Picking the right Azure Load Balancing Solution

Captions
Hey everyone. In this video I want to really explore what is the right load balancing solution, or solutions, to use for my solutions, maybe only in Azure, maybe in Azure and on-premises as well. As always, if this is useful, a like, subscribe, comment and share is appreciated. Make sure you hit that bell to be notified when I post new videos.

Now, I could think about: I create some resource. Maybe it's a website, whatever that resource may be, and I could just have the one resource. But we have problems with that. We have problems around things like resiliency: what if it's unavailable because, hey, it's got planned maintenance and an upgrade of some sort of the app or the OS, or there's some unplanned problem, an app crash, an OS crash, a hardware failure? What if maybe I have users distributed geographically, so I want instances spread around? So what we typically will see is we have multiple instances of some service. That gives us the ability to scale, or even dynamically add and remove as we need based on the load. It gives us resiliency: if one fails, hey, there's others still available. And I could geographically distribute them. But as an end user I don't want to have to know about, hey, there's a bunch of different endpoints. So we use some kind of central endpoint they can share, a load balancer. So here we can put in a solution, and that solution has an endpoint that the user can go and talk to, and it will then distribute to those back ends, assuming they're available, which it can detect through some kind of health probing. Now there are scenarios where maybe you don't use this kind of load balancer and instead the user just gets told about all of the instances. Maybe it looks like a DNS entry and it gets lots of results, and it tries one, and then if it fails it goes and tries another one. Your machine with Active Directory works like that. But for most things we don't want that. We don't want the client to have to do the work; we want this kind of central endpoint.

Now, when I think about putting in a load balancing solution, the first step is you have to understand your application. So maybe my application has multiple tiers. Hey, maybe there's kind of a database tier, and most likely there's a database tier; there's kind of an active and a passive for most kind of relational databases. Then maybe there's some kind of middle tier element to it, and then maybe there's some kind of front end. So I have to understand these elements. Now most databases have their own kind of, maybe, different listeners; they might have different addresses they use so, hey, I'm going to go and talk to the active one automatically. Then the front ends need to know, okay, well, I'm going to go and talk to the middle tiers via this kind of load balancer, and then something has to come to the front ends and talk to those to balance them again. Now, is this private, i.e. within my network, or is this maybe public, it's coming from the internet? So I have to understand where that's coming from, and I have to think about, well, where are these things? Are they, for example, all sitting in Azure? Great, they're all within kind of this maybe one region. Well, what happens then if you split them over multiple regions? Hey, I have all the same kind of stuff: maybe I have kind of a passive copy over here and I've got kind of this asynchronous replication going on, but absolutely I have again a middle tier component, I have front end components, I have all of those same kind of solution parts. It's a bit more complicated. Hey, I'll go and do my writes over here, but maybe I can read from there potentially. But now I have to think about, well, how do I balance between these things? So I have to understand all of these elements: where is it coming from, where are they, are they kind of doing this geographical distribution, to make sure I'm addressing the right need when I think about my solutions that I'm actually going to create. So I have to really understand my app, and where I want my app, and where the components are, when I think about the right load balancing solution.

Now, I drew a few different types of things: hey, stuff coming maybe from the internet to front ends, and maybe inter-tier type communications. And we have to really understand what is the type of that communication. Now you'll often hear people talk about, with load balancers, layer 4 and layer 7. That's based on the old OSI model where we have these seven layers, but we really just care about four and seven, because I can really think about it that layer 7, this is really the application, and what that means to us is, well, is it HTTP based? Now that could also be HTTPS, it could be HTTP/2, the 2.0 kind of revision, the major new revision compared to the 1.1 we're used to. But are we dealing with HTTP, HTTPS, HTTP/2 type traffic? If not, then there's kind of other tiers. There's kind of a presentation tier, there's a session tier; again, I don't really care about any of these things. Then we get to layer 4. Now for layer 4 we're dealing with the transport, and the transport for what we care about is UDP or TCP. Now obviously there are others, there are other types of transport available, there's things like SCTP, but while they would work on an Azure virtual network, the load balancer solutions we're going to talk about do not support those things. So what we've really talked about is: is it UDP or TCP traffic? And then of course there's kind of layer 3. Layer 3 is just the network, i.e. for us, in a virtual network, it's IP, and that can often be kind of v4 or v6. And then underneath that you get kind of data link and physical; again, we don't see any of those things in Azure. What we see in Azure, a virtual network, is really that layer 3: we get an IP space, and on top of that IP we can use TCP, UDP, various other things. So we need to understand fundamentally which of these are we focusing on. Is this HTTP type traffic? Maybe I want to use a layer 7 solution. If it's not, it's just some other form of UDP or TCP, then I'm going to be using a layer 4 type solution. So that's what I really want to dive into now.

Then we have to think, well, are they all within one region, or are we distributing over multiple regions? And the way this works is there's a set of solutions we're going to use for within a region, i.e. intra-region, and then there are other solutions we can kind of lay on top if it's inter-region, i.e. I am balancing between regions. So we're going to start off looking at things within a region. So we have Azure Load Balancer and the Azure App Gateway. Now I'm focusing on the Azure solutions. There are others; there are network virtual appliances that essentially are pre-configured virtual machines that perform these types of functionalities as well. Historically they would still use an Azure Load Balancer in front of them to enable them to be resilient and maybe to scale, and with the new Azure Route Server maybe they don't have to use a load balancer anymore: they can use equal-cost multipathing, ECMP, and they can update the route table of the VNet, and it doesn't have to have a load balancer in front of it anymore. However, for now we're just going to focus on the Azure native solutions, but be aware obviously there are other solutions out there.

So let's work our way up. Let's kind of start with the layer 4 solution. So my layer 4 solution is going to be the Azure Load Balancer. So I can think about, okay, great, I have this Azure Load Balancer thing; so this is my Azure Load Balancer. Now the Azure Load Balancer supports both TCP and UDP, so this thing is a layer 4 solution. That's kind of the key point: it understands TCP and UDP. When we start talking about how it distributes traffic, it can understand the protocol; that's kind of a key point around it. Now it actually comes in two different SKUs. There's kind of a Basic SKU, and then there is this kind of higher Standard SKU, and we pay for the Standard offering; Basic is free. Now the Basic supports up to 300 instances on the back end. All of the VMs on the back end have to be in a single availability set or virtual machine scale set, so it's kind of limited in terms of what it has to support. The Basic is open by default, there's no concept of outbound rules, it has no SLA, it's free. But the Standard, this paid offering, well, it now supports the ability that this load balancer thing I create can either be zonal or zone redundant. Remember regions: when I think about an Azure region, well, an Azure region is actually made up, remember, of different physical facilities, and when those different physical facilities have independent cooling, power, communications, they're exposed as availability zones. So in my subscription, for a region that supports AZs, I see AZ 1, 2 and 3, and so we can then use those. So a zonal deployment means it's deployed to a specific AZ that I specify. If it's zone redundant, well, then it spans those zones automatically, so it's resilient against any individual zone having a problem. If I pick zonal, what I typically do is I deploy an instance to zone 1, 2 and 3, and I use something else to kind of balance between them. So that's the whole idea of using zonal or zone redundant. Well, my Standard SKU Azure Load Balancer can be zonal, or I can deploy it in that kind of zone-redundant way, so now I have that better flexibility. And likewise, because that can be zone redundant, it can also use a kind of a Standard public IP, which also can be zone redundant, so I can hook on the front end there. If I think about, yes, I have a front end resource going into this, that front end can either be private, i.e. an internal IP address from the virtual network, or it can be public. And again, if I'm using the Standard SKU, it can use a Standard public IP, which then can also be zonal or zone redundant, so I can kind of match that.

When I think about the back end of this Standard load balancer, I have a lot more flexibility. So yes, I can put NICs; the standard way we do this is kind of a VM NIC is what I can have as kind of those back ends. It's the NICs we add to kind of a back-end pool. Or the other nice thing we can do with Standard is it can actually be IP addresses now as well. So I can just point to kind of particular IP addresses, which could be VMs, but they could also now be things like containers. A container doesn't have its own NIC, but it does have an IP address, so I can now have this IP range option for my load balancer. An important point is an Azure Load Balancer is one or the other: it's private or public. It cannot have both a private and a public; it's only one of them. So I have that choice to make: hey, what is talking to this thing? If I went back to my kind of architecture here, most likely front ends talking to middle tiers, that's internal, so I'd use an internal load balancer here. If maybe I was fronting some service to the internet, it probably wants to be public facing, so I would pick that to match my requirements. So this is fantastic when I have that kind of layer 4, and I have a deep dive; if you go and look, I have an Azure Load Balancer deep dive, so I go through all of this specific detail. But the key part is the traffic comes in, it goes through kind of a hashing algorithm, and that hashing algorithm is based on kind of the five tuples. You can think about, well, there's kind of the source IP, the destination IP, the protocol (because remember it's layer 4, it knows if it's TCP or UDP), the source port and the destination port. So those five things by default it's using in that 5-tuple distribution. So if traffic is coming in from the same source, same port, same destination, same port, same protocol, it will always go to the same back end set member. Now sometimes, maybe, hey, do you know what, the port is going to change, so there's also the option to do a 3-tuple where the ports can change, and I can also pick a 2-tuple where even the protocol could change. Now as long as the source and destination is the same, it'll always go to the same back end set member. So I have those options.

Now a key point of this solution is these all have to be in the same VNet as the load balancer, which means it's in one location. Likewise the load balancer itself is zonal or zone redundant, but it's contained within one particular region. It's using health probes to check they're available; it will only return healthy ones. But that's fundamentally what I'm getting there. One little point: when I put things behind a load balancer, it's going to use the load balancer for its outbound traffic as well. There's a few little caveats you have to think about. If it's an internal Standard load balancer, how's it going to get to the public internet? So there's things to consider there. But the Azure Load Balancer: fantastic. I can have VM NICs behind it, I can have IP ranges behind it, it can be zone redundant or zonal, private facing or public (it's one or the other), I can have multiple front-end configurations, I can have multiple back-end pools, but it's only of one type: everything is either internal or it's all public. So that's great, that's kind of that layer 4.

What about if, when I'm looking at my workload, it's actually HTTP? And if it's HTTP, maybe I want some different stuff. And this 5-tuple thing, I'm more interested in cookies and the session type affinity to go to the back end. Maybe I'm doing SSL; I want to kind of offload some of that work. Maybe I want to direct it based on the full path, which this has zero clue about; the path is sort of higher up in the stack, i.e. savilltech.net/something, I want to route based on that. Maybe I want to redirect from HTTP to HTTPS, use different listeners. So there's different things I might want to do if it's this HTTP type traffic, so I need a richer solution. So if I think richer solution, that's Azure App Gateway. So App Gateway here; see if I can remember to draw the icon correctly, there we go. If I do the App Gateway solution, so App Gateway is all about layer 7. It is all about HTTP, and again HTTPS and HTTP/2; it's kind of those things are all supported through that layer 7.

So this now is my Azure App Gateway solution, so it's now focusing on that HTTP, HTTPS. Now there are Basic SKUs, there are Standard SKUs; once again there are different SKUs of this thing that affect both the pricing and actually the functionality as well. There's kind of actually this Standard v2, which is what I'm going to focus on here. The other thing I can add to this is a web application firewall. Now I guess I should have pointed out that Standard v2 has things like autoscale based on load. It also, so this Standard offering here, now I can once again kind of do zonal deployments, I can do those zone redundant deployments, so it adds those kind of nice features. I'll do that in the same color just so we remember these are kind of Standard features; it's kind of giving me that capability. With that, because it's doing HTTP, I can also do things like SSL termination. As the request comes in it can actually crack that open, look inside, and then forward it on, and it can encrypt it again, so I can have end-to-end encryption. But one of the nice things I can actually do with this solution (let's move that out of the way a little bit) is, because I can do that SSL termination, I can actually add things like the web application firewall with this solution. So web application firewall is all about that Open Web Application Security Project; there's a core rule set that helps me detect things like SQL injection attacks, cross-site scripting and much more. There's different versions of these, but I get a much richer set of functionality, as I talked about, with all those different URL rewrites and path-based routing and redirects, all of these great things. Now when I think about the front end of this, this is public, whether I use WAF or not, or public plus private, i.e. I cannot do a private-only version of Azure App Gateway; it does not support that today. And once again it has that kind of front end configuration. This is all going to seem very, very familiar. Once again it's going to have kind of a back-end pool, the things it can point to, and it can point to a lot. So I can point to things like virtual machines, I can point to things like a virtual machine scale set, I can point to things like App Services, now I can even just point to IP addresses, I can just point to fully qualified domain names. So those things could actually be in other locations: they could be on premises, I could have site-to-site VPN or ExpressRoute, or they could just be a public endpoint. If this is a public IP, technically it could point to that thing. And again it's using those kind of health probes. It actually even works with AKS pods because it has an ingress controller to help manage kind of those connections and the various routing. So I can have all of these different things that could then respond to that traffic. But the key point here is all of this is still within a region. This Azure App Gateway, even if it's zone redundant, is still contained in one region. The request comes in, it uses round robin to kind of distribute, and then it will send it to one of those.

Those are really my options. So typically within a region I'm going to kind of look, and if it's layer 7, especially if it's public facing, I'm probably going to use App Gateway. If it's not, then I'm probably going to use the Azure Load Balancer. Now if it was internal and it was HTTPS, I still might use the load balancer here, because maybe I don't care about path rewriting and path-based redirection and cracking open the SSL and doing all that stuff. I might not need that, I don't care about that, I just want this kind of to go through. So I have choices. But pretty much, if this was public facing, I thought I'd want things like the web application firewall, I probably want to use some of those redirection capabilities, this is probably the place I'm going to go. And of course across both of these, if they're public endpoints, there's still things like the Azure distributed denial of service protection that we have, and there's the Standard version of that to help protect against DDoS type attacks. Also remember we have layers of the solution, remember, so different parts depending on the different layer I want.

So that's great within a region: load balancer or App Gateway. What about now if I have maybe stamps of that solution in different Azure regions? How do I do that? How do I kind of balance between those? And there's actually a bunch of different solutions. We can layer things on top. I'm actually going to stay up here, but kind of the layer 7. So if it's the layer 7, I can think about, hey, I have multiple services that are available offering web-based stuff. So I'm staying up here, I'm still focusing on my kind of HTTP, again HTTPS, HTTP/2, whatever that might be; I'm focusing again on my layer 7. So what we're going to do now is it's Azure Front Door. And once again I have kind of a deep dive video on Azure Front Door, and it covers Traffic Manager as well in the same video, so go and check that out if you want the details. But Azure Front Door is a layer 7 global load balancing solution. If I think about Microsoft has this huge backbone network that kind of spans the world, and then connected to that global network we have kind of lots of Azure regions. Now in those Azure regions I might have instances of my service; maybe I've kind of got my kind of App Gateways locally in the region, it could be a load balancer as well, but I have kind of instances of a service that are public facing. They have to be public facing. And then also off of this great big Microsoft network there's a whole bunch of edge locations, points of presence; they're the same ones used by the Microsoft content delivery network. And what Azure Front Door is, it creates an anycast address for the service, and what the anycast means is, so it's this anycast IP, and that anycast IP is essentially available at any of these points of presence; that same IP address is kind of made available through any of them. So now if I'm a user and I'm here, it also does something called split TCP. So the first thing is I'm going to go to whichever point location is closest to me, and what it does is it establishes kind of the TCP connection with me, then it establishes the SSL, the TLS, with me, all to that local point. So it's very fast; it's not having to go over here to do the TCP and the kind of TLS establishment. Then I send some requests for some data. At this point it goes to whichever one is closest and available, again health probing, it gets a big chunk of data from whatever back-end service (remember this is essentially redirecting to) and then it serves up that in small chunks over here as the response. So it's doing that split TCP, and it can cache it. It can add in things like web application firewall again on this solution. I can do SSL offload, I can do cookie based affinity, there's URL redirect, URL rewrite; it's gonna sound familiar, layer 7, very similar to what App Gateway can do. And one of the core things here is the back ends, yes, pretty much can be anything in Azure, but it could actually also be, hey, I have maybe some on-premises thing that's got some public facing; that could actually be part of the Azure Front Door targets as well. I could actually target something that I'm hosting as well. Now there are different versions of Azure Front Door. We're kind of now in this v2 world of Azure Front Door that has, is it Standard and Premium. It's really bringing together content delivery network for static content, Front Door for dynamic content, and then the Premium adds things like the web application firewall. If we quickly looked at the comparison of the tiers, you can just kind of see over here, hey, it's telling you, hey, we're combining the CDN, the Front Door and the WAF into this new Standard and Premium, and it really tells you the differences. So I can see things like, hey, the WAF is all of these things already focused, well most; there's a few yeses in there, but those for sure are part of the Premium, and then kind of those security reports. So we have these different options, and again I have that kind of deeper dive video around that. But really the key point for this is the Azure Front Door is designed around those, again, layer 7 HTTP workloads. That's all it works with: HTTP, HTTPS, HTTP/2. And then it can, using that split TCP, that anycast, it's going to optimize your performance and it's going to speed up, it's going to cache it, add security. Phenomenal solution.

Okay, so what if it's not HTTP, HTTPS, it's something else? So then we come back into our kind of layer 4 world again. And if I was doing this previously, a few months ago, I would have been talking about Azure Traffic Manager, which I'm going to talk about in a second, but we actually now have this new solution, the Azure Global Load Balancer, and I actually just released a video on this two days ago, so that's the deep dive, go and check that out. But fundamentally this is layer 4, so it's talking about that, again, TCP and UDP; it doesn't care about anything above that. And the way this is really working is, again, you can think about that great big global network, and once again we have these kind of regions hanging off of that global network. Now what I have to have is, within each region, I want to use, remember, I have to have a Standard load balancer that is public. That's the key point: the back end of the Global Load Balancer are instances of the Standard Azure Load Balancer with a public endpoint. So let's say I've got it in these two regions; I have Standard load balancers, each of them have their own public endpoint. Now additionally there are other regions, remember; there's all these other regions as well scattered around. Now I'm drawing this from a logical perspective. I can think about, now I can create this global Standard load balancer that for the front end has a global Standard public IP. Now these have to live in a specific home region, but if that region was unavailable they still carry on working, and they're actually serviced by a whole bunch of other regions. But the back end set at the global, you guessed it, are the regional Standard load balancers. So when I use this thing, it's actually going to redirect to whichever one is closest to the user. So again, if I was over here, hey, I would kind of talk maybe there, or whatever, I would go to this version of it. Now there are only certain regions participating. So if we look at the documentation here, it shows us the ultra low latency; these are the regions we can actually create a Global Load Balancer and a global public IP. If you try and create it in another region it won't work. But again, if the home region goes down, don't worry, it's not going to affect it. And then we can actually see, hey, these are all the regions that participate in actually having, again, that anycast. So that global public IP essentially becomes an anycast IP. So this public IP, once again, this IP1 for example, IP1 is available here, IP1 is available here, IP1, it's anycasting that; it's available through all of those different regions to actually get to it. And one of the great things about this is this traffic coming in, it is pass-through, and why that's nice, what that really means is this has a client IP; that client IP will be seen by those back end services. It's not getting abstracted away. This global public IP, you kind of own that; it's in your subscription. Whereas your Front Door, it's just part of the service; you don't have absolute control over that. And I kind of have one of these. Again, if you look at my Global Load Balancer deep dive I go into detail, but, hey, my load balancers: you can see I created regional ones. This is just a regular regional load balancer. It has a public front end and I had two VMs in it. And I created a Global Load Balancer, and you can see the back-end pool of this are my two regional Standard load balancers. So now if I actually went to this in kind of any way, let's actually just copy that address over here. So if we go and look at it, so that's the public IP. If we just went to that IP address (stop clicking it), if I just went to that, now quickly it goes to my Standard load balancer in South Central because that's where I'm physically closest to. So that's really what that Global Load Balancer is doing. It's just now available throughout all these different regions. But now, hey, fantastic, I can access it globally throughout the world, but again it has to be public facing. Both Front Door and the Azure Global Load Balancer are public facing, not internal, and the resources have to be public facing.

There is a third solution here, and this is currently in preview. I should be very careful about that: this is in preview right now. So the other solution is, well, it's Azure Traffic Manager. Now Azure Traffic Manager is a DNS solution. Essentially it adds a name, and then it will resolve that depending on whatever kind of routing criteria I give it. So once again I could think about, hey, there's a whole bunch of different, maybe, Azure regions, but it could just as easily be, hey, I've got some on-premises thing over here; it really doesn't matter. But there's some kind of public IP, public name, so once again it's public only. That's kind of the key thing with all of these. So there's public, and what I create in Azure is a Traffic Manager instance. So this is going to be somename.trafficmanager.net, which I give it endpoints, so it points to that, it can point to that, it can point to that. Now I never, ever want to share that name with anything, so I would actually create an alias. So in my home DNS, like savilltech.net, I can create an alias, which is a CNAME record that resolves to that name. So that's a CNAME, i.e. an alias. So what happens now is me as a user, let's say I'm sitting over here at my computer and I want to go to www.savilltech.net. So I make a query to my DNS server. My DNS server then does a recursive lookup to find out, well, it will get that record and kind of send that response. Now some of the challenges of this approach is the time to live. These records have a time to live. If that then went down, well, that record maybe lasted for a minute, so I will carry on talking to the dead one for a period of time. I have to wait for that TTL to expire before I'll actually go and look at a different one. And once again we can kind of see this. So I did create a little Traffic Manager that points to the same back ends. So this time if I go home and I look at my Traffic Manager, you can see I created savilltm, so its name is savilltm.trafficmanager.net. If I just go to that, there, it went to South Central. What I actually created was an alias record, so I can go www.tm.savilltech.net, which goes to, it went to the other one. If we actually did an nslookup www.tm.savilltech.net, you'll see it's just an alias too. So there's my TM, which resolves to savilltm.trafficmanager.net, which actually resolved to the public name of one of them. So I can see those kind of three levels bouncing around. And just zoom in for a second so you can see, hey, I've got my alias that I used, which actually resolves to my Traffic Manager name, which actually then Traffic Manager resolved to my load balancer in one of my regions. So there are kind of different configurations you can do. In my case I'm using performance, which is going to be based on the DNS latency of the lookup, use the one closest to me, but there are weighted, priority, geographic, subnet based. And my endpoints are just those two public, but again I could really add Azure endpoints, external endpoints, nested endpoints; I have a lot of flexibility in actually what I can do with that. So those are really my solutions there.

Now notice all of those global solutions are based on public. None of those would work for an internal balance between different Azure regions. There are third-party NVAs that can do that kind of internal balancing, but today there is no native Azure solution, so you have to go look at the NVAs to do that. But that's kind of the summary. So I think about within a region, hey, I can use the load balancer, the Azure Load Balancer, public or private, or I could, if it was HTTP based, I could use Azure App Gateway, which adds a bunch of features because it understands HTTP; it can do all those offloads and rewrites. Between regions, if it was HTTP, I'm probably going to use Front Door; in preview, if it wasn't HTTP, I could maybe use the Azure Global Load Balancer, or a DNS based solution.

That was a huge amount of stuff. The good news is there's actually something to help. If we go back over to the portal, if I go home, if I look up load balancer, you'll actually see there's this "Load balancing - help me choose". Well, that's very generous of it. So we can see that nice solution here. So if I select that, firstly I can do a service comparison. Now it does not show me Azure Global Load Balancer yet; once it goes out of preview, that would then be included. But I can see, okay, so App Gateway, oh yeah, HTTP, HTTPS, HTTP/2, same as Front Door; okay, load balancer is TCP, UDP. Does it support private load balancing? Okay, yeah, I can with load balancer and App Gateway. Or is it global? Okay, well, that's Front Door and Traffic Manager. How does it route, what's the supported environment? So load balancer is Azure only; App Gateway and Front Door and Traffic Manager, as I showed, kind of any of them. One of the nice things about App Gateway is it can do connection draining: hey, I can actually say stop sending traffic to this box because I want to do some maintenance around it. It talks about, hey, session affinity, all these different things I can just quickly see. I can see the security options. So WAF available for Front Door and App Gateway, network security groups for, well, just a regular load balancer, Traffic Manager none of them because it's the DNS solution. But even beyond that there were tutorials to help me. But then it will help me choose: hey, what am I trying to do? Does your application use HTTP, HTTPS? Yes it does. So right now it's showing me four options. Yes, it's HTTP, HTTPS; well, now it's going to strip them down. We're going to throw Azure Load Balancer out the door. Okay, is it public facing? Yes. Is it deployed in multiple regions? Well, yes. Do you want performance acceleration? Remember, that's the thing that Front Door does, because that's split TCP and the caching. Do you want SSL offload? And they're saying, okay, well, your solution should be Front Door and App Gateway. I could go back and I could change some of my answers; if I say no, it's probably going to use Traffic Manager instead, oh, let's just say, I was just saying Front Door on these. But basically you go through and you answer the questions, and based on that it will advise you on, hey, what is the best solution. So it's a great way to actually go and see it, and again it links to all of the solutions within this one kind of area here on the left, so I can actually go and see all of my various things that I actually have in the environment. So it's really bringing it all together, making it simpler for me.

So understand your application. Again, I would say if it was internal, and maybe I'm trying to balance from the front end to this middle tier, and maybe it was RESTful, you may not use App Gateway; you may still use something like an internal Azure Load Balancer there. But understand the options, and, yeah, chances are, especially if you're multi-region, you're going to layer them. You're going to use one of these for within the region, and then layer one of these on top of it for that sort of global balancing between them, assuming it's public facing. So that was it. I hope it was useful. Until next time, take care.
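An illustrative model, added here and not code from the video or from Microsoft, of what the 5-tuple, 3-tuple and 2-tuple distribution modes and the health probes described above for the Azure Load Balancer mean for which back-end pool member a flow lands on, and why SCTP is rejected. The SHA-256-modulo selection, the class and member names and the sample addresses are this example's assumptions; Azure's real hashing algorithm is not modelled.

```python
"""Illustrative model of Azure Load Balancer-style layer 4 distribution.

Constructed example: a SHA-256 hash over the flow tuple picks a healthy
back-end pool member. This is NOT Microsoft's actual hashing algorithm,
only a way to see what the 5-tuple, 3-tuple and 2-tuple distribution
modes and health probes mean for which member a given flow reaches.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Affinity(Enum):
    """Which parts of the flow feed the hash (names are this example's)."""
    FIVE_TUPLE = 5   # default: src IP, src port, dst IP, dst port, protocol
    THREE_TUPLE = 3  # src IP, dst IP, protocol: ports may change
    TWO_TUPLE = 2    # src IP, dst IP: ports and protocol may change


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str  # "tcp" or "udp" only; other transports are not balanced


@dataclass
class Backend:
    name: str
    healthy: bool = True  # last health probe result


class RegionalLoadBalancer:
    """One regional, layer 4 load balancer with a single back-end pool."""

    SUPPORTED_PROTOCOLS = {"tcp", "udp"}

    def __init__(self, pool, affinity=Affinity.FIVE_TUPLE):
        self.pool = list(pool)
        self.affinity = affinity

    def probe(self, name, healthy):
        """Record a health probe result for one pool member."""
        for member in self.pool:
            if member.name == name:
                member.healthy = healthy
                return
        raise KeyError(name)

    def hash_key(self, flow):
        """Build the tuple the configured distribution mode hashes."""
        if flow.protocol not in self.SUPPORTED_PROTOCOLS:
            raise ValueError(f"unsupported transport: {flow.protocol}")
        if self.affinity is Affinity.FIVE_TUPLE:
            parts = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port, flow.protocol)
        elif self.affinity is Affinity.THREE_TUPLE:
            parts = (flow.src_ip, flow.dst_ip, flow.protocol)
        else:
            parts = (flow.src_ip, flow.dst_ip)
        return "|".join(str(p) for p in parts)

    def select(self, flow):
        """Return the healthy member this flow maps to, or None if none is healthy."""
        healthy = [m for m in self.pool if m.healthy]
        if not healthy:
            return None
        digest = hashlib.sha256(self.hash_key(flow).encode()).digest()
        # Modulo over the healthy members only: a member that failed its probe
        # never receives traffic, so in this model a probe failure can re-home flows.
        return healthy[int.from_bytes(digest[:8], "big") % len(healthy)]


def spread(lb, flows):
    """Count how many flows land on each member (key None = no healthy member)."""
    return Counter(m.name if m else None for m in map(lb.select, flows))


def source_port_sweep(lb, client_ip, ports, dst_ip="10.0.1.4", dst_port=443, proto="tcp"):
    """Same client, many ephemeral source ports: shows what each mode keys on."""
    return spread(lb, [Flow(client_ip, p, dst_ip, dst_port, proto) for p in ports])


if __name__ == "__main__":
    pool = [Backend("vm1"), Backend("vm2"), Backend("vm3")]  # constructed pool
    ports = range(49152, 49252)
    for mode in Affinity:
        lb = RegionalLoadBalancer(pool, mode)
        print(mode.name, dict(source_port_sweep(lb, "10.0.0.7", ports)))
    lb = RegionalLoadBalancer(pool)
    lb.probe("vm2", healthy=False)
    print("after vm2 failed its probe:", dict(source_port_sweep(lb, "10.0.0.7", ports)))
```

Running the module prints how 100 source ports from one client spread across the pool in each mode (only the 5-tuple mode spreads them), then again after vm2 fails its probe.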
Info
Channel: John Savill's Technical Training
Views: 6,741
Rating: 4.9874606 out of 5
Keywords: azure, azure cloud, azure networking, azure front door, azure load balancer, azure app gateway, azure traffic manager, load balancing
Id: s1H2HpSJ-cg
Length: 42min 27sec (2547 seconds)
Published: Thu Apr 22 2021