WP Deep Dive on Load Balancing | Imperva

Deep Dive on Load Balancing

Load balancing is one of several cloud website services Incapsula offers. With Incapsula Load Balancer, there is no up-front hardware investment to make — you can choose how, when, and why to balance the load of your incoming network requests through the Incapsula dashboard. And if you already have load balancers in your configuration, you can use Incapsula to balance loads on your existing load balancers, giving you many additional configuration possibilities. In this article we look at load balancing topologies and will follow up with an article covering failover and site monitoring.

Load balancing is often a solution for more than one problem, and Incapsula provides many different configurations to boost website performance and security. Here’s how load balancing can help drive your company’s applications:

  • High performance – Automatically make sure every network request is serviced by a host server with adequate capacity, by routing each request to one of multiple available servers.
  • Robust health monitoring and failure protection – Automatically keep services available when one or more of your servers or your primary Internet service provider becomes unavailable, by routing requests to servers that are viable at the moment of a request.
  • High availability and disaster protection – Automatically keep services available when your entire data center becomes unavailable, by routing requests to a data center that is available, perhaps in another geographic location that you’ve chosen specifically in case of disaster at your primary data center.
  • Content targeting or localization – Automatically route requests from specific geographic locations to hosts or services that provide information that you’ve customized for those locations — either special offers for local users or content in the local language.
  • Regulatory compliance – Automatically route requests from particular geographic locations to servers in corresponding locations to comply with local regulations, particularly with regard to applications that capture individually identifiable information or protected health information.
  • Visibility and control – Verify that your traffic is properly balanced among available servers and data centers, and make necessary adjustments immediately by using the Incapsula dashboard.

Our layer 7 HTTP/HTTPS-based load balancing service applies load balancing algorithms before any requests reach your data centers, providing true global server load balancing that overrides the limitations of DNS-based alternatives. A significant benefit of upstream load balancing is that, because only Incapsula IP addresses are used to access your servers, ISP and DNS caching issues disappear, so re-routing and failover occur instantaneously. To understand why, see Introducing the First True Layer 7 Global and Local Load Balancer.

Load Balancing Topologies

Incapsula load balancing supports all in-data center and cross-data center topologies. You configure your topology in the Origin Servers page of the Management Console. The options available to you depend on your current Incapsula plan. You can upgrade your plan to support any number of data centers and servers.

Single origin server

Single Origin Server is the default setting that is established when you initially add your site as an Incapsula user under any plan. With a single origin server, no load balancing or failover is available. When your server is unavailable, your site is unavailable.

A single origin server accepts requests when a server is available.

A single origin server rejects requests when a server is unavailable.

Multiple Origin Servers, Single Data Center

If you have two or more servers to balance loads within a single data center, on the Origin Servers page, select Multiple Origin Servers (Single Data Center). You can then choose among the following topologies to suit your situation.

  • All active – In this topology, all servers you add to Incapsula are set to Active Server. The Incapsula load balancing system expects all servers to be active at all times and attempts to route requests to them using the load balancing algorithm you select. If a server becomes unavailable, Incapsula stops routing requests to it. When it again becomes available, Incapsula automatically resumes routing traffic to it.

Load balancing occurs among multiple origin servers that are all active and available.

Load balancing occurs among the active servers when some of the multiple origin servers are unavailable.

  • Active/standby (single ISP) – In this topology, you designate one set of servers as your active servers, and another set of servers as your standby servers. Incapsula treats these two banks of servers in an all-or-nothing algorithm, routing requests only to the set of active servers as long as at least one active server is available. If no active servers are available, Incapsula routes all requests to the set of standby servers. When at least one of your active servers becomes available again, Incapsula resumes routing traffic only to the active servers.

With a single ISP, when multiple origin servers are active or on standby, standby servers are not used.

With a single ISP, when multiple origin servers are active or on standby, standby servers are used only when all active servers are unavailable.

  • Active/standby (two ISPs) – In this topology, you have two Internet service providers — a primary ISP and a standby ISP. The standby ISP is used only in the event your primary ISP becomes unavailable. You configure each server in the data center with two IP addresses — one for the primary ISP and one for the standby ISP. If the primary ISP becomes unavailable, Incapsula automatically routes traffic to your servers through the standby ISP by using the standby IP addresses.

With multiple origin servers that are active or on standby using two ISPs, active IP addresses are used when the primary ISP is available.

With multiple origin servers that are active or on standby using two ISPs, standby IP addresses are used when the primary ISP is unavailable.

Multiple Data Centers and Global Load Balancing

If you have two or more data centers to balance loads, on the Origin Servers page, select Multi DC. You can then choose among the following load balancing modes:

  • Best connection time – To maximize performance, Incapsula monitors average connection times between each Incapsula global data center (PoP) and each of your enrolled data centers, and routes requests to the data center that currently has the shortest connection time.

With multiple data centers for performance where all data centers are available, the data center with the best connection time handles each request.

With multiple data centers for performance where some data centers are unavailable, the available data center with the best connection time handles each request.

  • Geo-targeting required – To comply with regulations requiring you to provide services from a specific location, this mode directs requests from a specified geographical area to a specific data center. If the data center becomes unavailable, Incapsula does not re-route this traffic and the requests fail.

With multiple data centers for compliance, requests are accepted when the targeted data center is available.

With multiple data centers for compliance, requests are rejected when the targeted data center is unavailable.

  • Geo-targeting preferred – This mode directs requests from a specified geographical area to a specific data center. If the data center becomes unavailable, Incapsula re-routes this traffic to another active data center by applying the Best Connection Time algorithm. You’d typically use this mode when providing targeted content based on the geographical location of requests.

With multiple data centers for targeted content, requests are accepted by the targeted data center when it is available.

With multiple data centers for targeted content, requests are routed to the available data center with the best connection time when the targeted data center is unavailable.

  • Standby data center – This mode normally directs all traffic to the set of data centers that you have designated as Active. If all active data centers become unavailable, the standby data center becomes active. Incapsula provides a Standby DC Kickstart URL setting that can initialize the standby data center, if needed.

With multiple data centers that have a standby data center, active data centers accept all traffic when any active data centers are available.

With multiple data centers that have a standby data center, the standby data center accepts traffic only when all active data centers are unavailable.
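
The four multi-data-center modes above differ mainly in what happens when the targeted data center is down; the Python sketch below is an added example, not Incapsula code, that models the decision for a single request. The `DataCenter` fields, mode strings and sample names are hypothetical, and it assumes that a region with no geo rule falls back to best connection time and that active data centers in standby mode are ranked by connection time.

```python
from dataclasses import dataclass

@dataclass
class DataCenter:
    name: str
    connect_ms: float          # average connection time seen from this PoP
    up: bool = True
    standby: bool = False      # consulted by "standby" mode only
    regions: tuple = ()        # client regions pinned here by a geo rule

def fastest(dcs):
    """Available data center with the shortest connection time, or None."""
    up = [d for d in dcs if d.up]
    return min(up, key=lambda d: d.connect_ms) if up else None

def route(dcs, mode, region=""):
    """Return the data center for one request; None means the request fails."""
    if mode in ("geo_required", "geo_preferred"):
        target = next((d for d in dcs if region in d.regions), None)
        if target is not None and target.up:
            return target
        if target is not None and mode == "geo_required":
            return None        # fail closed: pinned traffic is never re-routed
        # geo_preferred with the target down (or, by assumption, no rule for
        # this region): fall back to best connection time
        return fastest(dcs)
    if mode == "standby":
        # Assumption: active data centers are ranked by connection time
        active = [d for d in dcs if not d.standby]
        return fastest(active) or fastest([d for d in dcs if d.standby])
    return fastest(dcs)        # "best_connection_time"

if __name__ == "__main__":
    # Constructed sample topology
    dcs = [DataCenter("eu-frankfurt", 40.0, regions=("EU",)),
           DataCenter("us-east", 25.0, regions=("US",))]
    dcs[0].up = False          # simulate an outage of the EU data center
    for mode in ("geo_required", "geo_preferred"):
        chosen = route(dcs, mode, "EU")
        print(mode, "->", chosen.name if chosen else "request fails")
```

With the EU data center down, the required mode fails the request rather than serving EU clients from another location, while the preferred mode trades that guarantee for availability.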

Single or Multiple Public IP Addresses

With any topology, each of your origin servers or data centers can operate with either of two traffic routing modes:

  • Multiple public IP addresses – Each origin server has its own public IP address. This is the default setting.
  • Single public IP address with port offsets – Only the site’s edge device (router, firewall, or hardware load balancer) has a public IP address, and each origin server is mapped to a different port. You must set up your edge device with NAT configuration to route port allocations to your origin servers. For detailed information on configuring port forwarding on specific edge devices, see Port Forwarding Configuration.

In-data Center Load Distribution

Within a single data center, you can configure the Mode setting under Load Balancing Attributes to distribute requests to origin servers based on any of the following criteria.

  • Source IP hash – Packets are routed to a specific origin server according to a hash of the request’s IP address, without regard to server load. Most origin servers implement independent session state; because clients are always connected to the same server, they automatically maintain a connection with the same origin server throughout a session. Incapsula load balancing algorithms evaluate origin server availability prior to allocating packets. Within large server arrays, load is distributed fairly well.
  • Random – Each request is routed randomly to one of the origin servers, without regard to current server load. Random assignment is the most basic type of load balancing and the option that is most often used. Incapsula load balancing algorithms evaluate origin server availability prior to routing any requests. Within large server arrays, load is balanced fairly well, but with smaller sites, random load balancing might not be optimal.
  • Least open connections – Each request is routed to the origin server with the fewest open TCP connections. This algorithm is better than the previous two options for balancing the load between different destination IP addresses, because it takes into account the actual load of the different origin servers when making routing decisions.
  • Least pending requests – Each request is routed to the origin server with the fewest pending HTTP requests. This algorithm takes into account the impact of pending requests on load, which is more accurate than routing based on number of open connections.

Least pending requests is the default and recommended load balancing algorithm. It is the only algorithm available if you have a single data center with multiple origin servers set to All Active and you have not purchased the Load Balancer add-on. With a multiple data center topology, each server you add has its own load distribution setting.

Persistence

Some web applications require an origin server to maintain a persistent session state with each client that connects, for example, when doing transactional processing such as a shopping cart or banking session. Of all the load balancing modes, only Source IP hash automatically maintains session state (if the origin servers implement independent session state). For other situations, you can select the Persistence check box under Load Balancing Attributes to make sure each user session is served by a single origin server. When Persistence is enabled, Incapsula applies the load balancing algorithm only to the first request of each user session. Following that, Incapsula maintains the user session continuity by setting a dedicated session cookie in the client’s browser.

All Incapsula algorithms support session stickiness, as users have the option to select the “Persistence” checkbox under Multiple origin servers (single data center) or in multiple data centers.
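
The single-data-center behaviour described under Active/standby, In-data Center Load Distribution and Persistence can be combined into one selection routine; the Python sketch below is an added example, not Incapsula code. The `Server` fields, mode strings and server names are hypothetical, the cookie value is simply the server name (the page does not describe the real cookie format), and a cookie that names an unavailable server is assumed to be ignored.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    role: str                  # "active" or "standby"
    up: bool = True
    pending: int = 0           # pending HTTP requests

def eligible_pool(servers):
    """All-or-nothing: standby servers serve only when no active server is up."""
    active = [s for s in servers if s.role == "active" and s.up]
    return active or [s for s in servers if s.role == "standby" and s.up]

def pick_server(servers, client_ip, mode="least_pending", cookie=None):
    """Return (server, cookie_value); (None, None) when nothing is available."""
    pool = eligible_pool(servers)
    if not pool:
        return None, None
    # Persistence: honour the session cookie so the algorithm only runs on
    # the first request. Assumption: a cookie naming a server that is no
    # longer in the pool is ignored and the session is re-balanced.
    for s in pool:
        if cookie == s.name:
            return s, cookie
    if mode == "source_ip_hash":
        digest = hashlib.sha256(client_ip.encode()).digest()
        chosen = pool[int.from_bytes(digest[:8], "big") % len(pool)]
    else:                      # "least_pending"
        chosen = min(pool, key=lambda s: s.pending)
    return chosen, chosen.name

if __name__ == "__main__":
    # Constructed sample servers and a documentation-range client address
    farm = [Server("web1", "active", pending=7),
            Server("web2", "active", pending=2),
            Server("web3", "standby")]
    first, cookie = pick_server(farm, "203.0.113.10")
    print("first request ->", first.name)
    farm[1].pending = 50       # load shifts, but the session stays pinned
    print("sticky request ->", pick_server(farm, "203.0.113.10", cookie=cookie)[0].name)
    farm[0].up = farm[1].up = False
    print("all active down ->", pick_server(farm, "203.0.113.10", cookie=cookie)[0].name)
```

Because this sketch takes the hash modulo the size of the available pool, a server going down remaps some clients to a different server; that is a property of this simple scheme, not a statement about Incapsula's hashing.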

If you’re looking for more on load balancing, the next installation of our tech deep dive looks at failover and site monitoring.