10 Reasons Why You Should Think About Using an AWS Application Load Balancer

This article is a translation of "10 Reasons Why You Should Think About Using an AWS Application Load Balancer". It explains ten key reasons to consider an Application Load Balancer in an AWS environment.

In this blog post, I would like to share 10 points that can be achieved with an AWS Application Load Balancer. These cannot be achieved, or are limited, in a classic setup with an Elastic Load Balancer or an NGINX proxy.

What is an Application Load Balancer (ALB)

Unlike the classic load balancer or network load balancer, the ALB works on layer 7 of the OSI model. This allows it to inspect the traffic at the application level instead of IP and port. It makes it possible to define more complex rules and to address different services via subdomains and path-based routes.

I would like to dispel the myth that most people automatically associate with the term load balancer:

A load balancer does not necessarily need two or more instances to be beneficial! Even a setup with only one instance and one load balancer can save costs and bring additional benefits, depending on the application.

Seven of the ten points below also apply to an architecture in which only a single instance or service is connected to the Application Load Balancer.

  1. High Availability*
  2. Automatic Failover*
  3. SSL Termination
  4. Monitoring
  5. Access Logs
  6. Dual Stack IPv6 Integration
  7. HTTP/2 and websockets integration
  8. Service Distribution*
  9. Security (DDoS, WAF, AWS Shield)
  10. API Control

*) only applies to setups with at least two instances/services

1) High Availability

One of the most important tasks of a load balancer is the distribution of traffic to different endpoints. High availability is achieved by ensuring that, if there is more than one endpoint, the request is always routed to a reachable endpoint. To achieve the highest possible level of availability even in the event of a major outage, the endpoints are located in two or more Availability Zones.

2) Automatic Failover

Using metrics and watchdogs, the ALB can detect whether individual endpoints are no longer functioning properly and automatically fail over to another endpoint.

3) SSL Termination

One of the most interesting features of the ALB is the possibility of SSL termination. This brings some significant advantages, which lead to a considerable cost saving in small environments and to a massive saving in maintenance effort in large environments. Instead of creating your own certificates or buying expensive wildcard certificates, certificates can be obtained quickly, easily, and free of charge from the ACM. Because AWS operates its own root CA, these certificates are widely trusted. Creating and renewing certificates takes only a few steps, and the result is immediately applied to the load balancer. This eliminates the time-consuming rollout, installation, and maintenance of new certificates on many endpoints. Independently of this, your own certificates can of course also be imported into the ACM.

Related content: AWS Certificate Manager

4) Health Monitoring

The ALB offers different metrics to display and evaluate latencies, HTTP status codes, number of requests, etc. This allows you to analyze the load distribution over specific periods, peaks, and other problems, and it eliminates the need to analyze log files to generate visual insights. The metrics are available almost in real time.

Example: CloudWatch metrics of an Application Load Balancer


5) Access Logs

In addition to the metrics, the complete access logs of the load balancer can be exported to S3 and evaluated there. They can be used in conjunction with machine learning models to identify and evaluate attacks, exploits, or unauthorized access. In a normal setup without a load balancer, it would be necessary to activate logging for the specific ports and services on the instance and export the logs via an agent.

Example: Log files automatically exported to S3


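The access logs delivered to S3 follow AWS's documented field layout for ALB entries (the field order below is taken from that documentation, not from this post). As an added example that is not part of the original post, the following Python parses constructed log lines and flags two things a defender looks for in them: a client collecting many 4xx responses, and 5xx responses where no target answered at all. The load balancer name, account id and ARNs are placeholders.

```python
import shlex
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# First 17 fields of an ALB access-log entry, in AWS's documented order (later
# fields such as trace id, domain name, cert ARN and rule priority are not needed here).
FIELDS = ("type", "time", "elb", "client", "target", "req_t", "tgt_t", "resp_t",
          "elb_status", "target_status", "recv_bytes", "sent_bytes", "request",
          "user_agent", "ssl_cipher", "ssl_proto", "target_group_arn")

def _sample(time, client, target, elb, tgt, path, tgt_t="0.012"):
    """Constructed log line (not real traffic) laid out like a real ALB entry."""
    return (f'https {time} app/demo-alb/0123456789abcdef {client}:51234 {target} '
            f'0.001 {tgt_t} 0.000 {elb} {tgt} 120 512 '
            f'"GET https://shop.example.com:443{path} HTTP/1.1" "curl/8.0" '
            f'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:'
            f'eu-central-1:123456789012:targetgroup/shop/0123456789abcdef '
            f'"Root=1-0-0" "shop.example.com" "arn:aws:acm:eu-central-1:123456789012:'
            f'certificate/PLACEHOLDER" 1 {time} "forward" "-" "-" "{target}" "{tgt}" "-" "-"')

SAMPLE_LINES = [  # constructed: a normal client, a client collecting 404s, one target outage
    _sample("2024-05-01T10:00:00.000000Z", "203.0.113.10", "10.0.1.20:8080", 200, 200, "/"),
    _sample("2024-05-01T10:00:01.000000Z", "198.51.100.7", "10.0.1.20:8080", 404, 404, "/p1"),
    _sample("2024-05-01T10:00:01.100000Z", "198.51.100.7", "10.0.1.20:8080", 404, 404, "/p2"),
    _sample("2024-05-01T10:00:01.200000Z", "198.51.100.7", "10.0.1.20:8080", 404, 404, "/p3"),
    _sample("2024-05-01T10:00:01.300000Z", "198.51.100.7", "10.0.1.20:8080", 404, 404, "/p4"),
    _sample("2024-05-01T10:00:02.000000Z", "203.0.113.10", "-", 502, "-", "/checkout", "-1"),
]

def parse_line(line):
    """Split one access-log line into a dict; shlex keeps the quoted fields intact."""
    entry = dict(zip(FIELDS, shlex.split(line)))
    entry["client_ip"] = entry["client"].rsplit(":", 1)[0]
    entry["path"] = urlsplit(entry["request"].split(" ")[1]).path
    return entry

def analyze(lines, max_4xx=3):
    """Return (probing_clients, target_failures): client IPs with more than max_4xx
    4xx responses, and (time, path, code) for 5xx answers where no target responded."""
    by_client = defaultdict(Counter)
    failures = []
    for e in map(parse_line, lines):
        code = int(e["elb_status"])
        by_client[e["client_ip"]][code // 100] += 1
        if code >= 500 and e["target_status"] == "-":  # '-' means the ALB got no target reply
            failures.append((e["time"], e["path"], code))
    probing = sorted(ip for ip, c in by_client.items() if c[4] > max_4xx)
    return probing, failures
```

On real exports, feed the lines of the gzip-decompressed objects from the S3 log prefix to `analyze`; the thresholds are a starting point, not a tuned detection.
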
6) Dual Stack IPv6 integration

Endpoints, applications, and services that previously only had IPv4 support are now externally accessible as dual stack IPv4 and IPv6. In dual stack mode the ALB receives requests over IPv4 and IPv6 and connects internally to the endpoints over IPv4. Since many applications still have only an experimental IPv6 implementation, or older existing systems have to be integrated, this is a simple and effective way to make them uniformly accessible via IPv6.

7) HTTP/2 and websockets integration

HTTP/2 brings some important advantages over the older HTTP/1.1 protocol. As with IPv6, some applications still do not support HTTP/2. Depending on the application, using HTTP/2 can lead to an enormous increase in speed. With HTTP/1.1, a separate connection is established to request each page element (CSS, JS, images) and the transmission is done in uncompressed format. Because of the maximum number of open connections or browser restrictions, long loading times and latencies can occur. With HTTP/2, multiple streams are transmitted in parallel over one connection and the transmission is in binary format. In addition, the Application Load Balancer provides bi-directional communication channels between a client and a server over a long-running TCP connection using WebSockets.

8) Service Distribution

Behind an ALB, different instances and services can be addressed based on rules such as subdomains or paths. Thus it is possible to connect different services to a single ALB in a highly available way. It does not matter whether the endpoint is an EC2 instance, an API Gateway, a REST API, or an on-premises instance. In this way, highly complex configurations can be realized with only one Application Load Balancer. Time-consuming configuration and maintenance of DNS servers is not necessary, because the load balancer can take over the distribution of requests for different subdomains.

Example: routing by subdomain rules

Example: routing by path rules

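The subdomain and path rules described above are evaluated in a fixed order: rules are checked by ascending priority number, the first rule whose conditions all match forwards the request, and otherwise the listener's default action applies. The following Python, an added example that is not part of the original post, simulates that order with the ALB wildcard semantics (`*` matches any run of characters, `?` exactly one; host-header matching is case-insensitive, path-pattern matching is case-sensitive and ignores the query string); the listener, rule and target-group names are assumed.

```python
import re
from dataclasses import dataclass, field

def _wildcard(pattern, ignore_case):
    """ALB condition wildcards: '*' is zero or more characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{regex}$", re.IGNORECASE if ignore_case else 0)

@dataclass
class Rule:
    priority: int        # rules are evaluated from the lowest priority number upwards
    target_group: str    # forward action target
    hosts: list = field(default_factory=list)  # host-header values, any may match (OR)
    paths: list = field(default_factory=list)  # path-pattern values, any may match (OR)

    def matches(self, host, path):
        # Every condition present on the rule must hold (AND); an absent condition is ignored.
        host_ok = not self.hosts or any(_wildcard(h, True).match(host) for h in self.hosts)
        path_ok = not self.paths or any(_wildcard(p, False).match(path) for p in self.paths)
        return host_ok and path_ok

class Listener:
    def __init__(self, default_target_group, rules):
        self.default = default_target_group
        self.rules = sorted(rules, key=lambda r: r.priority)

    def route(self, host, path):
        """Target group of the first matching rule, or the default action if none matches."""
        path = path.split("?", 1)[0]  # path-pattern conditions never see the query string
        for rule in self.rules:
            if rule.matches(host, path):
                return rule.target_group
        return self.default

# Constructed listener (names assumed) mirroring the post's subdomain and path examples.
# Rules are deliberately listed out of order: the priority number, not list order, decides.
LISTENER = Listener("tg-frontend", [
    Rule(30, "tg-admin", hosts=["*.example.com"], paths=["/admin", "/admin/*"]),
    Rule(10, "tg-api", hosts=["api.example.com"]),
    Rule(20, "tg-images", paths=["/img/*", "/static/*.png"]),
])

def route(host, path):
    """Which target group the constructed listener forwards a request to."""
    return LISTENER.route(host, path)
```

Note that `api.example.com/admin` lands on `tg-api`, not `tg-admin`, because priority 10 wins; a review of rule priorities is part of checking that an admin path is only reachable where intended.
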
9) Security

A major advantage is that the ALB is a proxy between the user and the instance, so the instance is not exposed to the Internet without protection. Possible exploits or open ports cannot be discovered via port scanning. The instance itself can also be located in a private subnet. An ALB is also less susceptible to DDoS attacks such as SYN floods than a typical web server. In case of an attack, the monitoring and logging of the ALB allow faster countermeasures to be taken.

In addition to the fine-grained settings via Security Groups, AWS's specialised services such as the Web Application Firewall (WAF) and AWS Shield are also available to defend against large DDoS attacks.

Example: DDoS-resilient reference architecture

Related content: Web Application Firewall for Application Load Balancers; AWS Shield

10) API control

The ALB can be set up quickly and easily via the AWS console. In addition, all functions can be controlled and changed via the API using the AWS SDKs. This provides many possibilities to configure the running load balancer. Adding subdomains, path-based routes, or new endpoints can be automated and implemented within a CI/CD pipeline.

Related content: AWS SDK. Example: Node.js class ELBv2

Costs

The costs of the application load balancer are determined on the basis of two cost factors:

  • Application Load Balancer-hour (or partial hour)
  • LCU-hour (or partial hour)

While hourly usage is easy to determine (usually 24 hours/day), LCU units are somewhat more complex and are calculated using the following criteria:

  • New connections
  • Active connections
  • Processed bytes
  • Rule evaluations

For an application load balancer in idle or low load, the costs are about 20 USD per month, depending on the region.

To understand and calculate the costs (especially LCU) I recommend the following calculator: Application Load Balancer Pricing

Conclusion

A load balancer is essential in production environments with highly available architectures. Many AWS services automatically provision a pre-configured load balancer without the need, or the possibility, to configure it. For your own applications running on EC2 instances, or for different services that should be accessible via a central endpoint, using an ALB according to the criteria mentioned above makes sense. There is also no taboo against cascading several load balancers, one after another. This is often the case, for example, when a load balancer in a private subnet connects a highly available application and cannot be reached from outside. A higher-level ALB in a public subnet can then reach the highly available application via the load balancer in the private subnet. The ALB scales automatically, and AWS ensures that the underlying resources are adjusted to demand. Therefore you should never refer to the IP addresses of the ALB but always use its unique DNS name; the IP addresses of the ALB can change due to internal autoscaling or configuration changes.

These 10 use cases and examples for the use of an Application Load Balancer are only a rough overview to show the versatile possibilities of a load balancer. For the effective and meaningful integration of an Application Load Balancer, the existing architecture must be identified and analyzed. Since the subsequent integration of a load balancer means that instances and endpoints previously accessible from the outside are now operated in a private subnet or with restrictive firewall rules, integrating an Application Load Balancer immediately increases security.

Translated from: https://medium.com/ankercloud-engineering/10-reasons-why-you-should-think-about-using-an-aws-application-loadbalancer-945f57816c34