HAProxy Enterprise Documentation 10.5

UDP Load Balancing

Use LVS in NAT mode to load balance UDP services at layer 4. In this scenario, responses from servers flow through HAProxy ALOHA (i.e. not Direct Server Return).

With Network Address Translation (NAT), HAProxy ALOHA changes the destination IP address and the client's source IP address in the packets before relaying them to the backend server. The destination IP is converted from the public IP on which HAProxy ALOHA listens to the backend server's private IP. The client's source IP is converted to be the HAProxy ALOHA appliance's IP. This leads to the least amount of configuration on the backend servers, which receive traffic on their private addresses, and simply return traffic to the source IP, which is that of the HAProxy ALOHA appliance. HAProxy ALOHA reverses these addresses on the return trip to the client.

This method is supported by both Linux and Windows backend servers. Backend servers can keep the network's external gateway as their default gateway. The disadvantage is that it reduces the number of connections that HAProxy ALOHA can support, because every translated connection consumes a source port on the appliance.

Optionally, you can enable NAT for the destination IP only and then set HAProxy ALOHA to be the default gateway on the backend server. That accomplishes the same thing and would use fewer ports on HAProxy ALOHA, at the cost of a slightly more complex setup on the backend server (i.e. needing to change the default gateway).

Traffic flow

  1. The client connects to your application at the configured public IP address. HAProxy ALOHA listens at that address and receives the packets.

  2. The packet's destination IP address is translated from HAProxy ALOHA's public IP to the private IP of one of the backend servers.

  3. Simultaneously, the packet's source IP address is translated from the client's IP to HAProxy ALOHA's IP address.

  4. The backend server accepts the request to its IP.

  5. The backend server sends its response to HAProxy ALOHA because its address is set as the source IP in the packet.

  6. HAProxy ALOHA reverses the NAT translations before relaying the response to the client.

Important

This introduces:

  • a limit on the number of simultaneous connections to a backend server. Only 65534 source ports are available for HAProxy ALOHA addresses.

  • a heavy load on HAProxy ALOHA (connection tracking must be enabled).

This emulates what a TCP proxy does.

Prefer the LB Layer7 TCP mode for pure TCP services. Use this method only for UDP services or for services that use a range of TCP ports, such as FTP.
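As an added illustration (not HAProxy ALOHA code), the following Python model walks one UDP request and its reply through steps 1 to 6 above, reuses the same translation for every packet of a session as connection tracking requires, and fails once the SNAT address has no source ports left. The VIP 10.0.0.3, the backend 10.0.0.20 and port 8000 are this page's examples; the client address, the small port range used in testing and the round-robin choice of backend are assumptions.

```python
# Added example, not HAProxy ALOHA code: a toy model of the six-step NAT flow above.
from dataclasses import dataclass
from itertools import cycle

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

class NatDirector:
    """LVS 'mode nat' plus the source NAT rule, with a conntrack table for replies."""

    def __init__(self, vip, snat_ip, backends, port_range=range(1024, 65535)):
        self.vip, self.snat_ip = vip, snat_ip
        self.pick = cycle(backends)          # constructed stand-in for the 'balance' algorithm
        self.free_ports = list(port_range)   # source ports the SNAT address can still hand out
        self.forward = {}   # client 4-tuple -> (backend, SNAT port): one entry per session
        self.reverse = {}   # (backend, bport, snat_ip, SNAT port) -> client 4-tuple

    def inbound(self, pkt):
        """Steps 1-3: a client -> VIP packet is rewritten to ALOHA -> backend."""
        if pkt.dst != self.vip:
            return None                      # not addressed to the VIP: left alone
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.forward:          # new session: choose a backend and a SNAT port
            if not self.free_ports:
                raise RuntimeError("SNAT source ports exhausted")
            backend, sport = next(self.pick), self.free_ports.pop(0)
            self.forward[key] = (backend, sport)
            self.reverse[(backend, pkt.dport, self.snat_ip, sport)] = key
        backend, sport = self.forward[key]   # conntrack: every packet of the session alike
        return Packet(self.snat_ip, sport, backend, pkt.dport, pkt.payload)

    def outbound(self, reply):
        """Steps 5-6: a backend reply to ALOHA is un-NATed back to the client."""
        entry = self.reverse.get((reply.src, reply.sport, reply.dst, reply.dport))
        if entry is None:
            return None                      # no conntrack entry: cannot translate, dropped
        client, cport, vip, vport = entry
        return Packet(vip, vport, client, cport, reply.payload)

def demo():
    """One UDP request and its reply through the director; returns both translated packets."""
    d = NatDirector("10.0.0.3", "10.0.0.3", ["10.0.0.20"])
    req = Packet("203.0.113.5", 40000, "10.0.0.3", 8000, b"ping")   # constructed client
    fwd = d.inbound(req)
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport, b"pong")
    return fwd, d.outbound(reply)
```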

Enable Destination NAT

We will configure LVS so that it translates the destination IP from the public IP on which HAProxy ALOHA listens to the backend server's private IP.

  1. In the web UI's LB Layer 4 tab, add the mode nat directive to your existing configuration, and apply your changes.

    director web 10.0.0.3:8000 UDP
      balance leastconn
      mode nat
      server web1 10.0.0.20:8000 weight 10 check

Enable Source NAT

We will create iptables NAT rules to translate the client's source IP to the HAProxy ALOHA appliance's IP.

  1. In the NAT tab, click + to add a new NAT rule.

  2. Select the following values in the New Rule area, depending on how many network interfaces are attached to HAProxy ALOHA.

    • One network interface

      --------+-------- 10.0.0.0/24, VIPs, backend servers
              |
              | eth0
         +---------+
         |         |
         |  ALOHA  |
         |         |
         +---------+

      Field       Description
      IN          Inbound network interface
      OUT         Outbound network interface, the same as the inbound interface
      Protocol    UDP

    • Two network interfaces

      --------+-------- 10.0.0.0/24, VIPs
              |
              | eth0
         +---------+
         |         |
         |  ALOHA  |
         |         |
         +---------+
              | eth1
              |
      --------+-------- 10.0.3.0/24, backend servers

      Note

      If you use a cluster, to ensure a consistent configuration, set up a VIP on eth1 to route traffic to the backend server.

      This way, a failover on IPs on eth0 would also trigger a failover of the VIP on eth1.

      Field       Description
      IN          Inbound network interface
      OUT         Outbound network interface, different from the inbound interface
      Protocol    UDP

  3. Enter the following values in the Before area.

    Field              Value               Example
    Source             Blank
    Source port        Blank
    Destination        VIP address         10.0.0.3
    Destination port   UDP port or range   8000, or 50000-51000

  4. Enter the following values in the After area.

    Field              Value         Example
    Source             VIP address   10.0.0.3
    Source port        Blank
    Destination        Blank
    Destination port   Blank

    Note

    If you enter a local IP address as the source, it cannot be shared between the members of a cluster.

  5. Check your configuration, then apply it.


Enable LVS's connection tracking

NAT relies on connection tracking information to translate all of the packets in a session in the same way.

  1. In the Services tab, click LVS setup.

  2. Enable connection tracking through the conntrack keyword.

    service lvs
      ############ Linux Virtual Server, layer 3/4 load balancing
      conntrack
  3. Apply and reload the LVS service.


Next up

TCP Load Balancing