OCI Load Balancer — Part-II
This post continues my previous blog on OCI Load Balancer.
What shapes are available in OCI Load Balancer?
OCI Load Balancer comes in two shapes:
a) Flexible Shape: You specify the minimum and maximum bandwidth your backend applications need. As the name suggests, the shape is flexible: the Load Balancer starts at the minimum bandwidth and scales up to the maximum as traffic to it grows.
b) Dynamic Shape: You choose one of the pre-defined bandwidths. You can change a Load Balancer's shape from Dynamic to Flexible at any time, but not the other way round.
What are Load Balancing policies?
Load Balancing policies are the algorithms the Load Balancer uses to route ingress traffic to backend servers.
The policies differ between the General/Generic/Normal Load Balancer and the Network Load Balancer.
As discussed in my previous post, the policies for the General/Generic/Normal Load Balancer are Weighted Round Robin, IP Hash and Least Connections.
For Network Load Balancer the policies are:
a) 2-Tuple Hash → Routes traffic to the same backend server based on a hash of the 2-tuple (Source IP, Destination IP).
b) 3-Tuple Hash → Ensures that traffic from a particular client is always directed to the same backend server, based on a hash of the 3-tuple (Source IP, Destination IP and Protocol).
c) 5-Tuple Hash → Routes traffic to backend servers based on a hash of the 5-tuple (Source IP, Source Port, Destination IP, Destination Port and Protocol).
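As an added illustration (not part of the original post and not OCI's implementation), the following Python models how the three tuple-hash policies decide which backend a flow lands on, and therefore how "sticky" a client is; the backend and client addresses, the SHA-256 key and the simple modulo selection are constructed assumptions, and the selector also skips backends that a health check has marked down.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One client connection as seen by the load balancer."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str  # "TCP" or "UDP"

# Flow fields that each Network Load Balancer policy feeds into its hash.
POLICY_FIELDS = {
    "TWO_TUPLE": ("src_ip", "dst_ip"),
    "THREE_TUPLE": ("src_ip", "dst_ip", "protocol"),
    "FIVE_TUPLE": ("src_ip", "src_port", "dst_ip", "dst_port", "protocol"),
}

def hash_key(flow: Flow, policy: str) -> int:
    """Deterministic hash of the policy's tuple (SHA-256, so runs are repeatable)."""
    key = "|".join(str(getattr(flow, f)) for f in POLICY_FIELDS[policy])
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")

def select_backend(flow: Flow, policy: str, backends: list, healthy: dict) -> str:
    """Pick a backend for the flow, skipping servers the health check marked down.
    Plain modulo is used for clarity (an assumption): when the candidate list changes,
    modulo remaps other flows too, which is why real balancers prefer consistent hashing."""
    candidates = [b for b in backends if healthy.get(b, False)]
    if not candidates:
        raise RuntimeError("no healthy backend in the backend set")
    return candidates[hash_key(flow, policy) % len(candidates)]

def backends_used(policy: str, flows: list, backends: list, healthy: dict) -> set:
    """Set of backends chosen for the given flows under one policy."""
    return {select_backend(f, policy, backends, healthy) for f in flows}

# Constructed sample data: one client opening 50 TCP connections (distinct source
# ports) to the load balancer's listener address on port 443.
BACKENDS = ["10.0.1.11", "10.0.1.12", "10.0.1.13"]
HEALTHY = {b: True for b in BACKENDS}
CLIENT_FLOWS = [Flow("203.0.113.7", 40000 + i, "10.0.0.5", 443, "TCP") for i in range(50)]

if __name__ == "__main__":
    for policy in POLICY_FIELDS:
        print(policy, sorted(backends_used(policy, CLIENT_FLOWS, BACKENDS, HEALTHY)))
```

Under 2-tuple and 3-tuple the client's 50 connections all land on one backend, while 5-tuple spreads them across the set; the same stickiness is what a defender should expect when correlating connection logs per backend.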
How do you ensure HA (High Availability) of Load Balancer?
The Load Balancer ensures High Availability by automatically creating a failover Load Balancer alongside the active one.
In a multi-AD region, the failover Load Balancer is created in a different AD and becomes active when the active Load Balancer goes down for any reason.
In a single-AD region, the failover Load Balancer is created in a different Fault Domain.
How to restrict Ingress traffic to your Load Balancer?
You can restrict ingress traffic to the Load Balancer in several ways:
a) WAF (Web Application Firewall): Restricts ingress traffic based on IP address, URL, country, HTTP method, request cookie, etc. You can also limit the number of requests passed on to the Load Balancer.
NOTE: WAF is not applicable to the Network Load Balancer.
b) NSG (Network Security Group): Attach an NSG created in your VCN and specify the CIDR ranges from which traffic is allowed.
c) SL (Security List): Create a Security List on the VCN subnet in which the Load Balancer is created. In the Security List you specify the CIDR range, protocol and port from which ingress traffic is allowed.
How and at how many levels can we encrypt data to and from OCI Load Balancer?
Data is encrypted using SSL. SSL encryption can be applied at three levels for data flowing from the client to the backend servers via the Load Balancer:
- SSL Termination at Load Balancer
- SSL between Load Balancer & Backend Servers
- End to End SSL
For SSL encryption you provide three items: the SSL certificate file, the CA certificate and the private key.
Note: You can add SSL even after the Load Balancer has been configured.
How do you ensure that backend servers are available?
To ensure that the backend servers attached to a backend set are available, the Load Balancer keeps polling them on the protocol and port specified in the Health Check Policy.
This polling happens at the interval specified in the Health Check Policy.
Based on the results, the Load Balancer routes traffic only to backend servers that pass the health check.
What is the role of Listener in Load Balancer? How many Listeners can we attach to a Load Balancer? When do we create multiple Listeners?
A Listener checks for incoming traffic on the Load Balancer's IP address for a given type of traffic, i.e., HTTPS, HTTP/2, HTTP, TCP, UDP or TCP/UDP.
We can attach a maximum of 16 listeners to a Load Balancer.
We create multiple listeners to route traffic for a specific application to a specific set of backend servers.
Example: If both CRM and ERP applications are installed in the same VCN across regional subnets, we can create two listeners, one for ERP and one for CRM, and each listener talks to its backend servers via its own backend set.