Private load balancing?


Taylor Barstow

Apr 11, 2014, 10:36:52 AM
to gce-dis...@googlegroups.com
Hello

I am wondering if there is any way to perform load balancing entirely on the private network -- i.e. I want to route traffic to a target pool using a private IP address or DNS alias. Essentially we have an API which serves both internal and external clients (on and off of our private network).

The web servers handling the API load are inside of a target pool, and they receive public traffic from a forwarding rule.  I need private traffic to be load balanced similarly, but I want that traffic to stay on our network, and not traverse any public interfaces.  

Does anyone know of a way to do this using GCE's existing tools? Or some sneaky way to accomplish this with a pure networking solution (i.e. no additional nodes required), that will work on GCE?

Thank you!
Taylor

Gary Ling

Apr 11, 2014, 1:45:52 PM
to gce-dis...@googlegroups.com
Hi Taylor,

There has been increasing demand for Internal Load Balancing support. Unfortunately as of now, there is no built-in support for it. 

The following workarounds (far from ideal in satisfying the use case) are worth considering:
  1. Use the built-in load balancing for GCE and apply restrictive firewall rules on each and every VM in the target pool to ensure proper client access.
  2. Deploy some software load balancer (e.g. HAProxy) on two VMs and, whenever they fail, float an internal IP between the two using GCE route API. But you also need to write some health checking tool to decide when to reassign the IP address.
I realize that you don't want additional VMs, so workaround #2 is ruled out. What about #1? Would you mind sharing your thoughts? Is it security, performance, cost...?

GCE team is evaluating the use case but so far there has been no decision made yet.

Thank you. -Gary
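
The health-checking tool that workaround #2 in the reply above calls for, as an added example that is not part of the original thread and not Google's or HAProxy's code: it decides when the floating internal IP should move between the two load-balancer VMs and leaves the actual route update to the caller. The node names `lb-a` and `lb-b`, the `fall`/`rise` thresholds and the probe rounds are constructed for illustration.

```python
import socket
from collections import deque

def tcp_alive(host, port, timeout=1.0):
    """One probe: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

class FailoverDecider:
    """Decides which load-balancer VM should hold the floating internal IP."""

    def __init__(self, nodes, owner, fall=3, rise=2):
        self.nodes, self.owner = list(nodes), owner
        self.fall, self.rise = fall, rise  # assumed thresholds, tune per service
        self.history = {n: deque(maxlen=max(fall, rise)) for n in self.nodes}

    def _last(self, node, count):
        recent = list(self.history[node])[-count:]
        return recent if len(recent) == count else None

    def observe(self, results):
        """Record one probe round {node: bool}; return the new owner or None."""
        for node, ok in results.items():
            self.history[node].append(ok)
        owner_recent = self._last(self.owner, self.fall)
        if owner_recent is None or any(owner_recent):
            return None  # owner not proven down: a single blip never moves the IP
        for node in self.nodes:
            standby_recent = self._last(node, self.rise)
            if node != self.owner and standby_recent and all(standby_recent):
                self.owner = node
                return node  # caller now repoints the route at this node
        return None  # no standby proven healthy: moving the IP would not help

# Constructed probe rounds: one blip on lb-a, then a real outage, then recovery.
SAMPLE_ROUNDS = [(True, True), (False, True), (True, True), (False, True),
                 (False, True), (False, True), (True, True)]

def simulate(rounds=SAMPLE_ROUNDS):
    """Replay probe rounds and return the owner after each one."""
    decider = FailoverDecider(["lb-a", "lb-b"], owner="lb-a")
    owners = []
    for a_ok, b_ok in rounds:
        decider.observe({"lb-a": a_ok, "lb-b": b_ok})
        owners.append(decider.owner)
    return owners

if __name__ == "__main__":
    print(simulate())
```

In live use each round would be built from `tcp_alive(ip, port)` against the two VMs' own internal addresses; the decider does not fail back automatically, so a recovered node does not cause the IP to flap.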

Taylor Barstow

Apr 11, 2014, 3:39:09 PM
to Gary Ling, gce-dis...@googlegroups.com
Hi Gary,

Thank you for the quick reply! I had considered workarounds like those, #1 is obviously the simplest. I am primarily worried about cost with that solution, as there is significant internal traffic to these APIs. Security is a concern as well, but we could certainly engineer around that issue.

I wanted to ask a question about your solution #2, however.  If I were open to adding nodes for HAProxy, I think I could deploy those in a target pool and use a google load balancer to avoid additional tooling on my end. You agree?  I've never tried an active/active HAProxy setup, but seems like it would work as long as the HAProxy configs are stateless.  Curious if you might have any insights or know of other customers with that kind of setup?

My final workaround idea (let's call it #3) is to run HAProxy on the internal client boxes themselves.  So basically the API requests go to a local port, which forwards to an (available) API server.

We might go with #1 at first for simplicity but with a plan to move to #2 or #3 later.  Wondering if you have any insights about those ideas and if you think these options are reasonable?

Thanks so much!!
Taylor


--
Taylor Barstow, Co-Founder / Developer
Bedrock Data, Inc

Taylor Barstow

Apr 11, 2014, 3:44:16 PM
to Gary Ling, gce-dis...@googlegroups.com
List, sorry for the multiple emails.

Gary, before you respond to that, obviously putting two HAProxy nodes behind load balancer works for the public traffic but I am still stuck with my internal traffic problem (i.e. the additional tooling you mentioned would still be necessary).  Duh!

So I am seriously considering #3 unless it sounds totally insane to you (or anyone else).

Thanks!
Taylor

Gary Ling

Apr 11, 2014, 7:57:47 PM
to gce-dis...@googlegroups.com, Gary Ling
Hi Taylor,

Option #3 should work! Hope I am not saying the obvious, but 1) make sure the VM is powerful enough to handle the client program and HAProxy at the same time for the "significant internal traffic" as you said, and 2) use some health checking utility to bring up the VM and/or HAProxy just in case of failure.

Good luck! -Gary

PS. As for cost, here is a plug for the Google Cloud's price calculator which I find handy. And not many realize that in the pricing of load balancing, the bandwidth charge is on the inbound only. Cheers.

Bo Shi

May 16, 2014, 9:30:04 AM
to gce-dis...@googlegroups.com, Gary Ling
Hi Gary

> GCE team is evaluating the use case but so far there has been no decision made yet.

Any word on whether a decision has been made?  Should folks be building permanent work-arounds or temporary workarounds?

Gary Ling

May 16, 2014, 1:37:52 PM
to gce-dis...@googlegroups.com
I won't be able to confirm or deny whether a decision is reached regarding this feature request in the public forum here. Thank you for your patience and understanding. Cheers.

Rimas Mocevicius

May 16, 2014, 5:01:37 PM
to gce-dis...@googlegroups.com
Private load balancer would be really a nice option to have.

Eugene Olshenbaum

May 16, 2014, 8:12:55 PM
to Rimas Mocevicius, gce-dis...@googlegroups.com

Indeed


Rimas Mocevicius

Jul 2, 2014, 5:14:38 PM
to gce-dis...@googlegroups.com, rmo...@gmail.com
Hi Gary,

Do you have any updates on the matter?

Thanks

Rimas


Gary Ling

Jul 2, 2014, 5:30:09 PM
to gce-dis...@googlegroups.com, rmo...@gmail.com
Sorry Rimas. But there is no new update that I can share at this point.

Thank you for your patience. Cheers.

Rimas Mocevicius

Oct 8, 2014, 1:19:05 PM
to gce-dis...@googlegroups.com, rmo...@gmail.com
Hi Gary,

Any updates on this matter?
As we have moved our whole web hosted services to Google Cloud, the private load balancer has really become a must-have, as we had it on AWS.

Thanks

Rimas

Gary Ling

Oct 9, 2014, 4:35:30 PM
to gce-dis...@googlegroups.com, rmo...@gmail.com
Hi Rimas,

Thank you for the email. But I am sorry to tell you that I have no new information to share on this forum at this time. Thank you for understanding.

In the meantime, please continue to use the Network load balancing with proper firewall rules. We have recently adjusted the pricing of network on GCE such that the intra-region traffic between VMs via external public IP is at $1c/GB. For more details, please refer to the documentation on network pricing.

Thanks again.

Gary Ling
Product Manager
Google Cloud Platform

Tate Blahnik

May 7, 2015, 6:07:17 PM
to gce-dis...@googlegroups.com, rmo...@gmail.com
Has any new work been done on this? This is a very common requirement and I'm aghast that GCE is lacking such a fundamental requirement. I'm hoping I just haven't found the proper docs/thread with updated information.

Thanks,
-Tate

Anthony Voellm

May 7, 2015, 6:34:50 PM
to Tate Blahnik, gce-dis...@googlegroups.com, rmo...@gmail.com
Not sure I understand the question. Something like NGINX should work fine for creating your own LB but it won't scale as well or as fast as the GCE LB. Is this what you mean by private LB?


Tate Blahnik

May 7, 2015, 7:35:31 PM
to Anthony Voellm, gce-dis...@googlegroups.com, rmo...@gmail.com
No, the need is for internal IP load balancers. Similar to what AWS, Rackspace, everyone else does. NGINX is outside the scope of what would be needed. The servers behind the internal load balancer are often non-app servers.

There are many cases where you don't want traffic to use your external IPs and in fact there is no need to even expose it since the traffic should remain internal at all times; e.g. from Servers A,B,C to Servers D,E,F behind an internal load balancer.

AWS's docs:

Alex Blardone

May 8, 2015, 12:27:49 AM
to gce-dis...@googlegroups.com, rmo...@gmail.com, voe...@google.com
I second Tate's comment. There are many use cases for the need of internal load balancers. Multi-tiered applications and distributed systems are good examples. In our case, Clustrix is a distributed relational database that requires a load balancer to distribute client traffic across the cluster. The database clients (app servers) reside on the local network, thus an external load balancer is problematic due to security, performance (latency), and bandwidth cost reasons.

Setting up HAProxy is an option, but it is cost prohibitive to add 2 more VMs for an LB, and it is more complex to set up for redundancy and scalability.

It would be good to know whether an ILB is on the road map for GCE.

Thank you 

Alex 

Morgan Dollard

May 8, 2015, 1:17:41 PM
to gce-dis...@googlegroups.com, rmo...@gmail.com, voe...@google.com
Hi all,

Load balancing across internal IP addresses is indeed on our roadmap. Unfortunately, we don't have an ETA right now, but we will update this thread when we have more information to share.
Thanks,
Morgan Dollard
Product Manager
Google Cloud Networking

Tate Blahnik

May 8, 2015, 3:17:33 PM
to Morgan Dollard, gce-dis...@googlegroups.com, rmo...@gmail.com, Anthony Voellm
Morgan,
Do you have a high level idea of when? This year, next year....2017...

It's a major feature that many people need if they want to switch from AWS, so knowing we have x months/years helps plan for the future.

Thanks,
-Tate


GizerHappy Man

May 10, 2015, 10:27:40 PM
to gce-dis...@googlegroups.com
Sticking with option 1 for now but hope to see this feature soon as well

Regards
Andy

Tate Blahnik

May 22, 2015, 2:53:15 PM
to gce-dis...@googlegroups.com, voe...@google.com, rmo...@gmail.com
Morgan,

Unfortunately we will be sticking with AWS then. This seems like a basic requirement for almost any modern infrastructure. 

Hopefully there will be more updates to this thread in another year or two.

Thanks,
Tate

André Cruz

Jun 29, 2015, 12:42:39 PM
to gce-dis...@googlegroups.com, rmo...@gmail.com, voe...@google.com
Hello Morgan.

We are in the process of choosing a cloud provider and internal load balancers are a must have feature for us. Can you share with us a rough ETA for it?

I would be interested to know if it is this year or not.

Thank you and best regards,
André

Tate Blahnik

Oct 30, 2015, 12:59:31 PM
to gce-discussion
Has any progress been made towards adding internal only network load balancing?

Thanks

Zach Bjornson

Dec 3, 2015, 4:26:56 PM
to gce-discussion