In my project, we already have an external load balancer. However, there are several teams within the organisation which use our internal load balancer. I want to know why we need an internal load balancer if we already have a public-facing external load balancer? Please elaborate.
- Simply to reduce the public exposure! Reduce attack surface. Security best practice. – guillaume blaquiere Jul 06 '20 at 12:58
- @guillaumeblaquiere but we already have an external public-facing load balancer. Then why is an internal load balancer needed in this case? – XYZ Jul 06 '20 at 13:59
2 Answers
I'm answering your question from the comment here because it's too long for a comment.
Some things are internal, others are external. For example:
- You have an external TCP/UDP load balancer
- Your external load balancer accepts connections on port 443 and redirects them to your backend with NGINX installed on it
- Your backend needs a MongoDB database. You install your database on a compute instance and you choose to abstract the VM IP and to use your load balancer
- You define a new backend on your external load balancer on port 27017
RESULT: Because the load balancer is external, your MongoDB is publicly exposed on port 27017.
If you use an internal load balancer, that's not the case, and you increase the security. Only the web-facing port is open (443); the rest is not accessible from the internet, only from within your project.
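As an added example (not code from this answer or from Google's tooling), a small Python audit that applies the point above to a list of forwarding rules in the shape of `gcloud compute forwarding-rules list --format=json`: any EXTERNAL-scheme rule that opens a port other than the allowed web ports is flagged, so the MongoDB-on-27017 mistake described above shows up, while the same backend behind an INTERNAL rule does not. Field names are assumed from the Compute API ForwardingRule resource, and all rule values are constructed.

```python
import json

# Constructed sample resembling `gcloud compute forwarding-rules list --format=json`.
# Field names assumed from the Compute API ForwardingRule resource; values are made up.
SAMPLE_RULES = [
    {"name": "web-fr", "loadBalancingScheme": "EXTERNAL", "IPProtocol": "TCP",
     "IPAddress": "203.0.113.10", "portRange": "443-443", "target": "web-proxy"},
    # The mistake from the answer: MongoDB added as a backend of the external LB.
    {"name": "mongo-fr-bad", "loadBalancingScheme": "EXTERNAL", "IPProtocol": "TCP",
     "IPAddress": "203.0.113.10", "portRange": "27017-27017", "backendService": "mongo-bes"},
    # The fix: same backend behind an internal forwarding rule on a private VPC address.
    {"name": "mongo-fr-ilb", "loadBalancingScheme": "INTERNAL", "IPProtocol": "TCP",
     "IPAddress": "10.128.0.5", "ports": ["27017"], "backendService": "mongo-bes"},
]


def rule_ports(rule):
    """Expand a rule's portRange ("lo-hi") and/or ports list into a set of ints."""
    ports = set()
    ranges = [rule["portRange"]] if "portRange" in rule else []
    ranges += [str(p) for p in rule.get("ports", [])]
    for spec in ranges:
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def is_public(rule):
    """EXTERNAL and EXTERNAL_MANAGED front a public IP; INTERNAL* stay inside the VPC."""
    return rule.get("loadBalancingScheme", "EXTERNAL").startswith("EXTERNAL")


def exposed_rules(rules, allowed_public_ports=frozenset({80, 443})):
    """Return (rule name, offending ports) for public rules opening non-web ports."""
    findings = []
    for rule in rules:
        if not is_public(rule):
            continue  # internal LB: not reachable from the internet, nothing to flag
        offending = rule_ports(rule) - set(allowed_public_ports)
        if offending:
            findings.append((rule["name"], sorted(offending)))
    return findings


if __name__ == "__main__":
    for name, ports in exposed_rules(SAMPLE_RULES):
        print(f"{name}: ports {ports} are reachable from the internet; "
              "move this backend behind an INTERNAL forwarding rule")
```

On real output, pipe the JSON into `json.load` and pass the resulting list to `exposed_rules`.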
- I get the usage of an internal load balancer. I just want to know: if there is already an external load balancer for a particular service, then why might an internal load balancer be needed for that same service if some other team is using this service? – XYZ Jul 19 '20 at 16:23
- If you reuse your external load balancer, you expose your internal communication/ports on the internet, and you increase your attack surface. It's less secure, that's all! – guillaume blaquiere Jul 19 '20 at 18:11
- Why can't the other team use the external load balancer only on the same port as the internet? Why is there a need for an internal load balancer in this scenario at all? – XYZ Jul 19 '20 at 18:34
- I don't understand your concern. For external communication, use an external load balancer. For internal communication, and ONLY IF YOU WANT TO HAVE A BETTER LEVEL OF SECURITY, use an internal load balancer. Of course, you can reuse your external load balancer for internal services, but it's not recommended! – guillaume blaquiere Jul 19 '20 at 18:48
- Because you expose internal communications on the internet. And that exposes you to attacks from outside on these internal-only flows. – guillaume blaquiere Jul 20 '20 at 07:43
You should check the documentation and then decide whether your use case requires an internal load balancer or not. Below you can find links to the Google Cloud documentation and an example.
First, have a look at the documentation Choosing a load balancer:
To decide which load balancer best suits your implementation of Google Cloud, consider the following aspects of Cloud Load Balancing:
- Global versus regional load balancing
- External versus internal load balancing
- Traffic type
After that, have a look at the Cloud Load Balancing overview documentation, section Types of Cloud Load Balancing:
External load balancers distribute traffic coming from the Internet to your Google Cloud Virtual Private Cloud (VPC) network. Global load balancing requires that you use the Premium Tier of Network Service Tiers. For regional load balancing, you can use Standard Tier.
Internal load balancers distribute traffic to instances inside of Google Cloud.
and
The following diagram illustrates a common use case: how to use external and internal load balancing together. In the illustration, traffic from users in San Francisco, Iowa, and Singapore is directed to an external load balancer, which distributes that traffic to different regions in a Google Cloud network. An internal load balancer then distributes traffic between the us-central-1a and us-central-1b zones.
You can find more information in the documentation.
UPDATE Have a look at the possible use cases for the internal HTTP(S) load balancer and for the internal TCP/UDP load balancer and check whether they're suitable for you and whether using them could improve your service.
It's not required to use an internal load balancer if you don't need it.
- But that does not answer my question. Maybe it's not clear. There is already an external load balancer exposed to the internet. Then what is the need for an internal load balancer if some internal team is using your service? Why can't they use the external load balancer only? – XYZ Jul 06 '20 at 14:05
- I've updated my answer with some use cases. Is it possible for you to update your question with the current diagram of your service? – Serhii Rohoza Jul 06 '20 at 15:06
- @XYZ I am also trying to figure this out myself, but I think it's because there will be a performance impact if you just use an external load balancer, as it will route out to the internet first and then route internally. Whereas if you use just an internal load balancer, your traffic does not go out to the internet first and so it is slightly faster. – Toofy May 05 '21 at 15:30