I understand that IP addresses behind the ELB may change over time; new IP addresses can be added and removed depending on the traffic pattern we have at the moment.
My question is: how does this work with long-lived connections, e.g. websockets? Let's say I have a persistent websocket connection to the web service behind the ELB. When AWS changes the ELB's IP address I'm currently connected to, replacing it with some other, what will happen? I cannot find a good answer in the AWS docs.
Thanks,
Vovan
When AWS changes the ELB's IP address I'm currently connected to, replacing it with some other, what will happen? I cannot find a good answer in AWS docs.
In general there are two situations where the ELB's IP addresses will change:
Underlying ELB Failure
Think of the ELB as a scalable cluster of Load Balancers all addressable under a single DNS name, each with an IP address. If one node dies (e.g. due to an underlying hardware failure), the IP will be removed from the DNS record and replaced with a new node.
Clients connected to it at the time of failure will lose their connection and should handle a reconnect. It won't automatically be routed to a 'healthy' part of the ELB.
Traffic Variation
If the ELB is scaled up or down - because of changes in the traffic profile - as mentioned in the forum post linked above, the connections will continue to function for some time, but there is no guarantee of that period (min or max). This is especially notable in cases where the LB is scaled up quickly to meet load ("cliff face" style), as the 'old' ELB nodes may be overwhelmed (or become so) and their ability to process traffic impaired.
Consequently, it does mean developers need to handle reconnections in both cases on the client side.
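The client-side reconnect handling the answer above calls for, as an added example (not code from the answer or from AWS): a loop that resolves the ELB hostname afresh on every attempt, backs off with jitter, and resets the backoff only after a session that lived long enough, so an overwhelmed "old" node that accepts and immediately drops cannot keep the client hammering it. The hostname, port, `healthy_after` threshold and the injectable transport/resolver/clock are assumptions for illustration; a real WebSocket library's connect call would replace `tcp_connect`.

```python
"""Reconnect loop for a long-lived connection (e.g. a WebSocket) through an ELB
whose node addresses rotate. Re-resolves DNS on every attempt, backs off with
full jitter, and resets the backoff only after a session that lived long enough.
Transport, resolver, sleep and clock are injectable so it can run offline."""
import random
import socket
import time
from typing import Callable, List, Optional


class ReconnectPolicy:
    """Exponential backoff with full jitter, capped, with an attempt budget."""

    def __init__(self, base: float = 0.5, cap: float = 30.0, max_attempts: int = 8,
                 seed: Optional[int] = None):
        self.base, self.cap, self.max_attempts = base, cap, max_attempts
        self.rng = random.Random(seed)

    def delay(self, attempt: int) -> float:
        # attempt is 0-based; the ceiling doubles each time but never exceeds cap
        ceiling = min(self.cap, self.base * (2 ** attempt))
        return self.rng.uniform(0.0, ceiling)


def resolve_all(host: str, port: int) -> List[str]:
    """Fresh lookup every time: never cache ELB addresses across reconnects."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_connect(addr: str, port: int, timeout: float = 5.0) -> socket.socket:
    """Default transport; a WebSocket library's connect() would go here instead."""
    return socket.create_connection((addr, port), timeout=timeout)


def run_with_reconnect(host: str, port: int,
                       session: Callable[[object], bool],
                       policy: ReconnectPolicy,
                       connect: Callable[[str, int], object] = tcp_connect,
                       resolve: Callable[[str, int], List[str]] = resolve_all,
                       sleep: Callable[[float], None] = time.sleep,
                       clock: Callable[[], float] = time.monotonic,
                       healthy_after: float = 10.0,
                       log: Optional[list] = None) -> bool:
    """Run session() over fresh connections until it returns False (clean stop,
    -> True) or the attempt budget is exhausted (-> False). session() returns
    True when the connection dropped and the caller wants a reconnect."""
    log = log if log is not None else []
    attempt = 0
    while attempt < policy.max_attempts:
        addrs = resolve(host, port)              # the ELB may now list other nodes
        if not addrs:
            log.append(("resolve-empty", host))
            sleep(policy.delay(attempt))
            attempt += 1
            continue
        addr = addrs[attempt % len(addrs)]       # rotate so one dead node cannot pin us
        try:
            conn = connect(addr, port)
        except OSError as exc:
            log.append(("connect-failed", addr, str(exc)))
            sleep(policy.delay(attempt))
            attempt += 1
            continue
        log.append(("connected", addr))
        started = clock()
        if not session(conn):
            return True
        lasted = clock() - started
        log.append(("dropped", addr, round(lasted, 3)))
        # A node that accepts and immediately drops (an overwhelmed "old" ELB
        # node, say) must not reset the backoff; only a long-lived session does.
        attempt = 0 if lasted >= healthy_after else attempt + 1
        sleep(policy.delay(attempt))
    log.append(("gave-up", host))
    return False
```

The important design choices are the fresh `resolve()` per attempt (a cached address is exactly the removed node), the rotation across the returned addresses, and the `healthy_after` guard: without it a flapping node resets the backoff on every accept and the client never gives up.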
I have searched before writing this ... All I found is that at a certain point they are using load balancer hardware or software. But what I need is: without hardware and software, can we do the load balancing?
While I was searching for this I came across the statement below.
"Another way to distribute requests is to have a single virtual IP (VIP) that all clients use. And for the computer on that 'virtual' IP to forward the request to the real servers"
Could anyone please let me know how to do virtual IP load balancing?
I have searched lots of articles but could not find anything related to VIP configuration or setup. All I found is theoretical material.
I need to divide the incoming requests between two applications. In this case both application servers should be up and running.
Below is the architecture:
Application Node 1 : 10.66.204.10
Application Node 2 : 10.66.204.11
Virtual IP: 10.66.204.104
Run an instance of Nginx and use it as a load balancing gateway for connections. There's no difference between using virtual IPs and actual IPs - although it helps if your cloud setup is on LAN-based IPs, for both security and ease.
Depending on your setup there are two paths to go:
Dynamically assign connections to a server. This can be done on a split (evenly distributed) or on one instance until it fills up - then overflow.
Each function has its own IP assigned. For example, you can configure the gateway to serve static content itself and request dynamic content from other servers.
Configuring Nginx is a large job. However, it's a relatively well documented process and it shouldn't be hard for you to find a guide that suits your needs.
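An Nginx gateway configuration covering both paths the answer describes, as an added example (not the answerer's own config): it binds to the VIP from the question, spreads requests over the two application nodes, takes a failed node out of rotation, and serves static content itself. The application port 8080 and the `/srv/www` static root are assumptions.

```nginx
# Added example: one Nginx gateway on the VIP 10.66.204.104 in front of the two
# application nodes from the question. Ports and paths are assumptions.
upstream app_pool {
    # Round robin by default (the "split" option). For the "fill one, then
    # overflow" option instead, mark the second node with `backup`.
    server 10.66.204.10:8080 max_fails=3 fail_timeout=30s;
    server 10.66.204.11:8080 max_fails=3 fail_timeout=30s;
}

server {
    # Bind only to the VIP so the gateway is not reachable on other addresses.
    listen 10.66.204.104:80;

    # Second option from the answer: static content served by the gateway itself.
    location /static/ {
        root /srv/www;
    }

    # Dynamic content proxied to whichever node is next in rotation.
    location / {
        proxy_pass http://app_pool;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Retry the other node on connection errors or gateway-style failures.
        proxy_next_upstream error timeout http_502 http_503;
        proxy_connect_timeout 2s;
    }
}
```

`max_fails`/`fail_timeout` give passive health checking in open-source Nginx: after three failed attempts a node is skipped for 30 seconds. The application nodes should accept port 8080 only from the gateway's address, otherwise clients can bypass the balancer entirely.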
In an AWS VPC, is there any difference in networking performance (or in risk of networking failure) between EC2 instances in these two scenarios?
A) An EC2 instance in subnet Data communicating with an EC2 instance in subnet Apps. Both subnets belong to the same availability zone.
B) Two EC2 instances in a single subnet Data+apps.
I'm asking because even when Windows route print shows On-link for the subnet and a route to a gateway for other subnets in the VPC, I suspect that in the background there are no real differences in the routing that takes place.
There is no difference in performance or reliability when instances are on the same subnet, or on different subnets within the same availability zone, because of the way the network infrastructure actually works in VPC.
This is because the network is not really an Ethernet network with routers.
The entire network infrastructure in VPC is virtual, software-defined.
The best way to see this for yourself is to sniff packets on two machines on the same subnet. You'll find a significant difference in the behavior of ARP. On a "normal" network, machines on the same subnet are also in the same broadcast domain. They discover each other's hardware address by "arping" for each other, with "who has/tell" and "I have" messages. These are conspicuously different on VPC: machine A sends a request and gets a response... yet machine B never saw that request, and did not actually generate the response that it seems to have generated. There's also a conspicuous absence of stray incoming ARP messages you would find on a LAN. This layer 2 behavior is entirely emulated by the network infrastructure, which actually connects nodes together over a routed network using a numbering scheme that's entirely different from and unrelated to the numbering your topology uses, but simulates an Ethernet network very effectively.
See also A Day in the Life of a Billion Packets for an excellent overview of how the magic comes together in VPC networking.
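A way to see the emulated ARP behaviour the answer describes for yourself, as an added example (not code from the answer or from AWS): a small ARP frame parser plus a raw-socket sniffer you can run on two instances in the same subnet while one `arping`s the other. The interface name, the MAC and IP addresses used in the builder, and the output format are assumptions; `sniff_arp` is Linux-only and needs CAP_NET_RAW, while `build_arp`/`parse_arp` work anywhere.

```python
"""Observe VPC's emulated layer 2: parse ARP frames from a raw socket so you can
compare what two instances on the same subnet actually see. Added example; the
frame builder exists so the parser can be exercised without an interface."""
import socket
import struct
from typing import Dict, Optional

ETH_HDR = struct.Struct("!6s6sH")           # dst, src, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct an Ethernet+ARP frame (requests are broadcast, replies unicast)."""
    sha_b = bytes.fromhex(sha.replace(":", ""))
    tha_b = bytes.fromhex(tha.replace(":", ""))
    dst = b"\xff" * 6 if op == ARP_REQUEST else tha_b
    eth = ETH_HDR.pack(dst, sha_b, ETH_P_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, sha_b, socket.inet_aton(spa),
                       tha_b, socket.inet_aton(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "kind": {ARP_REQUEST: "who-has", ARP_REPLY: "is-at"}.get(op, f"op{op}"),
        "eth_dst": _mac(dst), "eth_src": _mac(src),
        "sha": _mac(sha), "spa": socket.inet_ntoa(spa),
        "tha": _mac(tha), "tpa": socket.inet_ntoa(tpa),
        "broadcast": dst == b"\xff" * 6,
    }


def describe(frame: bytes) -> Optional[str]:
    """One tcpdump-style line per ARP frame; None for anything else."""
    a = parse_arp(frame)
    if a is None:
        return None
    if a["kind"] == "who-has":
        return f"who-has {a['tpa']} tell {a['spa']} ({a['sha']})"
    if a["kind"] == "is-at":
        return f"{a['spa']} is-at {a['sha']} -> {a['tpa']}"
    return f"{a['kind']} from {a['spa']}"


def sniff_arp(iface: str, count: int = 10):
    """Linux only, needs CAP_NET_RAW. Run on both instances while one of them
    `arping`s the other: on VPC the target never sees the who-has for itself,
    and neither host sees stray ARP traffic from other hosts on the subnet."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    s.bind((iface, 0))
    seen = []
    while len(seen) < count:
        line = describe(s.recv(65535))
        if line:
            print(line)
            seen.append(line)
    return seen


if __name__ == "__main__":
    import sys
    sniff_arp(sys.argv[1] if len(sys.argv) > 1 else "eth0")
```

Run it as root on instance A and instance B, then `arping -c 3 <B's IP>` from A: A prints its own who-has and an is-at reply that B, running the same sniffer, never generated.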
No. Keeping the instances in different subnets within the same region or availability zone doesn't affect the performance. However, the EC2 instance capability and provisioned resources do play a role, as a lower-capability EC2 instance may introduce some latency in its responses.
I would like outgoing web service calls from different EC2 instances to have the same origin IP address. Is there any proper solution for this problem which does not involve defining a NAT within the Amazon VPC?
All the related questions I found on the web (see below) always end up with a NAT recommendation, and I am wondering: is there another solution besides the NAT solution?
https://serverfault.com/questions/530783/multiple-outgoing-ip-on-one-amazon-ec2-instance
https://forums.aws.amazon.com/message.jspa?messageID=430341
http://engineering.silk.co/post/31923247961/multiple-ip-addresses-on-amazon-ec2
To have requests come from a single IP address, then the machine with that IP address needs to send all the requests (obvious, I know). Therefore, it either needs to be the source of those requests, or requests from other machines need to route through that machine.
The easiest way to route requests through a single machine is to treat it as a NAT. This involves:
Modifying route tables so that traffic destined for the Internet routes to the NAT server
Configuring the NAT server to forward the traffic to the Internet and pass back responses
This could be done via a proxy rather than a NAT, but the result is effectively the same.
It is not possible to give the same IP address to multiple machines, since the return traffic won't know where to go. (Actually, it is possible -- see Anycast on Wikipedia, but this is only for incoming traffic to stateless services.)
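The two NAT steps from the answer above carried through, as an added example (not the answer's own code): the iptables ruleset for the NAT instance, restricted so that only traffic sourced from the VPC range is masqueraded, and the route-table change that sends the private subnets' default route through that instance. The VPC CIDR, interface name, route table IDs and region are assumptions; `route_via` uses boto3 calls that exist as written and needs AWS credentials.

```python
"""Make every instance's egress share one public address by routing the private
subnets through a NAT instance. The ruleset renderer is pure (checkable
offline); apply_nat() needs root on the NAT box and route_via() needs AWS
credentials. Added example, not the answer's own code."""
import ipaddress
import subprocess
from typing import List


def render_nat_rules(private_cidr: str, egress_iface: str) -> str:
    """iptables-restore ruleset: masquerade only traffic sourced from our VPC
    range, let only replies come back in, and drop all other forwarding so the
    box cannot be used as an open relay by anything that reaches it."""
    ipaddress.ip_network(private_cidr)          # reject malformed or host-bit CIDRs
    return "\n".join([
        "*nat",
        f"-A POSTROUTING -s {private_cidr} -o {egress_iface} -j MASQUERADE",
        "COMMIT",
        "*filter",
        ":FORWARD DROP [0:0]",
        f"-A FORWARD -s {private_cidr} -o {egress_iface} -j ACCEPT",
        f"-A FORWARD -i {egress_iface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "COMMIT",
        "",
    ])


def apply_nat(private_cidr: str, egress_iface: str = "eth0") -> None:
    """Root required: enable forwarding, then load the ruleset atomically."""
    subprocess.run(["sysctl", "-w", "net.ipv4.ip_forward=1"], check=True)
    subprocess.run(["iptables-restore"],
                   input=render_nat_rules(private_cidr, egress_iface).encode(), check=True)


def route_via(instance_id: str, route_table_ids: List[str], region: str) -> None:
    """AWS credentials required: turn off source/dest checking on the NAT
    instance (otherwise it silently drops forwarded packets) and send the
    default route of each private route table through it."""
    import boto3                                 # lazy: the renderer has no AWS dependency
    ec2 = boto3.client("ec2", region_name=region)
    ec2.modify_instance_attribute(InstanceId=instance_id, SourceDestCheck={"Value": False})
    for rtb in route_table_ids:
        try:
            ec2.create_route(RouteTableId=rtb, DestinationCidrBlock="0.0.0.0/0",
                             InstanceId=instance_id)
        except ec2.exceptions.ClientError as exc:
            if exc.response["Error"]["Code"] != "RouteAlreadyExists":
                raise
            ec2.replace_route(RouteTableId=rtb, DestinationCidrBlock="0.0.0.0/0",
                              InstanceId=instance_id)


if __name__ == "__main__":
    import sys
    # usage: <script> 10.0.0.0/16 eth0  (prints the ruleset; add --apply to load it)
    cidr, iface = sys.argv[1], sys.argv[2]
    if "--apply" in sys.argv:
        apply_nat(cidr, iface)
    else:
        print(render_nat_rules(cidr, iface), end="")
```

The `-s {private_cidr}` match and the `FORWARD DROP` policy are the part worth keeping even if the rest is replaced by a managed NAT: a masquerade rule without a source restriction turns the instance into a relay for anything that can route packets to it. The NAT instance's security group should likewise admit inbound traffic only from the private subnets.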
Closed 10 years ago.
Does anyone have a complete list of all IP addresses used by the Apple Push Notification Service?
I know that Apple uses a content delivery network to spread out these requests, and DNS lookups will return servers close to the requestor's location - the problem I have is in locating all of these servers that handle content for the United States.
For example:
$ nslookup gateway.push.apple.com
Non-authoritative answer:
canonical name = gateway.push-apple.com.akadns.net.
Address: 17.172.238.216
Address: 17.172.238.224
Address: 17.172.238.226
etc.
This list changes every time I query DNS - but all of the addresses seem to be in the same 17.172.238.x range - but there's no guarantee that tomorrow or next week I'll see a different range.
For the test push server, however, I already get results in different subnets. Sometimes I get one set of addresses:
$ nslookup gateway.sandbox.push.apple.com
Non-authoritative answer:
canonical name = gateway.sandbox.push-apple.com.akadns.net.
Address: 17.149.34.66
Address: 17.149.34.65
and other times, I'll get these addresses:
Address: 17.172.233.65
Address: 17.172.233.66
My server that will use the Apple Push Notification Service will be behind a corporate firewall, and I'll need to open up ports 2195 and 2196 for the production and test gateways -- however, my firewall team requires specific IP Addresses instead of host names.
I'm worried that if I just ask the firewall team to allow the IP Addresses I've seen so far, then my server will simply stop working a day or a week from now when the DNS server decides to serve up a different range.
If anyone has a comprehensive list for both the production and test environments, I'd appreciate it.
Update: I've tried asking the firewall team to open Apple's entire IP block (17.0.0.0/8), but they won't do that for me -- I need to narrow down the addresses a little bit.
Final update - 10/16/2016
Even though this question is closed, I thought I'd add a note explaining my final solution - and it is not what anyone looking for an answer wants to hear. I could never get ahead of the constantly changing addresses used by the CDN, so I finally gave up and leased an external server from Rackspace. I got the smallest server possible, and the only thing running on it is a port-forwarder that listens on 2195 and 2196 and sends the connections to Apple.
I used a simple iptables configuration on the Rackspace server to only allow connections on 2195/2196 from my corporate gateway, and then had my firewall team open a path to the static IP address on the external server. The firewall team is happy with implementing a single path, and the external server can connect to the entire 17.0.0.0/8 range used by Apple.
From Apple's documentation (emphasis on the interesting bit added):
Push providers, iOS devices, and Mac computers are often behind firewalls. To send notifications, you will need to have TCP port 2195 open. To reach the feedback service, you will need to have TCP port 2196 open. Devices and computers connecting to the push service over Wi-Fi will need to have TCP port 5223 open.
The IP address range for the push service is subject to change; the expectation is that providers will connect by hostname rather than IP address. The push service uses a load balancing scheme that yields a different IP address for the same hostname. However, the entire 17.0.0.0/8 address block is assigned to Apple, so you can specify that range in your firewall rules.
17.0.0.0/8 is CIDR notation for 17.0.0.1 to 17.255.255.254.
The official answer is, unfortunately, that there is no official answer :) -- unless you consider Apple's rather sloppy approach of simply allowing all traffic to 17.0.0.0/8. Apple developer support provided the same link to the documentation as vcsjones in the first answer.
For my particular situation, I have narrowed the IP addresses down to these ranges after checking DNS regularly for the last couple of weeks. Keep in mind that these are only valid for the midwest portion of the United States, since Apple's CDN will return a set of addresses closest to the server making the query.
For gateway.push.apple.com, I'm opening ports 2195 and 2196 on my firewall for:
17.149.35.0/24
17.172.238.0/24
For gateway.sandbox.push.apple.com, I'm opening ports 2195 and 2196 on my firewall for:
17.149.34.66
17.149.34.65
17.172.233.65
17.172.233.66
Since these addresses are obviously subject to change, I've built in some monitoring for my application to detect when the APNS servers are no longer reachable (and fall back to these address ranges instead of using DNS). It's not the ideal solution, but it will have to work for now until I can work out a solution with my corporate network / firewall teams...
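The monitoring the answer above mentions, as an added example (not the answerer's code): it resolves each gateway hostname, reports any address that falls outside the ranges the firewall was opened for (so a CDN change shows up before connections start failing), and picks an endpoint by preferring a freshly resolved, firewall-permitted address over the last-known-good fallbacks. The allow-list is the set of ranges from the answer; the resolver and the reachability probe are injectable, and the addresses used in the test are constructed.

```python
"""Detect when a hostname starts resolving outside the ranges the firewall
allows, so a pinhole built from observed addresses fails loudly instead of
silently. Added example, not from the answer; the resolver is injectable."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# The ranges the answer settled on, used here as the allow-list to check against.
ALLOWED: Dict[str, List[str]] = {
    "gateway.push.apple.com": ["17.149.35.0/24", "17.172.238.0/24"],
    "gateway.sandbox.push.apple.com": ["17.149.34.65/32", "17.149.34.66/32",
                                       "17.172.233.65/32", "17.172.233.66/32"],
}


def resolve_v4(host: str) -> List[str]:
    """All IPv4 addresses the local resolver currently returns for host."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def check_host(host: str, allowed_cidrs: Iterable[str],
               resolve: Callable[[str], List[str]] = resolve_v4) -> Dict[str, List[str]]:
    """Split the resolved addresses into those the firewall permits and those it does not."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    inside, outside = [], []
    for addr in resolve(host):
        ip = ipaddress.ip_address(addr)
        (inside if any(ip in n for n in nets) else outside).append(addr)
    return {"inside": inside, "outside": outside}


def drift_report(allowed: Dict[str, List[str]] = ALLOWED,
                 resolve: Callable[[str], List[str]] = resolve_v4) -> Dict[str, List[str]]:
    """Map host -> addresses not covered by the firewall rules (empty list means fine)."""
    return {h: check_host(h, cidrs, resolve)["outside"] for h, cidrs in allowed.items()}


def tcp_reachable(addr: str, port: int, timeout: float = 3.0) -> bool:
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_endpoint(host: str, allowed_cidrs: Iterable[str], fallbacks: Iterable[str], port: int,
                  resolve: Callable[[str], List[str]] = resolve_v4,
                  reachable: Callable[[str, int], bool] = tcp_reachable) -> Optional[str]:
    """Prefer a freshly resolved address the firewall permits; otherwise fall
    back to the last-known-good addresses. None when nothing answers on port."""
    result = check_host(host, allowed_cidrs, resolve)
    for addr in result["inside"] + list(fallbacks):
        if reachable(addr, port):
            return addr
    return None


if __name__ == "__main__":
    import sys
    report = drift_report()
    for host, outside in report.items():
        print(f"{host}: {'OK' if not outside else 'DRIFT ' + ', '.join(outside)}")
    sys.exit(1 if any(report.values()) else 0)
```

Run from cron on the server that talks to APNS (so it sees the same CDN answers); a non-zero exit means DNS now returns addresses the firewall does not allow and the pinhole needs extending before the fallbacks stop answering too.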
I'm interested in having a second web host run a copy of my website, such that if my first host goes down, the traffic routes to the second host. Is this possible?
My guess would be to add additional nameservers beyond the first two.
I also suspect it's doable with no-ip.com, but I'm not clear on how that works, and if they would require me to leave my first host entirely?
See if your DNS provider will let you do round robin DNS.
Basically, DNS queries will return more than one IP for your site. Try nslookup google.com to see how it might look.
There are loads of other ways to do geographical load balancing and failover (most are expensive though).
DNS Made Easy provides this service, which is called DNS Failover. For others looking:
http://www.dnsmadeeasy.com/s0306/price/dns.html