
OCI Technical Materials: Load Balancer Details / Load Balancer 200


This is the Oracle Cloud Infrastructure (OCI) technical documentation on load balancers, details edition (Level 200).

It covers session persistence, virtual-host-based routing, URI path-based routing, the use of SSL and the configuration of SSL termination, and the metrics that can be obtained from the load balancer.


Transcript

  1. Basics are covered in Load Balancer 100: https://oracle-japan.github.io/ocidocs/services/networking/load-balancer-100/
    • OCI provides two load balancer types: the Flexible Load Balancer (FLB) and the Network Load Balancer (NLB).
    • Protocols: TCP, HTTP/1.0, HTTP/1.1, HTTP/2, WebSocket; SSL
    • The FLB operates at Layer 7: TCP (Layer 4) and HTTP (Layer 7) listeners
    Copyright © 2022, Oracle and/or its affiliates
  3. FLB connection handling (clients / Load Balancer / Backend Servers)
    The diagram shows a 3-way handshake, GET, HTTP 200 and FIN/ACK on both the client side and the backend side of the FLB.
    Idle timeout values shown (seconds): TCP: 300, 7200; HTTP: 60, 7200. Other timer values on the slide: 65, 300, 310.
    (A-A') receive timer, (B-B') send timer.
    Reference: https://docs.oracle.com/ja-jp/iaas/Content/Balance/Reference/connectionreuse.htm
  4. The FLB sends a FIN after 65 seconds (TCP capture)
    1  0.000000000 10.0.1.25 -> 10.0.2.228 TCP 74 43744 > http [SYN] Seq=0 Win=65340 Len=0 MSS=1485 SACK_PERM=1 TSval=3551202664 TSecr=0 WS=128
    2  0.002493772 10.0.2.228 -> 10.0.1.25 TCP 74 http > 43744 [SYN, ACK] Seq=0 Ack=1 Win=26844 Len=0 MSS=8960 SACK_PERM=1 TSval=4158075881 TSecr=3551202664 WS=1024
    3  0.000013286 10.0.1.25 -> 10.0.2.228 TCP 66 43744 > http [ACK] Seq=1 Ack=1 Win=65408 Len=0 TSval=3551202667 TSecr=4158075881
    (…)
    13 0.000005690 10.0.1.25 -> 10.0.2.228 TCP 66 43744 > http [ACK] Seq=241 Ack=1663 Win=64128 Len=0 TSval=3551202681 TSecr=4158075896
    14 65.001322203 10.0.2.228 -> 10.0.1.25 TCP 66 http > 43744 [FIN, ACK] Seq=1663 Ack=241 Win=27648 Len=0 TSval=4158140891 TSecr=3551202681
    15 0.040574411 10.0.1.25 -> 10.0.2.228 TCP 66 43744 > http [ACK] Seq=241 Ack=1664 Win=64128 Len=0 TSval=3551267723 TSecr=4158140891
    16 40.054097462 10.0.1.25 -> 10.0.2.228 TCP 66 43744 > http [FIN, ACK] Seq=241 Ack=1664 Win=64128 Len=0 TSval=3551307777 TSecr=4158140891
    17 0.001380630 10.0.2.228 -> 10.0.1.25 TCP 66 http > 43744 [ACK] Seq=1664 Ack=242 Win=27648 Len=0 TSval=4158180983 TSecr=3551307777
    Frames 1-3 are the 3-way handshake. Frame 14: after 65 seconds of idle time the FLB closes the connection with FIN (LB ->).
  5. Client IP as seen by the backend
    Diagram: client 1.1.1.1 → VIP 2.2.2.2 (Src 1.1.1.1, Dst 2.2.2.2); load balancer 192.168.1.254 → backend 192.168.1.2 (Src 192.168.1.254, Dst 192.168.1.2); reply Src 192.168.1.2 Dst 192.168.1.254, then Src 2.2.2.2 Dst 1.1.1.1.
    • HTTP listeners: the original client IP is carried in the X-Forwarded-For header; the FLB also sets X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Proto and X-Real-IP.
    • TCP listeners: the backend sees the load balancer's IP as the source address (no HTTP headers are available).
  6. Three SSL configurations
    • SSL termination at the FLB: HTTPS (client → FLB HTTPS listener), HTTP (FLB → backend)
    • End-to-end SSL through an FLB HTTPS listener: HTTPS (client → FLB), HTTPS (FLB → backend)
    • SSL pass-through with an FLB TCP listener or an NLB: HTTPS end to end, not terminated at the load balancer
  7. OCI Certificates
    SSL certificates for the FLB can be taken from the OCI Certificates Service, which manages certificates, certificate authorities (CA) and CA bundles.
  8. Creating an SSL certificate - 1. Generate an RSA private key and a certificate signing request (CSR)
    $ openssl genrsa -out MyKey.key 2048
    Generating RSA private key, 2048 bit long modulus
    .........................+++
    .....................+++
    e is 65537 (0x10001)
    $ openssl req -new -key MyKey.key -out MyCSR.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:WA
    Locality Name (eg, city) []:Redmond
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Oracle
    Organizational Unit Name (eg, section) []:OCI
    Common Name (e.g. server FQDN or YOUR name) []:*.example.org
    Email Address []:[email protected]
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
  9. Creating an SSL certificate - 2. Self-sign the CSR and inspect the certificate
    $ openssl x509 -req -days 365 -in MyCSR.csr -signkey MyKey.key -out ExampleCert.crt
    Signature ok
    subject=/C=US/ST=WA/L=Redmond/O=Oracle/OU=OCI/CN=*.example.org/[email protected]
    Getting Private key
    $ openssl x509 -in ExampleCert.crt -noout -text
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: fa:98:bb:ae:1e:19:4d:a3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=WA, L=Redmond, O=Oracle, OU=OCI, CN=*.example.org/[email protected]
        Validity
            Not Before: Jun  6 18:34:41 2018 GMT
            Not After : Jun  6 18:34:41 2019 GMT
        Subject: C=US, ST=WA, L=Redmond, O=Oracle, OU=OCI, CN=*.example.org/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c0:63:f1:aa:d8:98:b1:01:0f:9f:fa:71:6a:9a:
                    f1:05:9d:d6:84:01:88:8d:51:6e:b5:d4:fa:5e:fb:
                    95:f7:ac:ed:07:11:bf:89:85:4b:39:70:71:9e:7e:
                    cd:ba:24:96:65:d9:41:69:d1:05:f7:1a:a2:43:29:
                    7a:6b:de:11:e7:2b:6f:95:ee:04:de:2b:23:b1:0b:
                    a6:a2:76:8f:40:42:50:1e:d8:2a:16:2c:d5:97:2b:
                    (…)
  10. Creating an SSL certificate - 3. Convert the certificate to PEM format
    $ openssl x509 -in ExampleCert.crt -out ExampleCert.pem -outform PEM
  11. Session persistence for web applications: cookie persistence (FLB HTTP/HTTPS)
    ※ Cookie-based: the FLB keeps Client A and Client B each on the backend they first reached, using a cookie.
  12. Two kinds of cookie persistence (FLB HTTP/HTTPS)
    1. Load balancer cookie persistence: the FLB inserts its own cookie and uses it to send the client back to the same backend.
    2. Application cookie persistence: the FLB keys on a cookie set by the application (Cookie + α: the FLB adds its own routing cookie alongside the application's cookie).
  13. Load balancer cookie persistence (FLB HTTP/HTTPS): Client / Load Balancer / Backend Server
    1. The client sends a request to the load balancer.
    2. The load balancer forwards it to a backend server, which answers 200 OK.
    3. The load balancer adds Set-cookie: X-Oracle-BMC-LBS-Route=yyy to the 200 OK returned to the client.
    4. The client sends the cookie with its next requests.
    5. The load balancer uses the cookie to route the request to the same backend.
  14. Application cookie persistence (FLB HTTP/HTTPS): Client / Load Balancer / Backend Server
    1. The client sends a request to the load balancer.
    2. The backend answers 200 OK with its own Set-cookie: sessionid=xxx.
    3. The load balancer passes the application cookie through and adds Set-cookie: X-Oracle-BMC-LBS-Route=yyy (Cookie + its own routing cookie).
    4. The client sends both cookies (sessionid=xxx and X-Oracle-BMC-LBS-Route=yyy) with its next requests.
    5. The load balancer routes by the cookie to the same backend.
    Note: the FLB adds its own X-Oracle-BMC-LBS-Route cookie, so the client ends up holding two cookies.
  15. FAQ (session persistence, FLB HTTP/HTTPS)
    • Q: keywords on the slide: Fallback; HTTP 502
    • Q: keywords on the slide: match-all cookie
  16. FAQ (session persistence, FLB HTTP/HTTPS)
    • Q: behaviour of the FLB cookie
    • Q: cookie attributes (Expires, Max-Age, SameSite, Secure, HTTP-Only) and how the FLB cookie handles them
  17. Session persistence support by load balancer and listener type
    • FLB HTTP/HTTPS listener: cookie persistence supported
    • FLB TCP listener: cookie persistence not supported (×)
    • NLB: cookie persistence not supported (×); the NLB works at the IP level
    Cookie persistence requires HTTP, since the cookie travels in the HTTP header, so it is available only on FLB HTTP(S) listeners.
    Diagram: clients 1.1.1.1, 2.2.2.2, 3.3.3.3 reach the NLB directly and via a Proxy (5.5.5.5); with IP-based persistence the clients behind the proxy all appear as 5.5.5.5.
  18. Routing (FLB HTTP/HTTPS)
    Content-based routing is a Layer 7 function of FLB HTTP/HTTPS listeners; FLB TCP listeners and the NLB do not provide it. Three mechanisms:
    1. Virtual host (hostname) routing
    2. Routing by URI, Cookie and other request attributes (2021/3)
    3. Rule sets for HTTP(S)
  19. Routing – 1. Virtual hosts
    One FLB (IP: xxx.xxx.xxx.xxx) with one listener (TCP/80) routes by hostname: www.example1.com → backend set 1, www.example2.com → backend set 2. A listener is identified by IP + port + hostname.
  20. Routing – 1. Virtual hosts: hostname patterns
    • Exact FQDN (e.g. app.example.com)
    • Leading wildcard (*.example.com)
    • Trailing wildcard (app.example.*)
    • No hostname: catch-all
    ※ Limit noted on the slide: 16 hostnames
  21. Routing – 2. Routing policies
    One listener (IP: xxx.xxx.xxx.xxx, TCP/80) selects the backend set by request attributes: URL / URI path, HTTP header, Cookie.
    Example: rule 1 user-agent = mobile → backend set 1; rule 2 path = /admin/ → backend set 2.
  22. Routing – 2'. Path route sets (~2022/3/24, [CN-64788])
    One listener (IP: xxx.xxx.xxx.xxx, Port: 80) routes by URI path: /pages/ → backend set 1, /video/ → backend set 2.
  23. Path route sets – match types (~2022/3/24)
    • EXACT_MATCH: URI matches ^<path_string>$
    • FORCE_LONGEST_PREFIX_MATCH: URI matches <path_string>.* (the longest matching path_string wins)
    • PREFIX_MATCH: URI matches ^<path_string>.*
    • SUFFIX_MATCH: URI matches .*<path_string>$
  24. Path route sets – evaluation order when several rules match (~2022/3/24)
    1. EXACT_MATCH
    2. FORCE_LONGEST_PREFIX_MATCH
    3. PREFIX_MATCH and SUFFIX_MATCH
  25. Path route sets – limits (~2022/3/24): 20 and 1 are the values noted on the slide
  26. Combining virtual host routing and URI routing (FLB HTTP/HTTPS)
    One listener, three backend sets A, B, C; A is the default.
    • Virtual hosts: foo.com → B, bar.com → C
    • URI paths: /biz → B, /baz → C
    URL                      Backend set
    http://foo.com           B
    http://foo.com/biz       B
    http://foo.com/baz       C
    http://bar.com           C
    http://bar.com/biz       B
    http://bar.com/baz       C
    http://example.com       A
    http://example.com/biz   B
    http://example.com/baz   C
  27. Configuration example (FLB HTTP/HTTPS)
    LB-APPS-1: ipAddress = ip-1, name = foo-and-bar-LB; BackendSets[], Listeners[], PathRouteSets[]
    Listener-default: port = 554, serverName = null, defaultBackendSet = foo-BES-1, certificate = foo-Certificate, PathRouteSet = PRS-1
    Listener-foo: port = 443, serverName = *.foo.com, defaultBackendSet = foo-BES-1, certificate = foo-Certificate, PathRouteSet = null
    Listener-bar: port = 443, serverName = *.bar.com, defaultBackendSet = bar-BES-1, certificate = foo-Certificate, PathRouteSet = PRS-1
    foo-Certificate: CN = www.foo.com, SAN = *.foo.com
    bar-Certificate: CN = www.bar.com, SAN = *.bar.com
    foo-BES-1 – foo-Backends-1; bar-BES-1 – bar-Backends-1; bar-BES-2 – bar-Backends-2
    PRS-1 – bar-path-route-rules (Exact Matches): /biz → bar-BES-1, /baz → bar-BES-2
    URL                      Backend set
    http://example.com       foo-BES-1
    http://example.com/biz   bar-BES-1
    http://example.com/baz   bar-BES-2
    http://foo.com           foo-BES-1
    http://bar.com           bar-BES-1
    http://bar.com/baz       bar-BES-2
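Added example, not part of the original deck and not OCI code: a Python model of the routing described on the virtual-host, path-route match-type and combined-routing slides. It implements the hostname patterns, the four match types with their regex equivalents and precedence, and "path rule beats virtual host beats default" as the URL table implies. Assumptions: FORCE_LONGEST_PREFIX_MATCH is treated as an anchored prefix where the longest path_string wins and rule order breaks remaining ties; the backend-set names and rule tuples are constructed.

```python
import re

# Path-route match types with the regex equivalents listed on the slide.
# Precedence when several rules match: EXACT_MATCH, then
# FORCE_LONGEST_PREFIX_MATCH, then PREFIX_MATCH / SUFFIX_MATCH (equal).
PRIORITY = {"EXACT_MATCH": 0, "FORCE_LONGEST_PREFIX_MATCH": 1,
            "PREFIX_MATCH": 2, "SUFFIX_MATCH": 2}

def path_matches(match_type, path_string, uri):
    p = re.escape(path_string)  # path_string is a literal, not a regex
    patterns = {"EXACT_MATCH": rf"^{p}$",
                "FORCE_LONGEST_PREFIX_MATCH": rf"^{p}.*",  # anchored (assumption)
                "PREFIX_MATCH": rf"^{p}.*",
                "SUFFIX_MATCH": rf".*{p}$"}
    return re.fullmatch(patterns[match_type], uri) is not None

def select_backend_set(rules, uri):
    """rules: ordered list of (match_type, path_string, backend_set)."""
    hits = [(PRIORITY[t], -len(p), i, b) for i, (t, p, b) in enumerate(rules)
            if path_matches(t, p, uri)]
    # Lowest priority value wins; among equal priority the longest
    # path_string wins (the "longest prefix" rule); rule order breaks ties.
    return min(hits)[3] if hits else None

def host_matches(pattern, host):
    """Hostname forms from the slide: exact FQDN, *.example.com, app.example.*"""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return host == pattern

def route(host, uri, hostnames, path_rules, default):
    """Path-route rule > virtual host's backend set > listener default,
    the precedence the slide's URL table implies (e.g. bar.com/biz -> B)."""
    chosen = select_backend_set(path_rules, uri)
    if chosen is not None:
        return chosen
    for pattern, backend_set in hostnames:
        if host_matches(pattern, host):
            return backend_set
    return default  # catch-all: no hostname matched

# Constructed configuration reproducing the slide's example:
# default A, foo.com -> B, bar.com -> C, exact /biz -> B, exact /baz -> C.
HOSTNAMES = [("foo.com", "B"), ("bar.com", "C")]
PATH_RULES = [("EXACT_MATCH", "/biz", "B"), ("EXACT_MATCH", "/baz", "C")]
```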
  28. Routing – 3. Rule sets (FLB HTTP/HTTPS)
    Rule types listed on the slide:
    • Access control by source IP
    • Access method control (HTTP methods such as GET, HEAD, POST)
    • URL redirect (rewrite of the HTTP URL / URI), e.g. HTTP(80) → HTTPS(443) with SSL
    • HTTP request header rules (add / alter / remove)
    • HTTP response header rules (add / alter / remove), e.g. [x-xss-protection], [x-content-type]
    • HTTP header size: 8KB to 64KB
    • Allowed characters noted: . _ -
  29. HTTP header rules (FLB HTTP/HTTPS): up to 50 rules. Examples: remove the [Server] header so that the web server software is not disclosed; add [x-xss-protection] and [x-content-type] response headers.
  30. Access control rules (FLB HTTP/HTTPS): allow requests by source IP; restrict the HTTP methods accepted (GET, HEAD, POST).
  31. URL redirect rules (FLB HTTP/HTTPS): redirect a request URL to another HTTP URL, e.g. HTTP → HTTPS.
  33. Integration with WAF (Web Application Firewall) and Web Application Acceleration
  34. WAF on the FLB (inside the VCN)
    • OCI Web Application Firewall (WAF): Layer 7 protection against DDoS, SQL injection and other web attacks
    • A WAF policy can be attached to an FLB inside the VCN (2021/10/27)
    • Blog: Announcing Oracle Cloud Infrastructure WAF Protection on Flexible Load Balancers
    • WAF pricing:
      Product    Price   Metric
      Instance   $5      Instance Per Month
      Requests   $0.6    1,000,000 Incoming Requests Per Month
  35. Web Application Acceleration (2022/6/15)
    • HTTP response caching (100MB noted on the slide)
    • Compression according to the Accept-Encoding header
    • Configured under [Network] → Web Application Acceleration
    • "cacheStatus" reports HIT or MISS
    https://blogs.oracle.com/oracle4engineer/post/ja-intro-waa
  36. Logging
    • Load balancer logs (two log types; ※ NLB noted separately) are collected by OCI Logging (10GB quota noted on the slide)
    • VCN Flow Logs
  37. VCN Flow Logs: https://docs.oracle.com/ja-jp/iaas/Content/Network/Concepts/vcn_flow_logs.htm
    Enabled on a VCN (or on a subnet of the VCN), flow logs record the traffic of each NIC / IP, including the load balancer's. Sample records:
    ACCEPT TCP 172.21.2.185 Port 43360 → 129.146.13.236 Port 443 Bytes 10515 Packets 19
    ACCEPT TCP 129.146.13.236 Port 443 → 172.21.2.185 Port 43360 Bytes 5548 Packets 14
    Related: VTAP.
  38. VTAP (Virtual Test Access Point): https://docs.oracle.com/ja-jp/iaas/Content/Network/Tasks/vtap.htm
    Traffic of a source such as an FLB is mirrored via VTAP to a target NLB in front of analysis tools such as an IDS.
  39. Monitoring load balancers (FLB, NLB): OCI Monitoring metrics and OCI Events.
  40. Load Balancer metrics: https://docs.oracle.com/ja-jp/iaas/Content/Balance/Reference/loadbalancermetrics.htm
    OCI Monitoring namespace: oci_lbaas. Metrics are grouped by three lbComponent dimension values:
    • lbComponent = loadbalancer: SSL and other load-balancer-level metrics (11 metrics)
    • lbComponent = listener: HTTP (HTTP listener) metrics (8 metrics)
    • lbComponent = backendset: HTTP (HTTP backend set) metrics (19 metrics)
  41. Tips: lbHostId
    A load balancer runs on two hosts, so metrics such as PeakBandwidth are reported per lbHostId (e.g. lbHostId=ae41d2132 and lbHostId=f6d9d18). To get the total over both hosts, aggregate with grouping().sum() in MQL:
    PeakBandwidth[1m]{resourceId="ocid1…"}.grouping().sum()
  42. MQL examples
    • Total peak bandwidth across LB hosts:
      PeakBandwidth[1m]{lbName="<LB name>"}.grouping().sum()
    • Alarm when more than half of the backend sets have unhealthy backends:
      (UnHealthyBackendServers[1m].mean() > 0).groupBy(backendSetName).mean() > 0.5
    • Alarm when fewer than 95% of HTTP responses over 5 minutes are 200:
      HttpResponses200[5m]{lbName="<LB name>"}.groupBy(listenerName).sum() / HttpResponses[5m]{lbName="<LB name>"}.groupBy(listenerName).sum() < 0.95
  45. Oracle Cloud Infrastructure documentation
    • https://docs.oracle.com/ja-jp/iaas/Content/home.htm - documentation (Japanese)
    • https://docs.cloud.oracle.com/iaas/api/ - API reference
    • https://docs.oracle.com/ja-jp/iaas/Content/General/Reference/aqswhitepapers.htm - white papers
    • https://docs.cloud.oracle.com/iaas/releasenotes/ - release notes
    • https://docs.oracle.com/ja-jp/iaas/Content/knownissues.htm - Known Issues
    • https://docs.oracle.com/ja-jp/iaas/Content/General/Reference/graphicsfordiagrams.htm - OCI graphics for diagrams (PPT, SVG, Visio)
  46. Oracle Cloud Infrastructure resources (Japan)
    • https://oracle-japan.github.io/ocidocs/ - Oracle Cloud Infrastructure technical documents
    • https://oracle-japan.github.io/ocitutorials/ - Oracle tutorials
    • https://www.oracle.com/search/events/ - Oracle events (Filter Locations -> Asia Pacific -> Japan)
    • https://cloudcustomerconnect.oracle.com/resources/9c8fa8f96f/summary - Oracle Cloud Infrastructure – General Forum