Importance Of Anypoint Dedicated Load Balancer in MuleSoft Ecosystem

Dedicated Load Balancer is an optional component in Anypoint Platform which allows the route of external HTTP/HTTPs traffic.

Jitendra Bafna

Jan. 04, 21 · Opinion

Likes (4)

Comment

Save

15.6K Views

Introduction

Dedicated Load Balancer is an optional component in Anypoint Platform which allows the route of external HTTP/HTTPs traffic to multiple applications deployed to Cloudhub within VPC.

Each Dedicated Load Balancer has a DNS A record lb-name.lb.anypointdns.net that resolves to the two public IP addresses of the two instances.

To create a dedicated load balancer, you must first create the Anypoint VPC which can be mapped to the multiple environments and the same dedicated load balancer can be used for different environments. You can use multiple DNS for the same dedicated load balancer (i.e. api-dev.example.com and api-test.example.com)

Why Dedicated Load Balancer in MuleSoft Ecosystem?

One of the limitations of SLB is the lower rate limit. To avoid that issue, you can use a dedicated load balancer.
All applications can be hosted under a single domain.
Custom SSL certificates can be configured on DLB.
Handle load balancing among the different Cloudhub workers that run your application.
To access apis publicly or whitelisted client deployed within VPC.
To support Mutual Authentication (Two Way SSL).

Prerequisites

At least one VPC configured to create DLB.
SSL Certificates in .pem format.

Whitelisted CIDRs

To allow dedicated load balancers must be used by a set of IP addresses or single IP addresses, you need to add those IP addresses in the form of CIDR notations (e.g. 192.168.1.0/24).

By default, all the public traffic allowed on DLB as default CIDR allowed is 0.0.0.0/0. In case if you want to allow public traffic from few clients, you can delete default CIDR and allow only CIDR from which DLB has to accept the traffic.

HTTP Inbound Mode

Off: Causes the load balancer to silently drop the request.
On: Accepts the inbound request on the default SSL endpoint using the HTTP protocol.
Redirect: Redirects the request to the same URL using the HTTPS protocol.

Other Configurations

Disable Static IPs specifies to use dynamic IPs, which do not persist when the DLB restarts.
Keep URL encoding specifies the DLB passes only the %20 and %23 characters as is.
If you deselect this option, the DLB decodes the encoded part of the request URI before passing it to the CloudHub worker.
Support TLS 1.0 specifies to support TLS 1.0 between the client and the DLB.
Upstream TLS 1.2 specifies to force TLS 1.2 between the DLB and the upstream Cloudhub worker.

Dedicated Load Balancer Certificates

Configure SSL certificate to enable HTTPS (Public Key and Private Key). For two way authentication, you can configure Client Certificate and that is optional. The dedicated load balancer must be associated with at least a pair of one certificate.

Generally, we configure the certificates on Dedicated Load Balancer from CA authority. For testing purposes, you can use self-signed certificates.

Note: - Always use CA signed certificates instead of self signed certificates. It is not recommended to use self signed certificates as it is not secure and even not recognized by browsers and few or more clients.

Generating Self Signed Certificates

     Plain Text 
   
 x 
         
openssl req -newkey rsa:2048 -nodes -keyout test-private.pem -x509 -days 3000 -out test-public-crt.pem

The above command will generate Private Key and Public Key that can be configured on a dedicated load balancer.

Generating Self Signed Certificates Using .cfg File

You can generate certificates by adding below content in .cfg file and pass to OpenSSL command.

     Plain Text 
   
xxxxxxxxxx
 
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt = no
[ req_distinguished_name ]
countryName                 = US
stateOrProvinceName         = Arizona
localityName               = Phoenix
organizationName           = Test
commonName                 = example.com
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = api-dev.example.com
DNS.2   = api-qa.example.com

     Plain Text 
   
xxxxxxxxxx
 
openssl req -newkey rsa:2048 -nodes -keyout test-private.pem -x509 -days 3000 -out test-public-crt.pem -config test-com.cfg

Generating Self Signed Wildcards Certificates

     Plain Text 
   
xxxxxxxxxx
 
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
countryName                 = US
stateOrProvinceName         = Arizona
localityName               = Phoenix
organizationName           = Test
commonName                 = *.example.com

Dedicated Load Balancer Mapping Rules

Mapping rules are used on dedicated load balancers to translate input URI to call applications deployed on Cloudhub. A pattern is a string that defines a template for matching an input text. Whatever value is placed within curly brackets ({ }) is treated as a variable. Variable names can contain only lowercase letters (a-z) and no other characters, including slashes.

