Basically we proposed an NHLD deployment to load balance the client's 2 ISP links for outbound traffic.
On the other hand, they also have internal web servers that are publicly accessed. Now the client wants to use their 2 ISP links as redundancy for their web servers and other domains.
In the diagram, I assume that is a single site? GSLB is to load balance servers in different locations. In GSLB proxy mode, the ADC will re-write the outbound DNS responses (A or AAAA) with the IP for the web server at the determined active location. I do not think this is applicable to what you are doing. If you need to use GSLB, it's still not applicable to NHLD. They are completely separate functions.
For NHLD, you are load-balancing outbound traffic towards the ISPs. I do not believe this will require any special configuration for the externally reachable nameservers sitting behind the ADCs. The nameservers are sitting behind an slb virtual-server (VIP), correct? When a DNS request comes in (regardless of which ISP it was received on), the ADC will forward the request to one of the nameservers, which will respond back through the ADC, which will route the packet back towards the ISP from which it was received. DNS sessions are typically short lived and I don't believe they would require any persistence either, but others may have a differing opinion and can respond. You could use persistence if you like without consequence.
If the servers are sitting on the edge with public IPs, move them behind the ADC and put the public IPs on the ADC (slb VIP).
You are correct in thought but incorrect on configuration. You are concerning yourself with NHLD. That is outbound traffic. This is inbound.
It would be something like:
Real server:
slb server WEB01 192.168.10.101
  port 80 tcp
!
slb server WEB02 192.168.10.102
  port 80 tcp
!
slb server DNS01 192.168.10.103
  port 53 tcp
  port 53 udp
!
slb server DNS02 192.168.10.104
  port 53 tcp
  port 53 udp
!
slb server ISP01 1.1.1.1
  port 0 tcp
!
slb server ISP02 2.2.2.2
  port 0 tcp
!
Service group:
slb service-group WEB_SVR
  member WEB01 80
  member WEB02 80
!
slb service-group DNS_TCP
  member DNS01 53
  member DNS02 53
!
slb service-group DNS_UDP
  member DNS01 53
  member DNS02 53
!
slb service-group ISP_1_&_2
  member ISP01 0
  member ISP02 0
!
Virtual Server:
slb virtual-server SERVICES_VIP 10.10.10.100
  port 80
    service-group WEB_SVR
  port 53 dns-tcp
    service-group DNS_TCP
  port 53 dns-udp
    service-group DNS_UDP
!
slb virtual-server ISP 0.0.0.0
  port 0 tcp
    service-group ISP_1_&_2
  port 0 udp
    service-group ISP_1_&_2
  port 0 others
    service-group ISP_1_&_2
!
I'm typing this off the top of my head. Please consult the documentation for explanations and examples. Also, check out the deployment guides on the A10 website for: DDoS Protection for Web and DNS Servers
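A small consistency check, added here as an example and not part of the thread or of A10's own tooling, that parses slb server / service-group / virtual-server stanzas in the style above and flags the slips that are easy to make when typing a config from memory: a member listed twice, a member pointing at a server port that was never configured, or a VIP bound to a service-group name that does not exist. The sample config is constructed in the post's naming and deliberately contains two such slips.

```python
from collections import defaultdict

# Constructed sample in the post's naming, with two typing slips left in on purpose:
# WEB_SVR lists WEB01 twice, and the VIP references WEB_SRVR, which is never defined.
SAMPLE_CONFIG = """\
slb server WEB01 192.168.10.101
  port 80 tcp
slb server WEB02 192.168.10.102
  port 80 tcp
slb service-group WEB_SVR
  member WEB01 80
  member WEB01 80
!
slb virtual-server SERVICES_VIP 10.10.10.100
  port 80
    service-group WEB_SRVR
!
"""

def parse_slb(text):
    """servers: name -> {ports}; groups: name -> [(server, port)]; vips: name -> [group names]."""
    servers, groups, vips = {}, defaultdict(list), defaultdict(list)
    kind, name = "", ""  # the slb block currently being read
    for tok in (line.split() for line in text.splitlines()):
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "slb" and len(tok) >= 3:
            kind, name = tok[1], tok[2]
            if kind == "server":
                servers[name] = set()
        elif kind == "server" and tok[0] == "port":
            servers[name].add(int(tok[1]))
        elif kind == "service-group" and tok[0] == "member":
            groups[name].append((tok[1], int(tok[2])))
        elif kind == "virtual-server" and tok[0] == "service-group":
            vips[name].append(tok[1])
    return servers, groups, vips

def lint_slb(text):
    """Return the dangling references and duplicate members a reviewer would flag."""
    servers, groups, vips = parse_slb(text)
    issues = []
    for g, members in groups.items():
        for srv, port in members:
            if port not in servers.get(srv, ()):
                issues.append(f"{g}: {srv}:{port} is not a defined server port")
        if len(members) != len(set(members)):
            issues.append(f"{g}: duplicate member entries")
    for v, refs in vips.items():
        issues += [f"{v}: references undefined service-group {r}" for r in refs if r not in groups]
    return issues
```

Running lint_slb(SAMPLE_CONFIG) reports the duplicate WEB01 member and the undefined WEB_SRVR reference; once the second member is changed to WEB02 and the VIP points at WEB_SVR, it returns an empty list.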
No, that is untested and provided for guidance only, but it would be extremely easy for you to set up and test... and you can load-balance the DNS regardless of the location of the real servers (if you need to). The ADC will forward the query to the configured real servers.
The client has two ISP providers; they want redundant access for inbound traffic. Their DNS server is not hosted internally; it is hosted in the cloud.
Ok, that's fine, remove it from what I sent. I only added it as I thought the initial email included DNS, but it only said web. I was thinking DNS because of GSLB.
Comments
Is GSLB applicable for this kind of setup?
Can you please share some sample config for it with us?
Thanks.
I've attached a sample NHLD.
Example.
Real server:
WEB 192.168.10.100 - Internal Server
Service group:
SRV_GRP tcp
member WEB:80
Virtual Server:
VIP1 10.10.10.100 - ISP 1 - link 1
service-group SRV_GRP
VIP2 20.20.20.100 - ISP 2 - link 2
service-group SRV_GRP