Re: [load balancing] Verisign and Load Balancers

From: Alex Samonte (asamonteIZZATsitesmith.com)
Date: Fri Feb 16 2001 - 19:16:14 EST


    On Fri, Feb 16, 2001 at 11:02:08AM -0500, Steve Reppucci wrote:
    > On Fri, 16 Feb 2001, Paris Lundis wrote:
    >
    > > We have considered such.. however, great cost prohibition... need two
    > > of those for redundancy :) so 30k on top of other network
    > > expenditures...
    >
    > Agreed, but note that when these fail, they look like a piece of wire, so
    > your redundancy option *could* be normal secure servers on the back end.
    > (But then, there goes the cert management savings...)

    He's not talking about failover that way, he's talking about how
    they would be for a typical site with HA load balancers.

                   |           |
                 intel       intel
                   |           |
                   |           |
                  LB----------LB
                   |           |
                   |           |

    Typical HA scenario, doing active/passive failover.
    I have 2 Intel boxes, 1 doing something, the other doing nothing.
    If I only need 200 conn/s then that's fine. But if I need
    201 then it looks like this.

                   |           |
                 intel       intel
                   |           |
                 intel       intel
                   |           |
                  LB----------LB
                   |           |
                   |           |

    I now have 4 Intel boxes, 2 doing something, 2 doing nothing.
    If I need 601 I have 6 boxes, 3 doing something, 2 doing nothing.

    And doing nothing just means it's waiting for failover.

    The architecture we like is a one-armed scenario.

                   |           |
                  LB----------LB
                   |           |
           -------------------------------------
            |    |    |    |    |    |    |    |
           ssl  ssl  ssl  ssl  web  web  web  web

    The ssl box being an SSL accelerator proxy (Alteon's SSL ISD does this, as well
    as a few other new boxes).

    You have 443 go to the ssl farm load balanced. The SSL proxy takes in 443,
    decrypts it, and spits it back out on, say, port 81. Port 81 is load balanced
    to the webservers on port 81, giving you N+1 SSL accelerator scalability
    just like your webfarm.

    The SSL one-armed can also be done like a firewall sandwich, but because
    SSL traffic is only a small percentage of overall traffic, having
    it pass through the same LB twice isn't a big burden.

    Also, in this case you're using each box equally (load balanced). Intel's
    architecture fills one box to capacity and then spills over to
    the next.

    -Alex
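
Added example, not part of the original message: a small sizing model of the two layouts the message compares, in-line active/passive pairs versus a load-balanced N+1 farm. It assumes the 200 conn/s per-box figure used in the message; the function names are hypothetical and the load balancers themselves are not modelled.

```python
import math

CAP = 200  # conn/s one SSL box can handle (figure taken from the message)

def active_passive(load):
    """In-line HA pairs: every active box needs its own idle standby."""
    active = math.ceil(load / CAP)
    return {"total": 2 * active, "serving": active, "idle": active}

def n_plus_one(load):
    """One-armed farm behind the LB: N boxes for the load plus one spare,
    all of them taking traffic."""
    n = math.ceil(load / CAP)
    return {"total": n + 1, "serving": n + 1, "idle": 0}

def fill_and_spill(load, boxes):
    """Cascade: fill the first box to capacity, pass the overflow on."""
    per_box = []
    for _ in range(boxes):
        take = min(load, CAP)
        per_box.append(take)
        load -= take
    return per_box

def balanced(load, boxes):
    """The load balancer spreads connections evenly over the farm."""
    base, extra = divmod(load, boxes)
    return [base + (1 if i < extra else 0) for i in range(boxes)]

def survives_one_failure(load, serving):
    """True if the remaining serving boxes still cover the load."""
    return (serving - 1) * CAP >= load

if __name__ == "__main__":
    load = 201  # constructed sample load, one over a single box's capacity
    ap, farm = active_passive(load), n_plus_one(load)
    print("active/passive:", ap, fill_and_spill(load, ap["serving"]))
    print("N+1 farm:      ", farm, balanced(load, farm["serving"]))
    print("farm survives one failure:",
          survives_one_failure(load, farm["serving"]))
```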



    This archive was generated by hypermail 2b30 : Fri Feb 16 2001 - 19:21:22 EST