VMware NSX for the Little Ones. Part 5: Configuring the Load Balancer

Part one. Introduction
Part two. Configuring Firewall and NAT rules
Part three. Configuring DHCP
Part four. Configuring routing

Last time we talked about the capabilities of NSX Edge in terms of static and dynamic routing, and today we will deal with the load balancer.
Before we start configuring, I would like to briefly remind you of the main types of balancing.

Theory

All modern payload load-balancing solutions are usually divided into two categories: balancing at the fourth (transport) and seventh (application) layers of the OSI model. The OSI model is not the best reference point for describing balancing methods. For example, if an L4 balancer also supports TLS termination, does it become an L7 balancer? But it is what it is.

  • An L4 balancer is most often a middle proxy standing between the client and a set of available backends. It terminates TCP connections (that is, it answers the SYN itself), selects a backend and opens a new TCP session towards it, sending the SYN itself. This type is one of the basic ones; other options are possible.
  • An L7 balancer distributes traffic across the available backends in a "more sophisticated" way than an L4 balancer. It can decide which backend to choose based on, for example, the contents of the HTTP message (URL, cookie, etc.).

Regardless of type, a balancer can support the following functions:

  • Service discovery: the process of determining the set of available backends (Static, DNS, Consul, Etcd, etc.).
  • Health checking of the discovered backends (active "ping" of a backend with an HTTP request, passive detection of problems in TCP connections, the presence of several 503 HTTP codes in responses, etc.).
  • The balancing itself (round robin, random selection, source IP hash, URI).
  • TLS termination and certificate verification.
  • Security-related options (authentication, DoS attack prevention, rate limiting) and much more.

NSX Edge supports two load balancer deployment modes:

Proxy mode, or one-arm. In this mode, NSX Edge uses its own IP address as the source address when sending a request to one of the backends. The balancer therefore performs Source and Destination NAT at the same time. The backend sees all traffic as sent from the balancer and responds directly to it. In such a scheme, the balancer must be in the same network segment as the internal servers.

Here is how it works:
1. The user sends a request to the VIP address (the balancer address) configured on the Edge.
2. The Edge selects one of the backends and performs destination NAT, replacing the VIP address with the address of the selected backend.
3. The Edge performs source NAT, replacing the address of the user who sent the request with its own.
4. The packet is sent to the selected backend.
5. The backend replies not directly to the user but to the Edge, since the user's original address has been changed to the balancer's address.
6. The Edge forwards the server's response to the user.
The diagram is below.

Transparent mode, or inline. In this scenario, the balancer has interfaces on both the internal and the external network. At the same time, there is no direct access to the internal network from outside. The built-in load balancer acts as a NAT gateway for the virtual machines on the internal network.

The mechanism is as follows:
1. The user sends a request to the VIP address (the balancer address) configured on the Edge.
2. The Edge selects one of the backends and performs destination NAT, replacing the VIP address with the address of the selected backend.
3. The packet is sent to the selected backend.
4. The backend receives the request with the user's original address (source NAT was not performed) and replies directly to it.
5. The traffic is again received by the load balancer, since in the inline scheme it usually acts as the default gateway for the server farm.
6. The Edge performs source NAT to send the traffic to the user, using its VIP as the source IP address.
The diagram is below.

Practice

My test bench has 3 servers running Apache, configured to work over HTTPS. The Edge will perform round-robin balancing of HTTPS requests, proxying each new request to a new server.
Let's get started.

Generating the SSL certificate that NSX Edge will use
You can import a valid CA certificate or use a self-signed one. In this test I will use a self-signed one.

  1. In the vCloud Director interface, go to the Edge services settings.
  2. Go to the Certificates tab. From the list of actions, choose to add a new CSR.
  3. Fill in the required fields and click Keep.
  4. Select the newly created CSR and choose the self-sign CSR option.
  5. Choose the certificate validity period and click Keep.
  6. The self-signed certificate appears in the list of available ones.

Configuring the Application Profile
Application profiles give you more complete control over network traffic and make managing it simple and efficient. They can be used to define behavior for specific types of traffic.

  1. Go to the Load Balancer tab and enable the balancer. The Acceleration enabled option here lets the balancer use faster L4 balancing instead of L7.
  2. Go to the Application Profiles tab to define an application profile. Click +.
  3. Set the profile name and select the type of traffic the profile will apply to. Let me explain some of the parameters.
    Persistence - stores and tracks session data, for example which particular server in the pool is serving the user's request. This ensures that the user's requests are sent to the same pool member for the lifetime of the session or for subsequent sessions.
    Enable SSL passthrough - when this option is selected, NSX Edge stops terminating SSL. Instead, termination happens directly on the balanced servers.
    Insert X-Forwarded-For HTTP header - lets you determine the source IP address of a client connecting to the web server through the load balancer.
    Enable Pool Side SSL - lets you specify that the selected pool consists of HTTPS servers.
  4. Since I will be balancing HTTPS traffic, I need to enable Pool Side SSL and select the previously generated certificate on the Virtual Server Certificates -> Service Certificate tab.
  5. Do the same for Pool Certificates -> Service Certificate.
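Added example, not from the original article: how a backend behind the balancer in proxy mode can recover the client address from the X-Forwarded-For header that the profile option inserts, trusting the header only when the TCP peer is the balancer itself. The balancer address 192.168.10.1, the function name and the assumption that the Edge appends the address it saw as the last entry are illustrative.

```python
import ipaddress

# Assumption (constructed): the address the Edge uses as source towards the pool
# in proxy mode. Only this peer is allowed to vouch for a client address.
TRUSTED_BALANCERS = {ipaddress.ip_address("192.168.10.1")}


def client_ip(peer_ip, xff_header):
    """Return the address a backend should log or rate-limit on.

    peer_ip    -- source address of the TCP connection as seen by the backend
    xff_header -- raw X-Forwarded-For value, or "" / None when absent
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_BALANCERS or not xff_header:
        # Not relayed by the balancer: anything in the header was written by
        # the sender itself, so ignore it.
        return str(peer)
    # The balancer is assumed to append the address it saw as the last entry;
    # entries to the left of it came from the client and may be forged.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the TCP peer
        if addr not in TRUSTED_BALANCERS:
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header)
    samples = [
        ("192.168.10.1", "203.0.113.7"),            # normal relayed request
        ("192.168.10.1", "10.0.0.5, 203.0.113.7"),  # client forged a first entry
        ("198.51.100.9", "127.0.0.1"),              # connection bypassed the balancer
        ("192.168.10.1", ""),                       # no header, e.g. a health check
    ]
    for peer, xff in samples:
        print(f"peer={peer:<14} xff={xff!r:<26} -> {client_ip(peer, xff)}")
```

With the Transparent pool option enabled the backend sees the client address directly, so the header is not needed there.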

Creating the pool of servers whose traffic will be balanced (Pools)

  1. Go to the Pools tab. Click +.
  2. Set the pool name, select the algorithm (I will use round robin) and the type of monitoring for the backend health check. The Transparent option indicates whether the original source IPs of the clients are visible to the internal servers.
    • If the option is disabled, traffic to the internal servers comes from the balancer's source IP.
    • If the option is enabled, the internal servers see the clients' source IP. In this configuration, NSX Edge must act as the default gateway to ensure that returned packets pass through NSX Edge.

    NSX supports the following balancing algorithms:

    • IP_HASH - server selection based on the result of a hash function over the source and destination IP of each packet.
    • LEASTCONN - balancing of incoming connections depending on the number already present on a particular server. New connections are directed to the server with the fewest connections.
    • ROUND_ROBIN - new connections are sent to each server in turn, according to the weight assigned to it.
    • URI - the left part of the URI (before the question mark) is hashed and divided by the total weight of the servers in the pool. The result indicates which server receives the request, ensuring that the request is always directed to the same server as long as all servers remain available.
    • HTTPHEADER - balancing based on a specific HTTP header, which can be specified as a parameter. If the header is missing or has no value, the ROUND_ROBIN algorithm is used.
    • URL - each HTTP GET request is searched for the URL parameter specified as the argument. If the parameter is followed by an equals sign and a value, the value is hashed and divided by the total weight of the running servers. The result indicates which server receives the request. This process is used to track user IDs in requests and to ensure that the same user ID is always sent to the same server as long as all servers remain available.

  3. In the Members block, click + to add servers to the pool.

    Here you need to specify:

    • the server name;
    • the server IP address;
    • the port on which the server will receive traffic;
    • the port for the health check (Monitor healthcheck);
    • weight - with this parameter you can adjust the proportional amount of traffic received by a particular pool member;
    • Max Connections - the maximum number of connections to the server;
    • Min Connections - the minimum number of connections the server must process before traffic is forwarded to the next pool member.

    This is what the final pool of three servers looks like.
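Added example, not from the original article and not NSX code: a small model of the ROUND_ROBIN, URI and IP_HASH selection described in the algorithm list above, which also goes one step further and shows which URIs change member when a server leaves the pool (the "as long as all servers remain available" caveat). The pool names, the weights and the use of SHA-256 as the hash are assumptions.

```python
import hashlib
from itertools import cycle, islice
from urllib.parse import urlsplit

# Constructed pool of (member name, weight); names and weights are illustrative.
POOL = [("web-01", 1), ("web-02", 1), ("web-03", 1)]


def slots(pool):
    """Expand the pool into one slot per unit of weight."""
    return [name for name, weight in pool for _ in range(weight)]


def bucket(key, pool):
    """Hash a key and reduce it modulo the total weight of the pool."""
    table = slots(pool)
    digest = hashlib.sha256(key.encode()).digest()  # stand-in hash function
    return table[int.from_bytes(digest[:8], "big") % len(table)]


def round_robin(pool, count):
    """ROUND_ROBIN: the first `count` picks, each member taken by weight."""
    return list(islice(cycle(slots(pool)), count))


def uri_pick(pool, url):
    """URI: only the part left of the question mark decides the member."""
    return bucket(urlsplit(url).path, pool)


def ip_hash_pick(pool, src_ip, dst_ip):
    """IP_HASH: the source and destination addresses decide the member."""
    return bucket(f"{src_ip}>{dst_ip}", pool)


def moved_after_failure(pool, failed, urls):
    """URLs whose member changes once `failed` leaves the pool."""
    rest = [(n, w) for n, w in pool if n != failed]
    return [u for u in urls if uri_pick(pool, u) != uri_pick(rest, u)]


if __name__ == "__main__":
    print(round_robin(POOL, 4))
    print(round_robin([("web-01", 2), ("web-02", 1)], 6))
    urls = [f"/app/page{i}?user={i}" for i in range(12)]  # constructed requests
    print({u: uri_pick(POOL, u) for u in urls[:3]})
    print(len(moved_after_failure(POOL, "web-03", urls)), "of", len(urls), "URIs moved")
```

Because the hash is reduced modulo the total weight, removing one member can move URIs that were never served by it, which matters when backends hold per-URI caches or session state.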

Adding a Virtual Server

  1. Go to the Virtual Servers tab. Click +.
  2. Enable the virtual server with Enable Virtual Server.
    Give it a name, select the previously created Application Profile and Pool, and specify the IP address on which the Virtual Server will receive requests from outside. Specify the HTTPS protocol and port 443.
    Optional parameters here:
    Connection Limit - the maximum number of simultaneous connections the virtual server can handle;
    Connection Rate Limit (CPS) - the maximum number of new incoming requests per second.

This completes the balancer configuration, and you can check that it works. The servers have a simple configuration that lets you see which server in the pool handled the request. During setup we chose the Round Robin balancing algorithm, and the Weight parameter of each server is equal to one, so each subsequent request will be handled by the next server in the pool.
Enter the external address of the balancer in the browser and see:

After refreshing the page, the request will be handled by the next server:

And once more, to check the third server in the pool:

When checking, you can see that the certificate the Edge sends us is the same one we generated at the very beginning.

You can also check the balancer status from the Edge gateway console. To do this, enter show service loadbalancer pool.

Configuring a Service Monitor to check the state of the servers in the pool
With a Service Monitor we can monitor the state of the servers in the backend pool. If the response to a request is not as expected, the server can be taken out of the pool so that it does not receive any new requests.
By default, three check methods are configured:

  • TCP monitor,
  • HTTP monitor,
  • HTTPS monitor.

Let's create a new one.

  1. Go to the Service Monitoring tab, click +.
  2. Choose:
    • the name of the new method;
    • the interval at which requests will be sent,
    • the timeout for waiting for a response,
    • the monitoring type - an HTTPS request using the GET method, the expected status code 200 (OK), and the request URL.
  3. This completes the setup of the new Service Monitor; now we can use it when creating a pool.

Configuring Application Rules

Application Rules are a way to manipulate traffic based on certain triggers. With this tool we can create advanced load-balancing rules that may not be possible through Application Profiles or other services available on the Edge Gateway.

  1. To create a rule, go to the Application Rules tab of the balancer.
  2. Choose a name and the script that the rule will use, and click Keep.
  3. After the rule is created, we need to edit the already configured Virtual Server.
  4. On the Advanced tab, add the rule we created.

In the example above we enabled tlsv1 support.

A few more examples:

Redirecting traffic to another pool.
With this script we can redirect traffic to another balancing pool if the main pool is down. For the rule to work, multiple pools must be configured on the balancer and all members of the main pool must be in the down state. You must specify the pool name, not its ID.

acl pool_down nbsrv(PRIMARY_POOL_NAME) eq 0
use_backend SECONDARY_POOL_NAME if pool_down

Redirecting traffic to an external resource.
Here we redirect traffic to an external website if all members of the main pool are down.

acl pool_down nbsrv(NAME_OF_POOL) eq 0
redirect location http://www.example.com if pool_down

More examples here.

That's all from me about the balancer. If you have any questions, ask, I'm ready to answer.

Source: www.habr.com