OCI技術資料 : ロード・バランサー詳細 / Load Balancer 200

ロード・バランサ詳細
Load Balancer Level 200
Oracle Cloud Infrastructure
2023 1

View Slide

https://oracle-japan.github.io/ocidocs/services/networking/load-balancer-100/
• OCI 1 VCN
• OCI (FLB)
(NLB) 2
• – TCP, HTTP/1.0, HTTP/1.1, HTTP/2, WebSocket
• SSL SSL SSL
• FLB 7
•
• ( IP )
•
• TCP ( 4) HTTP ( 7)
Copyright © 2022, Oracle and/or its affiliates
2

View Slide

•
• IP
• SSL SSL
•
•
• WAF(Web Application Firewall) Web
•
•
•
3

View Slide

4
タイムアウトとキープ・アライブ設定

View Slide

FLB
5
clients Load Balancer
Backend
Servers
HTTP message/
TCP segment
HTTP 200
3way handshake
3way handshake
Fin/ACK
GET
HTTP message/
TCP segment
HTTP message/
TCP segment
GET
HTTP 200
HTTP message/
TCP segment
Fin/ACK
= 65 10,000 ( )
(C)
(C')
( )
= TCP : 300 , 7200
= HTTP : 60 , 7200
(A)
(A')
(B) (B')
= 300 ( )
(D)
(D')
( )
= 310
(E)
(E')
(A)
(A')
(D')
(D)
(C)
(C') (E')
(E)
(A-A') receive timer
(B-B') send timer
(B)
(B')
https://docs.oracle.com/ja-jp/iaas/Content/Balance/Reference/connectionreuse.htm

View Slide

65 FLB FIN TCP
1 0.000000000 10.0.1.25 -> 10.0.2.228 TCP 74 43744 > http [SYN] Seq=0 Win=65340 Len=0
MSS=1485 SACK_PERM=1 TSval=3551202664 TSecr=0 WS=128
2 0.002493772 10.0.2.228 -> 10.0.1.25 TCP 74 http > 43744 [SYN, ACK] Seq=0 Ack=1 Win=26844
Len=0 MSS=8960 SACK_PERM=1 TSval=4158075881 TSecr=3551202664 WS=1024
3 0.000013286 10.0.1.25 -> 10.0.2.228 TCP 66 43744 > http [ACK] Seq=1 Ack=1 Win=65408 Len=0
TSval=3551202667 TSecr=4158075881
( )
13 0.000005690 10.0.1.25 -> 10.0.2.228 TCP 66 43744 > http [ACK] Seq=241 Ack=1663 Win=64128
Len=0 TSval=3551202681 TSecr=4158075896
14 65.001322203 10.0.2.228 -> 10.0.1.25 TCP 66 http > 43744 [FIN, ACK] Seq=1663 Ack=241
Win=27648 Len=0 TSval=4158140891 TSecr=3551202681
15 0.040574411 10.0.1.25 -> 10.0.2.228 TCP 66 43744 > http [ACK] Seq=241 Ack=1664 Win=64128
Len=0 TSval=3551267723 TSecr=4158140891
16 40.054097462 10.0.1.25 -> 10.0.2.228 TCP 66 43744 > http [FIN, ACK] Seq=241 Ack=1664
Win=64128 Len=0 TSval=3551307777 TSecr=4158140891
17 0.001380630 10.0.2.228 -> 10.0.1.25 TCP 66 http > 43744 [ACK] Seq=1664 Ack=242 Win=27648
Len=0 TSval=4158180983 TSecr=3551307777
– FLB
6
3-way handshake
65
FIN LB->

View Slide

7
バックエンド・サーバーでの
クライアントのIPアドレスの識別

View Slide

IP
IP
IP …
• HTTP HTTP X-Forwarded-
• TCP
IP
IP
8
: 1.1.1.1
: 192.168.1.2
Src 1.1.1.1
Dst 2.2.2.2
VIP : 2.2.2.2
192.168.1.254
Src 192.168.1.254
Dst 192.168.1.2
Src 192.168.1.2
Dst 192.168.1.254
Src 2.2.2.2
Dst 1.1.1.1
X-Forwarded-For
IP
IP
X-Forwarded-Host
X-Forwarded-Port
X-Forwarded-Proto
X-Real-IP X-Forwarded-For IP

