
2017-6-13 7 High Performance Cloud Load Balancer for Application HA

Geek Flare


7 High Performance Cloud Load Balancer for Application HA
By Chandan Kumar | Last Updated: April 6, 2017

If you are targeting a large audience or expecting high traffic to your website/web application globally, then you need to use an LB (load balancer). The load balancer can help you in many ways.

High availability
Scaling the application
No or minimum downtime
Security
Better geographical user experience
SSL offloading

Traditional LB hardware costs around $5,000, so most medium, start-up or low-budget projects don't think of getting one.

https://geekflare.com/cloud-load-balancer/ 1/25

But not anymore: you can use a cloud load balancer for as low as $20 per month, with all the great features you get in a traditional LB.

If you are designing a high-availability application for better performance (https://geekflare.com/optimization-speed-secure-website/) & security, then the following cloud LBs will help you.

Each has some advantages or additional features over the others, so choose what works for you.

List of Cloud Load Balancers


1. AWS ELB
2. Google Cloud Load Balancing
3. NodeBalancers
4. Rackspace Cloud Load Balancers
5. Azure Load Balancer
6. DigitalOcean Load Balancer
7. Incapsula Load Balancer

1. AWS ELB
Amazon Web Services (AWS) Elastic Load Balancer (https://aws.amazon.com/elasticloadbalancing/) (ELB) is, no doubt, one of the best load balancing solutions available in the cloud.

AWS has two types of load balancers.

1. Application load balancer, preferred for application layer (HTTP/HTTPS)
2. Classic load balancer, preferred for transport layer (TCP)

If you are building web-based applications and use the HTTP or HTTPS protocol, then the application load balancer is the best choice.

ELB distributes the incoming requests to the configured backend EC2 instances based on the routing algorithm.

Some of the features of the AWS Application Load Balancer:

It supports HTTP/2, IPv6, WebSockets
You can offload SSL/TLS (https://geekflare.com/free-ssl-tls-certificate/)
AWS WAF integration supported
You can enable sticky session (cookies)
Forward request to the backend based on context URI/path
Add health check

Elastic LB provides the following monitoring metrics by default.

Average latency
Requests Summary
New/active connection count
Processed bytes
And much more

2. Google Cloud Load Balancing


Google provides a global single anycast IP to front-end all your backend servers for a highly available and scalable application environment.

Google provides three types of load balancing (https://cloud.google.com/load-balancing/) solutions.

HTTP(S), layer 7, suitable for web applications
TCP, layer 4, suitable for TCP/SSL protocol based balancing
UDP, layer 4, useful for UDP protocol based balancing

Google Cloud is built on the same infrastructure as Gmail and YouTube, so doubting its performance is out of the question.

Google Cloud LB supports more than 1 million requests per second, and you can auto-scale your applications based on the demand without any manual intervention.

Autoscaling lets you be prepared for a spike in traffic without slowing down the website performance (https://geekflare.com/essential-tools-to-perform-stress-test-online/).

Some of the Google Cloud HTTP(S) LB features worth mentioning:

Affinity
One-click Google CDN (https://geekflare.com/google-cloud-cdn-test/) integration
SSL termination
Health checks
You can create content-based balancing
Global forwarding rules

LB monitoring is integrated with Stackdriver, full-stack monitoring powered by Google. You get almost every metric you need to monitor your LB.

The good thing is you can use Stackdriver (https://cloud.google.com/monitoring/) not just for Google Cloud but also for AWS resources.

If you need WebSockets support, then you have to use TCP load balancing, as the application LB doesn't support it yet.

3. NodeBalancers
Are you hosting your website with Linode (https://www.linode.com/?r=6c14fbd23eb5a9b91bc9d30f36e448dbe3dc1093)?

NodeBalancers (https://www.linode.com/nodebalancers) by Linode provide all the essential features of an LB at only $20 per month. Configuration is quite straightforward, and it comes with basic features such as the following.

It supports IPv4, IPv6 (https://geekflare.com/enable-ipv6-nginx-apache/)
Throttle the connection for suspicious traffic to prevent resource abuse
Can have multi-port balancing
You can terminate the SSL handshake
Session persistence, so your request always goes to the same backend server
Health checks to ensure requests go to a healthy server
You can choose the routing algorithm from round robin, least connection or source IP

NodeBalancers can be used to balance any TCP based traffic including HTTP, MySQL, SSH, etc.

4. Rackspace Cloud Load Balancers


Rackspace is one of the leading cloud hosting solution providers and offers a cloud LB (https://www.rackspace.com/cloud/load-balancing) to manage online traffic by distributing requests to multiple backend servers.

It supports multiple routing algorithms like round-robin, weighted, least connection & random. You can balance almost any type of service protocol, including:

TCP
SMTP/IMAP
HTTP/HTTPS
LDAP/LDAPS
MySQL
FTP/SFTP
UDP

Some of the Rackspace cloud LB features:

SSL acceleration for improved throughput
You can terminate SSL, so there is less CPU load on your web server
Session persistence to forward requests to one server
10Gb/second network throughput
Manage LB through API
Protection from malicious traffic by throttling the connection

Rackspace LB is capable of handling 20,000 concurrent connections, and in case of a spike, it can extend up to 100,000 connections.

You get logs for all traffic in Apache-style access logs for better log management (https://geekflare.com/cloud-based-log-analyzer/).

5. Azure Load Balancer

Load balance internal or internet-facing applications using Microsoft Azure LB (https://azure.microsoft.com/en-us/services/load-balancer/). With the help of Azure LB, you can build highly available and scalable web applications.

It supports TCP/UDP protocols, including HTTP/HTTPS, SMTP, and real-time voice and video messaging applications. If you are already hosting your application on Azure, then you can forward your requests from the LB to the virtual servers.

Some notable features of Azure LB:

Native IPv6 support
You can have NAT rules for better security
Hash-based traffic distribution

There are three types of load balancing solutions provided by Azure.

1. Application Gateway: layer 7, terminates the client connection and forwards the request to the backend servers/services
2. Azure load balancer: layer 4, distributes TCP traffic across Azure instances
3. Traffic manager: DNS level distribution

SSL offloading and path forwarding are supported only in Application Gateway.

6. DigitalOcean Load Balancer


Similar to Linode, you can control DigitalOcean's load balancer (https://www.digitalocean.com/products/load-balancer/) either through a control panel or the API. If you are hosting your web application with DO (https://m.do.co/c/c278bf0364c1) and looking for an HA solution, then this would probably be the best one at a lower cost.

It supports HTTP, HTTPS & TCP protocols with round robin and least connection routing algorithms. DO lets you terminate SSL and configure sticky sessions, health checks, forwarding rules, etc. for $20 per month.

7. Incapsula Load Balancer


Incapsula (https://www.incapsula.com/load-balancer.html) provides load balancer as a service for three main availability scenarios.

Local load balancer: the request is forwarded to the most suited servers based on the routing algorithm within the same data center.

Global server load balancer (GSLB): perfect for a large organization or hybrid cloud infrastructure where you can forward the requests to multiple data centers for high availability and better performance.

GSLB supports geo-targeting, which means you can forward the traffic based on visitor geolocation to the regional page or nearest data center.

Auto site failover: automates and accelerates disaster recovery based on the health checks without manual intervention. Traffic is instantly rerouted to another data center.

Incapsula provides a real-time dashboard, active/passive health checks & the option to create redirect/rewrite rules.

The load balancer is essential for high availability, and I hope the above gives you an idea about some of the high-performing cloud load balancers.

About Chandan Kumar (http://chandan.io/)
I cover Web Security, Optimization, Middleware, Web Tools & trending interesting topics. Let's connect on Twitter (https://twitter.com/ConnectCK)
Passionate about learning new things. Biryani Lover.

How to Secure and Harden Cloud/VPS VM (Ubuntu/CentOS)?
By Chandan Kumar | Last Updated: March 14, 2017

Securing the OS is as important as securing your website, web applications and online business. You may be spending on a security plugin, WAF (https://geekflare.com/cloud-waf-to-stop-website-attacks/) or cloud-based security to protect your site (Layer 7), but leaving the OS unhardened can be dangerous.

The trend is changing (https://trends.builtwith.com/hosting).

The Web is moving to Cloud & VPS from shared hosting (https://www.siteground.com/index.htm?afcode=4f8d16df8f11e30b0e41557ee8ab1afc) for multiple advantages.

Faster response time as resources are not shared by any other user
Full control on tech stack
Full control of operating system
Low cost

With great power comes great responsibility

You get more control when hosting your website on a cloud VM, but that requires a little bit of system admin skill to manage your VM.

Are you ready for it?

Note: if you are not willing to invest your time in it, then you can choose Cloudways (https://www.cloudways.com/en/?id=61196), who manage AWS, Google Cloud, Digital Ocean, Linode (https://www.linode.com/?r=6c14fbd23eb5a9b91bc9d30f36e448dbe3dc1093), Vultr & Kyup VMs.

Let's get into a practical guide to secure Ubuntu and CentOS VMs.

Cloud Server Security Tips


1. Changing SSH Default Port
2. Protecting from Brute Force Attacks
3. Disable Password-based Authentication
4. Protecting from DDoS Attacks
5. Regular Backup
6. Regular Update
7. Don't leave opened ports

1. Changing SSH Default Port


By default, the SSH daemon listens on port number 22. This means that anyone who finds your IP (https://geekflare.com/find-real-ip-address-of-website-powered-by-cloudflare/) can attempt to connect to your server.

They may not be able to get into the server if you have secured it with a complex password. However, they can launch brute force attacks to disturb the server operation.

The best thing is to change the SSH port to something else, so even if someone knows the IP, they can't attempt to connect using the default SSH port.

Changing the SSH port in Ubuntu/CentOS is very easy.

Login to your VM with root privilege
Take a backup of sshd_config (/etc/ssh/sshd_config)
Open the file using the VI editor

vi /etc/ssh/sshd_config

Look for the line which has Port 22 (usually at the beginning of the file)

# What ports, IPs and protocols we listen for
Port 22

Change 22 to some other number (make sure to remember it, as you will need it to connect). Let's say 5000

Port 5000

Save the file and restart the SSH daemon

service sshd restart

Now, you or anyone else won't be able to connect to your server using the default SSH port. Instead, you can use the new port to connect.

If using an SSH client or Terminal on Mac, then you can use -p to define the custom port.

ssh -p 5000 username@128.199.100.xxx

Easy, isn't it?

2. Protecting from Brute Force Attacks
One of the common mechanisms used by a hacker to take control of your online business is initiating brute force attacks against the server and web platforms like WordPress (https://geekflare.com/wordpress-brute-force-protection/), Joomla (https://geekflare.com/joomla-brute-force-protection/), etc.

This can be dangerous if not taken seriously. There are two popular programs you can use to protect Linux from brute force.

SSH Guard
SSHGuard (https://www.sshguard.net/) monitors the running services from the system log files and blocks repeated bad login attempts.

Initially, it was meant for SSH login protection, but now it supports many others.

Pure FTP, PRO FTP, VS FTP, FreeBSD FTP
Exim
Sendmail
Dovecot
Cucipop
UWimap

You can get SSHGuard installed with the following commands.

Ubuntu:

apt-get install sshguard

CentOS:

wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/h
rpm -ivh sshguard-1.5-7.1.x86_64.rpm

Fail2Ban
Fail2Ban is another popular program to protect SSH. Fail2Ban automatically updates the iptables rules if failed login attempts reach the defined threshold.

To install Fail2Ban in Ubuntu:

apt-get install fail2ban

and to install in CentOS:

yum install epel-release
yum install fail2ban

SSH Guard and Fail2Ban should be sufficient to protect SSH login. However, if you need to explore more, then you may refer to the following.

CSF (https://configserver.com/cp/csf.html) (ConfigServer Security & Firewall)
DenyHosts (https://en.wikipedia.org/wiki/DenyHosts)
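
The failed-login threshold that Fail2Ban is described as applying above, shown on constructed log lines. This is an added example, not code from the article or from Fail2Ban; the function name, the sample log and the thresholds are assumptions, and unlike Fail2Ban it counts over the whole file rather than a time window.

```shell
#!/bin/sh
# Added example, not Fail2Ban's code: count failed SSH password logins per
# source IP in an auth log and list the sources at or above a threshold.

# failed_ssh_sources LOGFILE THRESHOLD  ->  lines of "IP COUNT", sorted
failed_ssh_sources() {
    awk -v max="$2" '
        # sshd lines end "... from IP port N ssh2". Read the IP relative to the
        # end of the line, because the user name before it is client-supplied.
        /sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" { hits[$(NF-3)]++ }
        END { for (ip in hits) if (hits[ip] >= max) print ip, hits[ip] }
    ' "$1" | sort
}

# Constructed sample log (documentation IP ranges, made-up host and PIDs).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Jun 13 10:00:01 vm1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun 13 10:00:03 vm1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun 13 10:00:05 vm1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jun 13 10:01:00 vm1 sshd[2110]: Accepted password for deploy from 198.51.100.23 port 51000 ssh2
Jun 13 10:02:10 vm1 sshd[2115]: Failed password for deploy from 198.51.100.23 port 51010 ssh2
Jun 13 10:03:00 vm1 sshd[2120]: Failed password for invalid user test from 192.0.2.44 port 33012 ssh2
Jun 13 10:03:02 vm1 sshd[2120]: Failed password for invalid user test from 192.0.2.44 port 33012 ssh2
EOF

# With a threshold of 3, only the source with three failures is listed.
failed_ssh_sources "$sample_log" 3
```

A single mistyped password (198.51.100.23 in the sample) stays below the threshold, which is why a threshold is used instead of blocking on the first failure.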

3. Disable Password-based Authentication
If you log in to your server from one or two computers, then you can use SSH key (https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2) based authentication.

However, if you have multiple users and often log in from multiple public computers, then it might be troublesome to exchange keys every time.

So based on the situation, if you opt to disable password-based authentication, you can do it as follows.

Note: this assumes you have already set up SSH key exchange.

Modify /etc/ssh/sshd_config using the vi editor
Add the following line or uncomment it if it exists

PasswordAuthentication no

Reload the SSH Daemon
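
Both sshd_config edits in this guide (Port in section 1 and PasswordAuthentication here) as one repeatable script. This is an added example, not the article's code: the function names and the sample file are assumptions, and it works on a constructed copy rather than /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: set global sshd_config directives repeatably. Function names
# and the sample file are illustrative, not from the article or OpenSSH.

# set_sshd_option FILE KEY VALUE
# Keeps a one-time backup, drops active global "KEY ..." lines and writes one
# "KEY VALUE" before the first Match block: sshd uses the first value it reads,
# and anything after a Match line applies only to that block.
set_sshd_option() {
    _file=$1
    [ -e "$_file.bak" ] || cp -p "$_file" "$_file.bak" || return 1
    _tmp=$(mktemp) || return 1
    awk -v key="$2" -v value="$3" '
        !in_match && tolower($1) == "match" { print key " " value; in_match = 1 }
        !in_match && tolower($1) == tolower(key) { next }
        { print }
        END { if (!in_match) print key " " value }
    ' "$_file" > "$_tmp" && cat "$_tmp" > "$_file"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# global_value FILE KEY: print the first active value before any Match block
# (the one that applies to every connection); prints nothing if unset.
global_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# match_overrides FILE KEY: print KEY lines inside Match blocks, which still
# apply to the matched users or hosts after the global value is changed.
match_overrides() {
    awk -v key="$2" '
        tolower($1) == "match" { in_match = 1; next }
        in_match && tolower($1) == tolower(key) { print $1, $2 }
    ' "$1"
}

# Constructed sample config; the real file is /etc/ssh/sshd_config.
cfg_dir=$(mktemp -d)
cat > "$cfg_dir/sshd_config" <<'EOF'
# What ports, IPs and protocols we listen for
Port 22
#PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

set_sshd_option "$cfg_dir/sshd_config" Port 5000
set_sshd_option "$cfg_dir/sshd_config" PasswordAuthentication no
echo "Global port: $(global_value "$cfg_dir/sshd_config" Port)"
echo "Left in a Match block: $(match_overrides "$cfg_dir/sshd_config" PasswordAuthentication)"
```

On the real file, run sshd -t after the edit and keep the current session open until a new login on the new port, with a key, succeeds.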


4. Protecting from DDoS Attacks


DDoS (https://geekflare.com/ddos-protection-service/) (Distributed Denial of Service) can happen at any layer, and this is the last thing you want as a business owner.

Finding the origin IP (https://geekflare.com/test-origin-ip-exposed/) is possible, and as a best practice, you shouldn't be exposing your server IP (https://geekflare.com/test-origin-ip-exposed/) to the public Internet. There are multiple ways to hide the origin IP to prevent DDoS on your cloud/VPS server.

Use a load balancer (LB): implement an Internet-facing load balancer, so the server IP is not exposed to the Internet. There are many load balancers you can choose from: Google Cloud LB, AWS ELB, Linode NodeBalancer, DO LB, etc.

Use a CDN (Content Delivery Network): a CDN (https://geekflare.com/free-cdn-list/) is one of the great ways to improve website performance and security.

When you implement a CDN, you configure the DNS A record with the anycast IP address provided by the CDN provider. By doing this, you are advertising the CDN provider's IP for your domain, and the origin is not exposed.

There are many CDN providers offering website performance acceleration, DDoS protection, WAF & many other features.

Cloudflare
MaxCDN (http://tracking.maxcdn.com/c/245992/3982/378)
Incapsula
SUCURI (http://sucuri.7eer.net/c/245992/212721/3713)
KeyCDN

So pick a CDN provider who provides both performance & security.

Tweak the kernel settings & iptables: you can leverage iptables to block suspicious requests, non-SYN packets, bogus TCP flags, private subnets and more.

Along with iptables, you may also configure the kernel settings. Javapipe (https://javapipe.com/iptables-ddos-protection) has explained it well with instructions, so I won't duplicate it here.

Use a firewall: if you can afford a hardware-based firewall, then excellent; otherwise, you may want to use a software-based firewall which leverages iptables to protect incoming network connections to the VM.

There are many, but among the most popular are UFW (Uncomplicated Firewall) for Ubuntu (https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-14-04) and FirewallD for CentOS (https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7).

5. Regular Backup
Backup is your friend! When nothing works, then the backup will rescue you.

Things can go wrong, but what if you don't have the necessary backup to restore? Most cloud or VPS providers offer backup at a little extra charge, and one should always consider it.

Check with your VPS provider how to enable the backup service. I know Linode and DO charge 20% of droplet pricing for the backup.

If you are on Google Compute Engine or AWS, then schedule a daily snapshot.

Having a backup will quickly allow you to restore the entire VM, so you are back in business. Or with the help of a snapshot, you can clone the VM (https://geekflare.com/clone-google-cloud-vm/).

6. Regular Update
Keeping your VM OS up-to-date is one of the essential tasks to ensure your server is not exposed to any latest security vulnerabilities.

In Ubuntu, you can use apt-get update followed by apt-get upgrade to ensure the latest packages are installed.

In CentOS, you can use yum update

7. Don't leave opened ports

In other words, allow the needed ports only.

Keeping unwanted ports open is like inviting an attacker (https://geekflare.com/port-scanner-server/) to take advantage. If you are just hosting your website on your VM, then most likely you need either port 80 (HTTP) or 443 (HTTPS (https://geekflare.com/free-ssl-tls-certificate/)).

If you are on AWS, then you can create a security group to allow only the required ports and associate it with the VM.

If you are on Google Cloud, then allow the necessary ports using firewall rules.

And if you are using a VPS, then apply a basic iptables ruleset as explained in the Linode guide (https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables#basic-iptables-rulesets-for-ipv4-and-ipv6).

The above should help you in hardening and securing your server for better protection from online threats.

Alternatively, if you are not ready to manage your VM, then you may prefer Cloudways (https://www.cloudways.com/en/?id=61196), who manage multiple cloud platforms.

And if you are specifically looking for premium WordPress hosting, then WP Engine (https://www.shareasale.com/r.cfm?B=398787&U=1264148&M=41388&urllink=).
