While working on the Lock It Down series for 1&1's New Generation Cloud Servers (NGCS), two concepts came up: securing your service-specific servers with Private Networking and a total firewall lockdown, and load-balancing your web servers with replication. Together these appeared to have a design flaw: the Load Balancer would only accept the WAN IPs, not the private-LAN IPs. That led me to assume that load balancing wouldn't be possible for private servers such as your databases without a proxy server running something like HAProxy. At least until I finally decided to run an MTR and trace the path: good ol' IP routing.
The servers know that the Load Balancer's IP is on a local subnet within 1and1.com's datacenter, so there are really only two hops to the destination server, and that destination server is the one chosen according to the Load Balancer's settings.
In the example below, I'm connecting to my database server from my web server, using the Load Balancer as the gateway. One peculiar thing, though: the connection appears to come from "184.108.40.206" in this example, but the Load Balancer is 220.127.116.11.
[[email protected] ~]# date
Mon Nov 9 17:39:09 UTC 2015
[[email protected] ~]# ifconfig | grep inet -m 1
          inet addr:18.104.22.168  Bcast:22.214.171.124  Mask:255.255.255.255
[[email protected] ~]# ssh [email protected]
[email protected]'s password:
Last login: Mon Nov 9 17:38:23 2015 from 126.96.36.199
[[email protected] ~]# date
Mon Nov 9 17:41:30 UTC 2015
[[email protected] ~]# ifconfig | grep inet -m 1
          inet addr:188.8.131.52  Bcast:184.108.40.206  Mask:255.255.255.255
[[email protected] ~]# exit
logout
Connection to 220.127.116.11 closed.
Pros:
- Allows load balancing of "private" servers.
- Keeps the connection inside the 1&1 network.
- The Load Balancer allows "By IP" configuration for the ports (a way to combat the con below).
Cons:
- The Load Balancer's IP is a WAN address, so it can be found and used from the Internet (use the IP allowance in the configuration).
- The Load Balancer bypasses the firewalls, which is a security concern when coupled with the con above.
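The practical consequence of the session above is that any "By IP" allowance on the database side has to permit the address the server actually sees (184.108.40.206), not the Load Balancer's advertised address (220.127.116.11), and anything else hitting that port has arrived around the firewall. The following check is an added example, not code from the original post or from 1&1; it runs over constructed sshd auth-log lines and reports accepted logins whose source is outside an allowlist, so a wrong allowlist shows up immediately.

```python
import re
from ipaddress import ip_address, ip_network

# Addresses as reported in the session above: the Load Balancer's advertised
# address and the address the database server actually saw the connection from.
LB_ADDRESS = "220.127.116.11"
OBSERVED_SOURCE = "184.108.40.206"

# Constructed sshd auth-log lines (not from the page) as the database server
# might record them: one login via the balancer, one from an unrelated address,
# and one failed attempt that should be ignored by the parser.
SAMPLE_AUTH_LOG = """\
Nov  9 17:41:30 db sshd[2231]: Accepted password for root from 184.108.40.206 port 51234 ssh2
Nov  9 17:42:05 db sshd[2240]: Accepted publickey for deploy from 203.0.113.7 port 40021 ssh2
Nov  9 17:42:40 db sshd[2251]: Failed password for root from 198.51.100.9 port 33010 ssh2
"""

ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>[\d.]+) port (?P<port>\d+)"
)


def parse_accepted(log_text):
    """Return (user, source_ip, method) for every accepted login in the log."""
    found = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            found.append((m["user"], m["src"], m["method"]))
    return found


def unexpected_sources(log_text, allowed):
    """Accepted logins whose source is outside the allowed networks.

    `allowed` is a list of IPs or CIDRs; a bare IP is treated as a /32.
    """
    nets = [ip_network(a, strict=False) for a in allowed]
    return [entry for entry in parse_accepted(log_text)
            if not any(ip_address(entry[1]) in net for net in nets)]


if __name__ == "__main__":
    # Allow-listing only the balancer's advertised IP flags the balanced login
    # too: the server sees the balancer's SNAT address, so that is what must be
    # permitted. The login from 203.0.113.7 is flagged either way.
    print(unexpected_sources(SAMPLE_AUTH_LOG, [LB_ADDRESS]))
    print(unexpected_sources(SAMPLE_AUTH_LOG, [OBSERVED_SOURCE]))
```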