View Slide

9
SSL通信への対応
SSL Handling

View Slide

3 SSL
10
SSL • SSL
•
• SSL
• Web
• FLB HTTPS
SSL • SSL SSL
•
• SSL
• FLB HTTPS
SSL
• SSL
SSL
• SSL
• FLB TCP NLB
HTTPS
( )
HTTP
( )
HTTPS
( )
HTTPS
( )
HTTPS( )

View Slide

OCI (Certificates)
11
OCI SSL (FLB)
→ OCI
OCI (OCI Certificates Service)
• (Certificate) (CA) CA
• CA/ /CA
•
•
•

View Slide

SSL
12

View Slide

RSA
(CSR)
SSL - 1. (CSR)
13
$ openssl req -new -key MyKey.key -out MyCSR.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:WA
Locality Name (eg, city) []:Redmond
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Oracle
Organizational Unit Name (eg, section) []:OCI
Common Name (e.g. server FQDN or YOUR name) []:*.example.org
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ openssl genrsa -out MyKey.key 2048
Generating RSA private key, 2048 bit long modulus
.........................+++
.....................+++
e is 65537 (0x10001)

View Slide

SSL - 2.
14
$ openssl x509 -req -days 365 -in MyCSR.csr -signkey MyKey.key -out ExampleCert.crt
Signature ok
subject=/C=US/ST=WA/L=Redmond/O=Oracle/OU=OCI/CN=*.example.org/[email protected]
Getting Private key
$ openssl x509 -in exampleCert.crt -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
fa:98:bb:ae:1e:19:4d:a3
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=WA, L=Redmond, O=Oracle, OU=OCI, CN=*.example.org/[email protected]
Validity
Not Before: Jun 6 18:34:41 2018 GMT
Not After : Jun 6 18:34:41 2019 GMT
Subject: C=US, ST=WA, L=Redmond, O=Oracle, OU=OCI, CN=*.example.org/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c0:63:f1:aa:d8:98:b1:01:0f:9f:fa:71:6a:9a:
f1:05:9d:d6:84:01:88:8d:51:6e:b5:d4:fa:5e:fb:
95:f7:ac:ed:07:11:bf:89:85:4b:39:70:71:9e:7e:
cd:ba:24:96:65:d9:41:69:d1:05:f7:1a:a2:43:29:
7a:6b:de:11:e7:2b:6f:95:ee:04:de:2b:23:b1:0b:
a6:a2:76:8f:40:42:50:1e:d8:2a:16:2c:d5:97:2b:

View Slide

PEM
SSL - 3.
15
$ openssl x509 -in ExampleCert.crt -out ExampleCert.pem -outform PEM

View Slide

SSL - 4. 443
16

View Slide

SSL
17
※

View Slide

18
セッション永続性機能を利⽤した
バックエンド・サーバーの固定
Using Session Persistence

View Slide

Web
:
Cookie Cookie persistence
※Cookie
19
Cookie
Client A
Client B
cookie
Client A
Client B
FLB HTTP/HTTPS

View Slide

Cookie 2
1. Cookie
• Cookie
• Cookie
OK
2. Cookie
• Cookie
•
• Cookie
Cookie(+α)
Cookie Cookie
FLB HTTP/HTTPS
20

View Slide

Cookie
Cookie
Client Load Balancer Backend Server
1
2
200 OK
3
200 OK
Set-cookie:X-Oracle-BMC-LBS-Route=yyy
4
5
1.
2.
3.
X-Oracle-BMC-LBS-Route
Cookie
4. Cookie
5. Cookie
FLB HTTP/HTTPS
21

