LoadBalance and Internal Networking with NGCS

While working on the Lock It Down series for 1&1’s New Generation Cloud Servers (NGCS), two concepts came up: securing your service-specific servers with Private Networking and total Firewall lockdown, and load balancing your web servers with replication. These two had what appeared to be a design flaw: the Load Balancer would only take the WAN IPs, and not the Private-LAN IPs. This gave me the assumption that load balancing wouldn’t be possible for private servers such as your databases without the use of a proxy server running something like HAProxy. At least until I finally decided to run an MTR and trace the path: good ol’ IP routing.

The servers know that the LoadBalancer’s IP is on a local subnet within 1and1.com’s datacenter, so there are really only 2 hops to get to the destination server, and that destination server is the one chosen based on the LoadBalancer’s settings.

In the example below, I’m connecting to my Database Server from my WebServer, using the LoadBalancer as the gateway. One peculiar thing, though: the connections appear to come from “74.208.141.59” in this example, but the LoadBalancer is 70.35.192.80.

[[email protected] ~]# date
Mon Nov 9 17:39:09 UTC 2015
[[email protected] ~]# ifconfig | grep inet -m 1
 inet addr:70.35.199.46 Bcast:70.35.199.46 Mask:255.255.255.255
[[email protected] ~]# ssh [email protected]
[email protected]'s password:
Last login: Mon Nov 9 17:38:23 2015 from 74.208.141.59
[[email protected] ~]# date
Mon Nov 9 17:41:30 UTC 2015
[[email protected] ~]# ifconfig | grep inet -m 1
 inet addr:70.35.201.22 Bcast:70.35.201.22 Mask:255.255.255.255
[[email protected] ~]# exit
logout
Connection to 70.35.192.80 closed.

Pros:

Allows for LoadBalancing of “Private” Servers

Keeps connection still inside 1&1 Network

LoadBalancer allows for “By IP” configuration for the ports (a way to counter one of the cons below)

Cons:

The LoadBalancer IP is a WAN IP, so it can be found and used from the Internet (use the IP allowance in its configuration)

The LoadBalancer bypasses the Firewalls, which is a security concern when coupled with the con above.
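
To make the two cons concrete, here is an added example (not part of the original post and not NGCS's own tooling) that audits a set of LoadBalancer port rules for source ranges wider than the hosts you trust, and models what the backend would log. The rule schema, the rule values and the 203.0.113.7 client are constructed assumptions; the model assumes every forwarded connection reaches the backend with the source address seen in the session above.

```python
import ipaddress

# Address the backend logged as the connection source in the post's session.
LB_SOURCE_SEEN_BY_BACKEND = "74.208.141.59"
# Hosts that should reach the backends through the balancer (the post's web server).
TRUSTED = [ipaddress.ip_network("70.35.199.46/32")]

# Constructed sample rules in a hypothetical schema (not the NGCS API format).
# "0.0.0.0/0" models a port with no "By IP" restriction.
LB_RULES = [
    {"port": 22, "allowed_source": "0.0.0.0/0"},
    {"port": 3306, "allowed_source": "70.35.199.46/32"},
]

def forwards(rules, client_ip, port):
    """True if some rule for this port allows the client's address."""
    ip = ipaddress.ip_address(client_ip)
    return any(
        r["port"] == port and ip in ipaddress.ip_network(r["allowed_source"])
        for r in rules
    )

def backend_source(rules, client_ip, port):
    """Source address the backend logs, or None if the balancer drops the client."""
    return LB_SOURCE_SEEN_BY_BACKEND if forwards(rules, client_ip, port) else None

def audit(rules, trusted=TRUSTED):
    """Ports whose allowed source range reaches beyond the trusted hosts."""
    exposed = []
    for r in rules:
        net = ipaddress.ip_network(r["allowed_source"])
        if not any(net.subnet_of(t) for t in trusted):
            exposed.append(r["port"])
    return sorted(exposed)

if __name__ == "__main__":
    print("exposed ports:", audit(LB_RULES))
    # 203.0.113.7 is a documentation address standing in for an outside client.
    for client in ("70.35.199.46", "203.0.113.7"):
        for port in (22, 3306):
            print(client, port, "->", backend_source(LB_RULES, client, port))
```

In this model the backend logs the same source address for the web server and for the outside client, so any restriction has to be applied in the LoadBalancer's “By IP” setting rather than by filtering on source address at the backend.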
