
I have a certain distributed (as in, multiple components on multiple machines) service that should be made available from the outside world. So, in LVS terminology, the clients are "on the internet", while the realservers are in the private network. This, as I understand, is not particularly difficult to set up using LVS.

But (there's always a but!) there are some components on the private network that should be load balanced (actually, for this part I am not concerned about "load". I just need the failover capability), but their clients are also on the private network. For example, the application server's access to queue brokers must go through a load balancer.

Can I use the same director for both tasks? Obviously, it will have at least two network interfaces (one on the external, one on the private network).

Ideally, I'll need to provide redundancy for the director via VRRP (presumably, utilizing keepalived for that).

Does this setup make any sense? Is it normal at all to do it this way? Perhaps I am better off using a separate load-balancer for internal-only traffic? It is kind of undesirable, though, since it will introduce at least 2 extra machines that will not be used much, since the queue brokers receive minimal traffic (all I need is failover).

shylent

1 Answer


For internal load balancing I have taken to using HAProxy on each originating server and proxying to other internal servers. This is not a great solution for load-balancing as it only has a partial view of the requests, but it works well for failover without having to set up a new lb pair/keepalived or using the public facing infrastructure. You can still use round-robin or leastconn balancing and maxconn to mitigate spikes from affecting the rest of your infrastructure.

This started in particular after trying to automate setting up lb-pairs for new services. After a year of use this technique hasn't had any problems unique to this setup. This also allows rolling out LB changes per originating node instead of messing with the single pair.

  • While this is certainly a possible solution, it seems that we will lose the ability to "guard the guardsmen", that is, HAProxy becomes the SPOF (in contrast to the VRRPd directors) – shylent Apr 21 '13 at 17:28
  • Actually, your answer got me thinking that I might not need to use LVS for load-balancing/ha on the private network. I can probably use 2 machines with haproxy and make them highly available using heartbeat or VRRP. Wish I could upvote you twice. – shylent Apr 21 '13 at 17:45
  • HAProxy becomes a single point of failure as much as that single box is; if you are worried about HAProxy becoming a SPOF then you would have multiple originating boxes as well. Deploying changes to it can be controlled as well by only updating a portion of the nodes at once. Our applications would verify the backends were working in their healthcheck so requests would not be routed to that server if it couldn't connect to the backends. – Philip Cristiano Apr 21 '13 at 18:15
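
A sketch of the per-host HAProxy setup the answer describes, for the question's application-server-to-queue-broker case. This is an added example, not the answerer's own configuration; the broker addresses, port 5672, connection limits and names are constructed placeholders.

```haproxy
# Added example: local HAProxy on each application server, fronting the
# internal queue brokers. Addresses, port and names are assumed placeholders.
global
    maxconn 1024                  # process-wide cap on concurrent connections

defaults
    mode tcp                      # proxy broker traffic at layer 4
    timeout connect 3s
    timeout client  1h            # broker connections are long-lived
    timeout server  1h
    # Health-check cadence: probe every 2s, mark down after 3 failures,
    # mark up again after 2 successes.
    default-server inter 2s fall 3 rise 2

listen queue_brokers
    # Loopback only: the application connects to 127.0.0.1 and the proxy
    # is not reachable from other hosts on the private network.
    bind 127.0.0.1:5672
    balance leastconn
    # Per-server maxconn keeps a spike on this host from exhausting a broker.
    server broker1 10.0.0.11:5672 check maxconn 200
    server broker2 10.0.0.12:5672 check maxconn 200
    # For failover only (no balancing), append "backup" to broker2 so it
    # receives traffic only while broker1 is failing its checks.
```

Running `haproxy -c -f` against the file checks the configuration before it is rolled out to a subset of nodes.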