View Slide

Cookie
Cookie
Client Load Balancer Backend Server
1
2
200 OK
Set-cookie: sessionid=xxx
3
200 OK
Set-cookie:sessionid=xxx
4
5
Set-cookie:sessionid=xxx
1.
2. Set-cookie
Cookie
3.
Cookie
Cookie+
X-Oracle-BMC-LBS-Route
Cookie
4. Cookie
5. Cookie
: FLB X-Oracle-VMC-
LBS-Route Cookie
2 Cookie
FLB HTTP/HTTPS
22

View Slide

Q. ?
• (Fallback)
• :
• : HTTP 502
Q. ?
• cookie(match-all cookie)
• cookie Cookie
• Cookie ( ) (
)
FAQ
23
FLB HTTP/HTTPS

View Slide

Q. ?
• Cookie
• Cookie
• Cookie
Q. Cookie ?
• FLB Cookie
• Cookie
Cookie FLB Cookie
• Cookie : Expires, Max-Age, SameSite, Secure, HTTP-Only
• : FLB Cookie
FLB
FAQ
24
FLB HTTP/HTTPS

View Slide

Cookie
- (FLB) HTTP/HTTPS
× - (FLB) TCP
× - (NLB)
Cookie HTTP Cookie FLB HTTP(S)
Cookie IP (FLB) 2 (NLB)
IP( )
Cookie
25
Proxy
1.1.1.1 2.2.2.2 3.3.3.3
1.1.1.1 2.2.2.2 3.3.3.3
5.5.5.5
NLB 2 FLB TCP
IP

View Slide

26
リクエスト・ルーティングを⽤いた
⾼度なルーティング
Request Routing

View Slide

• IP
• FLB HTTP HTTPS
• : 7
• FLB TCP NLB
• 3
1. -
2. URI Cookie
• 2021 3 ( )
3. - HTTP(S)
27
FLB HTTP/HTTPS

View Slide

(IP : xxx.xxx.xxx.xxx)
1
2
(IP + + )
• 1 IP
• 1
• 1
• 1
– 1.
1 (TCP/80)
2 (TCP/80)
www.example1.com
www.example2.com
FLB HTTP/HTTPS
28

View Slide

• FQDN (e.g. app.example.com)
• (*.example.com)
• (app.example.*)
(Catch-all)
• ※
•
• 16
• 16
– 1.
29
FLB HTTP/HTTPS

View Slide

– 2.
1 (IP + + )
• 縮
• URL URI( )
• HTTP
• Cookie
• 1
• 1
• 1
(TCP/80)
1
2
1
user-agent = mobile
2
= /admin/
FLB HTTP/HTTPS
30

View Slide

(Port : 80)
1
2
2022/3/24 [CN-64788]
1 (IP + + )
URI
URI
• 1
• 1
• 1
– 2'. (~2022/3/24)
1
/pages/
2
/video/
FLB HTTP/HTTPS
31

View Slide

• (EXACT_MATCH)
• URI : ^$
• (FORCE_LONGEST_PREFIX_MATCH)
• URI : .*
• (PREFIX_MATCH)
• URI : ^.*
• (SUFFIX_MATCH)
• URI : .*$
– 2'. (~2022/3/24)
32
FLB HTTP/HTTPS

View Slide

1. (EXACT_MATCH)
2.
(FORCE_LONGEST_PREFIX_MATCH)
3. (PREFIX_MATCH)
(SUFFIX_MATCH)
– 2'. (~2022/3/24)
33
FLB HTTP/HTTPS

View Slide

• 20
• 1
– 2'. (~2022/3/24)
34
FLB HTTP/HTTPS

View Slide

URI Cookie
: 1 A B C 3 A
•
• foo.com → B
• bar.com → C
• URI
• /biz → B ( )
• /baz → C ( )
35
URL
http://foo.com B
http://foo.com/biz B
http://foo.com/baz C
http://bar.com C
http://bar.com/biz B
http://bar.com/baz C
http://example.com A
http://example.com/biz B
http://example.com/baz C
FLB HTTP/HTTPS

