default gateway for the server farm.
6. The Edge performs source NAT to send the traffic to the user, using its VIP as the source IP address.
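The address rewriting in the two modes above, as an added example that is not part of the original article. It also models the case where, in transparent mode, the backend's default gateway is not the Edge. All addresses and the names Packet, Edge and round_trip are constructed for illustration, and ports are omitted.

```python
from dataclasses import dataclass, replace

# Constructed addresses (assumptions, not taken from the article).
CLIENT = "198.51.100.7"
VIP = "203.0.113.10"
EDGE_INT = "192.168.10.1"
BACKEND = "192.168.10.11"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class Edge:
    """Toy balancer that remembers the NAT it applied to each flow."""
    def __init__(self, transparent):
        self.transparent = transparent
        self.flows = {}  # (source seen by backend, backend) -> original client

    def forward(self, pkt, backend):
        out = replace(pkt, dst=backend)           # destination NAT: VIP -> backend
        if not self.transparent:
            out = replace(out, src=EDGE_INT)      # source NAT: client -> Edge
        self.flows[(out.src, backend)] = pkt.src
        return out

    def reverse(self, reply):
        client = self.flows[(reply.dst, reply.src)]
        return Packet(src=VIP, dst=client)        # reply leaves with the VIP as source

def round_trip(transparent, backend_gw_is_edge=True):
    """Return (source address the backend saw, source of the reply the client got)."""
    edge = Edge(transparent)
    seen = edge.forward(Packet(CLIENT, VIP), BACKEND)
    reply = Packet(src=BACKEND, dst=seen.src)
    # A reply addressed to the Edge always reaches it. A reply addressed to the
    # client passes the Edge only if the Edge is the backend's default gateway.
    via_edge = reply.dst == EDGE_INT or backend_gw_is_edge
    delivered = edge.reverse(reply) if via_edge else reply
    return seen.src, delivered.src

if __name__ == "__main__":
    print("proxy      :", round_trip(False))
    print("transparent:", round_trip(True))
    print("transparent, other gateway:", round_trip(True, backend_gw_is_edge=False))
```

In proxy mode the backend's access logs and IP-based ACLs see only the Edge address; in transparent mode with a different gateway the client receives a reply from an address it never contacted, so the connection does not complete.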

Practice

The test bench has 3 servers running Apache, configured to work over HTTPS. The Edge will balance HTTPS requests, proxying each new request to a new server.
Let's get started.

Generating the SSL certificate that NSX Edge will use
You can import a valid CA certificate or use a self-signed one. For this test I will use a self-signed one.

  1. In the vCloud Director interface, go to the Edge services settings.
  2. Go to the Certificates tab. From the list of actions, choose to add a new CSR.
  3. Fill in the required fields and click Keep.
  4. Select the newly created CSR and choose the Self-sign CSR option.
  5. Choose the certificate validity period and click Keep.
  6. The self-signed certificate appears in the list of available certificates.

Configuring the Application Profile
Application profiles give you fuller control over network traffic and make managing it simple and efficient. They can be used to define behavior for specific types of traffic.

  1. Go to the Load Balancer tab and enable the balancer. The Acceleration enabled option here lets the balancer use faster L4 balancing instead of L7.
  2. Go to the Application profile tab to configure the application profile. Click +.
  3. Set the profile name and select the type of traffic the profile will apply to. Let me explain some of the parameters.
    Persistence – stores and tracks session data, for example which specific server in the pool is serving the user's request. This ensures that the user's requests are sent to the same pool member for the lifetime of the session or for subsequent sessions.
    Enable SSL passthrough – when this option is selected, NSX Edge stops terminating SSL. Instead, termination happens directly on the servers being balanced.
    Insert X-Forwarded-For HTTP header – lets you determine the source IP address of a client that connects to the web server through the balancer.
    Enable Pool Side SSL – lets you specify that the selected pool consists of HTTPS servers.
  4. Since I will be balancing HTTPS traffic, I need to enable Pool Side SSL and select the previously generated certificate under Virtual Server Certificates -> Service Certificate.
  5. Do the same under Pool Certificates -> Service Certificate.

Creating the pool of servers to which traffic will be balanced (Pools)

  1. Go to the Pools tab. Click +.
  2. Set the pool name, select the algorithm (I will use round robin) and the type of monitor for the backend health check. The Transparent option indicates whether the clients' source IPs are visible to the internal servers.
    • If the option is disabled, traffic to the internal servers comes from the balancer's source IP.
    • If the option is enabled, the internal servers see the clients' source IPs. In this configuration NSX Edge must act as the default gateway, so that returned packets pass through NSX Edge.

    NSX supports the following balancing algorithms:

    • IP_HASH – the server is selected based on the result of a hash function over the source and destination IP of each packet.
    • LEASTCONN – incoming connections are balanced according to the number of connections a specific server already has. New connections are directed to the server with the fewest connections.
    • ROUND_ROBIN – new connections are sent to each server in turn, in accordance with the weight assigned to it.
    • URI – the left part of the URI (before the question mark) is hashed and divided by the total weight of the servers in the pool. The result indicates which server receives the request, which ensures that a request is always directed to the same server as long as all servers remain available.
    • HTTPHEADER – balancing based on a specific HTTP header, which can be specified as a parameter. If the header is missing or has no value, the ROUND_ROBIN algorithm is applied.
    • URL – each HTTP GET request is searched for the URL parameter specified as an argument. If the parameter is followed by an equals sign and a value, the value is hashed and divided by the total weight of the running servers. The result indicates which server receives the request. This process is used to track user IDs in requests and to ensure that the same user id is always sent to the same server, as long as all servers remain available.

  3. In the Members block, click + to add servers to the pool.

    Here you need to specify:

    • the server name;
    • the server IP address;
    • the port on which the server will receive traffic;
    • the port for the health check (Monitor healthcheck);
    • Weight – with this parameter you can adjust the proportional amount of traffic received by a specific pool member;
    • Max Connections – the maximum number of connections to the server;
    • Min Connections – the minimum number of connections the server must process before traffic is forwarded to the next pool member.

    The resulting pool consists of three servers.
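How ROUND_ROBIN and URI selection behave with member weights, and what happens to URI stickiness when a member goes down, as an added example that is not part of the original article. Member names are constructed, SHA-256 is a stand-in because the page does not say which hash function the Edge uses, and the weighted round robin here is the simplest form (no interleaving).

```python
import hashlib
from itertools import cycle

# Constructed pool: member name -> weight (assumptions, not from the article).
POOL = {"web-01": 1, "web-02": 1, "web-03": 1}

def slots(pool, down=()):
    """Expand each available member into as many slots as its weight."""
    return [name for name, weight in pool.items()
            if name not in down for _ in range(weight)]

def round_robin(pool, requests, down=()):
    """ROUND_ROBIN: give each new connection to the next slot in turn."""
    ring = cycle(slots(pool, down))
    return [next(ring) for _ in range(requests)]

def uri_member(pool, uri, down=()):
    """URI: hash the part before '?' and reduce it modulo the total weight."""
    path = uri.split("?", 1)[0]
    # SHA-256 is an assumption standing in for the Edge's own hash function.
    digest = int.from_bytes(hashlib.sha256(path.encode()).digest()[:8], "big")
    table = slots(pool, down)
    return table[digest % len(table)]

def remapped(pool, uris, down):
    """URIs that sat on a healthy member but still move when `down` fail."""
    return [u for u in uris
            if uri_member(pool, u) not in down
            and uri_member(pool, u) != uri_member(pool, u, down)]

if __name__ == "__main__":
    uris = [f"/item/{i}" for i in range(300)]  # constructed sample URIs
    print(round_robin(POOL, 6))
    print(len(remapped(POOL, uris, {"web-02"})), "URIs moved off healthy members")
```

With three equal-weight members and one of them down, about half of the URIs that were served by the two healthy members also move, which is why the stickiness holds only while all servers are available.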

Adding a Virtual Server

  1. Go to the Virtual Servers tab. Click +.
  2. Enable the virtual server using Enable Virtual Server.
    Give it a name, select the previously created Application Profile and Pool, and specify the IP address on which the Virtual Server will accept requests from outside. Specify the HTTPS protocol and port 443.
    Optional parameters here:
    Connection Limit – the maximum number of simultaneous connections the virtual server can process;
    Connection Rate Limit (CPS) – the maximum number of new incoming requests per second.

This completes the balancer configuration; you can now check that it works. The servers have a very simple configuration that lets you see which server from the pool handled the request. During setup we chose the Round Robin balancing algorithm, and the Weight parameter of every server is equal to one, so each subsequent request will be handled by the next server in the pool.
Enter the balancer's external address in the browser and check which server answered.

After the page is refreshed, the request is handled by the next server.

And once more, to check the third server from the pool.

While checking, you can see that the certificate the Edge sends us is the one we generated at the beginning.

Checking the balancer status from the Edge gateway console. To do this, enter show service loadbalancer.

Configuring a Service Monitor to check the state of the servers in the pool
With a Service Monitor we can monitor the state of the servers in the backend pool. If the response to a request is not as expected, the server can be taken out of the pool so that it does not receive new requests.
By default, three verification methods are configured:

  • TCP monitor,
  • HTTP monitor,
  • HTTPS monitor.

Let's create a new one.

  1. Go to the Service Monitoring tab and click +.
  2. Choose:
    • the name of the new method;
    • the interval at which requests will be sent,
    • the timeout for waiting for a response,
    • the monitoring type – an HTTPS request using the GET method, the expected status code – 200 (OK), and the request URL.
  3. This completes the setup of the new Service Monitor; we can now use it when creating a pool.

Configuring Application Rules

Application rules are a way to manipulate traffic based on certain triggers. With this tool we can create advanced load-balancing rules that may not be possible through application profiles or other services available on the Edge Gateway.

  1. To create a rule, go to the balancer's Application Rules tab.
  2. Choose a name and the script that the rule will use, and click Keep.
  3. After the rule is created, we need to edit the already configured Virtual Server.
  4. In the Advanced tab, add the rule we created.

In the example above we enabled tlsv1 support.

A couple more examples:

Redirecting traffic to another pool.
With this script we can redirect traffic to another balancing pool if the primary pool is down. For the rule to work, several pools must be configured on the balancer and all members of the primary pool must be in the down state. You need to specify the name of the pool, not its ID.

# pool_down is true when no member of the primary pool is up
acl pool_down nbsrv(PRIMARY_POOL_NAME) eq 0
use_backend SECONDARY_POOL_NAME if pool_down

Redirecting traffic to an external resource.
Here we redirect traffic to an external website if all members of the primary pool are down.

acl pool_down nbsrv(NAME_OF_POOL) eq 0
redirect location http://www.example.com if pool_down

Even more examples here.

That's all from me about the balancer. If you have any questions, ask; I'm ready to answer.

source: www.habr.com
