Cloud Network Well-architected Design Guidelines:Application delivery network design for servers in a data center

Last Updated:Jan 23, 2025

Overview

Summary

This topic describes how to add servers in data centers to a Server Load Balancer (SLB) instance on the Alibaba Cloud public cloud. The design of the application delivery network introduced in this topic aims to migrate the demilitarized zone (DMZ) of a data center to Alibaba Cloud. This design helps you efficiently build a scalable hybrid cloud to facilitate cloud migration.

Keywords

  • Application Load Balancer (ALB): ALB is an Alibaba Cloud service that runs at the application layer and is optimized to balance traffic over HTTP, HTTPS, and Quick UDP Internet Connections (QUIC). ALB is highly elastic and can process large volumes of Layer 7 traffic on demand. ALB supports complex routing. ALB is deeply integrated with other cloud-native services and is designed to serve as a cloud-native Ingress gateway of Alibaba Cloud. You can add servers in data centers to ALB instances.

  • Network Load Balancer (NLB): NLB is a Layer 4 load balancing service intended for the Internet of Everything (IoE) era. NLB offers ultra-high performance and can automatically scale on demand. An NLB instance supports up to 100 million concurrent connections, which is ideal for services that require high concurrency. You can add servers in data centers to NLB instances.

  • Elastic IP Address (EIP): An EIP is a public IP address that you can purchase and hold as an independent resource. In this architecture, EIPs are associated with IPv4 gateways and mapped to servers in a data center to enable Internet access for the data center.

  • Virtual Private Cloud (VPC): A VPC is a custom private network that you can create on Alibaba Cloud. VPCs are logically isolated from each other at Layer 2. You can create and manage cloud service instances in your VPC, such as Elastic Compute Service (ECS), SLB, and ApsaraDB RDS.

  • Cloud Enterprise Network (CEN): CEN is a high availability network that runs on the global private network of Alibaba Cloud. CEN uses transit routers to establish inter-region connections between VPCs to allow VPCs to communicate with data centers and establish flexible, reliable, and enterprise-class networks in the cloud.

  • Internet Shared Bandwidth: Internet Shared Bandwidth supports bandwidth sharing and multiplexing within a region. After you create an Internet Shared Bandwidth instance in a region, you can add elastic IP addresses (EIPs) in the region to the Internet Shared Bandwidth instance. The EIPs can share the Internet Shared Bandwidth instance. This reduces Internet bandwidth costs.

  • Express Connect: Express Connect is a networking service that connects data centers to Alibaba Cloud. You can use Express Connect to establish high-speed, reliable, and secure private connections between data centers and cloud networks. Express Connect helps you improve network communication quality and security because data transmission over Express Connect is trustable and controllable.

  • Express Connect circuit: Express Connect circuits are cables or optical fibers that connect data centers. Express Connect circuits are typically deployed and maintained by Internet service providers (ISPs). Express Connect circuits are classified into dedicated Express Connect circuits and shared Express Connect circuits based on the deployment mode.

  • Virtual border routers (VBRs): VBRs are an abstraction of Express Connect circuits that are isolated and virtualized by using the Layer 3 overlay and vSwitch technologies in the Software Defined Network (SDN) architecture. A VBR is deployed between the customer-premises equipment (CPE) and a VPC to exchange data between the VPC and data center.

  • VBR-to-VPC connections: VBR-to-VPC connections are point-to-point connections between VPCs and VBRs.

  • Express Connect Router (ECR): An ECR is a service component that forwards network traffic in a global hybrid cloud in which networks are connected over Express Connect circuits. An ECR provides features such as dynamic routing-based networking and centralized management for route advertisements. For example, you can associate VBRs with an ECR and then associate the ECR with transit routers or VPCs to establish communication between data centers and cloud resources.

  • Network Intelligence Service (NIS): NIS provides a set of Artificial Intelligence for IT Operations (AIOps) tools for you to manage the entire lifecycle of cloud networks from network planning to network O&M. For example, you can use NIS to perform traffic analysis, network inspections, network performance monitoring, network diagnostics, path analysis, and topology creation. NIS helps you optimize your network architecture, improve network O&M efficiency, and reduce network operations costs.

  • CloudMonitor: CloudMonitor is a service that monitors resources and Internet applications.

  • Classic Load Balancer (CLB): CLB distributes inbound network traffic across multiple backend servers based on forwarding rules. CLB helps improve the performance and availability of your applications.

Design principles

SLB, CEN, Express Connect, Internet Shared Bandwidth, EIPs, and security services can be used in combination to connect data centers to cloud networks on Alibaba Cloud. This design not only increases flexibility and scalability, but also improves the security and reliability of data and applications. The following solution describes how to build a stable and efficient application delivery network for servers in a data center.

The following figure shows the architecture of this solution.

[Figure: architecture of the application delivery network solution]

Design highlights of the architecture:

  • Stability: Stability is a key factor in the design of a DMZ. Enterprises use cloud networks to access cloud resources and provide services. If the cloud network is not stable, service interruptions may occur and cause adverse impacts. For enterprises that provide online services, the stability of cloud networks determines user experience.

  • Security and compliance: Security is one of the benefits of clouds. Network attacks, such as DDoS attacks and intrusions, can compromise sensitive data of enterprises. Security is a mandatory requirement for public cloud networks to eliminate data leaks and abuse. Some industries or regions have strict data protection laws and regulations. Enterprises must meet network security requirements and compliance requirements.

  • Performance: Scalability is another benefit of public clouds. Applications on public clouds, especially applications and services of IT companies, often experience traffic spikes and flats. Scalable networks and gateways (load balancers) can automatically scale in and scale out resources based on traffic volumes to ensure service quality. In addition, scalable networks are billed based on the actual amount of consumed resources. Resource costs are reduced because enterprises can scale in or scale out resources based on demands.

Key design

Stability

  • SLB (ALB and NLB):

    Compared with CLB, which supports active/standby deployment, ALB and NLB support multi-zone deployment. If an ALB or NLB instance fails in one zone, traffic is switched to another zone to maintain high availability of the service. ALB and NLB support disaster recovery at multiple levels: network traffic is distributed across groups of backend servers to enable disaster recovery. NLB also supports session persistence and cross-zone deployment to ensure service availability.

  • Express Connect circuit:

    Express Connect circuits connect data centers to Alibaba Cloud points of presence (PoPs). To ensure business stability, we recommend that you connect to Alibaba Cloud PoPs by using two Express Connect circuits that are provided by different physical routing or leased line providers.

    On redundant Express Connect circuits, we recommend that you enable BGP and Bidirectional Forwarding Detection (BFD) so that traffic fails over and routes converge quickly if one of the Express Connect circuits fails. After BFD is enabled, a link failure is detected when three consecutive BFD packets are missed, at an interval of 200 milliseconds per packet.

  • Internet ingress (EIP):

    We recommend that you select BGP (Multi-ISP) for your EIP. BGP (Multi-ISP) allows EIPs to use multiple ISP lines to ensure network stability and transmits data over optimal routes. This accelerates access and improves reliability. The advantage of BGP (Multi-ISP) is that the optimal route is selected for data transmission. If a line fails or degrades, BGP enables routing policy adjustment based on the real-time network status so that another optimal route is selected for data transmission. This mechanism ensures service continuity and stability even in case of a single point of failure (SPOF).

  • In-cloud connection (ECR):

    We recommend that you use ECRs to connect VBRs and VPCs. ECRs use end-to-end dynamic routing that is highly stable. An ECR schedules traffic to the optimal forwarding route to effectively reduce network latency of Express Connect circuits.

Security and compliance

  • SLB (ALB and NLB):

    • NLB supports SSL over TCP, one-way authentication, mutual authentication, and custom TLS policies.

    • ALB supports HTTPS, one-way authentication, mutual authentication, and custom TLS policies.

    • Security group: You can add NLB and ALB instances to security groups, which function as blacklists and whitelists.

    • VPC access control list (ACL): ACLs filter traffic destined for virtual IP addresses (VIPs) of NLB and ALB instances.

  • DDoS mitigation (EIPs protected by Anti-DDoS Pro/Premium):

    By default, Anti-DDoS Origin Basic can mitigate up to 5 Gbit/s of DDoS attacks. The mitigation capacity varies based on the region. Alibaba Cloud provides EIPs protected by Anti-DDoS Pro/Premium, which can mitigate DDoS attacks at the Tbit/s level. If you use EIPs protected by Anti-DDoS Pro/Premium, you do not need to perform additional configurations or change the IP address that is used by your instance to provide services.

  • Web Application Firewall (WAF):

    After you migrate your Internet access, we recommend that you enable protection to identify and block malicious traffic for your website or application. WAF identifies, scrubs, and filters out malicious web traffic, and then forwards trusted traffic to your origin servers. This protects your origin servers against attacks and ensures data and service security.

    If you use ALB, we recommend that you integrate WAF 3.0 with ALB in transparent proxy mode. In this mode, you only need to enter your website information without the need to modify the Domain Name System (DNS) record.

  • Internet border protection (Internet firewall):

    The Internet firewall controls the inbound and outbound traffic of all Internet-facing assets in a centralized manner at the Internet boundary. You can use the Internet firewall to manage inbound and outbound traffic between your Internet-facing assets and the Internet in a fine-grained manner. This reduces the exposure of the Internet-facing assets on the Internet and the security risks of business traffic.

Performance

  • SLB (ALB and NLB):

    In a multi-zone region, the default maximum QPS of an ALB instance is 100,000, which does not change with the number of zones. The maximum QPS of an ALB instance in static IP mode is 100,000. The maximum QPS of an ALB instance in dynamic IP mode automatically scales up to 1 million.

    Each NLB instance supports up to 100 million concurrent connections and 100 Gbit/s of bandwidth. You do not need to select a specification for an NLB instance or manually upgrade or downgrade an NLB instance when workloads change. NLB instances can automatically scale on demand.

    NLB and ALB allow you to add backend servers across regions. You can deploy the ALB or NLB in the region that is nearest to clients to shorten the Internet distance and improve network quality.

  • Internet ingress (EIP and Internet Shared Bandwidth):

    You can configure CEN to enable inter-region communication, which connects Internet ingresses in different regions to data centers in the same region. This enables nearby Internet access and improves Internet performance by using multiple ISPs. Up to 89 high-quality BGP lines are provided on a global scale. These BGP lines provide ultra-high bandwidth of the same grade as that used by Taobao and Tmall. Direct connections can be established in all regions of the Chinese mainland through lines of the following ISPs: China Telecom, China Unicom, China Mobile, China Mobile Tietong, China Netcom, China Education and Research Network (CERNET), National Radio and Television Administration, Dr. Peng Telecom & Media Group, and Founder Broadband Network. The bandwidth of an Internet Shared Bandwidth instance can reach hundreds of Gbit/s, depending on the region.

    You can apply for and release EIPs anytime, and associate EIPs with servers or network devices in data centers. EIPs are easy to manage and facilitate business deployment.

    Internet Shared Bandwidth supports dynamic bandwidth adjustment, either through manual configuration or automatically by API calls. Internet Shared Bandwidth can quickly respond to traffic changes, which maximizes performance at minimal cost. In cases of unexpected traffic spikes that require higher bandwidth, you can increase the bandwidth by five times and use the pay-by-95th-percentile-bandwidth metering method.

  • ECR:

    An ECR schedules traffic to the optimal forwarding route to effectively reduce network latency of Express Connect circuits.

  • Express Connect:

    Express Connect circuits do not support real-time scaling. We recommend that you estimate the bandwidth capacity required by your business in advance.
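To make the pay-by-95th-percentile-bandwidth metering mentioned under Internet ingress concrete, here is an added worked example; it is not Alibaba Cloud code or its billing logic. It assumes the standard 95th-percentile method: usage is sampled at fixed intervals (5-minute samples over one day here, whereas the billing period is normally a month), the samples are sorted from highest to lowest, the top 5% are discarded, and the highest remaining sample is billed. The spike level of five times the baseline mirrors the bandwidth increase described above; the sampling interval and the rounding of the 5% cut-off are assumptions to confirm against the Internet Shared Bandwidth billing documentation.

```python
"""Worked example of pay-by-95th-percentile bandwidth metering.

Added example; not Alibaba Cloud code or its billing engine. Assumptions:
bandwidth usage is sampled every 5 minutes, the samples of the billing
period are sorted from highest to lowest, the top 5% (rounded down) are
discarded, and the highest remaining sample is the billable bandwidth.
"""
import math

SAMPLES_PER_DAY = 24 * 60 // 5   # 288 five-minute samples in one day


def discarded_sample_count(n_samples: int) -> int:
    """Number of peak samples ignored under 95th-percentile metering (assumed: floor)."""
    return math.floor(n_samples * 0.05)


def billable_95th_percentile(samples_mbps):
    """Billable bandwidth: the highest sample left after the top 5% are dropped."""
    if not samples_mbps:
        raise ValueError("no bandwidth samples")
    ordered = sorted(samples_mbps, reverse=True)
    return ordered[discarded_sample_count(len(ordered))]


def build_day_samples(baseline_mbps, peak_mbps, spike_samples):
    """Constructed one-day series: a flat baseline with spike_samples spread evenly."""
    if not 0 <= spike_samples <= SAMPLES_PER_DAY:
        raise ValueError("spike_samples out of range")
    samples = [baseline_mbps] * SAMPLES_PER_DAY
    step = SAMPLES_PER_DAY // max(spike_samples, 1)
    for i in range(spike_samples):
        samples[i * step] = peak_mbps
    return samples


def spike_budget(n_samples: int) -> int:
    """How many full-interval spikes fit inside the discarded 5% without raising the bill."""
    return discarded_sample_count(n_samples)


if __name__ == "__main__":
    baseline, peak = 100, 500          # peak is five times the baseline
    print("spikes absorbed per day:", spike_budget(SAMPLES_PER_DAY))   # 14
    for spikes in (10, 14, 15, 20):
        billed = billable_95th_percentile(build_day_samples(baseline, peak, spikes))
        print(f"{spikes:2d} spike samples -> billed at {billed} Mbit/s")
```

The series with 10 or 14 spike samples is billed at the 100 Mbit/s baseline, because all spikes fall inside the discarded 5%; from the 15th spike sample onward the day is billed at the 500 Mbit/s peak. In practice that is the question to ask before relying on burst capacity: how much of the billing period the spikes occupy, not how high they go.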

Observability

  • SLB (ALB and NLB):

    • ALB and NLB monitoring: supports monitoring and alerting on connections and bandwidth.

    • ALB and NLB operation logs: record operations performed on ALB and NLB, whether from the console or through API calls. Operation logs help you trace issues.

    • Fine-grained monitoring of NLB: supports monitoring of small traffic spikes.

    • ALB access log: records access to ALB in Simple Log Service. You can analyze the access log to learn about user behavior and the regional distribution of users, and to troubleshoot issues.

  • Intelligent O&M:

    NIS is a cloud service that monitors the health status and performance of Internet traffic and load balancing services, performs diagnostics and troubleshooting, and analyzes and measures network traffic. NIS is integrated with AIOps methods such as machine learning and knowledge graphs to simplify network management and implement automated O&M. NIS allows network architects and O&M engineers to design and use networks with higher efficiency.

  • Traffic analysis:

    Enterprise Edition transit routers of CEN and VPCs support flow logs, which record business traffic as log entries. You can analyze flow logs for traffic details.

  • CloudMonitor:

    CloudMonitor supports O&M, alerting, and monitoring on cloud services.
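The traffic analysis item above says flow logs can be analyzed for traffic details; here is an added example of doing that from a defender's point of view, not Alibaba Cloud code. It parses a few constructed VPC flow log records and reports inbound flows that were accepted on ports outside the intended service ports (a sign that a security group or VPC ACL is wider than designed), the sources the ACL rejected, and the top inbound talkers. The space-separated field layout, the placeholder resource identifiers and the sample addresses are assumptions; check the field order against the flow log documentation for your region before running this on real logs.

```python
"""Analyze constructed VPC flow log records to spot exposure of backend servers.

Added example; not Alibaba Cloud code. The field layout is an assumption
modelled on the VPC flow log record format and must be checked against the
flow log documentation before use on real data.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed field order of one flow log record (see module docstring).
FIELDS = (
    "version", "vswitch_id", "vm_id", "vpc_id", "account_id", "eni_id",
    "srcaddr", "srcport", "dstaddr", "dstport", "protocol", "direction",
    "packets", "bytes", "start", "end", "log_status", "action",
)

# Constructed sample records (placeholder identifiers, documentation addresses):
# an HTTPS client, a scanner probing SSH and RDP, the HTTPS return traffic,
# and a second HTTPS client.
SAMPLE_LOG = """\
1 vsw-placeholder i-placeholder vpc-placeholder 123456789012 eni-placeholder 203.0.113.10 51515 10.0.1.20 443 6 in 12 3400 1700000000 1700000060 OK ACCEPT
1 vsw-placeholder i-placeholder vpc-placeholder 123456789012 eni-placeholder 198.51.100.7 40001 10.0.1.20 22 6 in 3 180 1700000000 1700000060 OK ACCEPT
1 vsw-placeholder i-placeholder vpc-placeholder 123456789012 eni-placeholder 198.51.100.7 40002 10.0.1.20 3389 6 in 2 120 1700000000 1700000060 OK REJECT
1 vsw-placeholder i-placeholder vpc-placeholder 123456789012 eni-placeholder 10.0.1.20 443 203.0.113.10 51515 6 out 10 50000 1700000000 1700000060 OK ACCEPT
1 vsw-placeholder i-placeholder vpc-placeholder 123456789012 eni-placeholder 203.0.113.55 61000 10.0.1.21 443 6 in 30 9000 1700000060 1700000120 OK ACCEPT
"""


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    srcport: int
    dstaddr: str
    dstport: int
    protocol: int      # IANA protocol number: 6 = TCP, 17 = UDP
    direction: str     # "in" or "out", relative to the ENI
    packets: int
    bytes: int
    action: str        # "ACCEPT" or "REJECT"


def parse_flow_log(text: str) -> list[FlowRecord]:
    """Parse whitespace-separated records; fail loudly on a wrong field count."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        row = dict(zip(FIELDS, parts))
        records.append(FlowRecord(
            srcaddr=row["srcaddr"], srcport=int(row["srcport"]),
            dstaddr=row["dstaddr"], dstport=int(row["dstport"]),
            protocol=int(row["protocol"]), direction=row["direction"],
            packets=int(row["packets"]), bytes=int(row["bytes"]),
            action=row["action"],
        ))
    return records


def unexpected_inbound_accepts(records, allowed_ports):
    """Inbound flows ACCEPTed on a port outside the intended service ports.
    A hit means the security group or VPC ACL is wider than the design intends."""
    return sorted({
        (r.srcaddr, r.dstaddr, r.dstport)
        for r in records
        if r.direction == "in" and r.action == "ACCEPT" and r.dstport not in allowed_ports
    })


def rejected_sources(records):
    """Sources whose inbound flows the ACL or security group REJECTed."""
    return sorted({r.srcaddr for r in records if r.direction == "in" and r.action == "REJECT"})


def inbound_bytes_by_source(records):
    """Inbound byte totals per source address, most active first (top talkers)."""
    totals = Counter()
    for r in records:
        if r.direction == "in":
            totals[r.srcaddr] += r.bytes
    return totals.most_common()


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("unexpected accepts:", unexpected_inbound_accepts(recs, {443}))
    print("rejected sources:", rejected_sources(recs))
    print("top talkers:", inbound_bytes_by_source(recs))
```

Run against the sample, the check flags the accepted SSH flow from 198.51.100.7 to 10.0.1.20 even though the same source was rejected on RDP: the ACL stopped one probe but the backend still exposes port 22 to the Internet, which is exactly the kind of gap a regular flow log review should surface.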

Best practices

Layer 4 application delivery by using NLB

Core architecture:

  • NLB: supports multi-zone deployment to process Layer 4 Internet traffic. You can add servers in a data center to NLB instances.

  • ECR + Express Connect: supports dynamic routing. Express Connect circuits can connect to multiple access points. Data centers can communicate with Alibaba Cloud over BGP and BFD.

[Figure: Layer 4 application delivery by using NLB]

Layer 7 application delivery by using ALB

Core architecture:

  • ALB: supports multi-zone deployment to process Layer 7 Internet traffic.

  • ECR + Express Connect: supports dynamic routing. Express Connect circuits can connect to multiple access points. Data centers can communicate with Alibaba Cloud over BGP and BFD.

[Figure: Layer 7 application delivery by using ALB]

Layer 7 application delivery by using NLB and a self-managed Layer 7 cloud gateway

Core architecture:

  • NLB: supports multi-zone deployment to process Layer 4 Internet traffic. You can add self-managed Layer 7 gateways to an NLB instance within the VPC or add self-managed Layer 7 gateways across regions by using transit routers.

  • Self-managed gateways: process Layer 7 Internet traffic for applications.

  • ECR + Express Connect: supports dynamic routing. Express Connect circuits can connect to multiple access points. Data centers can communicate with Alibaba Cloud over BGP and BFD.

[Figure: Layer 7 application delivery by using NLB and a self-managed Layer 7 cloud gateway]

Layer 7 application delivery by using NLB and a self-managed Layer 7 gateway in a data center

Core architecture:

  • NLB: supports multi-zone deployment to process Layer 4 Internet traffic. You can add self-managed Layer 7 gateways in a data center to an NLB instance.

  • Self-managed gateways: process Layer 7 Internet traffic for applications.

  • ECR + Express Connect: supports dynamic routing. Express Connect circuits can connect to multiple access points. Data centers can communicate with Alibaba Cloud over BGP and BFD.

[Figure: Layer 7 application delivery by using NLB and a self-managed Layer 7 gateway in a data center]

Scenarios

  • Scalable Internet ingress for Internet applications: Alibaba Cloud networks and network elements are scalable. They can dynamically scale based on business requirements. This allows enterprises to flexibly increase or reduce bandwidth resources to cope with traffic fluctuations. Enterprises only need to pay for the resources that they actually use. This reduces costs and prevents resource waste. Some enterprises, especially IT enterprises, experience traffic spikes within a short period of time caused by hot events and online promotional activities. IT enterprises can use scalable Internet ingresses deployed on the cloud to cope with traffic spikes.

  • Multi-Level Protection Scheme (MLPS) compliance: Alibaba Cloud provides compliance support and tools to help you meet MLPS compliance requirements after you migrate Internet ingresses to Alibaba Cloud.

  • Internet security: The professional security teams and technologies of Alibaba Cloud continuously protect your Internet ingress after it is migrated to Alibaba Cloud.

  • Internet performance optimization: Alibaba Cloud has globally distributed data centers. After your Internet ingress is migrated to Alibaba Cloud, your business can be deployed in geographical locations that are close to your users to reduce network latency and increase the response speed.