Virtual Network and Web Services: An Update
Thomas Finnern (DESY IT / Systems and Operations)
Thorsten Witt (DESY IT / Communication Networks)
HEPiX Spring 2010 @ Lisbon, Portugal
Application Delivery Networking
• Secure
  • Network Security Policies
  • Filtering
• Fast
  • Proxy
  • Server Farms
• Available
  • Server cluster
  • Load Distribution
• Since 2003
[Figure: "The Solution": an Application Delivery Network between the users (mobile phone, PDA, laptop, desktop, co-location) and the applications (CRM, database, Siebel, BEA, legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, custom)]
Cross Functional Collaboration
• Networking
• Application Architect
• Operations
• Security
[Figure: stakeholders: application architecture, operations, the network guy, security]
Outline of Talk
• Intro:
  • Application Delivery Networking
  • Cross Functional Collaboration
• Part I: Load Balancer
  • Work Done
  • Technical Features
  • Modes of Operation
• Part II: Application Examples
  • Active Services
  • DESY WEB Page
  • IT Status Monitor
• Outlook and Conclusions
Part I: The Load Balancer
• F5 Viprion Blade Cluster
• Things Done Since 2008
• The Architecture
Work Done, Planned and In Progress
• Updates 9.x -> 10.0 -> 10.1
  • Live Upgrade
  • Still a Unix system with GUI and CLI
  • ssh login, crontab, ...
• Migration Old -> New
• Redesign Services
  • ProxyPassSite with Remote Editable Config Table
  • Integration of Content Management System
  • 100 % Monitoring with "Dynamic Out Of Service Page"
Version 10 Software
• New Evaluation Licensing
• Virtual Machine with F5 Functionality
• Application Templates
• Administrative/GUI Enhancements
• CMP Extensions
• TMSH for LTM/GTM
• Multiple Routing Domains
  • Overlapping IP-Ranges
• "Machine readable" qkview
• Passive (In-Band) Monitoring
• Live Installation
• IPv6 internal Communication
• IPv6 external Gateway !
• Dash Board
• Logical Volume Manager
• FastHTTP Profile Extensions
• iRule Extensions
• Fast syslog
• Geo-IP Locator
• Module Provisioning
• Various GUI Extensions: Login-Page, Reboot/Logout/Timeout/Disclaimer, Forced Offline
Overall Connection Block Diagram
[Figure: clients (mobile phone, PDA, laptop, desktop) attach via office switches (10-100 Mbit/s) to the core router; CC switches, the load balancer and the co-location are connected at 1 Gbit/s and 10 Gbit/s; the server pools / application servers sit behind the load balancer]
Technical Features: Unique TMOS Architecture
• Hardware
  • ASIC for Layer 3 + 4
• Software
  • TMOS
  • TMOS traffic plug-ins
  • High-performance networking microkernel
  • Powerful application protocol support
  • iControl: external monitoring and control
  • iRules: network programming language
[Figure: TMOS block diagram. Client side and server side meet at a TCP proxy on the high-performance networking microkernel; traffic plug-ins: TrafficShield, WebAccelerator, 3rd party, rate shaping, TCP Express, SSL, caching, XML, compression, OneConnect; iRules and the iControl API sit on top, high-performance hardware underneath]
Operation Mode "Dumb Service"
• F5 Secure Network Address Translation: SNAT = on
• Server sees the F5 switch as the client
• No server change needed
• All service traffic handled by the F5 switch
• HTTP header insert
  • E.g. client address as X-Forwarded-For
  • With SNAT the server's TCP peer is always the F5, so the inserted X-Forwarded-For header is the only record of the real client; a server should accept it only from the F5 and treat any X-Forwarded-For a client sends itself as untrusted input.
[Figure: client system and other systems reach the server systems through a standard router; the F5 acts as SNAT gateway in front of the server systems]
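How a backend should use the X-Forwarded-For header it receives in this mode, as an added example (not code from the talk or from DESY): the header is accepted only when the TCP peer is the load balancer, and the value the load balancer added is taken to be the last one, which assumes the usual "each proxy appends" convention. The proxy address, the on-site network range and the sample requests are constructed for the example.

```python
"""Recovering the real client address behind an SNAT'ed load balancer.

Added example, not code from the talk or from DESY. In "Dumb Service" mode
the server's TCP peer is always the F5 (SNAT), so the client address only
survives in the X-Forwarded-For header the F5 inserts. A client can send
its own X-Forwarded-For, so the server must accept the header only when
the TCP peer is the load balancer and must use the value the load balancer
added, assumed here to be the last one. Proxy address, site range and the
sample requests below are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed: the SNAT address the servers see the F5 connect from.
TRUSTED_PROXIES = [ip_network("10.0.0.10/32")]
# Assumption: the on-site range, taken from the addresses on the slides.
DESY_SITE = ip_network("131.169.0.0/16")


def forwarded_hops(headers):
    """All X-Forwarded-For values in wire order; repeated headers are
    equivalent to one comma-separated list."""
    hops = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            hops.extend(v.strip() for v in value.split(",") if v.strip())
    return hops


def client_address(peer_ip, headers):
    """Address to log and to make access decisions on.

    headers: list of (name, value) pairs as received, in wire order.
    """
    if not any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        # Direct connection or unknown proxy: whatever is in
        # X-Forwarded-For was written by the client itself.
        return peer_ip
    hops = forwarded_hops(headers)
    if not hops:
        return peer_ip          # proxy inserted nothing: nothing better known
    last = hops[-1]             # the trusted proxy's own entry
    try:
        ip_address(last)
    except ValueError:
        return peer_ip          # not an address: refuse to log/decide on it
    return last


def allow_internal_only(peer_ip, headers):
    """Access check for a site-internal service that must hold up against
    a client that pre-fills X-Forwarded-For with an internal address."""
    return ip_address(client_address(peer_ip, headers)) in DESY_SITE


# Constructed sample requests: (TCP peer address, header list).
HONEST = ("10.0.0.10", [("Host", "www.desy.de"),
                        ("X-Forwarded-For", "192.0.2.7")])
# Client sent its own X-Forwarded-For with an internal address; the F5
# appended the real one behind it.
SPOOFED = ("10.0.0.10", [("X-Forwarded-For", "131.169.1.1"),
                         ("X-Forwarded-For", "198.51.100.9")])
# Client bypassed the load balancer: the header must be ignored.
DIRECT = ("198.51.100.9", [("X-Forwarded-For", "131.169.1.1")])
INTERNAL = ("10.0.0.10", [("X-Forwarded-For", "131.169.5.9")])
```

The "last value wins" rule only holds if the load balancer appends rather than prepends; a more robust setup is to have the F5 strip any client-supplied X-Forwarded-For before inserting its own (an iRule can remove the header on HTTP_REQUEST), so the server receives exactly one value.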
Operation Mode "Smart Service"
• F5 Network Address Translation: NAT = on
• Server changes:
  • Default route to the F5 switch
  • F5 relaxed IP binding on the GW proxy
• Limitations
  • Server must be on an F5-connected network (GW)
• Multiple services possible
  • For DMZ and extra F5 subnet
• (Almost) all traffic handled by the F5 switch
• Our new favorite
[Figure: client system and other systems reach the server systems through a standard router; the F5 acts as NAT gateway in front of the server systems]
Part II: Application Examples
• Overview
• DESY WEB Page (DESY IT / Information Fabrics)
• DESY State Info System (DESY IT / Systems and Operations)
Top Statistics Over One Month

F5 top statistics, BIG-IP ACTIVE, current time 14:25:59. First column group: bits since Mar 9 16:01:44 (In / Out / Conn); second group: bits in prior 5 seconds (In / Out / Conn); last column: nodes up (virtual) or state (node).

BIG-IP                    In       Out      Conn     In       Out      Conn
lb-198-220.desy.de        647.6G   566.8G   4.290M   8.452M   27.20M   138

VIRTUAL ip:port           In       Out      Conn     In       Out      Conn     Nodes Up
none:any                  470.8G   8.496M   91376    272448   0        0        1
infoscreen.desy.de:ht     7.265G   302.0G   3404     245904   10.98M   0        2
www.desy.de:http          7.416G   137.1G   256425   351680   15.66M   5        1
none:any                  51.87G   215040   183153   7.098M   0        10       1
wof-hasylab.desy.de:h     4.646G   37.77G   148096   856472   4.353M   13       2
none:any                  37.05G   30.13M   244119   508808   640      3        1
indico.desy.de:https      1.132G   30.56G   41830    8944     7264     0        2
it-news.desy.de:http      28.41G   2.876G   443636   938664   168552   24       3
ip-console-vs.desy.de     10.36G   10.68G   10       0        0        0        2
ics.desy.de:http          3.905G   3.247G   3064     202152   169104   0        2
wof-xfel-eu.desy.de:h     257.6M   6.424G   20313    320      320      0        2

NODE ip:port              In       Out      Conn     In       Out      Conn     State
rt-248-16.desy.de:any     470.8G   0        91376    264008   0        0        UP
it-news02.desy.de:htt     4.188G   152.2G   385006   70016    1.934M   9        UP
it-news01.desy.de:htt     4.236G   152.1G   396351   75880    1.600M   8        UP
web2.desy.de:http         1.988G   72.26G   100105   346712   15.40M   2        UP
wofzeoc7.desy.de:http     2.622G   69.56G   150929   27952    781408   4        UP
rt-40-16.desy.de:any      51.86G   0        179544   4.247M   0        9        UP
FW-5-15.desy.de:any       37.06G   14.14M   241541   509448   0        3        UP
it-indico1.desy.de:ht     1.110G   31.43G   41540    58936    484080   0        UP
wofdb.desy.de:http        2.069G   26.58G   103313   281736   2.202M   7        UP
ip-console3.desy.de:a     10.39G   10.71G   10       0        0        0        UP
wof2.desy.de:http         970.4M   17.54G   61640    373360   3.303M   6        UP
Virtual Services and Pooling
• Virtual Service
  • Proxy with IP-Number + Port
  • Certificate
  • Scripting: Redirect, Editing (stream), Mapping, ...
  • Persistence to Pool Members
  • SSL Offloading
  • RAM-Caching
  • Optimizing http-Protocol (OneConnect)
• Pooling
  • Multiple Machines/Ports
  • Monitoring: Ping, Service Monitoring, opt. Remote Control by Remote Flag Files
  • Port Mapping
  • Load Balancing: In Band Load, Round Robin, Number of Connections, ...
Example Configuration

www.desy.de with ProxyPassSite, CLI configuration:

    virtual web-http-service {
       pool wofzms-http-pool
       destination 131.169.40.41:http
       ip protocol tcp
       rules ProxyPassDESY
       profiles {
          http {}
          stream {}
          tcp {}
       }
    }
    virtual web-https-service {
       pool wofzms-https-pool
       destination 131.169.40.41:https
       ip protocol tcp
       rules ProxyPassDESY
       profiles {
          http {}
          serverssl_desy { serverside }
          stream {}
          tcp {}
          www-desy-client { clientside }
       }
    }

The https service terminates TLS on the client side with the www-desy-client profile and re-encrypts towards the pool with the serverssl_desy profile, so the server-side hop is not plaintext.

infoscreen.desy.de with Fast HTTP Profile, CLI configuration:

    virtual it-infoscreen-http-service {
       snat automap
       pool it-infoscreen-pool
       destination 131.169.5.220:http
       ip protocol tcp
       profiles fasthttp_snat {}
    }
    pool it-infoscreen-pool {
       lb method member least conn
       min active members 1
       monitor all http_80_desy
       members {
          131.169.5.76:http { priority 5 }
          131.169.5.130:http { priority 5 }
       }
    }
Example 1: Redesign of www.desy.de
• Remove Single Points of Failure
  • Single Machines
  • Provide Offline WEB Site Status Info
• Enable Mixed WWW/WOF-Environments
  • Common ProxyPassSite Configuration
  • Import External ProxyPassTable
• Enhance Load Balancing and Speed
  • Caching
  • Protocol Optimizing
  • CMS: Separate Read/Write Pools
    • Cookie Dependent Routing
  • CMS: Direct Zope Interface
  • Offload SSL
• Other Features
  • Get rid of old F5 Switches
  • No Source Network Address Translation
  • Intern/Extern-Routing
  • Intern/Extern Handling
  • http/https-Redirections
Before / Now
[Figure: N clients at the DESY site and N clients at other sites reach the various WEB services (www.desy.de http/https, other desy.de http/https) through standard routers; a load balancer with service proxy pooling (service http, service https, persist: ZopeId) in front of the Apache server systems, and a separate CMS interface (content management) in front of the Zope CMS server systems]
After / Now
[Figure: N clients at the DESY site and at other sites reach www.desy.de http/https through a standard router; one load balancer provides the Web Service (service http, service https, proxy pooling, persist: ZopeId and __ac, separate read/write pools, migration old/new pools, driven by the Proxy Pass Table) and the CMS interface (WEB management, content management) in front of the Zope CMS server systems]
ProxyPassSite Features
• Config Load from AFS
  • Whoever can write the table in AFS controls the routing of every site behind the proxy, so the AFS ACL on that file is part of the web service's security boundary.
• "clientside" := "CMD[+Option] serverside"
• "clientside" := "CMD serverside poolname[/https-pool]"
• Feature Redirect
  • "www.host.com/clientdir" := "Redirect internal.company.com/serverdir"
• Feature Alias
  • "/clientdir" := "Alias+HostMap /serverdir"
  • "host.desy.de/" := "Alias+Protomap+ZopeMap /serverdir wof-read-pool"
• Options
  • +Cssl
  • +Intern
  • +Hostmap
  • +Pathmap
  • +ProtoMap
  • +Zopemap
  • +Slash
  • +Log[0-2]
  • +Snat

Example table entries (the chor.desy.de entry is one line, wrapped on the slide):

    "/" := "Alias+HostMap+Snat zms.desy.de/",
    "/dgs" := "Redirect http://guest-services.desy.de",
    "hasylab.desy.de/" := "Alias+Snat / wof-http-pool/wof-https-pool",
    "chor.desy.de/" := "Alias+ZopeMap+ProtoMap /VirtualHostBase/<proto>/<host>.desy.de:<port>/sites2009/site_<host>/content/ wof-ro-pool/wof-rw-pool",
    "www.desy.de/~" := "Alias web2.desy.de/~ web2-http-pool/web2-https-pool",
    "/cgi-bin" := "Alias /cgi-bin web-http-pool/web-https-pool",
    "/dgo" := "Alias+Intern /dgo web2-http-pool/web2-https-pool",
    "/favicon.ico" := "Alias /favicon.ico web2-http-pool/web2-https-pool",
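A parser and resolver for the table format above, as an added example that is not DESY's ProxyPassDESY iRule. It reads the grammar exactly as the slide gives it ("clientside" := "CMD[+Option] serverside [pool[/pool]]") and applies it to requests; the semantics it assigns are this example's assumptions: the most specific entry wins (host-specific before generic, then the longest path prefix), <proto>/<host>/<port> are substituted in the Zope VirtualHostBase style, a pool pair is http/https chosen by the client protocol except under +ZopeMap where it is the read/write pair of Example 1 chosen by the Zope __ac login cookie, and +Intern restricts an entry to clients in 131.169.0.0/16. The sample table is copied from the slide.

```python
"""Resolver for the ProxyPassSite config table format from the talk.

Added example, not DESY's iRule. The table grammar follows the slide; the
matching and option semantics (longest prefix, host-specific first,
<proto>/<host>/<port> substitution, pool choice, +Intern as a check
against 131.169.0.0/16) are this example's assumptions.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample table: the entries printed on the slide.
SAMPLE_TABLE = r'''
"/" := "Alias+HostMap+Snat zms.desy.de/",
"/dgs" := "Redirect http://guest-services.desy.de",
"hasylab.desy.de/" := "Alias+Snat / wof-http-pool/wof-https-pool",
"chor.desy.de/" := "Alias+ZopeMap+ProtoMap /VirtualHostBase/<proto>/<host>.desy.de:<port>/sites2009/site_<host>/content/ wof-ro-pool/wof-rw-pool",
"www.desy.de/~" := "Alias web2.desy.de/~ web2-http-pool/web2-https-pool",
"/cgi-bin" := "Alias /cgi-bin web-http-pool/web-https-pool",
"/dgo" := "Alias+Intern /dgo web2-http-pool/web2-https-pool",
"/favicon.ico" := "Alias /favicon.ico web2-http-pool/web2-https-pool",
'''

# Assumption: "intern" means the DESY site network the slide's IPs sit in.
INTERNAL_NETS = [ip_network("131.169.0.0/16")]

ENTRY_RE = re.compile(r'"(?P<client>[^"]*)"\s*:=\s*"(?P<server>[^"]*)"')


@dataclass
class Entry:
    host: Optional[str]     # None = applies to every host of the virtual server
    path: str               # client-side path prefix
    cmd: str                # Redirect or Alias
    options: frozenset      # +Option names
    target: str             # server-side URL, host/path or /path
    pools: tuple            # () or (pool,) or (pool, second_pool)


def split_host_path(s):
    """'host/path' -> (host, '/path');  '/path' -> (None, '/path')."""
    if s.startswith("/"):
        return None, s
    host, _, rest = s.partition("/")
    return host, "/" + rest


def parse_table(text):
    entries = []
    for m in ENTRY_RE.finditer(text):
        cmd_opts, target, *rest = m.group("server").split()
        cmd, *opts = cmd_opts.split("+")
        host, path = split_host_path(m.group("client"))
        pools = tuple(rest[0].split("/")) if rest else ()
        entries.append(Entry(host, path, cmd, frozenset(opts), target, pools))
    return entries


def resolve(entries, host, path, proto="http", client_ip="131.169.5.1",
            cookies=None):
    """Return a dict describing what the proxy does with one request."""
    cookies = cookies or {}
    candidates = [e for e in entries
                  if (e.host is None or e.host == host) and path.startswith(e.path)]
    if not candidates:
        return {"action": "none"}
    # Most specific entry wins: host-specific beats generic, then longest prefix.
    e = max(candidates, key=lambda c: (c.host is not None, len(c.path)))

    if "Intern" in e.options and not any(
            ip_address(client_ip) in n for n in INTERNAL_NETS):
        return {"action": "deny", "entry": e.path}   # internal-only path

    if e.cmd == "Redirect":
        return {"action": "redirect", "location": e.target}

    # Alias: swap the matched client prefix for the server-side prefix.
    target_host, target_path = split_host_path(e.target)
    if "ZopeMap" in e.options or "ProtoMap" in e.options:
        # Zope VirtualHostBase style placeholders; <host> is the short name.
        target_path = (target_path.replace("<proto>", proto)
                       .replace("<host>", host.split(".")[0])
                       .replace("<port>", "443" if proto == "https" else "80"))
    new_path = target_path + path[len(e.path):]

    pool = e.pools[0] if e.pools else None
    if len(e.pools) == 2:
        if "ZopeMap" in e.options:
            # CMS read/write pools: a Zope __ac (login) cookie selects write.
            pool = e.pools[1] if "__ac" in cookies else e.pools[0]
        else:
            # http/https pool pair, chosen by the client-side protocol.
            pool = e.pools[1] if proto == "https" else e.pools[0]
    return {"action": "alias", "host": target_host or host, "path": new_path,
            "pool": pool, "snat": "Snat" in e.options}
```

The resolver makes the security-relevant consequences of the table visible: the generic "/" entry catches everything not matched more specifically, +Intern entries are refused for off-site clients (which is only sound if the client address used is the one the load balancer itself saw, not a forwarded header), and a logged-in CMS cookie is what moves a request from the read to the write pool.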
Example 2: DESY State Information System
[Figure: 50 permanent thin clients at site and N random thick clients at user reach the Infoscreen (http), the IT-Monitor (http) and IT-News (it-news.desy.de http/https, via a standard router). A load balancer provides service proxy pooling in front of the IT-Info pool server systems (computing status, accelerator status; DB, maintenance, timing) and an ASIC interface for accelerator management and IT management]
Outlook and Conclusions
• Rather Simple To Use
• Nice Operating Model
  • Easy High Availability
  • Replaces Host and Cluster Solutions
• Has Become a Standard Feature
  • People trust virtual services
  • Last-minute Application Safety Support
• Getting Better
  • Customer-Invisible Service Switching
  • Enhanced Load Distribution
  • Only One Virtual Hostname Per Service
  • Enhancing Fault Tolerance and Security
  • SSO, Certificates, Login, ...
Thank you for listening
• Questions?
• Answers!