VMware NSX for Beginners. Part 5: Configuring the Load Balancer


Part one. Introduction
Part two. Configuring Firewall and NAT Rules
Part three. Configuring DHCP
Part four. Routing setup

Last time we talked about what NSX Edge can do in terms of static and dynamic routing, and today we will deal with the load balancer.
Before we start configuring, I would like to briefly remind you of the main types of balancing.

Theory

Today's load balancing solutions are usually divided into two categories: balancing at the fourth (transport) and the seventh (application) layers of the OSI model. The OSI model is not the best reference point for describing balancing methods. For example, if an L4 balancer also supports TLS termination, does that make it an L7 balancer? But it is what it is.

  • An L4 balancer is usually a middle box standing between the client and a set of available backends. It terminates TCP connections (that is, it answers the SYN itself), selects a backend and opens a new TCP session toward it, sending its own SYN. This type is one of the basic ones; other options are possible.
  • An L7 balancer distributes traffic across the available backends in a "more sophisticated" way than an L4 balancer does. It can decide which backend to choose based on, for example, the contents of the HTTP message (URL, cookie, and so on).

Regardless of its type, a balancer can support the following functions:

  • Service discovery: the process of determining the set of available backends (Static, DNS, Consul, Etcd, and so on).
  • Health checking of the discovered backends (an active "ping" of the backend using an HTTP request, passive detection of problems in TCP connections, the presence of several 503 HTTP codes in responses, and so on).
  • The balancing itself (round robin, random selection, source IP hash, URI).
  • TLS termination and certificate verification.
  • Security-related options (authentication, protection against DoS attacks, rate limiting) and much more.

NSX Edge supports two load balancer deployment modes:

Proxy mode, or one-arm. In this mode, NSX Edge uses its own IP address as the source address when sending a request to one of the backends. The balancer therefore performs Source NAT and Destination NAT at the same time. The backend sees all traffic as sent from the balancer and responds directly to it. In such a scheme, the balancer must be in the same network segment as the internal servers.

Here is how it works:
1. The user sends a request to the VIP address (the balancer address) that is configured on the Edge.
2. Edge selects one of the backends and performs destination NAT, replacing the VIP address with the address of the selected backend.
3. Edge performs source NAT, replacing the address of the user who sent the request with its own.
4. The packet is sent to the selected backend.
5. The backend does not respond directly to the user but to the Edge, since the user's original address has been changed to the balancer's address.
6. Edge forwards the server's response to the user.
[Diagram: proxy (one-arm) mode]

Transparent, or inline, mode. In this scenario, the balancer has interfaces on both the internal and the external network. At the same time, there is no direct access to the internal network from the external one. The built-in load balancer acts as a NAT gateway for the virtual machines on the internal network.

The mechanism is as follows:
1. The user sends a request to the VIP address (the balancer address) that is configured on the Edge.
2. Edge selects one of the backends and performs destination NAT, replacing the VIP address with the address of the selected backend.
3. The packet is sent to the selected backend.
4. The backend receives the request with the user's original address (source NAT was not performed) and responds directly to it.
5. The traffic is received by the load balancer again, since in an inline scheme it usually acts as the default gateway for the server farm.
6. Edge performs source NAT to send the traffic to the user, using its VIP as the source IP address.
[Diagram: transparent (inline) mode]
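The two step lists above, modelled as an added example (not code from the original article or from NSX): it traces one request through a toy Edge in each mode and shows which source address the backend sees, which is also what its access logs will record. All addresses are constructed sample values, and the single-flow session table without ports is a simplification.

```python
from dataclasses import dataclass

# Constructed sample addresses (documentation ranges), not from the article.
CLIENT, VIP = "203.0.113.10", "198.51.100.5"
EDGE_INTERNAL, BACKEND = "192.168.10.1", "192.168.10.11"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Edge:
    """Toy model of the Edge load balancer for one flow (ports omitted)."""

    def __init__(self, transparent: bool):
        self.transparent = transparent
        self.sessions = {}  # (src, dst) sent to backend -> real client address

    def to_backend(self, pkt: Packet) -> Packet:
        if pkt.dst != VIP:
            raise ValueError("clients only ever address the VIP")
        # Destination NAT happens in both modes; source NAT only in proxy mode.
        src = pkt.src if self.transparent else EDGE_INTERNAL
        out = Packet(src=src, dst=BACKEND)
        self.sessions[(out.src, out.dst)] = pkt.src
        return out

    def to_client(self, reply: Packet) -> Packet:
        # The reply is matched to its session and leaves with the VIP as source.
        client = self.sessions[(reply.dst, reply.src)]
        return Packet(src=VIP, dst=client)


def trace(transparent: bool) -> dict:
    edge = Edge(transparent)
    request = edge.to_backend(Packet(CLIENT, VIP))
    reply = Packet(src=request.dst, dst=request.src)  # backend answers what it saw
    return {
        "backend_sees_source": request.src,   # what the backend's logs record
        "backend_replies_to": reply.dst,      # Edge (proxy) or client (transparent)
        "client_receives": edge.to_client(reply),
    }


if __name__ == "__main__":
    for name, flag in (("proxy", False), ("transparent", True)):
        print(name, trace(flag))
```

In transparent mode the reply is addressed to the client, so the model only holds when the backend's return path goes through the Edge.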

Practice

My test bench has three servers running Apache, configured to work over HTTPS. Edge will perform round robin balancing of HTTPS requests, proxying each new request to a new server.
Let's begin.

Generating the SSL certificate that NSX Edge will use
You can import a valid CA certificate or use a self-signed one. For this test I will use a self-signed one.

  1. In the vCloud Director interface, go to the Edge services settings.
  2. Go to the Certificates tab. From the list of actions, choose to add a new CSR.
  3. Fill in the required fields and click Keep.
  4. Select the newly created CSR and choose the self-sign CSR option.
  5. Select the validity period of the certificate and click Keep.
  6. The self-signed certificate appears in the list of available certificates.

Configuring the Application Profile
Application profiles give you fuller control over network traffic and make managing it simple and efficient. They can be used to define behavior for specific types of traffic.

  1. Go to the Load Balancer tab and enable the balancer. The Acceleration enabled option here allows the balancer to use faster L4 balancing instead of L7.
  2. Go to the Application profile tab to set up the application profile. Click +.
  3. Set the name of the profile and select the type of traffic the profile will be applied to. Let me explain some of the parameters.
    Persistence: stores and tracks session data, for example which particular server in the pool is serving the user's request. This ensures that the user's requests are sent to the same pool member for the lifetime of the session or for subsequent sessions.
    Enable SSL passthrough: when this option is selected, NSX Edge stops terminating SSL. Instead, termination happens directly on the servers being balanced.
    Insert X-Forwarded-For HTTP header: lets you determine the source IP address of a client connecting to the web server through the load balancer.
    Enable Pool Side SSL: lets you specify that the selected pool consists of HTTPS servers.
  4. Since I will be balancing HTTPS traffic, I need to enable Pool Side SSL and select the previously generated certificate on the Virtual Server Certificates -> Service Certificate tab.
  5. Do the same for Pool Certificates -> Service Certificate.

Creating the pool of servers whose traffic will be balanced (Pools)

  1. Go to the Pools tab. Click +.
  2. Set the name of the pool, select the algorithm (I will use round robin) and the monitor type for the backend health check. The Transparent option indicates whether the original source IPs of the clients are visible to the internal servers.
    • If the option is disabled, traffic to the internal servers comes from the source IP of the balancer.
    • If the option is enabled, the internal servers see the source IP of the clients. In this configuration, NSX Edge must act as the default gateway to make sure that returning packets pass through NSX Edge.

    NSX supports the following balancing algorithms:

    • IP_HASH: the server is selected based on the result of a hash function over the source and destination IP of each packet.
    • LEASTCONN: incoming connections are balanced according to the number of connections already present on a particular server. New connections are directed to the server with the fewest connections.
    • ROUND_ROBIN: new connections are sent to each server in turn, according to the weight assigned to it.
    • URI: the left part of the URI (before the question mark) is hashed and divided by the total weight of the servers in the pool. The result indicates which server receives the request, ensuring that a request is always directed to the same server as long as all servers remain available.
    • HTTPHEADER: balancing based on a specific HTTP header, which can be specified as a parameter. If the header is missing or has no value, the ROUND_ROBIN algorithm is applied.
    • URL: each HTTP GET request is searched for the URL parameter specified as the argument. If the parameter is followed by an equals sign and a value, the value is hashed and divided by the total weight of the running servers. The result indicates which server receives the request. This process is used to track user IDs in requests and to make sure that the same user id is always sent to the same server as long as all servers remain available.

  3. In the Members block, click + to add servers to the pool.

    Here you need to specify:

    • the server name;
    • the server IP address;
    • the port on which the server receives traffic;
    • the port for the health check (Monitor healthcheck);
    • the weight: with this parameter you can adjust the proportion of traffic received by a particular pool member;
    • Max Connections: the maximum number of connections to the server;
    • Min Connections: the minimum number of connections the server must handle before traffic is forwarded to the next pool member.

    This is what the final pool of three servers looks like.
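The ROUND_ROBIN, URI and URL algorithms listed in step 2, sketched as an added example (not code from the original article or from NSX). The pool members, their weights and the request targets are constructed sample values, SHA-256 stands in for a hash function the article does not name, and the weighted round robin is simplified to plain repetition.

```python
import hashlib
from itertools import cycle

# Constructed pool: member name -> weight (sample values, not from the article).
POOL = {"web-01": 1, "web-02": 1, "web-03": 1}


def slots(pool):
    """Expand members by weight; the slot count is the pool's total weight."""
    return [name for name, weight in sorted(pool.items()) for _ in range(weight)]


def round_robin(pool):
    """ROUND_ROBIN (simplified): members in turn, in proportion to weight."""
    return cycle(slots(pool))


def by_hash(key, pool):
    """Hash the key and reduce it modulo the total weight of the pool.

    SHA-256 is an assumption made for this example; the article does not
    say which hash function NSX Edge uses.
    """
    table = slots(pool)
    digest = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")
    return table[digest % len(table)]


def uri_key(target):
    """URI algorithm: only the part left of the question mark is hashed."""
    return target.split("?", 1)[0]


def url_param_key(target, param):
    """URL algorithm: value of one query parameter, or None if absent/empty."""
    for pair in target.partition("?")[2].split("&"):
        name, sep, value = pair.partition("=")
        if name == param and sep and value:
            return value
    return None


def moved(keys, before, after):
    """Count keys whose server changes when pool membership changes."""
    return sum(by_hash(k, before) != by_hash(k, after) for k in keys)


if __name__ == "__main__":
    keys = [f"user{i}" for i in range(100)]
    smaller = {k: v for k, v in POOL.items() if k != "web-03"}
    print("moved after losing web-03:", moved(keys, POOL, smaller))
```

The `moved` count illustrates the "as long as all servers remain available" condition: once a member drops out, the total weight changes and some keys land on a different server.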

Adding a Virtual Server

  1. Go to the Virtual Servers tab. Click +.
  2. Activate the virtual server with Enable Virtual Server.
    Give it a name, select the previously created Application Profile and Pool, and specify the IP address on which the Virtual Server will accept requests from outside. Specify the HTTPS protocol and port 443.
    Optional parameters here:
    Connection Limit: the maximum number of simultaneous connections the virtual server can handle;
    Connection Rate Limit (CPS): the maximum number of new incoming requests per second.

This completes the configuration of the balancer; you can now check that it works. The servers have a very simple configuration that lets you tell which server from the pool handled the request. During setup we chose the Round Robin balancing algorithm, and the Weight parameter of every server is one, so each subsequent request will be handled by the next server from the pool.
We enter the external address of the balancer in the browser and see the response from one of the servers.

After refreshing the page, the request is handled by the next server.

And once more, to check the third server from the pool.

When checking, you can see that the certificate Edge presents to us is the same one we generated at the beginning.

Checking the state of the balancer from the Edge gateway console. To do this, enter show service loadbalancer pool.

Configuring a Service Monitor to check the state of the servers in the pool
With a Service Monitor we can track the state of the servers in the backend pool. If the response to a request is not what was expected, the server can be taken out of the pool so that it does not receive any new requests.
By default, three check methods are configured:

  • TCP-monitor,
  • HTTP-monitor,
  • HTTPS-monitor.

Let's create a new one.

  1. Go to the Service Monitoring tab and click +.
  2. Specify:
    • the name of the new method;
    • the interval at which requests will be sent;
    • the timeout for waiting for a response;
    • the check type: an HTTPS request using the GET method, the expected status code 200 (OK), and the URL to request.
  3. This completes the setup of the new Service Monitor; we can now use it when creating a pool.

Configuring Application Rules

Application Rules are a way to manipulate traffic based on certain triggers. With this tool we can create advanced load balancing rules that may not be possible through Application profiles or the other services available on the Edge Gateway.

  1. To create a rule, go to the Application Rules tab of the balancer.
  2. Choose a name and the script the rule will use, and click Keep.
  3. After the rule has been created, we need to edit the already configured Virtual Server.
  4. On the Advanced tab, add the rule we created.

In the example above we enabled tlsv1 support.

Two more examples:

Redirect traffic to another pool.
With this script we can send traffic to another balancing pool if the main pool is down. For the rule to work, several pools must be configured on the balancer and all members of the main pool must be in the down state. You must specify the name of the pool, not its ID.

acl pool_down nbsrv(PRIMARY_POOL_NAME) eq 0
use_backend SECONDARY_POOL_NAME if pool_down

Redirect traffic to an external resource.
Here we redirect traffic to an external website if all members of the main pool are down.

acl pool_down nbsrv(NAME_OF_POOL) eq 0
redirect location http://www.example.com if pool_down
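Rules of this kind only work when the name used after if refers to a condition declared by an earlier acl line. A small check for that, as an added example (not part of the original article or of NSX): the sample scripts and pool names are constructed, the list of predefined ACL names is deliberately partial, and the parser covers only the acl / if / unless forms shown here.

```python
import re

# A few ACL names HAProxy predefines; this list is deliberately partial.
PREDEFINED = {"TRUE", "FALSE", "HTTP", "METH_GET", "METH_POST", "LOCALHOST"}

# Constructed sample scripts; pool names are placeholders.
GOOD = """acl pool_down nbsrv(PRIMARY_POOL) eq 0
use_backend SECONDARY_POOL if pool_down
"""
BAD = """acl pool_down nbsrv(PRIMARY_POOL) eq 0
use_backend SECONDARY_POOL if PRIMARY_POOL
"""


def undefined_conditions(script):
    """Return (line_no, name) for each if/unless condition with no earlier acl."""
    defined, problems = set(PREDEFINED), []
    for no, line in enumerate(script.splitlines(), 1):
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl" and len(words) >= 3:
            defined.add(words[1])           # acl <name> <criterion> ...
            continue
        for kw in ("if", "unless"):
            if kw in words[1:]:
                cond = " ".join(words[words.index(kw, 1) + 1:])
                cond = re.sub(r"\{[^}]*\}", " ", cond)  # drop anonymous ACLs
                for tok in cond.split():
                    name = tok.lstrip("!")              # negated condition
                    if name and name not in ("||", "or") and name not in defined:
                        problems.append((no, name))
                break
    return problems


if __name__ == "__main__":
    for label, script in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, undefined_conditions(script))
```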

Even more examples here.

That's all from me on balancing. If you have any questions, ask; I am ready to answer.

Source: www.habr.com
