I was looking at Mesos + Marathon to manage Docker containers.
What we're trying to achieve is a way of getting an external DNS entry (test.example.com) to point to a specific set of docker containers.
The DNS entry for test.example.com points to a load balancer which translates and sends the connection to one of our backend app servers.
To do this I looked into Mesos-DNS. With Mesos-DNS I can get a DNS name for each container and can resolve it to the container IP, but I couldn't find a way to load balance between a set of servers.
Can someone confirm if Mesos-dns provides load balancing? If yes, how can I achieve load balancing with it?
Do I need to use some other solutions like HAProxy or Bamboo to achieve this?
Thanks!!
Sumit
Yes, with Mesos-DNS you can do load balancing, see for example the respective HTTP API endpoints, but it's really not recommended in the context of DC/OS: see the internal (Minuteman) and external (Marathon-lb, HAProxy-based) load balancing and service discovery options in the docs.
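Added example, not part of the original thread: what "load balancing with Mesos-DNS" actually amounts to is client-side balancing over the task list the resolver hands back. The code below parses a constructed copy of the JSON a Mesos-DNS service lookup is assumed to return (one record per task with `host`, `ip` and `port` as strings, and a single all-empty record when nothing matches; that shape is an assumption of this example, not verified against the page), then round-robins over the endpoints and fails over when one refuses connections. The service name, IPs and ports are made up.

```python
import json
import itertools
from typing import Callable, List, Tuple

# Constructed sample of what GET /v1/services/_web._tcp.marathon.mesos on
# Mesos-DNS is ASSUMED to return. Illustrative data, not a real capture.
SAMPLE_RESPONSE = json.dumps([
    {"service": "_web._tcp.marathon.mesos", "host": "web-s0.marathon.mesos", "ip": "10.0.1.11", "port": "31001"},
    {"service": "_web._tcp.marathon.mesos", "host": "web-s1.marathon.mesos", "ip": "10.0.1.12", "port": "31002"},
    {"service": "_web._tcp.marathon.mesos", "host": "web-s2.marathon.mesos", "ip": "10.0.1.13", "port": "31003"},
])

# ASSUMED: an unknown service yields one record with empty fields, not [].
NOT_FOUND_RESPONSE = json.dumps([{"service": "", "host": "", "ip": "", "port": ""}])

Endpoint = Tuple[str, int]


def parse_services(body: str) -> List[Endpoint]:
    """Turn a service lookup into (ip, port) pairs, dropping the empty sentinel."""
    endpoints: List[Endpoint] = []
    for rec in json.loads(body):
        ip, port = rec.get("ip", ""), rec.get("port", "")
        if not ip or not port:
            continue
        endpoints.append((ip, int(port)))
    return endpoints


class RoundRobin:
    """Client-side round robin over a resolved endpoint list, with failover."""

    def __init__(self, endpoints: List[Endpoint]):
        if not endpoints:
            raise ValueError("no endpoints resolved")
        self._endpoints = list(endpoints)
        self._cycle = itertools.cycle(self._endpoints)

    def pick(self) -> Endpoint:
        return next(self._cycle)

    def call(self, fn: Callable[[Endpoint], str]) -> str:
        """Try fn against successive endpoints; give up after one full rotation."""
        last_error = None
        for _ in range(len(self._endpoints)):
            ep = self.pick()
            try:
                return fn(ep)
            except ConnectionError as exc:
                last_error = exc
        raise ConnectionError(f"all {len(self._endpoints)} endpoints failed") from last_error


def demo() -> List[str]:
    """Constructed backend where the second task is down; returns who served 4 calls."""
    rr = RoundRobin(parse_services(SAMPLE_RESPONSE))

    def fake_request(ep: Endpoint) -> str:
        if ep[0] == "10.0.1.12":
            raise ConnectionError("connection refused")
        return f"{ep[0]}:{ep[1]}"

    return [rr.call(fake_request) for _ in range(4)]


if __name__ == "__main__":
    print(demo())
```

The endpoint list has to be re-resolved when tasks are rescheduled, so a real client would refresh it on a timer (or on the DNS TTL) rather than hold it for the process lifetime; this is exactly the bookkeeping a dedicated balancer such as Marathon-lb does for you.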
We have an on-premise 3-node cluster for devs in our office: 6.1.467, WinSrv2016. Everything works fine. Now we need to configure the built-in Service Fabric reverse proxy (port 19081). For example, increase the proxy timeout (now it is 120s) or enable client affinity. But I cannot find any information about how to do it.
Can anyone help to solve this?
I don't think there is a configuration for client affinity.
I suggest you use a dedicated load balancer for it. You can use the naming service to query the address of your service and manage affinity at the load balancer level.
This is a microservices deployment question. How would you deploy Envoy SDS (service discovery service) so other Envoy proxies can find the SDS server hosts, in order to discover other services to build the service mesh? Should I put it behind a load balancer with a DNS name (single point of failure) or just run the SDS locally on every machine so other microservices can access it? Or is there a better way of deployment so that the SDS cluster can be dynamically added into the Envoy config without a single point of failure?
Putting it behind a DNS name with a load balancer across multiple SDS servers is a good setup for reasonable availability. If SDS is down, Envoy will simply not get updated, so it's generally not the most critical failure -- new hosts and services simply won't get added to the cluster/endpoint model in Envoy.
If you want higher availability, you set up multiple clusters. If you add multiple entries to your bootstrap config, Envoy will fail over between them. You can either specify multiple DNS names or multiple IPs.
(My answer after misunderstanding the question below, for posterity)
You can start with a static config or DNS, but you'll probably want to check out a full integration with your service discovery. Check out Service Discovery Integration on LearnEnvoy.io.
I have a couple of ec2 instances sitting behind a load balancer. How can I determine which requests went to a particular instance?
Is there a log? Somewhere on the console I can look at?
Don't know of a direct way on the console. You could either activate ELB access logs and look at the backend:port field in the logs, which gives the instance's IP (docs here). Or you could have your application running on your instances add something to the headers to identify themselves in their responses.
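Added example, not part of the original thread: the access-log route in practice. Classic ELB access logs are whitespace-separated with the request and user agent in double quotes, and the `backend:port` field holds the instance the ELB forwarded to (or `-` when it could not reach any instance). The lines below are constructed in that layout with made-up names and addresses; the parser attributes each request to its backend and lists the requests that hit one given instance, which is the question as asked.

```python
import shlex
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed lines in the classic ELB access-log layout:
# timestamp elb client:port backend:port request_processing_time
# backend_processing_time response_processing_time elb_status_code
# backend_status_code received_bytes sent_bytes "request" "user_agent"
# ssl_cipher ssl_protocol.  The last line is an ELB 503 with no backend.
SAMPLE_LOG = """\
2015-05-13T23:39:43.945958Z my-elb 203.0.113.7:2817 10.0.0.11:80 0.000073 0.001048 0.000057 200 200 0 29 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -
2015-05-13T23:39:44.101233Z my-elb 203.0.113.7:2818 10.0.0.12:80 0.000066 0.000980 0.000051 200 200 0 29 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -
2015-05-13T23:39:44.512001Z my-elb 198.51.100.23:51002 10.0.0.11:80 0.000071 0.001102 0.000049 200 200 0 29 "GET http://www.example.com:80/login HTTP/1.1" "Mozilla/5.0" - -
2015-05-13T23:39:45.000100Z my-elb 198.51.100.23:51003 - -1 -1 -1 503 0 0 0 "GET http://www.example.com:80/ HTTP/1.1" "Mozilla/5.0" - -
"""


def parse_elb_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one access-log line; shlex keeps the quoted request/UA as single fields."""
    fields = shlex.split(line)
    if len(fields) < 13:
        return None  # truncated or foreign line, skip it
    client, backend = fields[2], fields[3]
    return {
        "time": fields[0],
        "elb": fields[1],
        "client_ip": client.rsplit(":", 1)[0],
        # '-' means the ELB could not hand the request to any instance
        "backend": None if backend == "-" else backend.rsplit(":", 1)[0],
        "elb_status": fields[7],
        "backend_status": fields[8],
        "request": fields[11],
        "user_agent": fields[12],
    }


def requests_per_backend(log_text: str) -> Counter:
    """Count requests by backend instance IP; unroutable requests are bucketed separately."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_elb_line(line)
        if rec is None:
            continue
        counts[rec["backend"] or "(no backend)"] += 1
    return counts


def requests_for_backend(log_text: str, backend_ip: str) -> List[Tuple[str, str]]:
    """(client_ip, request) for every request the ELB sent to one instance."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_elb_line(line)
        if rec and rec["backend"] == backend_ip:
            hits.append((rec["client_ip"], rec["request"]))
    return hits


if __name__ == "__main__":
    print(requests_per_backend(SAMPLE_LOG))
    print(requests_for_backend(SAMPLE_LOG, "10.0.0.11"))
```

The logs are delivered to an S3 bucket you nominate, not shown in the console, so this is something you run over the downloaded objects. If you take the other route and have instances tag their responses, keep the tag opaque (not the instance ID or private IP); it is visible to every client.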
This may sound like a basic question...
But I am new to the concept of load balancing and had a few questions.
Scenario - I have 3 Tomcat 7 servers which I want to be load balanced.
I read a few articles and saw that using Apache HTTP Server one can do this.
There exists a worker.properties file which needs to be defined with the servers you would like to load balance. Now the problem is that this needs to be done before I start the Apache HTTP Server.
Problem - What if I want to add a few more Tomcat servers dynamically without restarting the Apache HTTP Server. Is this possible?
Regards
Ajax
I spotted an interesting article about Tomcat & PaaS: http://www.devx.com/Java/Article/48086
You will probably find what you need in the article. It describes the mechanism to register / unregister a new node in the cluster.
HIH
Apache HTTPD 2.4 supports dynamic reconfiguration of the load balancer. But use the load-balancer proxy module for this, not mod_jk.
We usually blacklist IP addresses with iptables. But in Amazon EC2, if a connection goes through the Elastic Load Balancer, the remote address will be replaced by the load balancer's address, rendering iptables useless. In the case of HTTP, apparently the only way to find out the real remote address is to look at the HTTP header HTTP_X_FORWARDED_FOR. To me, blocking IPs at the web application level is not an effective way.
What is the best practice to defend against DoS attack in this scenario?
In this article, someone suggested that we can replace Elastic Load Balancer with HAProxy. However, there are certain disadvantages in doing this, and I'm trying to see if there is any better alternatives.
I think you have described all the current options. You may want to chime in on some of the AWS forum threads to vote for a solution - the Amazon engineers and management are open to suggestions for ELB improvements.
If you deploy your ELB and instances using VPC instead of EC2-classic, you can use Security Groups and Network ACLs to restrict access to the ELB.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/USVPC_ApplySG.html
It's common to run an application server behind a reverse proxy. Your reverse proxy is layer you can use to add DoS protection before traffic gets to your application server. For Nginx, you can look at the rate limiting module as something that could help.
You could set up an EC2 host and run HAProxy there yourself (that's what Amazon is using anyway!). Then you can apply your iptables filters on that system.
Here's a tool I made for those looking to use Fail2Ban on aws with apache, ELB, and ACL: https://github.com/anthonymartin/aws-acl-fail2ban
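Added example, not part of the original thread, on the X-Forwarded-For point raised in the question and the reverse-proxy rate limiting suggested in the answers. The ELB appends the address it accepted the connection from to `X-Forwarded-For`; anything the client put in that header itself arrives to the left of the ELB's entry and is attacker-controlled. So the client address is the rightmost hop that is not one of your own proxies, not the leftmost entry. The code below extracts it that way, feeds it to a sliding-window limiter, and shows on constructed traffic that the leftmost-entry shortcut lets one attacker look like twelve clients. The ELB subnet, the attacker address and the request stream are assumptions of this example.

```python
import ipaddress
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple

# ASSUMED for this example: the ELB nodes live in 10.0.1.0/24 and are the only
# trusted proxies. Behind an ELB the TCP peer your server sees is the ELB, and
# the ELB appends the address it saw to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]


def real_client_ip(remote_addr: str, xff: str, trusted=TRUSTED_PROXIES) -> str:
    """Walk the chain right-to-left; the first hop that is not one of our own
    proxies is the client. A malformed entry fails closed to the TCP peer."""
    chain = [h.strip() for h in xff.split(",") if h.strip()] + [remote_addr]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr
        if not any(addr in net for net in trusted):
            return str(addr)
    return remote_addr  # every hop was ours, e.g. an ELB health check


def naive_client_ip(remote_addr: str, xff: str) -> str:
    """The common mistake: trust the leftmost X-Forwarded-For entry."""
    return xff.split(",")[0].strip() if xff else remote_addr


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        while hits and hits[0] <= now - self.window:
            hits.popleft()  # drop timestamps that fell out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


# Constructed traffic: one attacker at 203.0.113.7 sends 12 requests within a
# few seconds via the ELB (peer 10.0.1.5), each carrying a different spoofed
# leading X-Forwarded-For entry to pose as 12 distinct clients.
Request = Tuple[float, str, str]  # (time, remote_addr, X-Forwarded-For)
SAMPLE_REQUESTS: List[Request] = [
    (float(i), "10.0.1.5", f"198.51.100.{i}, 203.0.113.7") for i in range(12)
]


def simulate(requests: List[Request], extractor: Callable[[str, str], str],
             limit: int = 10, window: float = 60.0) -> List[Tuple[str, bool]]:
    """Return (key, allowed) per request when limiting on the extracted IP."""
    limiter = SlidingWindowLimiter(limit, window)
    decisions = []
    for now, remote, xff in requests:
        key = extractor(remote, xff)
        decisions.append((key, limiter.allow(key, now)))
    return decisions


if __name__ == "__main__":
    print("rightmost-untrusted:", sum(ok for _, ok in simulate(SAMPLE_REQUESTS, real_client_ip)), "allowed")
    print("leftmost (naive):   ", sum(ok for _, ok in simulate(SAMPLE_REQUESTS, naive_client_ip)), "allowed")
```

The same rule is what you configure in a reverse proxy: in Nginx, `set_real_ip_from` with the ELB subnet plus `real_ip_header X-Forwarded-For` (and `real_ip_recursive on`) makes `$remote_addr` the rightmost untrusted hop, after which `limit_req` keyed on `$binary_remote_addr` does what this Python does. Whatever layer you limit at, only the hop your own proxy appended is trustworthy.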