View Slide

LB-APPS-1
ipAddress = ip-1
name = foo-and-bar-LB
BackendSet[[]
Listeners[]
PathRouteSet[]
Listener-default
port = 554
serverName = null
defaultBackendSet = foo.BES-1
certificate = foo-Certificate
PathRouteSet = PRS-1
Listener-foo
port = 443
serverName = *.foo.com
defaultBackendSet = foo.BES-1
PathRouteSet = null
Listener-bar
port = 443
serverName = *.bar.com
defaultBackendSet = bar.BES-1
PathRouteSet = PRS-1
foo-Certificate
CN = www.foo.com
SAN = *.foo.com
bar-Certificate
CN = www.bar.com
SAN = *.bar.com
foo-BES-1
[] – foo-Backends-1
bar-BES-1
[] – bar-Backends-1
bar-BES-2
[] – bar-Backends-2
PRS-1
[] – bar-path-route-rules
Exact Matches
/biz à bar-BES-1
/baz à bar-BES-2
URL
http://example.com foo-BES-1
http://example.com/biz bar-BES-1
http://example.com/baz bar-BES-2
http://foo.com foo-BES-1
http://bar.com bar-BES-1
http://bar.com/baz bar-BES-2
FLB HTTP/HTTPS
36

View Slide

HTTP(S)
• IP
• GET HEAD POST HTTP
URL
• URI HTTP
URI
• HTTP(80)
HTTPS(443) SSL
•
HTTP ( )
•
• HTTP
( )
• [x-xss-protection] [x-
content-type]
HTTP
• HTTP 8KB
64KB
• . _
– 3.
FLB HTTP/HTTPS
37

View Slide

HTTP
50
•
• [Server]
• Web
• [x-xss-protection] [x-content-type]
FLB HTTP/HTTPS
38

View Slide

•
• IP
• GET HEAD POST HTTP
FLB HTTP/HTTPS
39

View Slide

URL
HTTP URL
• HTTP HTTPS
FLB HTTP/HTTPS
40

View Slide

?
• Cookie
• Cookie
• Cookie
FAQ
41
FLB HTTP/HTTPS

View Slide

42
WAF(Web Application Firewall)、
Webアプリケーション・アクセラレーションとの連携

View Slide

FLB WAF VCN
• OCI Web Application Firewall WAF L7 DDOS
SQL Web
• VCN / WAF
• VCN
WAF
• Blog Announcing Oracle Cloud Infrastructure WAF Protection on Flexible Load Balancers
• WAF
Web Application Firewall
43
2021/10/27
OCI
VCN
DRG
WAF WAF
Product Price Metric
Instance $5 Instance Per Month
Requests $0.6
1,000,000 Incoming
Requests Per Month

View Slide

HTTP
• 100MB
• Accept-Encoding
•
[Network] Web Application Acceleration
44
2022/6/15
“cacheStatus”
HIT
MISS
https://blogs.oracle.com/oracle4engineer/post/ja-intro-waa

View Slide

45
ロード・バランサのロギング
Logging for Load Balancers

View Slide

(NLB) OCI
• 2
•
•
※ (NLB) /
• /
• OCI
( : 10GB/ )
/ OCI
46
Logging
VCN
Flow Logs
OCI

View Slide

https://docs.oracle.com/ja-jp/iaas/Content/Network/Concepts/vcn_flow_logs.htm
VCN
OCI
• VCN (or VCN )
→
• NIC IP
• OCI
IP
VTAP
VCN ( )
ACCEPT TCP 172.21.2.185 Port 43360 → 129.146.13.236 Port 443 Bytes 10515 Packets 19
ACCEPT TCP 129.146.13.236 Port 443 → 172.21.2.185 Port 43360 Bytes 5548 Packets 14
VCN
47
VCN
Flow Logs

View Slide

https://docs.oracle.com/ja-jp/iaas/Content/Network/Tasks/vtap.htm
(FLB) VTAP
(Virtual Test Access Point)
(NLB)
•
( )
• IDS
•
FLB VTAP
VTAP (Virtual Test Access Point)
48
( )

