
OCI Technical Material: Load Balancer Details / Load Balancer 200

Technical material for Oracle Cloud Infrastructure (OCI): Load Balancer details (Level 200).

Covers session persistence, routing by virtual hostname, URI path-based routing, the use of SSL and the configuration of SSL termination, and the metrics that can be obtained from the load balancer.


Transcript

  1. Load Balancer Details (Load Balancer Level 200), Oracle Cloud Infrastructure, 2022
  2. Overview (reference: https://oracle-japan.github.io/ocidocs/services/networking/load-balancer-100/). OCI offers two load balancer types: the Flexible Load Balancer (FLB) and the Network Load Balancer (NLB). FLB listeners support TCP, HTTP/1.0, HTTP/1.1, HTTP/2 and WebSocket, and handle SSL (termination, backend SSL, pass-through). The FLB is a Layer 7 proxy: TCP listeners operate at Layer 4, HTTP listeners at Layer 7. Copyright © 2022, Oracle and/or its affiliates
  3. Agenda: timeout and keep-alive settings; identifying the client IP address at the backend server; SSL handling; session persistence; request routing; integration with WAF (Web Application Firewall) and Web Application Acceleration; logging; metrics; troubleshooting guidelines.
  4. Timeout and Keep-Alive Settings

  5. FLB connection timers (diagram: clients, Load Balancer, Backend Servers; 3-way handshake, GET, HTTP 200 and FIN/ACK on both the client side and the backend side; timer labels A–E and A'–E', where A–A' is the receive timer and B–B' the send timer). Idle timeout: TCP listener 300 s by default, up to 7,200 s; HTTP listener 60 s by default, up to 7,200 s. Other values labelled on the diagram: 65, 10,000, 300, 310. Reference: https://docs.oracle.com/ja-jp/iaas/Content/Balance/Reference/connectionreuse.htm
  6. Identifying the Client IP Address at the Backend Server

  7. Because the FLB proxies the connection, the backend sees the load balancer's address as the source IP, not the client's. HTTP listeners: the FLB adds X-Forwarded-* headers that carry the client address. TCP listeners: the backend only sees the load balancer's IP. Diagram: client 1.1.1.1 sends to VIP 2.2.2.2 (Src 1.1.1.1, Dst 2.2.2.2); the load balancer (192.168.1.254) forwards to backend 192.168.1.2 (Src 192.168.1.254, Dst 192.168.1.2); the reply travels Src 192.168.1.2 → Dst 192.168.1.254 and then Src 2.2.2.2 → Dst 1.1.1.1. Headers added by the FLB: X-Forwarded-For (client IP), X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Proto, X-Real-IP (client IP).
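Added example (Python; not from the slides): how a backend behind the FLB should derive the client address from the X-Forwarded-For header described above. A client can send any X-Forwarded-For value it likes; the load balancer appends the real TCP source to the end of the list, so the backend must first check that the TCP peer is the load balancer and then read the rightmost entry that is not one of its own proxies, never the leftmost. The trusted proxy network 192.168.1.0/24 (the slide shows the load balancer at 192.168.1.254) and the sample headers are assumptions constructed for this example.

```python
import ipaddress

# Constructed for this example (assumption): the network the load balancer
# connects from. On the slide diagram the backend sees Src 192.168.1.254.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def is_trusted_proxy(addr: str) -> bool:
    """True when addr belongs to a network whose forwarding headers we trust."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXY_NETS)


def client_ip(peer_addr: str, headers: dict) -> str:
    """Address a backend should log, rate-limit and authorise on.

    peer_addr is the TCP source the backend observed. Only when that is the
    load balancer is X-Forwarded-For consulted, and then from the right: the
    rightmost entry is the one the load balancer appended (the TCP source it
    saw), whereas entries further left arrived inside the client's request
    and may be forged.
    """
    if not is_trusted_proxy(peer_addr):
        # Direct connection, or a proxy we do not know: ignore the headers.
        return peer_addr

    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue  # a hop we own (e.g. a second proxy layer); keep walking left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed where a proxy-added entry should be: fail closed
        return hop
    # No header, or nothing usable in it: the TCP peer is all we can vouch for.
    return peer_addr
```

The same rule applies to X-Real-IP: trust it only when the TCP peer is the load balancer, since a client connecting to the backend directly (for example through a security-list gap) can set it freely.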
  8. SSL Handling
  9. Three SSL handling patterns: (1) SSL termination: FLB HTTPS listener; HTTPS between client and load balancer, plain HTTP between load balancer and backend, so the certificate and private key live on the load balancer; (2) end-to-end SSL: FLB HTTPS listener with backend SSL, HTTPS on both legs (the load balancer decrypts and re-encrypts); (3) SSL tunnelling (pass-through): FLB TCP listener or NLB, HTTPS passed through unchanged to the backend, which holds the certificate. Diagram columns: HTTPS / HTTP / HTTPS / HTTPS / HTTPS.
  10. OCI Certificates Service: SSL certificates for the FLB can be managed in OCI Certificates, which handles certificates (Certificate), certificate authorities (CA) and CA bundles.
  11. Setting up SSL on the FLB (steps 1–4)

  12. Setting up SSL, step 1: generate an RSA private key and a certificate signing request (CSR).

    $ openssl genrsa -out MyKey.key 2048
    Generating RSA private key, 2048 bit long modulus
    .........................+++
    .....................+++
    e is 65537 (0x10001)

    $ openssl req -new -key MyKey.key -out MyCSR.csr
    You are about to be asked to enter information that will be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank.
    For some fields there will be a default value; if you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:WA
    Locality Name (eg, city) []:Redmond
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Oracle
    Organizational Unit Name (eg, section) []:OCI
    Common Name (e.g. server FQDN or YOUR name) []:*.example.org
    Email Address []:rohit.rahi@oracle.com

    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:
    An optional company name []:
  13. Setting up SSL, step 2: self-sign the CSR (for testing the listener; a production listener uses a CA-issued certificate).

    $ openssl x509 -req -days 365 -in MyCSR.csr -signkey MyKey.key -out ExampleCert.crt
    Signature ok
    subject=/C=US/ST=WA/L=Redmond/O=Oracle/OU=OCI/CN=*.example.org/emailAddress=rohit.rahi@oracle.com
    Getting Private key

    $ openssl x509 -in ExampleCert.crt -noout -text
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: fa:98:bb:ae:1e:19:4d:a3
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, ST=WA, L=Redmond, O=Oracle, OU=OCI, CN=*.example.org/emailAddress=rohit.rahi@oracle.com
            Validity
                Not Before: Jun 6 18:34:41 2018 GMT
                Not After : Jun 6 18:34:41 2019 GMT
            Subject: C=US, ST=WA, L=Redmond, O=Oracle, OU=OCI, CN=*.example.org/emailAddress=rohit.rahi@oracle.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:c0:63:f1:aa:d8:98:b1:01:0f:9f:fa:71:6a:9a:
                        f1:05:9d:d6:84:01:88:8d:51:6e:b5:d4:fa:5e:fb:
                        95:f7:ac:ed:07:11:bf:89:85:4b:39:70:71:9e:7e:
                        cd:ba:24:96:65:d9:41:69:d1:05:f7:1a:a2:43:29:
                        7a:6b:de:11:e7:2b:6f:95:ee:04:de:2b:23:b1:0b:
                        a6:a2:76:8f:40:42:50:1e:d8:2a:16:2c:d5:97:2b:

    The output file is ExampleCert.crt, so the same name must be used when dumping it (a lower-case exampleCert.crt fails on a case-sensitive file system). Note also that this is an X.509 v1 certificate with no subjectAltName extension; browsers match the host name against SAN, not CN, so a certificate produced this way only serves to exercise the listener.
  14. Setting up SSL, step 3: convert the certificate to PEM format.

    $ openssl x509 -in ExampleCert.crt -out ExampleCert.pem -outform PEM
  15. Setting up SSL, step 4: create an HTTPS listener on port 443 and attach the certificate (console screenshot).
  16. SSL settings (console screenshot)

  17. Pinning a Backend Server with Session Persistence (Using Session Persistence)
  18. Web session persistence uses cookie persistence: the FLB (HTTP/HTTPS listeners) keeps Client A and Client B on the backend each first reached by means of a cookie.
  19. Two kinds of cookie persistence: 1. load balancer cookie persistence: the FLB generates and inserts its own cookie, so the application does not need to set one; 2. application cookie persistence: the backend's own cookie is used, and the FLB adds its routing cookie alongside it (cookie + α). FLB, HTTP/HTTPS listeners.
  20. Load balancer cookie persistence flow (Client, Load Balancer, Backend Server): 1. the client sends a request; 2. the load balancer chooses a backend and forwards it; 3. the backend answers 200 OK and the load balancer adds Set-Cookie: X-Oracle-BMC-LBS-Route=yyy; 4. the client sends its next request with that cookie; 5. the load balancer routes it to the same backend. FLB, HTTP/HTTPS listeners.
  21. Application cookie persistence flow (Client, Load Balancer, Backend Server): 1. the client sends a request; 2. the backend answers 200 OK with Set-Cookie: sessionid=xxx; 3. the load balancer passes the application cookie through and adds its own, so the client receives Set-Cookie: sessionid=xxx and Set-Cookie: X-Oracle-BMC-LBS-Route=yyy; 4. the client sends both cookies; 5. the load balancer routes on X-Oracle-BMC-LBS-Route. The FLB therefore returns two cookies. FLB, HTTP/HTTPS listeners.
  22. FAQ. Q. What happens when the pinned backend becomes unavailable? With fallback enabled the request is sent to another backend; with fallback disabled the load balancer returns HTTP 502. Q. Which cookie name is used for application cookie persistence? The configured cookie name, or * (match-all cookie) to match any cookie set by the backend. FLB, HTTP/HTTPS listeners.
  23. FAQ. Q. Can the attributes of the load balancer's cookie be controlled? Yes: the FLB can set Expires, Max-Age, SameSite, Secure and HttpOnly on its own cookie. FLB, HTTP/HTTPS listeners.
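Added example (Python; not from the slides): a model of load balancer cookie persistence as described on slides 19–23, including the fallback behaviour from the FAQ on slide 22. The cookie name X-Oracle-BMC-LBS-Route is the one on the slides; the value format is an assumption (the slides do not describe it): an HMAC tag over the backend name, so the cookie never reveals backend addresses and a forged or stale value simply re-balances the request instead of steering it. The cookie attributes mirror the ones slide 23 says the FLB can set; the backend names and the round-robin choice are constructed for this example.

```python
import hashlib
import hmac
import secrets

ROUTE_COOKIE = "X-Oracle-BMC-LBS-Route"   # cookie name from slides 20-21


class StickyRouter:
    """Model of load balancer cookie persistence (slides 19-23).

    Assumption: the real FLB's cookie value format is not described on the
    slides; here it is an HMAC tag over the backend name, so the cookie never
    exposes a backend address and a forged or stale value is simply ignored.
    """

    def __init__(self, backends, disable_fallback=False, secret=None):
        self.backends = list(backends)             # constructed names, e.g. "be-1"
        self.healthy = set(self.backends)          # health-check state
        self.disable_fallback = disable_fallback   # slide 22: fallback on/off
        self._secret = secret or secrets.token_bytes(32)
        self._next = 0                             # round-robin cursor

    def _tag(self, backend: str) -> str:
        return hmac.new(self._secret, backend.encode(), hashlib.sha256).hexdigest()

    def _pinned_backend(self, cookie_value):
        """Map a routing cookie back to a backend; None if absent or tampered."""
        if not isinstance(cookie_value, str):
            return None
        for b in self.backends:
            if hmac.compare_digest(self._tag(b).encode(), cookie_value.encode()):
                return b
        return None

    def _choose(self):
        live = [b for b in self.backends if b in self.healthy]
        if not live:
            return None
        b = live[self._next % len(live)]
        self._next += 1
        return b

    def handle(self, cookies: dict):
        """One request. cookies: the request's cookies by name.

        Returns (status, backend, set_cookie); set_cookie is the header the
        load balancer adds to the response, None when the existing cookie stands.
        """
        pinned = self._pinned_backend(cookies.get(ROUTE_COOKIE))
        if pinned is not None and pinned in self.healthy:
            return 200, pinned, None                 # slide 20 step 5: same backend
        if pinned is not None and self.disable_fallback:
            return 502, None, None                   # slide 22: no fallback -> HTTP 502
        backend = self._choose()                     # first request, bad cookie, or fallback
        if backend is None:
            return 502, None, None                   # no healthy backend at all
        attrs = "; Path=/; Secure; HttpOnly; SameSite=Lax"   # attributes from slide 23
        return 200, backend, f"{ROUTE_COOKIE}={self._tag(backend)}{attrs}"
```

Setting Secure and HttpOnly on the routing cookie matters more than it looks: the value is a stable per-backend identifier, so without them it leaks over plain HTTP and is readable by injected script, which is enough to let an attacker choose which backend instance receives their traffic.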
  24. Persistence support by listener type: FLB HTTP/HTTPS listeners support cookie persistence; FLB TCP listeners and the NLB do not, since there are no HTTP cookies at Layer 4. The NLB instead offers source-IP based persistence (2-tuple hash). Diagram: clients 1.1.1.1, 2.2.2.2 and 3.3.3.3 behind a proxy all reach the NLB as 5.5.5.5 and therefore map to the same backend.
  25. Advanced Routing with Request Routing
  26. Request routing is a Layer 7 feature of FLB HTTP/HTTPS listeners (not available on FLB TCP listeners or the NLB). Three mechanisms: 1. virtual hostnames; 2. routing policies, introduced in March 2021, with conditions on the URI, HTTP headers and cookies (2'. the earlier path route sets, supported until 2022/3/24); 3. rule sets for HTTP(S).
  27. Virtual hostnames, pattern 1: one load balancer IP (xxx.xxx.xxx.xxx) with two listeners distinguished by IP + port + hostname: listener 1 (TCP/80) for www.example1.com → backend set 1, listener 2 (TCP/80) for www.example2.com → backend set 2. FLB, HTTP/HTTPS listeners.
  28. Virtual hostname forms: exact FQDN (e.g. app.example.com), leading wildcard (*.example.com), trailing wildcard (app.example.*), and catch-all. Limit shown on the slide: 16. FLB, HTTP/HTTPS listeners.
  29. Routing policies (pattern 2): a single listener (IP + port + hostname) routes to different backend sets by condition on the URL/URI, an HTTP header or a cookie. Example: listener (IP xxx.xxx.xxx.xxx, TCP/80); condition user-agent = mobile → backend set 1; path = /admin/ → backend set 2. FLB, HTTP/HTTPS listeners.
  30. Path route sets (pattern 2'), the earlier mechanism (until 2022/3/24, change notice [CN-64788]): one listener (IP xxx.xxx.xxx.xxx, port 80) routes by URI: /pages/ → backend set 1, /video/ → backend set 2. FLB, HTTP/HTTPS listeners.
  31. Path route set match types and the equivalent pattern: EXACT_MATCH: ^<path_string>$; FORCE_LONGEST_PREFIX_MATCH: <path_string>.*; PREFIX_MATCH: ^<path_string>.*; SUFFIX_MATCH: .*<path_string>$. (Pattern 2', until 2022/3/24.)
  32. Match precedence: 1. EXACT_MATCH; 2. FORCE_LONGEST_PREFIX_MATCH; 3. PREFIX_MATCH and SUFFIX_MATCH. (Pattern 2', until 2022/3/24.)
  33. Path route set limits shown on the slide: 20 rules per path route set, 1 path route set per listener. (Pattern 2', until 2022/3/24.)
  34. Combining virtual hostnames and URI routing: three backend sets A, B, C; listeners: foo.com → B, bar.com → C, default → A; path route rules applied on every listener: /biz → B, /baz → C. Result:

    URL                      backend set
    http://foo.com           B
    http://foo.com/biz       B
    http://foo.com/baz       C
    http://bar.com           C
    http://bar.com/biz       B
    http://bar.com/baz       C
    http://example.com       A
    http://example.com/biz   B
    http://example.com/baz   C
  35. Configuration example LB-APPS-1 (ipAddress = ip-1, name = foo-and-bar-LB; BackendSet[], Listeners[], PathRouteSet[]):

    Listener-default: port = 554, serverName = null, defaultBackendSet = foo-BES-1, certificate = foo-Certificate, PathRouteSet = PRS-1
    Listener-foo:     port = 443, serverName = *.foo.com, defaultBackendSet = foo-BES-1, certificate = foo-Certificate, PathRouteSet = null
    Listener-bar:     port = 443, serverName = *.bar.com, defaultBackendSet = bar-BES-1, certificate = foo-Certificate, PathRouteSet = PRS-1
    Certificates: foo-Certificate (CN = www.foo.com, SAN = *.foo.com); bar-Certificate (CN = www.bar.com, SAN = *.bar.com)
    Backend sets: foo-BES-1 (foo-Backends-1); bar-BES-1 (bar-Backends-1); bar-BES-2 (bar-Backends-2)
    PRS-1 (bar-path-route-rules), exact matches: /biz → bar-BES-1; /baz → bar-BES-2

    URL                      backend set
    http://example.com       foo-BES-1
    http://example.com/biz   bar-BES-1
    http://example.com/baz   bar-BES-2
    http://foo.com           foo-BES-1
    http://bar.com           bar-BES-1
    http://bar.com/baz       bar-BES-2
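Added example (Python; not from the slides): a model of the listener selection and path routing from slides 28 and 31–35, run against the LB-APPS-1 configuration above. Hostname forms, match-type semantics and precedence follow slides 28, 31 and 32. Two assumptions are made: named hostnames are tried before the catch-all listener, and, because the slide routes http://bar.com to bar-BES-1 under serverName *.bar.com, a leading wildcard also matches the bare domain. Ports and certificates are not modelled; note that Listener-bar as shown carries foo-Certificate (SAN *.foo.com), which would not validate for clients of *.bar.com, so check which certificate each HTTPS listener actually presents.

```python
from urllib.parse import urlsplit

EXACT_MATCH = "EXACT_MATCH"
FORCE_LONGEST_PREFIX_MATCH = "FORCE_LONGEST_PREFIX_MATCH"
PREFIX_MATCH = "PREFIX_MATCH"
SUFFIX_MATCH = "SUFFIX_MATCH"


def host_matches(host: str, pattern) -> bool:
    """Virtual hostname forms from slide 28; None is the catch-all listener.
    Assumption from the slide-35 table: a leading wildcard (*.bar.com) also
    matches the bare domain (bar.com)."""
    if pattern is None:
        return True
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def path_matches(path: str, rule_path: str, match_type: str) -> bool:
    """The four match types, with the meaning of the patterns on slide 31."""
    if match_type == EXACT_MATCH:                                  # ^<path>$
        return path == rule_path
    if match_type in (PREFIX_MATCH, FORCE_LONGEST_PREFIX_MATCH):   # ^<path>.*
        return path.startswith(rule_path)
    if match_type == SUFFIX_MATCH:                                 # .*<path>$
        return path.endswith(rule_path)
    raise ValueError("unknown match type: " + match_type)


def route_path(path: str, rules):
    """Slide 32 precedence: exact, then the longest forced prefix, then
    prefix/suffix rules in the order given. rules: (path, match_type, backend_set).
    Returns None when no rule matches."""
    for rule_path, match_type, bes in rules:
        if match_type == EXACT_MATCH and path_matches(path, rule_path, match_type):
            return bes
    forced = [(rule_path, bes) for rule_path, match_type, bes in rules
              if match_type == FORCE_LONGEST_PREFIX_MATCH
              and path_matches(path, rule_path, match_type)]
    if forced:
        return max(forced, key=lambda r: len(r[0]))[1]
    for rule_path, match_type, bes in rules:
        if match_type in (PREFIX_MATCH, SUFFIX_MATCH) and path_matches(path, rule_path, match_type):
            return bes
    return None


def resolve(url: str, listeners) -> str:
    """Listener by hostname (named hostnames before the catch-all; assumption),
    then backend set by the listener's path route set, else its default."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    ordered = ([l for l in listeners if l["hostname"] is not None]
               + [l for l in listeners if l["hostname"] is None])
    for listener in ordered:
        if host_matches(host, listener["hostname"]):
            return route_path(path, listener["path_rules"]) or listener["default_bes"]
    raise LookupError("no listener accepts host " + host)


# Slide 35 configuration; ports and certificates are not modelled.
PRS_1 = [("/biz", EXACT_MATCH, "bar-BES-1"), ("/baz", EXACT_MATCH, "bar-BES-2")]
LB_APPS_1 = [
    {"name": "Listener-foo", "hostname": "*.foo.com", "default_bes": "foo-BES-1", "path_rules": []},
    {"name": "Listener-bar", "hostname": "*.bar.com", "default_bes": "bar-BES-1", "path_rules": PRS_1},
    {"name": "Listener-default", "hostname": None, "default_bes": "foo-BES-1", "path_rules": PRS_1},
]

if __name__ == "__main__":
    for u in ("http://example.com/biz", "http://bar.com", "http://www.foo.com/biz"):
        print(u, "->", resolve(u, LB_APPS_1))
```

Because Listener-foo has no path route set, www.foo.com/biz stays on foo-BES-1 while example.com/biz goes to bar-BES-1 through the catch-all listener: the same path lands on different backend sets depending only on the Host header, which is worth remembering when an access control rule is meant to protect a path such as /admin/.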
  36. Rule sets (pattern 3) for FLB HTTP(S) listeners: access control by source IP; allowed HTTP methods (GET, HEAD, POST); URL redirects; URI routing rules; redirection from HTTP (80) to HTTPS (443) on an SSL listener; request header manipulation (add/remove); response header manipulation (add/remove), e.g. [x-xss-protection] and [x-content-type]; HTTP header size limit 8 KB by default, up to 64 KB.
  37. Header manipulation rules (limit shown on the slide: 50): remove the [Server] header so the web server type is not disclosed; add security headers such as [x-xss-protection] and [x-content-type]. FLB, HTTP/HTTPS listeners.
  38. Access control rules: restrict by source IP; restrict the allowed HTTP methods to GET, HEAD and POST. FLB, HTTP/HTTPS listeners.
  39. URL redirect rules: redirect HTTP requests to HTTPS. FLB, HTTP/HTTPS listeners.
  40. FAQ on cookies (FLB, HTTP/HTTPS listeners)
  41. Integration with WAF (Web Application Firewall) and Web Application Acceleration
  42. FLB and WAF inside the VCN: OCI Web Application Firewall is a Layer 7 WAF that protects web applications against DDoS, SQL injection and similar attacks; a WAF policy can be attached to a Flexible Load Balancer within the VCN, so traffic is inspected at the load balancer. Blog (2021/10/27): Announcing Oracle Cloud Infrastructure WAF Protection on Flexible Load Balancers. Pricing: WAF Instance $5 per instance per month; Requests $0.6 per 1,000,000 incoming requests per month.
  43. Web Application Acceleration (2022/6/15): HTTP response caching on the load balancer (objects up to 100 MB) and compression negotiated via Accept-Encoding; configured under [Network] in the console; the cacheStatus field in the access log shows HIT or MISS. https://blogs.oracle.com/oracle4engineer/post/ja-intro-waa
  44. Logging for Load Balancers
  45. Load balancer logs are collected by OCI Logging: two log types (access log and error log) for the FLB. ※ The NLB has no load balancer logs of its own; use VCN Flow Logs instead. OCI Logging includes 10 GB per month free.
  46. VCN Flow Logs (https://docs.oracle.com/ja-jp/iaas/Content/Network/Concepts/vcn_flow_logs.htm): enabled per VCN (or subnet / VNIC), they record accepted and rejected flows by source and destination IP and port. Sample records:

    ACCEPT TCP 172.21.2.185 Port 43360 → 129.146.13.236 Port 443 Bytes 10515 Packets 19
    ACCEPT TCP 129.146.13.236 Port 443 → 172.21.2.185 Port 43360 Bytes 5548 Packets 14
  47. VTAP (Virtual Test Access Point) (https://docs.oracle.com/ja-jp/iaas/Content/Network/Tasks/vtap.htm): mirrors traffic from a source such as an FLB to a target (an NLB in front of capture or IDS tools) for packet-level inspection.
  48. Metrics for Load Balancers
  49. Metric dimensions: availabilityDomain; backendSetName; lbComponent (Backendset / Listener / Loadbalancer); lbHostId (load balancer host ID); listenerName; region; resourceId (OCID). https://docs.oracle.com/ja-jp/iaas/Content/Balance/Reference/loadbalancermetrics.htm
  50. Metrics with lbComponent = LoadBalancer (https://docs.oracle.com/cd/E97706_01/Content/Balance/Reference/loadbalancermetrics.htm):

    Metric                      Display name                          Unit
    AcceptedConnections         Accepted Connections                  count
    AcceptedSSLHandshake        Accepted SSL Handshakes               count
    ActiveConnections           Active Connections                    count
    ActiveSSLConnections        Active SSL Connections                count
    BytesReceived               Bytes Received                        bytes
    BytesSent                   Bytes Sent                            bytes
    FailedSSLClientCertVerify   Failed Client SSL Cert Verifications  count
    FailedSSLHandshake          Failed SSL Handshakes                 count
    HandledConnections          Handled Connections                   count
    HttpRequests                Inbound Requests                      count
    PeakBandwidth               Peak Bandwidth                        MB/s
  51. Troubleshooting Guidelines
  52. Troubleshooting checklist (three areas, including the VCN configuration)
  53. Summary: the agenda topics revisited (client IP identification, SSL handling, WAF (Web Application Firewall) integration and the remaining sections).
  54. References: Load Balancer overview https://docs.oracle.com/ja-jp/iaas/Content/Balance/Concepts/balanceoverview.htm; Network Load Balancer overview https://docs.oracle.com/ja-jp/iaas/Content/NetworkLoadBalancer/overview.htm; tutorial on using a load balancer for web servers https://oracle-japan.github.io/ocitutorials/intermediates/using-load-balancer/
  55. Oracle Cloud Infrastructure documentation: https://docs.oracle.com/ja-jp/iaas/Content/home.htm (Japanese documentation); https://docs.cloud.oracle.com/iaas/api/ (API reference); https://docs.oracle.com/ja-jp/iaas/Content/General/Reference/aqswhitepapers.htm (white papers); https://docs.cloud.oracle.com/iaas/releasenotes/ (release notes); https://docs.oracle.com/ja-jp/iaas/Content/knownissues.htm (Known Issues); https://docs.oracle.com/ja-jp/iaas/Content/General/Reference/graphicsfordiagrams.htm (OCI icons for diagrams: PPT, SVG, Visio)
  56. Oracle Cloud Infrastructure resources: https://oracle-japan.github.io/ocidocs/ (Oracle Cloud Infrastructure technical material); https://oracle-japan.github.io/ocitutorials/ (tutorials); Oracle events https://www.oracle.com/search/events/ (Filter Locations -> Asia Pacific -> Japan); Oracle Cloud Infrastructure – General Forum https://cloudcustomerconnect.oracle.com/resources/9c8fa8f96f/summary
  57. Thank You