The load-balancer is in the middle of all transactions between the user and the server.
It maintains two separated TCP connections:
- With the user: the load-balancer acts as a server. It takes requests and forward responses
- With the server: the load-balancer acts as a user: it forward requests and get responses
It is really close to the proxy mode, but has one main difference: the load-balancer opens the connection to the server using the client IP address as source IP.
Of course, the backend server default gateway must be the load-balancer.
TCP connection overview
The diagram shows clearly the two TCP connections maintained by the load-balancer.
Since the load-balancer opens the TCP connection to the server with the user IP address, the server must use the load-balancer as its default gateway.
Otherwise, the server would forward response directly to the client and the client would drop it…
Pros and cons
- servers see the client IP address at network layer
- secure: server aren’t reached directly
- allows protocol inspection and validation
- intrusive: must change the default gateway of the server.
- “slower” than layer 4 load-balancing (we speak about micro-seconds)
- clients and servers must be in two different subnets.
When use this mode?
- when the load-balanced service needs client IP at network layer (IE: anti-spam services)
- when you need application layer intelligence (content switching, etc…)
- in order to protect an application