View Slide

49
ロード・バランサのメトリック
Metrics for Load Balancers

View Slide

OCI (FLB, NLB)
OCI
•
•
• OCI
• OCI Events
•
→ OCI OCI
2
50

View Slide

https://docs.oracle.com/ja-jp/iaas/Content/Balance/Reference/loadbalancermetrics.htm
OCI ( : oci_lbaas) 3 (lbComonent)
• lbComponent = loadbalancer
• SSL (11 )
• lbComponent = listener
• HTTP (HTTP ) (8 )
• lbComponent = backendset
•
HTTP (HTTP ) (19 )
: Load Balancer
51

View Slide

2
lbHostId
(PeakBandwidth)
lbHostId=ae41d2132 lbHostId=f6d9d18 2
lbHostId
( grouping().sum())
MQL
PeakBandwidth[1m]{resourceId="ocid1…"}.grouping().s
um()
Tips : lbHostId
52

View Slide

PeakBandwidth[1m]{lbName=""}.grouping().sum()
LBHOST
(UnHealthyBackendServers[1m].mean() > 0).groupBy(backendSetName).mean() > 0.5
5 HTTP 200 95%
HttpResponses200[5m]{lbname=""}.groupBy(listenerName).sum() /
HttpResponses[5m]{lbname=""}.groupBy(listenerName).sum() < 0.95
53

View Slide

54
トラブル時の対応ガイドライン
Troubleshooting Guidelines

View Slide

• 3
• [ ] [ ]
•
•
•
•
•
•
• VCN
•
55

View Slide

•
• IP
• SSL SSL
•
•
• WAF(Web Application Firewall) Web
•
•
•
56

View Slide

–
• https://docs.oracle.com/ja-jp/iaas/Content/Balance/Concepts/balanceoverview.htm
–
• https://docs.oracle.com/ja-jp/iaas/Content/NetworkLoadBalancer/overview.htm
– Web
• https://oracle-japan.github.io/ocitutorials/intermediates/using-load-balancer/
57

View Slide

• https://docs.oracle.com/ja-jp/iaas/Content/home.htm - ( )
• https://docs.cloud.oracle.com/iaas/api/ - API
• https://docs.oracle.com/ja-jp/iaas/Content/General/Reference/aqswhitepapers.htm -
• https://docs.cloud.oracle.com/iaas/releasenotes/ -
• https://docs.oracle.com/ja-jp/iaas/Content/knownissues.htm - (Known Issues)
• https://docs.oracle.com/ja-jp/iaas/Content/General/Reference/graphicsfordiagrams.htm - OCI
(PPT SVG Visio )
58

View Slide

• https://oracle-japan.github.io/ocidocs/
- Oracle Cloud Infrastructure
• https://oracle-japan.github.io/ocitutorials/
Oracle
• https://www.oracle.com/search/events/
( Filter Locations -> Asia Pacific -> Japan )
Oracle Cloud Infrastructure – General Forum ( )
• https://cloudcustomerconnect.oracle.com/resources/9c8fa8f96f/summary
59

View Slide

Thank You
60

View Slide

View Slide

OCI技術資料 : ロード・バランサー詳細 / Load Balancer 200

OCI技術資料 : ロード・バランサー詳細 / Load Balancer 200

Oracle Cloud Infrastructure ソリューション・エンジニア

More Decks by Oracle Cloud Infrastructure ソリューション・エンジニア

Other Decks in Technology

Featured

Transcript

OCI技術資料 : ロード・バランサー 詳細 / Load Balancer 200

OCI技術資料 : ロード・バランサー 詳細 / Load Balancer 200

Oracle Cloud Infrastructure ソリューション・エンジニア

More Decks by Oracle Cloud Infrastructure ソリューション・エンジニア

Other Decks in Technology

Featured

Transcript

OCI技術資料 : ロード・バランサー詳細 / Load Balancer 200

OCI技術資料 : ロード・バランサー詳細 / Load Balancer 200