A detailed walkthrough of load balancing principles, with diagrams

The origin of load balancing

In the early stage of a business, a single server is generally used to serve users. As traffic grows, no amount of tuning or better hardware can push a single server past its performance ceiling. Once one server can no longer meet the business needs, multiple servers have to be combined into a cluster to raise overall processing capacity.

Given that requirement, we need a single entry point for traffic that serves the outside world. Essentially it is a traffic scheduler that distributes the large volume of user requests evenly across the servers in the cluster using a balancing algorithm. That is the load balancing discussed here.

Using load balancing can bring us several benefits:

  • Improve the overall performance of the system;
  • Improve the scalability of the system;
  • Improve the availability of the system;

Types of load balancing

Broadly, load balancers fall into three categories: DNS-based load balancing, hardware load balancing and software load balancing.

(1) DNS-based load balancing

DNS is the most basic and simplest way to achieve load balancing. A domain name is resolved to several IP addresses, each belonging to a different server instance, and that alone spreads the traffic. No dedicated load balancer is involved, but a simple form of load balancing is achieved.

The biggest advantages of DNS-based load balancing are simplicity and low cost: there is no load-balancing equipment to build or maintain. It has clear disadvantages, though:

  • Failover is slow and server upgrades are inconvenient. There are layers of caching between the authoritative DNS and the user. Even if a faulty server is removed from the DNS record promptly, the change has to age out of the operators' recursive resolver caches, and those caches often do not honour the TTL, so the change takes effect very slowly; it is common to still see a trickle of requests to the removed address a day later.
  • Uneven traffic distribution and coarse granularity. How evenly DNS spreads traffic depends on how each regional operator's LocalDNS returns the IP list; some operators do not rotate through the multiple IP addresses at all. The number of users behind a given operator's LocalDNS is another major source of imbalance, since one cached answer serves all of them.
  • The distribution strategy is too simple and few algorithms are supported. DNS generally only supports round robin (rr); it does not support weighted scheduling, hashing or other scheduling algorithms.
  • The number of IPs a DNS answer can carry is limited. DNS normally carries answers in UDP datagrams; a classic DNS message is limited to 512 bytes (RFC 1035) unless EDNS0 is negotiated, in which case the path MTU becomes the limit, and a truncated answer forces a fallback to TCP. Either way the number of A records that fit in one answer is small. Alibaba's DNS system, for example, supports at most 10 different IP addresses for the same domain name.

In practice this method is rarely used on its own for load balancing in production, since its shortcomings are obvious. It is described here mainly to make the concept of load balancing clearer.

Companies like BAT (Baidu, Alibaba, Tencent) generally use DNS for geographic, global-level load balancing: directing users to the nearest site to reduce latency. This is the coarse, first-level balancing of ingress traffic; below it sits a more specialised load-balancing architecture built on dedicated devices.

(2) Hardware load balancing

Hardware load balancing uses a dedicated appliance built for the purpose. The two typical vendors of such devices in the industry today are F5 and A10.

These devices are powerful and feature-rich, but very expensive. Generally only well-funded companies use them; small and medium-sized companies usually cannot afford them, and with their traffic volumes such devices would be wasted anyway.

Advantages of hardware load balancing:

  • Rich functionality: full support for load balancing at every layer and a comprehensive set of balancing algorithms.
  • High performance: far beyond ordinary software load balancers.
  • High stability: commercial hardware load balancers have been through rigorous testing and large-scale deployment.
  • Security features: they usually also provide a firewall, anti-DDoS protection and SNAT.

The disadvantages of hardware load balancing are also obvious:

  • Expensive;
  • Poor scalability, unable to expand and customize;
  • Debugging and maintenance are more troublesome and require professionals;

(3) Software load balancing

Software load balancing runs load-balancing software on ordinary servers. The common choices today are Nginx, HAProxy and LVS. The differences:

  • Nginx: primarily a layer-7 (HTTP) load balancer that also proxies mail protocols; with its stream module it supports layer-4 (TCP/UDP) load balancing as well;
  • HAProxy: supports both layer-7 (HTTP) and layer-4 (TCP) rules with very good performance; it is the load balancer OpenStack uses by default;
  • LVS: runs in kernel space and has the highest performance of the software load balancers. It schedules on IP address and port (layer 4) and never parses the application protocol, so it is the most general and suits any TCP/UDP service.

Advantages of software load balancing:

  • Easy to operate: both deployment and maintenance are relatively simple;
  • Cheap: only the cost of the server is required, and the software is free;
  • Flexible: Layer 4 and Layer 7 load balancing can be selected according to business characteristics, which facilitates expansion and customization.

LVS load balancing

The main software load balancers are Nginx, HAProxy and LVS, all widely used. Layer-4 load balancing is almost always done with LVS; large companies such as BAT are reportedly heavy LVS users, because its performance saves them a great deal of money.

LVS, short for Linux Virtual Server, is an open source project started by Dr. Zhang Wensong from China and has an active community. It is a powerful layer-4 load balancer.

Its kernel component, IPVS, is part of the mainline Linux kernel. It is reliable, fast, scalable and easy to operate, and delivers top performance at low cost.

Basic principles of Netfilter

LVS implements load balancing on top of the netfilter framework in the Linux kernel, so you need a rough understanding of how netfilter works before studying LVS. Netfilter itself is complex. What we usually call "the Linux firewall" is netfilter; iptables, which we actually type commands into, is only the user-space tool that writes and loads rules. Netfilter is the part that does the work. The figure below gives a simplified view of its working mechanism:

Netfilter is the kernel-space firewall mechanism of Linux. As a general, abstract framework it provides a complete set of hook management mechanisms and, on top of them, packet filtering, network address translation and connection tracking for the various protocols.

Put simply, netfilter defines a number of points (hooks) along a packet's path through the network layer at which registered functions run. There are five hook points: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.

  • PREROUTING: every packet that has just entered the network layer, before the routing decision
  • INPUT: packets that the routing lookup determined are addressed to this host
  • FORWARD: packets that the routing lookup determined must be forwarded, before they reach POSTROUTING
  • OUTPUT: packets just generated by a local process
  • POSTROUTING: packets that have been routed (whether forwarded or locally generated) and are about to leave the host

When a packet arrives on a network card and passes up from the link layer into the network layer, it first hits PREROUTING, then a routing lookup is done on its destination IP. If the destination IP belongs to the local host, the packet goes on to INPUT, up through the protocol stack, and is handed to the application listening on the destination port.

After the application has processed the request, the response packet passes through OUTPUT and then POSTROUTING before being sent out of the network card.

If the destination IP is not the local host and forwarding (ip_forward) is enabled on the server, the packet is handed to FORWARD and then POSTROUTING, and leaves through the network card.

Basic Principles of LVS

LVS is built on the netfilter framework and does its main work at the INPUT hook: it registers the ip_vs_in hook function there, and that function runs the main IPVS processing. The general flow is shown in the figure:

  • When a user visits www.sina.com.cn, the request passes through the network layer by layer, finally enters the LVS server's network card via the switch, and goes up into the kernel network layer.
  • After PREROUTING, the routing lookup finds that the destination VIP is a local address, so the packet goes to the INPUT chain.
  • LVS works at the INPUT chain. Based on the destination IP:port it decides whether the packet belongs to an LVS service; if so it runs the main IPVS processing, rewrites the relevant fields of the packet as the mode requires, and hands it on towards POSTROUTING.
  • At POSTROUTING the packet is routed on its (possibly rewritten) destination, the real back-end server, and sent out to that server.
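The step in which LVS picks a real server depends on the configured scheduler. As an added example (not IPVS code; the servers and client addresses are constructed), the following Python models three of the schedulers IPVS offers, rr, wrr and sh, so the difference between them, and what plain DNS round robin lacks, is visible:

```python
"""Real-server selection in the LVS main process: three IPVS-style schedulers.

Added example, not IPVS code. Implements round robin (rr), weighted round
robin (wrr) and source hashing (sh) in plain Python; servers and client
addresses are constructed.
"""
from dataclasses import dataclass
from functools import reduce
from math import gcd
import ipaddress


@dataclass(frozen=True)
class RealServer:
    rip: str
    weight: int = 1


class RoundRobin:
    """rr: next server each time, weights ignored (what plain DNS round robin gives)."""
    def __init__(self, servers):
        self.servers, self.i = list(servers), -1

    def pick(self, cip: str) -> RealServer:
        self.i = (self.i + 1) % len(self.servers)
        return self.servers[self.i]


class WeightedRoundRobin:
    """wrr as described in the LVS documentation: cycle through the servers with
    a current weight that steps down by gcd(weights) each full pass; a server is
    chosen when its weight >= current weight, so weight 3 gets 3 of every 4 picks."""
    def __init__(self, servers):
        self.servers = list(servers)
        if not any(s.weight > 0 for s in self.servers):
            raise ValueError("all weights are 0; nothing to schedule")
        self.maxw = max(s.weight for s in self.servers)
        self.gcdw = reduce(gcd, (s.weight for s in self.servers))
        self.i, self.cw = -1, 0

    def pick(self, cip: str) -> RealServer:
        while True:
            self.i = (self.i + 1) % len(self.servers)
            if self.i == 0:
                self.cw -= self.gcdw
                if self.cw <= 0:
                    self.cw = self.maxw
            if self.servers[self.i].weight >= self.cw:
                return self.servers[self.i]


class SourceHash:
    """sh: a 256-slot table filled by weight, indexed by a multiplicative hash of
    the client IP; the same client always lands on the same RS (stickiness).
    Simplified from the kernel version (same multiplier, simpler table fill)."""
    SIZE = 256

    def __init__(self, servers):
        # Fill the slots in wrr order so each server owns slots in proportion to its weight
        wrr = WeightedRoundRobin(servers)
        self.table = [wrr.pick("") for _ in range(self.SIZE)]

    def pick(self, cip: str) -> RealServer:
        key = (int(ipaddress.IPv4Address(cip)) * 2654435761) & (self.SIZE - 1)
        return self.table[key]


def schedule(sched, cips):
    """Feed a list of client IPs through a scheduler; return the chosen RIPs in order."""
    return [sched.pick(c).rip for c in cips]


if __name__ == "__main__":
    rs = [RealServer("10.0.0.11", 3), RealServer("10.0.0.12", 1)]   # constructed
    clients = ["203.0.113.%d" % i for i in range(1, 9)]             # constructed
    print("rr :", schedule(RoundRobin(rs), clients))
    print("wrr:", schedule(WeightedRoundRobin(rs), clients))
    print("sh :", schedule(SourceHash(rs), clients))
```

With weights 3:1, rr still alternates 1:1, wrr yields the pattern S0,S0,S0,S1 and sh returns the same RS for a given client every time; these are exactly the weight and hash strategies the DNS section notes are missing from DNS round robin.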

The open source version of LVS has three working modes. Each works differently, with its own advantages, disadvantages and suitable scenarios:

  • DR mode
  • NAT mode
  • Tunnel mode

One more mode has to be mentioned: FullNAT, which is not in the open source kernel version. It originated at Baidu and was further developed at Alibaba, whose team open-sourced it. The code is at:

  • https://github.com/alibaba/lvs

The LVS official website also links to downloads, but FullNAT has never been merged into the mainline kernel.

A separate chapter will cover FullNAT in detail. DR, NAT and Tunnel mode are described in detail below.

Principle of DR mode implementation

The basic LVS principle diagram above is fairly simple and describes the general flow. This section explains in detail how DR mode is implemented.

DR is in fact the most commonly used mode because of its performance. The following walks through the request and response of a single connection to describe how DR mode works.

(1) Implementation principle process

① When the client requests the home page of www.sina.com.cn, the request packet travels across the network and arrives at the network card of Sina's LVS server. Its source IP is the client's IP address (CIP) and its destination IP is Sina's public service address, the VIP. At this point the source MAC is the MAC of the router that faces LVS (written CMAC for simplicity) and the destination MAC is the MAC that answers for the VIP, written VMAC.

② The packet comes up through the link layer and reaches PREROUTING (it has just entered the network layer). The routing lookup finds that the destination IP is the VIP of this LVS host, so it is handed to the INPUT chain. Nothing in the packet's MAC, IP or port fields has been modified yet.

③ The packet reaches the INPUT chain, where LVS does its main work. LVS checks the destination IP and port against its configured services. If they match a defined VIP service, it selects one real server from the list (call it RS1) according to its configuration, then looks up the outbound route with RS1 as the target to determine the next hop and the network card the packet will leave through. Finally the packet is handed on through the OUTPUT and POSTROUTING chains.

④ After POSTROUTING the packet passes from the network layer down to the link layer, where its destination MAC is changed to the real server's MAC (RMAC) and its source MAC to the MAC of the LVS interface on the segment shared by LVS and the RS (its self IP, written DMAC). The IP header, including the destination VIP, is untouched. The switch then forwards the packet to the real server (the switch is left out of the figure for simplicity).

⑤ When the request packet arrives at the real server, the link layer sees that the destination MAC is its own network card, and the routing lookup at the network layer finds that the destination IP (the VIP, which is configured on the lo interface) is local. The packet is therefore passed up the stack to the application (for example nginx), which handles the request and generates a response packet.

The RS then looks up the route to the CIP to determine the next hop and the outgoing network card. The response packet has source IP VIP and destination IP CIP, source MAC RMAC (the RS's own) and destination MAC that of the next-hop router (again written CMAC for simplicity). The router attached to the RS forwards the packet to the real client, completing the request and response.

The whole flow shows that DR mode is logically simple: request packets are forwarded to the back-end server by direct routing (a layer-2 rewrite only), and response packets go straight from the RS to the client without passing through LVS.

Request packets are usually small and response packets large, so the packets that actually traverse LVS are the small ones. This asymmetry is the main reason DR mode performs so well.

(2) Advantages and disadvantages and usage scenarios

  • Advantages of DR mode

Responses do not pass through LVS, so performance is high

The packet is barely modified, so all information is preserved (the client source IP reaches the RS)

  • Disadvantages of DR mode

LVS and the RSs must be on the same layer-2 network (cross-data-center deployment is not possible)

The VIP must be configured on lo on each RS, and the ARP-suppression kernel parameters (arp_ignore/arp_announce) must be set so the RS does not answer ARP for the VIP

Port mapping is not supported (the destination port is not rewritten, so the RS must listen on the VIP's port)

  • Use cases for DR mode

DR mode is the first choice when performance requirements are high, and it passes the client's source IP through transparently.

NAT mode implementation principle

The second LVS working mode is NAT mode. The figure below follows a packet from the client to LVS, on to the RS, then the response from the RS back through LVS, which returns it to the client.

(1) Implementation principle and process

① The user's request packet passes through the network and reaches the LVS network card. Its source IP is the CIP and its destination IP is the VIP.

② From the network card the packet enters the network layer at PREROUTING; the routing lookup on the destination IP confirms it is a local address and the packet goes to INPUT. Source and destination IP are unchanged.

③ At INPUT, LVS checks the destination IP and port to see whether this is an IPVS service. If so, it selects an RS as the back end, rewrites the destination IP of the packet to the RIP (and the destination port to the RS port if they differ), looks up the route with the RIP as destination to determine the next hop and egress interface, and hands the packet on to OUTPUT.

④ The rewritten packet passes through POSTROUTING and the link layer and reaches the RS. Its source IP is still the CIP and its destination IP is now the RIP.

⑤ On the RS the packet passes the link-layer and network-layer checks and is delivered to the user-space nginx process, which handles it and sends a response. Because the RS's default gateway is the LVS device's IP, the response is sent to LVS as its next hop. The source IP of the response is the RIP and the destination IP is the CIP.

⑥ When LVS receives the response from the RS, the routing lookup finds that the destination IP is not local; forwarding is enabled on the LVS server, so the packet goes to the FORWARD chain, still unmodified.

⑦ At FORWARD, LVS looks up its service and connection table using the packet's addresses and ports, rewrites the source IP (and port) back to the VIP (and VPORT), determines the next hop and egress interface by a route lookup, and sends the packet to the gateway. It travels across the network to the client, completing one request and response.

In NAT mode traffic in both directions passes through LVS, so NAT mode has a performance ceiling. Unlike the other modes, though, NAT supports port mapping and works with Windows real servers, since nothing special has to be configured on the RS beyond its default gateway.

(2) Advantages, disadvantages and usage scenarios

  • Advantages of NAT mode

Works with Windows real servers

Supports port mapping: if the RS port and the vport differ, LVS rewrites not only the destination IP but also the destination port

  • Disadvantages of NAT mode

The back-end RSs must use LVS as their gateway

Traffic in both directions puts a relatively heavy load on LVS

  • Use cases for NAT mode

If the real servers run Windows and you use LVS, NAT mode is the only choice.

Principles of Tunnel Mode Implementation

Tunnel mode is rarely used in China, although Tencent is said to use it heavily. It is also a one-arm mode: only the request traverses LVS, and the response goes straight from the back-end server to the client. Its performance is very good and it works across data centers. Look at the figure below to analyse the principle.

(1) Implementation principle and process

① The user's request packet passes through the network and reaches the LVS network card. Its source IP is the CIP and its destination IP is the VIP.

② From the network card the packet enters the network layer at PREROUTING; the routing lookup on the destination IP confirms it is local and the packet is handed to the INPUT chain, where LVS runs. Source and destination IP are unchanged.

③ At INPUT, LVS checks the destination IP and port to see whether this is an IPVS service. If so, it selects an RS, looks up the route with the RIP as destination to determine the next hop and outgoing device, prepends an additional IP header in front of the original one (source DIP, destination RIP), and hands the packet on to OUTPUT.

④ Following the routing information, the encapsulated packet leaves through the LVS network card to the router gateway and travels across the network to the back-end server.

⑤ When the back-end server receives the packet, the ipip module strips the tunnel header, revealing the original packet with source IP CIP and destination IP VIP. Because the VIP is configured on tunl0, the route lookup treats it as a local address and the packet is delivered to the application. nginx responds normally with the VIP as source IP and the CIP as destination IP; the response leaves through the network card and reaches the client directly.

Tunnel mode combines the performance of DR mode with the ability to span data centers, which sounds ideal. Chinese operators have their own peculiarities, however: the source IP of the RS's response is the VIP, and when the VIP and the back-end server sit in different operators' networks, the operator's policy may block that traffic. I have not used Tunnel mode in a production environment; it may be difficult to deploy in China.

(2) Advantages, disadvantages and usage scenarios

  • Advantages of Tunnel mode

One-arm mode, low load on LVS

The packet is barely modified, so all information is preserved

Can span data centers (though this is hard to realise in China)

  • Disadvantages of Tunnel mode

The ipip module must be installed and configured on the back-end servers

The VIP must be configured on tunl0 on the back-end servers

The extra tunnel header can cause fragmentation and hurt server performance

The addresses in the tunnel header are fixed (DIP to RIP), so receive-side hashing on the back-end server's network card may be uneven

Port mapping is not supported

  • Use cases for Tunnel mode

In theory, when forwarding performance requirements are high and cross-data-center deployment is needed, Tunnel mode may be the better choice.
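To make the DR, NAT and Tunnel walkthroughs above concrete, here is an added example (not LVS/IPVS code; every address, MAC and port is constructed) that models, at the header level, what the director and the real server do to one request and its reply in each mode. It shows which fields each mode rewrites, why only NAT can map ports, and why only in NAT mode does the reply come back through LVS:

```python
"""Header-level model of the LVS DR, NAT and TUN forwarding modes.

Added example, not LVS/IPVS code. All addresses, MACs and ports are
constructed; the point is to see which fields the director and the real
server rewrite in each mode and which way the reply travels.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed topology (RFC 5737 / RFC 1918 addresses, made-up MACs)
CIP, CMAC = "203.0.113.10", "02:00:00:00:00:c1"   # client; CMAC = MAC of the router facing LVS
VIP, VMAC = "198.51.100.1", "02:00:00:00:00:a1"   # virtual service address on the director
DIP, DMAC = "10.0.0.2",     "02:00:00:00:00:d1"   # director's address/MAC on the RS segment
RIP, RMAC = "10.0.0.11",    "02:00:00:00:00:e1"   # real server
VPORT = 80


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    outer: Optional[Tuple[str, str]] = None  # (src, dst) of an IPIP outer header, TUN only


class Director:
    """The LVS box: hooks the packet at INPUT and decides how to hand it to an RS."""
    def __init__(self, mode: str, rport: int = VPORT):
        if mode not in ("DR", "NAT", "TUN"):
            raise ValueError(mode)
        if mode != "NAT" and rport != VPORT:
            # DR and TUN leave the inner IP/TCP header alone, so no port mapping
            raise ValueError(f"{mode} mode cannot map port {VPORT} -> {rport}")
        self.mode, self.rport = mode, rport
        self.conn = {}  # NAT connection table: (cip, cport) -> (vip, vport)

    def forward(self, pkt: Packet) -> Packet:
        if (pkt.dst_ip, pkt.dst_port) != (VIP, VPORT):
            raise ValueError("not an IPVS service; would be delivered locally")
        if self.mode == "DR":
            # Only layer 2 is rewritten: next hop is the RS MAC on the shared segment
            return replace(pkt, src_mac=DMAC, dst_mac=RMAC)
        if self.mode == "NAT":
            # Destination IP/port rewritten; remember the mapping to undo it on the reply
            self.conn[(pkt.src_ip, pkt.src_port)] = (pkt.dst_ip, pkt.dst_port)
            return replace(pkt, src_mac=DMAC, dst_mac=RMAC, dst_ip=RIP, dst_port=self.rport)
        # TUN: original packet untouched, wrapped in an outer DIP -> RIP header so it
        # can cross routers; the next-hop MAC is whatever the route to RIP says
        return replace(pkt, src_mac=DMAC, dst_mac="next-hop-router", outer=(DIP, RIP))

    def reverse(self, pkt: Packet) -> Packet:
        """NAT only: the RS reply arrives via FORWARD and is un-NATed from the table."""
        vip, vport = self.conn[(pkt.dst_ip, pkt.dst_port)]
        return replace(pkt, src_mac=VMAC, dst_mac=CMAC, src_ip=vip, src_port=vport)


class RealServer:
    def __init__(self, mode: str, port: int = VPORT):
        self.mode, self.port = mode, port
        # DR and TUN need the VIP configured locally (lo / tunl0) to accept dst=VIP
        self.local_ips = {RIP} | ({VIP} if mode != "NAT" else set())

    def serve(self, pkt: Packet) -> Packet:
        if self.mode == "TUN":
            assert pkt.outer == (DIP, RIP), "ipip module expects a tunnel to this RS"
            pkt = replace(pkt, outer=None)  # decapsulate; inner header is CIP -> VIP
        if pkt.dst_ip not in self.local_ips or pkt.dst_port != self.port:
            raise ValueError(f"RS would not accept {pkt.dst_ip}:{pkt.dst_port}")
        # Reply with addresses swapped. In NAT mode the default gateway is the
        # director (DMAC); in DR/TUN the reply goes straight to the client's router.
        return Packet(src_mac=RMAC,
                      dst_mac=DMAC if self.mode == "NAT" else "next-hop-router",
                      src_ip=pkt.dst_ip, dst_ip=pkt.src_ip,
                      src_port=pkt.dst_port, dst_port=pkt.src_port)


def exchange(mode: str, rport: int = VPORT) -> dict:
    """Run one request/reply through a director and RS; return what each hop saw."""
    director, rs = Director(mode, rport), RealServer(mode, rport)
    request = Packet(CMAC, VMAC, CIP, VIP, 51515, VPORT)
    to_rs = director.forward(request)
    reply = rs.serve(to_rs)
    via_lvs = reply.dst_mac == DMAC            # did the reply go back through the director?
    at_client = director.reverse(reply) if via_lvs else reply
    return {"request_at_rs": to_rs, "reply_at_client": at_client, "reply_via_lvs": via_lvs}


if __name__ == "__main__":
    for mode, port in (("DR", 80), ("NAT", 8080), ("TUN", 80)):
        r = exchange(mode, port)
        print(mode, "RS sees dst", (r["request_at_rs"].dst_ip, r["request_at_rs"].dst_port),
              "| reply via LVS:", r["reply_via_lvs"],
              "| client sees src", (r["reply_at_client"].src_ip, r["reply_at_client"].src_port))
```

Running it shows the three signatures side by side: DR delivers the packet with destination still VIP:80 and a new destination MAC; NAT delivers RIP:8080 and has to un-NAT the reply from its connection table; TUN delivers the untouched CIP to VIP packet inside a DIP to RIP outer header. Asking for DR or TUN with a mapped port raises an error, which is the "no port mapping" limitation in code.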

That covers the principles of LVS. There is a lot of material; reading it twice is recommended. For length reasons, the hands-on configuration will be covered in the next article.

Original link: https://www.cnblogs.com/liwei0526vip/p/14311114.html


Origin blog.csdn.net/weixin_48182198/article/details/112983085