4

I've got 2 servers, let's call them 'node1' and 'node2', installed at a data centre. They run our application software. They are interchangeable, and each has a full copy of all customers' databases. We want customers to be able to log into a single IP address, and have connections go to node1 if it's up, otherwise node2. (Automatic failover is more of a concern for us than load balancing, although in future we may configure load balancing too.)

Our requirements are very simple: we can supply a URL to use as the health check, and if that's responding on 'node1' then all traffic should go there in preference to 'node2'.

The data-centre wants us to pay $3000 for a dedicated load balancer appliance. But they also say that their firewall has the ability to do this automatic failover _in_theory_, although they've never had a customer use that feature. I don't understand why such a simple task needs dedicated hardware or even a virtual server. Why wouldn't any small company prefer to do the load balancing in the firewall? It's less cost, fewer hops, less complexity...? What is it that I don't know about LTM (local traffic management)?

Tim Cooper
    It all depends very much on what specific equipment is involved. – womble Nov 11 '15 at 00:43
  • Brand specifics make all the difference – Jacob Evans Nov 11 '15 at 04:16
  • I'd also ask the 'datacenter' if the firewall and load balancer are highly available and redundant; if not, then that's a problem too – Jacob Evans Nov 11 '15 at 04:19
  • 1
    Would any self-respecting datacenter use a firewall that was not highly available? (Pardon my naivety). – Tim Cooper Nov 11 '15 at 06:55
  • 2
    And of course there's a third viable option, software based routing of traffic, such as HAProxy. And a fourth, DNS based, like through Amazon AWS Route 53. Do a SWOT analysis on these four and chances are you can keep the $3K. – JayMcTee Nov 11 '15 at 07:38
  • Why do you buy a screwdriver when a hammer does the job as well? Because for screws a screwdriver is better suited. Firewalls and load balancers have very unique requirements and the advantage of a hardware appliance is that they can contain specialized hardware for the specific task. A load balancer may need to be able to do SSL termination and/or re-encryption. For that some brands have specialized CPUs. Whether you need that or not is something you have to decide. Another thing to consider is that if no other customer uses that functionality of the FW you risk problems getting support. – Bram Nov 11 '15 at 11:50
  • @JacobEvans Why does the brand specific make a difference? What will a gold-plated load balancer do which a simple firewall won't do? (I'm assuming a reputable datacentre has highly available firewalls, and I don't need SSL re-encryption). – Tim Cooper Nov 17 '15 at 01:54
  • Some check services, others session load, others just do round robin, some just tcp socket rr – Jacob Evans Nov 17 '15 at 01:56
  • While I think that you're right that failover is enough for your case, and I've seen nice "middle ground" as load balancer pools in Juniper firewalls or even pfSense... I still think you're wrong with one thing: the words "such a simple task". Don't assume anything is simple unless you've already mastered it. Load balancing is part of highly redundant infrastructures and we can aim to get it simple, but basically - do that for a job and one day you get the ticket that you spend days on and never really figure out because it's some twisted TCP bug. Nothing is simple if you look closely. – Florian Heigl Nov 17 '15 at 02:41

2 Answers

4

There is no reason for a dedicated load balancer if the firewall can be configured to do this basic task. What you are running up against is the expertise of the hosting service. They do it way X because that is the most efficient use of their resources. They maybe don't have the expertise; as stated, they definitely don't have the experience to set it up and, more importantly, to support it economically. Just for comparison, consider that an AWS ELB balances, health-checks and routes traffic for 19 bucks a month. What it also does is completely unpack SSL for you. You don't need to worry about SSL at all on your application servers.

(Personally, if you have two servers, I would use sticky load balancing between them anyway).

mianos
1

I don't think the firewall will provide the failover you describe, despite what you have described. Generally firewalls only look at traffic and decide if it should go through or not. They are intended for analyzing lots of traffic quickly (billions of Ethernet frames per second) and will probably not look past the TCP/UDP headers. If the firewall offers failover, it is probably more primitive and only checks if a MAC address or IP is reachable. Maybe if a TCP port is open.

Of course, if the firewall does as you described, then it is not a pure firewall, and may have performance implications. Does it do NAT or act as a routing gateway as well, or is it only a bridge? You haven't mentioned performance at all, so if that is not your concern and your firewall can do failover, then of course, why would you spend $3000 when your needs are met for free?

If you find that this firewall does not do failover as you want, you may consider introducing a gateway or bridge that can, but you'll need to pay for another machine for this. (If you need performance, spend the $3000 on the dedicated load balancer.) You could introduce a machine with haproxy, as JayMcTee suggested in the comments. But what if this additional machine fails? The firewall is already a single point of failure; do you really want to introduce another one? A DNS-based failover like Route 53 (again suggested by JayMcTee) would help to eliminate an additional single point of failure, but then there would be a [configurable] delay in the failover.

I really need more information on your needs to make the right choice.

Jayen
  • 1
    The firewall has a software feature to do "health checks" on a URL that can be configured, polling the URL every 15 seconds. So I believe it will do failover as described. Performance is of course a consideration, but I can't understand how sending traffic through yet another server is going to improve performance? Nothing could be faster than doing failover in the firewall, right? And about the firewall being a single point of failure, I'm assuming the datacentre has solved this problem and I don't want the responsibility of doing my own redundant load balancers. – Tim Cooper Nov 17 '15 at 02:12
  • So it sounds like you have your answer. Your firewall will probably only do 100Mbps (slow), but if your internet is only 20Mbps (slower), it doesn't really matter. You can install another machine (server/appliance), which will be able to handle 20Mbps no problem, but yes, it will add some delay for the extra hop (we're talking ns). – Jayen Nov 17 '15 at 02:20
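As an added example (not part of the question or either answer), here is an HAProxy configuration implementing the active/passive behaviour the asker describes, the software route JayMcTee and Jayen mention: all traffic goes to node1 while its health-check URL answers, and node2 takes over only when node1 is marked down. The addresses, hostnames, port numbers and the /health path are assumptions; the 15-second check interval mirrors the firewall's polling period quoted in the comments.

```haproxy
# Added example, not from the original thread. Addresses, ports and the
# /health URL are assumed placeholders; replace them with your own.
global
    log /dev/log local0
    maxconn 4096

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# The single address customers log into (assumed documentation-range IP).
frontend customers
    bind 203.0.113.10:80
    default_backend app_nodes

backend app_nodes
    # Health check: GET the supplied URL every 15 s and require a 200.
    # A node is marked DOWN after 2 consecutive failures ("fall") and
    # UP again only after 3 consecutive successes ("rise"), so a single
    # slow response does not flap traffic between the nodes.
    option httpchk GET /health
    http-check expect status 200
    default-server inter 15s fall 2 rise 3

    # node1 carries all traffic while healthy. node2 is a "backup" server:
    # it receives connections only while every non-backup server is DOWN.
    # This is failover, not load balancing; drop the "backup" keyword and
    # add "balance roundrobin" above if load sharing is wanted later.
    server node1 10.0.0.11:8080 check
    server node2 10.0.0.12:8080 check backup

# Local-only status page showing which node is currently UP/DOWN, useful
# when verifying a failover rather than guessing from customer reports.
listen stats
    bind 127.0.0.1:8404
    stats enable
    stats uri /stats
    stats refresh 15s
```

The HAProxy host itself remains a single point of failure, as Jayen notes; the configuration above only removes the dependency on the firewall's failover feature.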