Global Server Load Balancing with Kemp

Tutorial to set up Global Server Load Balancing with Kemp GEO, which currently handles only A (IPv4) and AAAA (IPv6) records.

Benefits of Global Server Load Balancing (GSLB)

  • Intelligently distributes traffic across servers in different datacenters based on DNS queries and health monitoring in Kemp
  • Enables many distributed application servers to function as a single, virtual server

We will test how easy it is to set up, and verify its functionality, with Kemp GEO, comparing it with DNS Failover for Web Servers with DNSMadeEasy

Lab prepared for this tutorial

  • 2 x Data Centers
  • 2 x FortiGate Firewall
  • 2 x Kemp VLM as Reverse Proxy for Nginx

Refer to my previous post on how to setup Reverse Proxy for Nginx with Kemp VLM

FortiGate Firewall in Production Site

1-to-1 NAT / PAT is required to ensure that the outbound source IP of Kemp is identical to its inbound NAT IP

Kemp does not recommend a Layer 3 source IP NAT to the LoadMaster, as it will mask source IP visibility during geographical coding operations; all devices in front of the LoadMaster should be transparent.

Inbound NAT (Virtual IP) to map 121.121.43.51 to 192.168.1.222 for TCP 22 (SSH) & UDP 53 (DNS)

Outbound NAT to translate source IP from 192.168.1.222 to 121.121.43.51

Create a NAT Loopback rule to allow machines in LAN to access servers’ NATed Public IP Address

FG60E (12) # show
config firewall policy
    edit 12
        set name "LAN-NAT Loopback"
        set uuid ac4edb2c-8969-51ea-2e4f-971c3a9f66bd
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "NAT-51-222-DNS" "NAT-51-222-HTTPS" "NAT-51-222-SSH"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set match-vip enable
    next
end

Create a Policy Route to allow Kemp to access its own public IP Address

FG60E (4) # sh 
config router policy
    edit 4
        set input-device "internal"
        set src "192.168.1.222/255.255.255.255"
        set dst "192.168.1.222/255.255.255.255"
        set output-device "internal"
    next
end

Configure the FortiGate Firewall in DR Site for inbound & outbound NAT following the steps above

Setup GEO LoadMaster Partners

Log in to Kemp VLM at the Production Site and go to Certificate & Security – Remote Access – GEO Settings

  • GEO LoadMaster Partners – IP address of the Kemp VLM in the DR Site
  • Partner Status – Ensure that it is always GREEN
  • GEO LoadMaster Port = 22 (Default)
  • GEO Update Interface – Interface used for GEO communication

Log in to Kemp VLM at the DR Site and configure the IP Address of the GEO LoadMaster Partner

SSH to Kemp VLM at DR Site to verify the SSH traffic in detail with tcpdump in Utilities – Diagnostics – Diagnostic Shell

If a different firewall is used, ensure that Source NAT is configured so that the Kemp VLM's outgoing traffic uses the same address as its inbound NAT IP

% tcpdump 'host 121.121.43.51'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:51:01.269525 IP 10.10.10.208.31761 > 121.121.43.51.22: S 1267849930:1267849930(0) win 29200 <mss 1460,nop,wscale 7>
08:51:01.280766 IP 121.121.43.51.22 > 10.10.10.208.31761: S 1535316721:1535316721(0) ack 1267849931 win 29200 <mss 1452,nop,wscale 7>
08:51:01.280799 IP 10.10.10.208.31761 > 121.121.43.51.22: . ack 1 win 229
08:51:01.296731 IP 121.121.43.51.22 > 10.10.10.208.31761: P 1:22(21) ack 1 win 229
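An added check, not part of the original post: this Python parses tcpdump lines in the format shown above and reports which configured GEO partners completed the TCP 22 handshake, plus any other address that tried to open SSH to this LoadMaster, which is the symptom of a partner whose outbound traffic is not source-NATed to its configured partner IP. The sample capture is constructed: its first four lines mirror the one above, and the last line (address 203.0.113.77) is made up.

```python
import re

# Constructed sample in the same format as the tcpdump output above. The first
# four lines mirror the post's capture (DR Kemp 10.10.10.208 opening SSH to the
# production partner 121.121.43.51). The last line is constructed: an inbound SYN
# to our port 22 from an address that is NOT a configured partner, which is what
# a missing or wrong Source NAT on the far side looks like on the wire.
SAMPLE = """\
08:51:01.269525 IP 10.10.10.208.31761 > 121.121.43.51.22: S 1267849930:1267849930(0) win 29200 <mss 1460,nop,wscale 7>
08:51:01.280766 IP 121.121.43.51.22 > 10.10.10.208.31761: S 1535316721:1535316721(0) ack 1267849931 win 29200 <mss 1452,nop,wscale 7>
08:51:01.280799 IP 10.10.10.208.31761 > 121.121.43.51.22: . ack 1 win 229
08:51:01.296731 IP 121.121.43.51.22 > 10.10.10.208.31761: P 1:22(21) ack 1 win 229
08:53:10.000001 IP 203.0.113.77.40001 > 10.10.10.208.22: S 1:1(0) win 29200 <mss 1460>
"""

LINE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (\S+)(.*)$")

def parse(capture):
    """Yield (src_ip, src_port, dst_ip, dst_port, flag, rest) for each tcpdump line."""
    for line in capture.splitlines():
        m = LINE.match(line)
        if m:
            yield m[1], int(m[2]), m[3], int(m[4]), m[5], m[6]

def audit_geo_partners(capture, local_ip, partners, port=22):
    """Check GEO partner traffic on `port` as seen from `local_ip`.
    Returns (completed, unexpected): partners that finished a SYN / SYN-ACK / ACK
    exchange with us, and foreign addresses that sent us a SYN on `port`."""
    stage = {}          # partner ip -> 1 after SYN, 2 after SYN-ACK, 3 after ACK
    unexpected = set()
    for src, sport, dst, dport, flag, rest in parse(capture):
        if src == local_ip and dst in partners and dport == port and flag == "S":
            stage[dst] = 1                                   # our SYN to the partner
        elif src in partners and sport == port and dst == local_ip and flag == "S" and " ack " in rest:
            if stage.get(src) == 1:
                stage[src] = 2                               # partner's SYN-ACK
        elif src == local_ip and dst in partners and dport == port and flag == ".":
            if stage.get(dst) == 2:
                stage[dst] = 3                               # our final ACK
        elif dst == local_ip and dport == port and flag == "S" and src not in partners:
            unexpected.add(src)                              # SSH from a non-partner address
    completed = {ip for ip, s in stage.items() if s == 3}
    return completed, unexpected
```

Run it against a capture taken in the Diagnostic Shell; a non-empty `unexpected` set that contains the partner's real egress address means the partner side's Source NAT does not match the configured GEO partner IP.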

New GEO Cluster

Log in to Kemp VLM in the Production Site and add the IP Addresses of both Kemp VLMs in Global Balancing – Manage Clusters

Log in to Kemp VLM in the DR Site to verify that the settings have been synchronized successfully

Click Modify to configure Cluster Health Check via TCP 22 (SSH)

By default, Health Check is performed every 2 minutes (120 Seconds) and it can be adjusted in Global Balancing – Miscellaneous Param – Resource Check Parameter

Stickiness is the property that enables all name resolution requests from an individual client to be sent to the same set of resources until a specified period has elapsed.

Fully Qualified Domain Name (FQDN)

Add an FQDN called uat.aventislab.info in Global Balancing – Manage FQDN and click Modify to continue

Configure the IP Address for uat.aventislab.info and set the Checker to Cluster Checks

A maximum of 2 FQDNs is supported in Kemp VLM Free Edition

Selection Criteria

  1. Round Robin – Incoming requests are distributed sequentially across the IP address end-points.

  2. Weighted Round Robin – Incoming requests are distributed across the cluster in a sequential manner, while taking account of a static "weighting" that can be pre-assigned per server.

  3. Fixed Weighted – Used in Disaster Recovery (DR) sites. The highest weight Real Server is only used when other Real Server(s) are given lower weight values. However, if the highest weighted server fails, the Real Server with the next highest priority number is available to serve clients.

  4. Real Server Load – Requires integration with LoadMaster; this allows you to obtain datacenter-level metrics from LoadMaster which are used in real time to direct clients to the cluster that is least busy.

It appears that Real Server Load cannot be selected in Kemp VLM Free Edition.

  5. Location Based – Allows GEO to direct a client to a data center based on the client’s country, continent or IP address range as defined by the created policies.

  6. Proximity – Takes Location Based one step further and allows for longitude and latitude granularity when defining proximity.

  7. All Available – Returns all possible healthy targets for an A (IPv4) or AAAA (IPv6) query request.

Site Failure Handling

Failure Delay – This setting determines how long (in minutes) the LoadMaster waits until it designates a site as having failed, thereby initiating a site failover.

Site Recovery Mode

This determines what recovery options are implemented when a failed site recovers.

  1. Automatic – when the data center recovers, the LoadMaster automatically performs a failback (restores services to the recovered data center)

  2. Manual – upon failure, the data center is administratively disabled and is not available for a failback until the admin clicks the Enable button for the relevant data center

Unanimous Cluster Health

If this option is enabled and any IP address fails health checking, the other FQDN IP addresses that belong to the same cluster are also marked as down
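To make the interaction of Fixed Weighted selection, Failure Delay, Site Recovery Mode and Unanimous Cluster Health concrete, here is a constructed Python model of one FQDN's GEO decisions; it is an added example, not Kemp's code, and the weights (2000 / 1000), the cluster names and the 2-minute check cadence are assumptions. The lab_failover function replays the failover test from the Functionality section with the two lab IPs.

```python
class GeoFqdn:
    """Constructed model (added here, not Kemp's code) of one FQDN's GEO logic:
    Fixed Weighted selection, Failure Delay, Site Recovery Mode and Unanimous
    Cluster Health. Times are minutes; weights and cluster names are assumed."""

    def __init__(self, targets, failure_delay=0, recovery="automatic", unanimous=False):
        self.targets = targets            # {ip: (weight, cluster)}
        self.failure_delay = failure_delay
        self.recovery = recovery          # "automatic" or "manual"
        self.unanimous = unanimous
        self.unhealthy_since = {}         # ip -> minute its checks first failed
        self.failed = set()               # sites designated failed (failover done)
        self.disabled = set()             # manual mode: waiting for the Enable button

    def health_check(self, results, now):
        """Apply one round of cluster checks: results = {ip: healthy?} at minute `now`."""
        if self.unanimous:                # one failing IP marks its whole cluster down
            bad = {self.targets[ip][1] for ip, ok in results.items() if not ok}
            results = {ip: ok and self.targets[ip][1] not in bad for ip, ok in results.items()}
        for ip, ok in results.items():
            if ok:
                self.unhealthy_since.pop(ip, None)
                if ip in self.failed:     # site recovered: failback now or after Enable
                    self.failed.discard(ip)
                    if self.recovery == "manual":
                        self.disabled.add(ip)
            elif now - self.unhealthy_since.setdefault(ip, now) >= self.failure_delay:
                self.failed.add(ip)       # down longer than Failure Delay: failover

    def enable(self, ip):
        """The admin's Enable button for a data center in manual recovery mode."""
        self.disabled.discard(ip)

    def resolve(self):
        """Fixed Weighted: answer the highest-weight target that is neither failed nor disabled."""
        live = [ip for ip in self.targets if ip not in self.failed and ip not in self.disabled]
        return max(live, key=lambda ip: self.targets[ip][0], default=None)

def lab_failover(failure_delay=2, recovery="automatic"):
    """Replays the post's test: production Kemp goes down, then comes back.
    Returns the FQDN object and the A record answered after each 2-minute check."""
    fq = GeoFqdn({"121.121.43.51": (2000, "prod"), "103.18.246.222": (1000, "dr")},
                 failure_delay, recovery)
    answers = [fq.resolve()]
    for minute, prod_up in [(0, False), (2, False), (4, False), (6, True)]:
        fq.health_check({"121.121.43.51": prod_up, "103.18.246.222": True}, minute)
        answers.append(fq.resolve())
    return fq, answers
```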

Delegate Subdomains in DNSMadeEasy

Create A Records for ns1.aventislab.info (121.121.43.51) & ns2.aventislab.info (103.18.246.222)

Delegate the Sub-Domain (uat.aventislab.info) to NS1 & NS2

Functionality of Global Server Load Balancing with Kemp

Configure Fixed Weighted for uat.aventislab.info with the highest weight assigned to the web server (121.121.43.51) in the Production Site

The following page will be displayed when accessing https://uat.aventislab.info

Shut down the Kemp VLM in the Production Site

Log in to Kemp VLM in the DR Site to verify that the Kemp VLM in the Production Site is reported as DOWN

It will take up to 2 minutes to change from UP to DOWN, based on the default 120-second Health Check Interval

The A record for uat.aventislab.info has been changed from 121.121.43.51 to 103.18.246.222, and the following page will be displayed when accessing https://uat.aventislab.info

Power on the Kemp VLM in the Production Site

The A record of uat.aventislab.info will be changed back to the IP Address of the Kemp VLM in the Production Site automatically