Input Path	Target App	Output Path	Protocol
/{app}/	{app}	/	http
/{app}/	org-{app}-{subdomain}	/	http

One Dedicated Load Balancer Mapped With One Environment

One Dedicated Load Balancer Mapped With Multiple Environment

Let's consider that we have 2 DNS (i.e. api-dev.example.com and api-test.example.com) setup on a dedicated load balancer.

api-dev.example.com is for the Dev environment whereas api-test.example.com is for the Test environment.

Use Case 1

We are receiving requests on the DLB https://api-dev.example.com/ecommerce/v1.0/invoices and need to redirect them to http://org-ecommerce-api.cloudhub.io/v1.0/invoices (the Cloudhub application name will be org-ecommerce-api)

We can use this mapping rule to achieve this.

Input Path	Target App	Output Path	Protocol
/{app}	org-{app}-api	/v1.0	http

This above rule will be applied when requests come on DLB and route to the Cloudhub application in the VPC.

https://api-dev.example.com/ecommerce/v1.0/invoices ==> http://org-ecommerce-api.us-e1.cloudhub.io:8091/v1.0/invoices

But here we have some problems that on our DLB, we have set up 2 DNSs, one for Dev and another for Test. Now, how will the DLB know this is a request that needs to route to either the Dev or Test application because the same rule will be applied for both?

To avoid this, we will be using a subdomain in the next use case.

Use Case 2

In this case, we will be using a subdomain for routing the request to the correct environment from DLB.

Our application name format must be org-app-subdomain (e.g. org-ecommerce-api-dev for dev environment and org-ecommerce-api-test for test environment) when deploying to CloudHub workers in VPC .

So, our mapping rule will look like this.

Input Path	Target App	Output Path	Protocol
/{app}	org-{app}-{subdomain}	/v1.0	http

subdomain is variable to map any subdomain.

https://api-dev.example.com/ecommerce/v1.0/invoices (DLB) ==> http://org-ecommerce-api-dev.us-e1.cloudhub.io:8091/v1.0/invoices (CloudHub Dev Environment)
https://api-test.example.com/ecommerce/v1.0/invoices (DLB) ==> http://org-ecommerce-api-test.us-e1.cloudhub.io:8091/v1.0/invoices (CloudHub Test Environment)

In this use case, we solve the issue of routing the request from DLB to the correct environment.

Let's consider another scenario where you want to route the request to CloudHub on the basis of the application version. We will see this in the next use case.

Use Case 3

In this case, when we will deploy an application to CloudHub, and it will be in format org-app-subdomain-version (e.g. org-ecommerce-api-dev-v1-0 for Dev environment and org-ecommerce-api-test-v1-0 for Test environment).

Whenever we will get request on DLB, then the version in the URL will be v1.0 and v2.0 but when you deploy application on CloudHub it doesn't allow to use "." in the application name. That is the reason we are using "-" in the version of the application deploying to CloudHub.

So, our mapping rule will look like this.

Input Path	Target App	Output Path	Protocol
/{app}/v{versiona}.{versionb}	org-{app}-{subdomain}-v{versiona}-{versionb}	/v1.0	http

https://api-dev.example.com/ecommerce/v1.0/invoices (DLB) ==> http://org-ecommerce-api-dev-v1-0.us-e1.cloudhub.io:8091/v1.0/invoices (CloudHub Dev Environment)
https://api-test.example.com/ecommerce/v1.0/invoices (DLB) ==> http://org-ecommerce-api-test-v1-0.us-e1.cloudhub.io:8091/v1.0/invoices (CloudHub Test Environment)

DLB Mapping Rules Priority

DLB will apply the first matching rule regardless of more exact matching rules available. A rule defined first, at index 0 has higher priority against other rules defined after it. The higher the index assigned, the less priority the mapping rule has.